Cookies and Internet Protocol (IP) logging
When you visit our website, our server will record your computer's IP address (the unique numerical address given to every computer connected to the Internet) and the time and duration of your visit.
What is a Privacy Notice?
The RNOH is an acute hospital that provides healthcare services to patients from both the UK and worldwide. Our vision is to be a world-leading orthopaedic hospital with the best patient care and staff experience in the NHS.
Everything the Trust does is underpinned by our four core values:
- Patients first, always;
- Excellence, in all we do;
- Trust, honesty & respect, for each other;
- Equality, for all.
We are monitored by a number of different National Bodies, including:
- NHS England
- Information Commissioner’s Office (ICO)
- Care Quality Commission (CQC)
- Department of Health (DH)
- NHS Improvement
Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by their respective professional bodies.
The Trust would like to demonstrate its commitment to openness and accountability. We recognise the importance of protecting personal and confidential information in all that the Trust does to ensure that we meet our legal responsibilities and other duties, including compliance with the following:
- Data Protection Act (DPA)
- Human Rights Act
- Access to Health Records Act
- Freedom of Information Act
- Health and Social Care Act
- Public Records Act
- Copyright Design and Patents Act
- Re-Use of Public Sector Information Regulations
- Computer Misuse Act
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International Information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice
- Accessible Information Standards
- General Data Protection Regulations (GDPR)
Your information may be collected by us in a number of ways. This might be via a referral from your GP or from another healthcare professional you have seen. Information may also have been provided to us by a private health insurance company or by a third party funding your treatment. Information may have been collected over the telephone or through a form that you have completed.
There may also be times when information is collected from another NHS Trust emergency department (A&E) where you may have been unconscious or unable to communicate. In such cases, information may be collected from your relatives or from your next of kin.
The information that we collect about you may include details such as:
- Name, address, telephone, email, date of birth and next of kin (financial details for self-paying patients)
- Details we have had from you during your attendance of appointments
- Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
- Results of X-rays, scans, blood tests, etc.
- Other relevant information collected from people who care for you and who know you well, such as health professionals, relatives and carers
Where the Trust processes special categories of information in relation to your racial or ethnic origin, religious and philosophical beliefs, Trade Union membership, biometric data or sexual orientation, the Trust will always obtain your explicit consent to those processes unless this is not required by law or the information is required to protect your health in an emergency. Where the Trust processes data with your consent, you have the right to withdraw that consent at any time.
The Trust collects personal and confidential information about you to support the delivery of your appropriate healthcare and treatment. In order to provide you with the best patient care, the Trust must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for the Trust to provide the right care to meet your individual needs.
The Trust uses your information to ensure that:
- The right decisions are made about your care
- Your treatment is safe and effective
- We can work well with other organisations that may be involved in your care
This is important because having accurate and up-to-date information will assist us in providing you with the best patient care. It also ensures that all information is readily available to other health professionals or specialists within our Trust or in another part of the NHS.
There is also the potential for your information to help improve healthcare and other services across our Trust and within the wider NHS. Therefore, your information may also be used to help with:
- Ensuring that our services can be planned to meet the future needs of patients
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
- Evaluating and improving patient safety
- Training healthcare professionals
- Conducting clinical research and audits, and understanding more about health risks and causes in order to develop new treatments
- Preparing statistics on NHS performance and monitoring how we spend public money
- Supporting the health of the general public
- Government and NHS policies
The GDPR and the Data Protection Act have strict principles governing our use of information and our duty to ensure that it is kept safe and secure. Your information may be stored using electronic or paper records, or a combination of both. All our records are restricted so that only authorised individuals have access to them. Restricted access might be enforced through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you have provided to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you, or there are other circumstances which require us to have your information.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you about how your information will be used, and allow you to decide if and how your information can be shared, and with whom.
Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian and, within a Trust, this role sits with the Medical Director. You can find more details online about the RNOH medical director.
To help provide you with the best possible care, sometimes the Trust will need to share your information with others. However, any sharing of information will always be governed by specific rules and laws. We may share your information with a range of health and social care organisations for a specific reason and we will have a duty to tell you why they will be contacting you.
The Trust works with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be shared with them on a secure basis.
For your benefit, we may also need to share some of your information with authorised non-NHS authorities and organisations which are involved in your care. This might include organisations such as local councils, social services, education services, the police, voluntary and private sector providers, private healthcare companies, and third-party and embassy sponsors. In such circumstances where we are required to use your personal information, we will only do this if:
- the information is necessary for your direct healthcare
- we have received written consent from you to use your information for a specific purpose, e.g. concern/complaint raised by your representative on your behalf
- there is an overriding public interest in using the information, e.g. in order to safeguard an individual or to prevent a serious crime
- there is a legal requirement that will allow us to use or provide information, e.g. a formal Court Order or summons
- we have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work
- there are emergency planning reasons, such as protection of the health and safety of others. Typically these relate to severe weather, outbreaks of diseases (e.g. seasonal flu), major transport incidents, and terrorism.
Where sharing information involves a non-NHS organisation, a specific information sharing agreement will be put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.
The Trust at times may outsource a limited number of administration and IT support services to external organisations. These companies are based within the European Economic Area and all services are provided under specific contractual terms which are compliant with legislation.
Only organisations which have a legitimate requirement to have access to your information will be allowed to and only whilst adhering to strict controls and rules. The Trust will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
Sometimes the Trust may be required by law to disclose or report certain information which may include details that identify you. However, this is only done after formal authority is granted by the Courts or by a qualified health professional. Reasons may include reporting a serious crime or identifying an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information would be released.
The Trust may also be required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by the NHS Information Authority. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the Government Chief Medical Officer. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure that we are operating legally.
Some health records are needed to teach student clinicians about rare cases and rare diseases. Without such material, new doctors and nurses would not be properly trained to treat you and others like you. It is also possible that individuals, such as student nurses, medical students and healthcare cadets are receiving training using such information to care for patients. If staff would like a student to be present whilst treating you, they will always ask for your permission to do so and you have the right to refuse without this affecting the care or treatment that you are receiving.
We also undertake clinical research and audits within the Trust, and your permission may be required for some of this work if we are using your information. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify you or any other individual person.
The Trust may use automated decision making (including profiling) in limited circumstances in the future. This will only be used if there is evidence that it could improve your treatment whilst at the Trust.
You have the right to refuse (or withdraw) consent to your information being shared at any time. This is also referred to as ‘opt-out’. If you choose to prevent your information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided to you is limited. It may also mean that it might not be possible to offer you certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.
You also have the right to ‘opt-out’ of having your information used in any mandatory audits which the Trust is involved in. If this is the case, you should write to our Information Governance team (using the contact details on the front of this booklet) providing your name, address, date of birth and hospital or NHS number.
The Trust securely stores your information electronically and in paper form. We use different systems depending on the treatment you are having and these are subject to change:
| System | Purpose |
|---|---|
| Compucare | Private patients administration and charging |
| ICE | Tracking of clinical requests from wards and clinics, such as blood tests |
| Tiara | Appointment booking system for patient appointments |
| Picture Archive Communication System (PACS) | Diagnostic imaging system |
| Patient Outcome Data (POD) | Recording outcomes of patient treatment |
| iCS | Core patient system for managing patient information |
| NoteOn & C-Store | Written patient records and clinic lists that have been electronically scanned and stored |
| C-Scribe | Patient letter transcription |
| e-Referrals | Electronic patient referrals from GPs |
| InfoFlex | Cancer patient treatment and management system |
If the Trust develops any information systems it will conduct a data protection impact assessment to help identify and minimise the risks of your information being used incorrectly.
Your personal data will be kept in line with the recommendations set out by the Department of Health Management Code of Practice for Health & Social Care:
| Record Type | Retention Start | Retention Period |
|---|---|---|
| Adult health records | Patient discharge or patient last seen | 8 years |
| Adult social care records | End of care or patient last seen | 8 years |
| Children's records including midwifery, health visiting and school nursing | Discharge or patient last seen | 25th birthday or, if the patient was 17 at the conclusion of the treatment, until their 26th birthday |
| Patient records | Death of the patient | 10 years |
| Cancer / Oncology records of any patient | Diagnosis of cancer | 30 years or 8 years after the patient has died |
| Medical record of a patient with Creutzfeldt-Jakob Disease (CJD) | Diagnosis | 30 years or 8 years after the patient has died |
| Record of long-term illness or an illness that may reoccur | Discharge or patient last seen | 30 years or 8 years after the patient has died |
Your records which have reached the end of their administrative life must be destroyed in as secure a manner as is appropriate to the level of confidentiality or protective markings they bear. The methods used to destroy records must provide adequate safeguards against the accidental loss or disclosure of the contents.
A record of the destruction of records, showing their reference, description and date of destruction should be maintained and preserved by the department responsible for the records so that the organisation is aware of those records that have been destroyed and are therefore no longer available.
You have the right to confidentiality under Data Protection Law, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.
The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with. We do this through this privacy notice and patient leaflets.
The right of access – to information held about you. For further information please refer to the section “How can you gain access to the information that the Trust holds about you?”
The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us (email@example.com) so that we are able to contact the person who entered the information. We will correct factual mistakes and provide you with a copy of the corrected information. If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.
The right to erasure – this is also known as your ‘right to be forgotten’ where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. Your health record is retained in accordance with NHS national guidance, and because of our obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period. However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer, firstname.lastname@example.org. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital.
The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.
The right to object – this is your right to object to the hospital processing your health data because of your particular situation. Because of our obligation to keep health records, it is extremely rare that we would stop processing your data if you wished to continue to be treated by the hospital. If you believe you have compelling grounds for the hospital to stop processing your data, you should contact our Data Protection Officer, email@example.com. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision would be taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace clinical judgements when making decisions about your care.
If you have provided your consent, you have the right to withdraw your consent at any time. Please speak to your clinician or nurse if you would like to withdraw the consent that you have provided.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that the Trust has not complied with the requirements of the GDPR or the DPA with regard to your personal data. Please refer to the sections "How can you contact us with queries or concerns about this privacy notice?" and "How can you make a complaint?"
Under the General Data Protection Regulations (GDPR) and Access to Health Records Act, you have the right to request access to the information that we hold about you using the process known as a ‘Subject Access Request’ (SAR).
You may have the right to see what has been written about a deceased patient in the Trust and their other health records. Access is available to:
- The patient’s personal representative (this will be the executor of the will or the administrator of the estate)
- Any person who may have a claim arising out of the patient’s death
Please note that medical records are defined as a "chronological written account of a patient's examination and treatment which includes the patient's medical history and complaints, the physician's physical findings, the results of diagnostic tests and procedures, and medications and therapeutic procedures."
If you want to view your medical records, you may not need to make a formal application. Nothing in the law prevents healthcare professionals from informally showing you your own records. For further information please contact: The Access to Health Records Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP; Telephone: 020 8909 5366; Email: rno-tr.MedicalRecords@nhs.net
If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, then please contact our Information Governance Department:
Post: Information Governance Department, Data Protection Officer, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
Telephone: 020 3947 0419
You can also find details of our registration with the Information Governance Commissioner online here:
- Search Information Commissioner
- Our ICO registration number is Z6139846
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend that you contact our Information Governance Department initially to talk through any concerns that you may have.
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before you follow a more formal process:
- Post: Complaints and PALS Service, Royal National Orthopaedic Hospital NHS Trust, Brockley Hill, Stanmore, Middlesex, HA7 4LP
- Email: firstname.lastname@example.org
- Telephone: 020 8909 5717 / 5439 / 5741
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Web: Information Commissioner
- Telephone: 0303 123 1113