Privacy Notice

We will  process your personal information fairly and lawfully by;

a) Only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;

We do not rely on consent to use your information as a ‘legal basis for processing’.  We rely on specific provisions under Article 6 and 9 of the UK GDPR, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’ 

This means we can use your personal information to provide you with your care without seeking your consent.  

We would never share it for marketing or insurance purposes.

b) Collect your information for a specified purpose and not to use it in a way that is not compatible with that purpose.

c) Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;

d) Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate and as soon as we can;

e) Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;

f) Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you receive.  This may include:

• Basic details such as name, address, date of birth, phone number, and email address  - where you have provided it to enable us to communicate with you by email

• Information about how to contact you like your mobile number - so we can use it to contact you, and to communicate with you via SMS text messaging or to leave a voicemail if you can't answer. If you do not want us to communicate with you in this way, you must tell us or specify your preferred method for contact and for what purpose

• Your next of kin and contact details

• Information regarding your carer/s (which include friends and significant others) contact information

• Notes and reports about your physical or mental health and any treatment, care or support you need and receive

• Results of your tests and diagnosis

• Relevant information from other professionals, relatives or those who care for you or know you well

• Any contacts you have with us such as home visits or outpatient appointments

• Information on medicines, side effects and allergies

• Patient experience feedback and treatment outcome information you provide

Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers.  To assist this, the use of other electronic patient record systems to share your information will be implemented.  You will be given the opportunity to say no and to opt-out of this sharing.  To do this, please speak to your GP or the team providing your treatment.

To support the provision of environments that are safe and secure for patients, staff and visitors we use surveillance systems such as Closed Circuit Television systems (CCTV) across Trust sites.  All recordings are held locally within our network, with restricted access. Please refer to Policy for Surveillance and the use of Closed Circuit Television for further information.

Your information is collected to enable us to provide you with a range of health care services to;

• have all the information necessary for assessing your needs and for making decisions with you about your care
• have details of  our contact with you, such as referrals and appointments and can see the services you have received
• assess the quality of care we give you 
• properly investigate if you and your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

• move to another area  
• need to use another service
• see a different healthcare professional.

Health and Social Care Professionals - Your information will be shared with the team who are caring for you and are providing treatment to you. However, the NHS, other agencies and partners, including, for example, social services, and private healthcare organisations work together so we may need to share information about you, in order to provide you with a seamless service. We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.  We will only share your information in this way if we have your consent and it is considered necessary.

GP Connect - We use this facility to support your direct care. GP Connect makes your clinical information available to all appropriate clinicians when and where they need it, to support your direct care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than your direct care.

Care and Health Information Exchange (CHIE) formerly known as the Hampshire Health Record, is a local health and social care record which brings together information from participating Health and Care organisations such as GP practices, community providers, acute hospitals and social care providers.

From your patient record we share your name, address, your contacts such as next of kin, diagnosis, allergies and alerts as well as information about your appointments, care plans, immunisations, progress notes, assessments, inpatient events and referrals, with CHIE. If you do not want your information shared with CHIE, please discuss this with your healthcare professional.

The four Local Safeguarding Adults Boards in Hampshire, Southampton, Portsmouth and Isle of Wight (4LSAB), Fire Safety Development Group - This is to ensure that fire risk is managed by all partners represented through the 4LSABs. This supports consistent provision of fire safety of vulnerable groups and to implement ways of reducing future avoidable fire deaths and near miss fire incidents across the partner organisations/agencies. Through partner agencies working together, vulnerable groups will be less at risk of fire and its affects.

Staff undertaking clinical audits - To ensure we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Our access to your patient records for this purpose is monitored and only anonymous (unidentifiable) information is used in any reports that are shared internally within our Trust.

The Trust also partakes in other national audits - for example; National Audit of Care at the End of Life.

Statutory public inquiries - The Inquiries Act provides a statutory public inquiry with powers to formally request any relevant information from any person or organisation. As a health and care organisation, we have a legal obligation to comply with any formal request from a statutory public inquiry that we receive, known as a Section 21 notice. Where the formal request includes confidential patient information, the lawful basis for providing this under the common law duty of confidentiality is met.

You will not be able to object to your confidential patient information being shared for formal requests issued by statutory public inquiries, because of their importance to the wider public.

Non statutory public inquiries, investigations and reviews related to patient safety – Health and care organisations must work with any investigation that is considering the safety of the care and support that the organisation has provided. This includes providing records and other information to allow the investigation to carry out its task.

You can object to your information being shared if it has been requested by a non-statutory public inquiry, but you will need to give us specific reasons for your objection, and we will consider whether to comply with it.

Investigations and reviews - Usually take place because something may have or has gone wrong, and we need to learn more about the safety of the service, to support improvement in the safety of care. They can be internal, external, or independent. Independent investigations and reviews are carried out by a third party appointed by NHS England or a local commissioner, on the basis of the Patient Safety Incident Response Framework (PSIRF).  Although our Trust is not legally obliged to share information, to keep our patients safe from serious harm or death, we will disclose relevant and appropriate information where it is in the interests of the patient, and public.

You can object to your information being shared if it has been requested for an investigation or review. You will need to give us specific reasons for your objection, and we will consider whether to comply with it.

Courts (criminal, civil, family and coroner’s) - courts may request information from us. A request like this is called a court order. A judge can request any information they see as relevant to a case, and we are legally obliged to comply by providing exactly the information requested within the court order. The information will be supplied unredacted, and in its original format where possible, to avoid any doubt about its authenticity.  You will not be able to object if your information is requested by a court.

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record, CCTV recordings with other agencies.  In these rare circumstances we are not required to have your consent, for example:

• If there is a concern that you are putting yourself at risk of serious harm

• If there is concern that you are putting another person at risk of serious harm

• If there is concern that you are putting a child at risk of harm

• If we have been instructed to do so by a Court

• If the information is essential for the investigation of a serious crime

• If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object

• If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

Further information  

You can find more about what personal information we share, to whom and for what purpose by looking on our webpages - Information Sharing and Record of Processing Acitvities or you can email our Data Protection Officer.    

Integrated Care Boards (ICBs) like the old Clinincal Commissioning Groups (CCGs)

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information with the ICBs. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.

Integrated Care System (ICS) – One of the Hampshire and Isle of Wight ICS initiatives is Population Health Management (PHM). This initiative helps the NHS to understand the health and care needs of the local population within Hampshire and Isle of Wight. It means we can identify what care will be needed, be proactive and preventative in planning and delivering it, to help keep the population well. The type of data we share for this is identifiable, pseudonymous, anonymous, and aggregated data. However, only those who are providing you with your individual care will see your identifiable data. Data Processors to which data is disclosed: Cerner Ltd, Optum Ltd, NECS CSU. 

For further information contact: Population Health Management Services, Hampshire & Isle of Wight Integrated Care System, (Hosted by Hampshire and Isle of Wight ICB) - hiowicb-hsi.hiow-phm@nhs.net

In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally with in our Trust.

NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services.  We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP.

Forensic Child and Adolescent Mental Health Services (FCAMHS) Research Database - Used for the collation of routinely collected data in a patient's normal care from all medium secure sites within the FCAMHS network. This data will be used for research purposes to predict patient outcomes and improve patient care across medium secure FCAMHS. You have the right to ask us to not use your data for this database by contacting your forensic team.

NHS England  - NHS England assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

Most of the time, NHS England use anonymised data for planning. So your confidential patient information isn't always needed.

Southern Health NHS Foundation Trust is a University Hospital Trust and is committed to promoting research with a view to improving future care. Researchers can use information to improve how physical and mental health can be treated and prevented.

As a data controller Southern Health rely upon Articles 6(1)(e) and 9(2)(j) as our lawful basis for processing your information under the UK GDPR and UK Data Protection Act 2018. This means we do not rely upon your consent for our Researchers to access information we have collected about you.

However, we do rely upon your consent for you to actively take part in a research study. For you to have the opportunity to take part in local research with Southern Health you might receive a letter, email, text message or phone call asking if you would like to receive further information about specific individual local research studies that might be relevant to your health.      

You have the right to ask us not to send any further communication about our local research.

If you do take part in a research study, you have the right to withdraw your consent at any point, however, the information already collected as part of the research study would not be erased.

We would never publish the outcome of our research studies in a way that would personally identify you.

Our Trust also uses an IT system known as UK CRIS (Clinical Record Interactive Search).  This system has a copy of your Southern Health clinical record in it and is used for research by approved researchers. However, all personal identifiable information about you has been removed so you cannot be identified.

For further details on how your information is used in research please visit the Health Research Authority - patient information, health and care research or you can contact our:  

If you do not want your personal confidential patient information used for the planning of health and care services as well as research in England, you have the right to nationally object/Opt-out to your information being used, by registering your choice via https://nhs.uk/your-nhs-data-matters.

If you do choose to nationally opt-out, you can still consent to your data being used for specified individual research studies and planning purposes locally.

The Trust will honour your national choice to opt out of your personal confidential patient information being used for planning and research purposes where we are legally required to do so.

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.

This Trust is registered to the Information Commissioner’s Office; registration number Z8537183

All of the Information Systems used by our Trust are implemented with robust security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by mandated frameworks such as the Data Security and Protection Toolkit (DSPT) and the Governments Secure Email Standard (DCB1596). As required, the security controls are supported by other relevant guidance from sources such as NHS Digital and the National Cyber Security Centre (NCSC).

This Trust is accredited to:

• Cyber Essentials PLUS (CE+) (Certificate no.: 4ff26518-cbcb-4bc2-b1f9-5240fce56303 issued by the IASME Consortium Ltd) Assessed annually and demonstrates the minimal level of cyber security controls are implemented.
• Secure Email Standard (DCB1596) - assessed annually and certified via NHS Digital.
• ISO27001 (registration number IS 664113) - the email service meets the requirement of ISO27001 and is independently certified.

All employees and our partner organisations are legally bound to respect your confidentiality, all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.  

To find more information about how we keep your information safe click here. If you need further information, you can email our Data Protection Officer.

All records held by the NHS are subject to the Records Management Code of Practice 2021.The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

You have a right to see the information we hold about you, both on paper or electronic, except for information that: 

• Has been provided about you by someone else if they haven’t given permission for you to see it

• Relates to criminal offences

• Is being used to detect or prevent crime

• Could cause physical or mental harm to you or someone else

We may need to request proof of identity before we can formally respond to your request for your personal information. You can find out more about how to access your information by visiting our webpage and clicking on 'Access to your personal information'.  

If you wish to complete our Subject Access Request Form or send an email, please forward to the service where you receive your care or alternatively send to:

The Records Manager
Southern Health NHS Foundation Trust
4-6 Sterne Road
Tatchbury Mount
Calmore
Southampton SO40 2RZ

Email: accesstorecords@southernhealth.nhs.uk

The team are available to assist you with your comments, concerns and complaints.  The team act independently of clinical teams to ensure your concerns are investigated and responded to in an effective and timely manner.  Contact details are:

FREEPOST RSJL- JXSX-ATUE
Complaints Team
7 Sterne Road
Tatchbury Mount
Calmore
Southampton SO40 2RZ

Telephone: 023 8087 4065                                                                                                                        Email: complaints@southernhealth.nhs.uk

To get further advice or report a concern directly to the UK’s independent authority you can do this by making contacting with:

Information Commissioner's Office 
Wycliffe House
Water Lane
Wilmslow                                                                                                                                                Cheshire SK9 5AF

Telephone: 0303 123 1113

For more information please go to:  https://ico.org.uk/concerns/handling/ 

The Data Controller 

Southern Health NHS Foundation Trust
7 Sterne Road
Tatchbury Mount
Calmore
Southampton SO40 2RZ

Telephone: 023 8087 4000

Caldicott Guardian

Dr Mayura Deshpande
Southern Health NHS Foundation Trust
7 Sterne Road
Tatchbury Mount
Calmore
Southampton SO40 2RZ      

Telephone: 023 8087 4000 
Email: dataprotectionofficer@southernhealth.nhs.uk

Data Protection Officer

Heather Mitchell
Southern Health NHS Foundation Trust
7 Sterne Road
Tatchbury Mount
Calmore
Southampton SO40 2RZ      

Telephone: 023 8087 4000
Email: dataprotectionofficer@southernhealth.nhs.uk

Freedom of Information Officer

Southern Health NHS Foundation Trust                                                                                                            6 Sterne Road                                                                                                                                                    Tatchbury Mount                                                                                                                                                Calmore                                                                                                                                                              Southampton SO40 2RZ

Telephone: 023 8087 4662                                                                                                                                  Email: freedom.information@southernhealth.nhs.uk