Privacy and Fair Processing

Introduction

This document is aimed at people using the services of New Victoria Hospital (NVH). It is an explanation of why the hospital needs to collect your personal data, how it is stored, how long it is kept and who it is shared with. The document also outlines your rights regarding your personal data and who to speak to if you have any concerns regarding the management of your data at the hospital. Information regarding the hospital’s CCTV system, telephone system and information collected on our website is also included.

What information does NVH collect?

We will use your personal data for the reasons set out below.

The personal data we collect and use may include:

Your name, address and contact details, including email address and home and mobile telephone numbers. If you provide these details, we may use them to contact you unless you ask us not to. This could include emails, text or voicemail messages.
Date of birth and gender.
The terms and conditions of your contract with us for the provision of healthcare and related services.
Your medical insurance details.
We will take a swipe of your debit or credit card. We will let you know if we intend to take a payment from this card before we do so.
Information about your marital status, next of kin, dependants nominated and/or emergency contacts.

Health related data:

Your previous and current medical health record.
Information about medical or health conditions of your family.

How NVH collects this information?

We collect most of this information during the registration or admission process.
We will keep copies of medical records you provide.
In some cases, we may collect information provided by your consultant, your GP or the NHS.

How does NVH use your data?

We use your personal data to support the provision of your healthcare in the following ways:

To decide how best to provide treatment to you;
As necessary to support the healthcare contract with you and to allow us to receive full payment for those services;
To take steps at your request during the course of your treatment;
To keep your records up to date;

We use your data for the following purposes, to maintain the high standards of service that we provide to you:

For good governance, accounting, and managing and auditing our clinical and business operations both internally and by third parties;
For surveys of patient experience and quality of care;
To monitor emails, calls, other communications, and activities on our networks and systems;
For developing statistics for improving clinical performance;

We may process your data to ensure the security of our systems and to prevent crime and ensure compliance with all laws and regulations that are applicable to our services:

We may monitor and record telephone calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.

We use your data to ensure we can comply with our legal obligations:

When you exercise your rights under data protection law and make requests;
For compliance with legal and regulatory requirements and related disclosures;
For establishment and defence of legal rights;
For activities relating to the prevention, detection and investigation of crime;
To verify your identity, credit fraud prevention and anti-money laundering checks; and
To investigate complaints, legal claims and data protection or clinical incidents.

Based on your consent we may also share your data:

With your next of kin or other nominated contact;
If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf; or otherwise agree to disclosures;
When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).

You are free at any time to change your mind and withdraw your consent, where we have only relied on your consent, to share your data. We will advise you if the consequence of doing so is that we cannot continue to provide full healthcare services to you.

Your demographic details are used for the purpose of communicating with you. The hospital will use information such as your age and sex to determine the most appropriate treatment for you and to ensure that scientific information such as blood results are performed and reported accurately.

Whom NVH shares your personal data with?

We may share your personal data with:

Healthcare Providers or those who help us provide care to you

Consultants/Doctors and other healthcare professionals who provide treatment to you at NVH;
Other healthcare providers including your General Practitioner (GP) where we believe this will enhance the quality of your care. Let us know if you do not wish us to share information with your GP;
Sub-contractors and other persons who help us to provide healthcare products and services to you;

For payment from your insurer, sponsor or guarantor

We will contact the individual or company including your insurer and provide them with the information necessary to support our invoices for payment and to ensure that we receive full payment for your care. We may also contact them prior to your care to confirm that the treatment you are about to receive is covered by them and they are willing to pay for your care. We will also provide information necessary to support any audits carried out by insurers and sponsors.

Legal, Government and regulatory bodies

Fraud prevention agencies, credit reference agencies, and debt collection agencies;
Government bodies and agencies;

Others

In an emergency or to otherwise protect your vital interests;
Payment systems and providers; and
Anyone else where we have your consent or as required by law.

How long will NVH keep your personal data?

The hospital is required to keep medical records for the amount of time specified in the Records Management Code of Practice for Health and Social Care 2016. With some exceptions, medical records for adults will be stored for a minimum of eight years. Medical records for patients seen, while under the age of 17, will be kept until they are 25 years old. Medical records of patients 17 years old will be kept until their 26th birthday.

Your rights regarding your personal data?

The General Data Protection Regulation allows you the following rights:

The right to be informed about what personal data is kept, where and how it is processed and who it is shared with. This information is provided to you in the hospital’s registration form where permission to process your data is requested and in this document.
The right to access a copy of your personal information verbally or in writing. If you do request a copy of your information it will be provided to you in electronic or paper format within one month of requesting the information. You will not be charged for receiving this information.
The right to rectification of your personal data held by the hospital. If you request a change to your data NVH will make the changes within one month of your request.
The right to have your data erased. This right is not absolute and will only apply if the hospital is able to do so without breaking other laws that the hospital must abide by. If it is possible to erase your data it will be done so within one month of receiving your request.
The right to restrict the hospital processing your data. This is not an absolute right and only applies in certain circumstances. Where NVH is able to comply with a request to restrict processing it retain your personal data but do not process it.
The right to data portability. This right applies only to the data you have provided. If you request a copy of your personal information for your own purposes, the hospital will give you the data in either paper or electronic format. Do/should we charge
The right to object to the hospital processing your personal data. You have the absolute right to object to the hospital using your personal data for direct marketing purposes.
Rights related to automated decision making including profiling. This right relates to processes where decisions are made solely by automated means without any human involvement. Although the hospital has no automated decisions process it is obliged to inform you of this right.

Please, email our data protection officer at [email protected] if you would like to exercise any of these rights.

The Lawful Basis for processing your data

Data protection law means that we can only use your data for certain reasons, and where we have a legal basis to do so. Here are the reasons for which we ‘process’ (use) your information, and an explanation of how much control you have over different aspects of this:


What we use	Why we use it	What’s the legal basis?	If I obtain services from New Victoria Hospital, do I have a choice? Where can I find out more?
Information you provide to us, demographic information (contact details, your age, gender and ethnicity), referral information, and information about how you are paying for your treatment.	We – and your consultant – will use information to: • Make decisions with you about your care and treatment. • Ensure that we are paid for the treatment which is provided to you. • Provide details about the treatment you have received to other health professionals involved in your care to ensure the safe and effective delivery of treatment and continuity of care – for instance external radiologists who may undertake scans, pharmacies for prescriptions, care agencies, or your GP. • Respond to any complaints, concerns or correspondence from you about your treatment.	Article 6(1)(b) GDPR – Information which is necessary for a contract. Article 6(1)(f) GDPR – Processing is in our ‘legitimate interests’. We explain some of our legitimate interests below.	You can decide what to tell us, but giving an incomplete picture may prevent, delay or interfere with your care and treatment. For instance, if you did not tell us about any allergies you have, that may mean you are at higher risk of an allergic reaction in the course of treatment. If we don’t think we have enough information to provide you with safe care, we will not commence or continue your treatment. Given we provide private, elective treatment, we also won’t provide treatment to you if we don’t have sufficient information to be able to recover the cost of the treatment you receive.
Your health records	We are required to maintain records of treatment provided as a regulated provider of health services.	Article 6(1)(c) GDPR – compliance with legal obligations – see the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.	No. But you can tell us if there is information you think is inaccurate or incomplete.
Your health records	We may use information to undertake internal (and sometimes external) audits of care and treatment. We may sometimes need to use your health records as part of matters relating to the employment or engagement of our staff.	Article 6(1)(f) GDPR – legitimate interests. There is a compelling legitimate interest, recognised by the GMC, in undertaking local audits of the quality of care provided. Audits are undertaken in confidence and the processing of data is not used to make decisions about particular patients.	Not normally. We need to make use of a comprehensive cross-section of patient records for this purpose. Where possible, we use anonymised or statistical information.
Your health records or other health information.	Compliance with requests or requirements from our regulator, the CQC, during inspections; requests from the professional regulators of our staff (for instance, the GMC, NMC); requests from law enforcement bodies; or information shared for safeguarding purposes.	Article 6(1)(c) - legal obligations; Article 6(1)(e) – the processing is necessary for the discharge of official authority or in the public interest.	No, and most regulators have legal powers to require us to provide information. Typically, however, you would be asked for your views by us or the regulator concerned prior to any disclosure being made. We may not be able to tell you about the supply of information to certain law enforcement bodies if doing so would, for instance, prejudice the prevention or detection of crime.
Your age, gender, ethnicity or race; your diagnosis (what you are receiving treatment for); certain other information about your state of health; the procedure you have undergone; the date you came into hospital, and the date you left; your postcode.	Complying with our obligations to provide information as part of the Private Health Information Network – a national requirement to collect and publish information about the activity and performance of hospitals and doctors providing private hospital care.	Article 6(1)(c) – compliance with a legal obligation.	No. All private hospitals are required to collate and provide this information.
If you receive certain kinds of treatment involving implants or joint replacements, we supply certain information about the procedure and any implant used (for instance, its model/serial number) to national registries. In some cases we are asked by the registries to provide additional data, including your: • name • date of birth • gender • home address postcode • NHS number or national patient identifier	Supply of information to joint and implant registries.	Article 6(1)(e) – the public interest. There is a strong public interest in improving patient safety and maintaining a long-term record of the effectiveness of particular implants. Article 6(1)(a) – consent.	To a degree. Giving consent for additional personal details to be held in registries is voluntary, but for the registries to be most effective, they need to collect as many records as possible that include patient personal details.
Your contact details and summary information about the procedure you received (for instance, when it took place, and what the procedure was).	We send our patients surveys and questionnaires to find out about their experience of our services to help monitor quality and evidence improvements.	Article 6(1)(f) – the processing is in our legitimate interests.	Yes. You can tell us if you don’t want to receive surveys.
Your contact details	Sending you information about our services, and any offers you may be interested in.	Article 6(1)(f) – the processing is in our legitimate interests.	Yes. You can tell us if you do not want to receive marketing communications at any time.
Specific health information	We may ask patients if they wish to participate in medical research projects.	Article 6(1)(a) – consent.	Yes. Your participation in medical research is entirely voluntary. Your clinician will talk to you if she or he would like you to take part in a research project.
Images captured in CCTV footage	We make use of CCTV to record public areas of the hospital, for the purposes of prevention and detection of crime, to promote the safety of staff and patients, and to protect property.	Article 6(1)(f) – the processing is in our legitimate interests.	No.

In more detail: sensitive information

Where we handle health information or other sensitive information (which in legal terms is known as ‘special category data’), the legal basis for this is largely that which is set out in Article 9(2)(h) GDPR – the delivery and management of healthcare services (which is also provided for in Schedule 1 paragraph 2 of the Data Protection Act 2018). In some instances, the legal basis will be that our use of your information:

is necessary to establish, exercise or defend our legal rights or those of other people;
is to comply with a statutory or other legal obligation, as set out above;
supports equality monitoring;
is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response a complaint, regulatory request from the Care Quality Commission or a professional regulator); or
is because we have your permission (consent) – but we will only ask for this if there is a genuine choice on your part, will tell you if your choices may have negative impacts for you, and will respect your wishes.

In more detail: our ‘legitimate interests’

As set out above, we process personal data for a number of ‘legitimate interests’, as part of managing our relationship with you and your funders, for marketing, service and quality improvement, and in order to establish our legal rights. In general terms, we have determined that processing your information in the following ways (and the set-up of our systems and processes) is compatible with your rights and interests:

Managing our relationship with you, our business, third parties we work with, and those who fund your treatment;
Investigating any concerns about the treatment you have received, and assessing the quality of the service we provide;
Offering you additional services which we think may be of interest to you;
Establishing, exercising and defending our legal rights, and adhering to law and good practice in the delivery of services.

CCTV

CCTV is used for maintaining the security of property and premises and for preventing and investigating crime. The information processed includes visual images, personal appearance and behaviours. This information may include images of employees, patients, consultants and members of the public entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves or the police.

Telephone recordings

All telephone calls are recorded.

New Victoria Hospital website

Your personal details will be collected when completing a booking or enquiry form on newvictoria.co.uk. The data collected is encrypted and password protected. Data can only be accessed via a secure/encrypted internet connection. Data is held on the website until your query has been responded to and then deleted.

The NVH website uses cookies. A comprehensive Cookie Policy is available at https://www.newvictoria.co.uk/cookie-policy/

Privacy Details for GPs and allied health professionals

NVH collects and processes personal data of GPs and AHPs. The Privacy Policy for GPs and AHPs is available at www.newvictoria.co.uk/gp-zone/privacy-policy-gps-ahps

What NVH does to ensure your personal data is secure

NVH is registered with the Information Commissioner’s Office (ICO) as a data controller. The hospital’s registration number is Z7354295.

In order to keep your data secure the hospital abides by, and is accredited for the following standards:

ISO27001 (includes an annual external audit by the British Assessment Bureau).

NHS Data Protection Security Toolkit (includes an annual review).

Payment Card Industry Data Security Standards (PCI DSS) (includes an annual review).

The Hospital’s quality management system is ISO9001 accredited annually.

The National Data Opt-Out Service

If your care at New Victoria Hospital is funded by the NHS, we are required to share your data with them for the purpose of research and planning.

You have the right to request that your identifiable data is not shared with them. If you do so, we will not provide them with your NHS number or postcode.

You can opt out by contacting [email protected].

Reporting concerns regarding NVH’s management of your data

If you have any concerns regarding the management of your data please contact the hospital’s Data Protection Officer. You have a right to make a complaint to the ICO at any time.

Contact details

Our Data Protection Officer can be emailed at [email protected]

Issue: May 2024

Review: May 2025