Enquiries: 01305 251150

This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services. We are the controller for your information. A controller is responsible for the data and decides on why and how information is used and shared.

You can find more detailed information about how we process your information for the following specific purposes here:

  • Research - Dorset County Hospital NHS Foundation Trust are part of the Clinical Research Network Wessex. Find out how health researchers use information. Read our Research team's privacy notice here. They rely on the lawful basis in Article 6(1)(e) and Article 9(2)(j) to screen patients for involvement in research and trials, then will involve you on an informed consent basis.
  • Employees (including volunteers) – Read the privacy notice here. To process personal data we rely on Article 6(1)(a) Consent, 6(1)(b) Contract, 6(1)(c) Legal obligation, 6(1)(e) Public task, and Article 9(2)(b) for special category data.
  • The Dorset County Hospital Charity has their own privacy notice here. The Charity do not obtain any personal information from our health care services. They rely on Article 6(1)(f) to process personal data, and Article 9(2)(d) if they require special category data.

Our contact details

Dorset County Hospital NHS Foundation Trust
Williams Avenue
Dorchester
Dorset, DT1 2JY

General phone number: 01305 251150

General inquiries email address: headquarters@dchft.nhs.uk

Website: https://www.dchft.nhs.uk

Data Protection Officer contact details

Our Data Protection Officer is Diane Gravett, and she is responsible for monitoring our compliance with data protection requirements. You can contact her with queries or concerns relating to the use of your personal data at informationgovernance@dchft.nhs.uk

The Legal bit

UK GDPR and Data Protection Act 2018

There are six core Principles to data protection legislation:

  1. personal data must be processed lawfully, fairly and transparently
  2. personal data must be collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes
  3. personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. personal data must be accurate and up to date
  5. personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. personal data must be processed in a manner that ensures security, integrity and confidentiality, including protection against unauthorised or unlawful processing, and accidental loss, destruction or damage, using appropriate technical or organisational measures.

How do we get your information and why do we have it?

The personal information we collect is provided directly from you, or your carer for one of the following reasons:

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
  • you have sought funding for continuing health care or personal health budget support
  • you have applied for a job with us or work for us
  • you have signed up to our newsletter/patient participation group
  • you have made a complaint.

We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations involved in your care so that we can provide you with care, e.g. GPs
  • from family members or carers to support your care.

What information do we collect?

Personal information
Personal information is any information that can be used to identify a living person. For example, an individual's email address, telephone number, or NHS number.

We currently collect and use the following personal information:

  • identity details - name, date of birth, NHS Number
  • contact details - address, telephone number, email address
  • 'next of kin' - the contact details of a close relative or friend.

More sensitive information
The UK GDPR gives extra protection to more sensitive information known as ‘special category data’.  Information concerning health and care falls into this category and we need to treat it with greater care.

We process the following, more sensitive, data (including special category data):

  • data concerning physical or mental health, for example:
    • details of any Emergency Department visits, in-patient stays or clinic appointments
    • results of any scans, X-rays and pathology tests
    • details of any diagnosis and treatment given
    • information about any allergies and health conditions
    • information about any DNACPR decisions, living wills, etc.
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • biometric data (where used for identification purposes)
  • data revealing religious or philosophical beliefs
  • data relating to criminal or suspected criminal offences related to health issues or police investigations.

Article 35 of the General Data Protection Regulation requires that a data controller carries out a data protection impact assessment (DPIA) if the processing of any personal or sensitive data is likely to result in a high risk to the rights and freedoms of natural persons. As stated in the Trust's Data Protection and Confidentiality Policy, DPIAs are conducted for any new system, process or data sharing to ensure that your information is processed lawfully, securely and using the minimum amount of data required to achieve the desired purposes.

If you have any queries, please contact our Data Protection Officer at informationgovernance@dchft.nhs.uk

Who do we share information with?

We may share information with the following types of organisations:

  • hospitals, community care teams, care homes
  • third party data processors (such as IT systems suppliers)
  • planners of health and care services (such as Integrated Care Boards)
  • NHS Partners within Dorset Integrated Care System and suppliers providing some of those shared care services to you.

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information.

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults.

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include complying with the law and public interest reasons.

Is information transferred outside the UK?

The Trust does not routinely transfer data outside of the European Economic Area and will assess any ad hoc transfers against adequacy (GDPR Article 45) and appropriateness of safeguards and data protection (GDPR Article 46) of the country of transfer. An adequacy agreement is in place with the EU to allow the UK to continue secure data sharing with EU countries.

Any data that is hosted in any other country is only available to our staff and technical support staff.  All such data is protected by secure technical processes with robust data privacy and information security clauses in all contracts.

What is our lawful basis for using information?

Personal information
Under the UK General Data Protection Regulation (UK GDPR), Article 6, the lawful basis we rely on for using personal information will be at least one of these:

(a) We have your consent - this must be freely given, specific, informed and unambiguous. For example: to communicate with you by email, or for the use of website cookies, or specific Research and other programmes following discussion with your clinician. You have the right to change your mind at any time and can withdraw consent for us to use your personal data for these purposes by emailing informationgovernance@dchft.nhs.uk

(b) We have a contractual obligation - between a person and a service, such as a service user and privately funded care home.

(c) We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.

(e) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

(f) We have a legitimate interest - for example, a private care provider making attempts to resolve an outstanding debt for one of its service users.

More sensitive data
Under UK GDPR, Article 9, the lawful bases we rely on for using information that is more sensitive (special category) include:

(b) We need it for employment, social security and social protection reasons (if authorised by law). See this list for the most likely laws that apply when using and sharing information in health and care.

(f) We need it for a legal claim or the courts require it.

(g) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care. (Consent is rarely required for special category data in health and care.)

(i) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(j) For archiving, research and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service.

How do we store your personal information?

Your information will mostly be stored at the Trust, either physically or on secure servers. Some information may be stored securely in the Cloud, and a small proportion may be stored on some suppliers’ secure servers, depending on the service they provide to support your healthcare. All contracts have clauses that control the access, movement and storage of data, and any companies with servers in the E.U. and, very rarely, further afield have additional clauses to ensure the same levels of protection. Any data shared is retained to the same timescales, and returned or destroyed at the end of the contract.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code; for example, we will securely dispose of your information by shredding paper records or wiping hard drives to legal standards of destruction.

Standard retention periods

  • health records are retained for eight years or more, depending on the specific conditions or treatments received by individuals, from the point of discharge or when the patient was last seen
  • paediatric records, including obstetrics and midwifery records, are retained for 25 years, or until the patient’s 26th birthday if the patient was 17 at the conclusion of treatment
  • deceased records are retained for eight years
  • staff records are kept in full for six years, then condensed to a summary file which is retained until the individual’s 75th birthday, or six years longer if they work beyond 75
  • our electronic records are managed with the same retention periods.

Non-standard retention periods

  • cancer and oncology records are retained for 30 years, or eight years after the patient has died
  • contraception, sexual health and genito-urinary medicine (GUM) records are retained for eight years, or 10 years if an implant or device is inserted
  • records of long term illnesses or an illness that may reoccur are retained for 30 years, or eight years after the patient has died.

Any non-standard retention periods can be found in the same policy.

What are your data protection rights?

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

If you wish to make a Subject Access Request for your medical record, please complete the form and email your request to subjectaccessrequest@dchft.nhs.uk

Or by post to:

Access to Health Records Administrator
Dorset County Hospital
Williams Avenue
Dorchester
Dorset
DT1 2JY

National data opt-out

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear lawful basis to use this information.  All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way and you can change your mind about your choice at any time. If you have signed up with the national data guardian opt out service, we will remove your details from any planning or research data set. However, if you are happy with this use of your information you do not need to do anything. (If you do choose to opt out, your confidential information will still be used to support your individual care.)

We apply the national data opt-out whenever we are using confidential patient information for planning or research purposes, but we do not apply it to such uses where an agreed exemption applies.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at informationgovernance@dchft.nhs.uk

Following this, if you are still unhappy with how we have used your data, you can then complain to the Information Commissioner’s Office.  The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Date of last review - January 2025

This privacy notice will be updated as and when there are changes to the law or a new sharing of data by us.  The date of next scheduled review is January 2026.