Medway Foundation Trust Privacy statement 2016
, set out the basis on which we will process any personal information we collect from you or that you provide to us.
What information we keep about you and how we use it.
When you are a patient of the Trust we collect and keep your health and personal information confidential. This may include:
- basic details about you e.g. your address, date of birth or next of kin and how you want us to contact you
- your contact with us e.g. visits to clinics
- the notes of your treatment
- results of investigations including x-rays or laboratory tests
- if you contact us in writing, we will keep a record of that correspondence
We use your information to provide you with the best of care.
Sharing information with other organisations
In the main, we will not share your personal data without consent unless we have a duty to ensure your personal health and well-being.
There are some circumstances where we may share information, for example:
- where we have agreements with other organisations for sharing information. An example of this may be where you as a patient, move from our care to community care;
- with local authorities and particularly Medway Council under the Child Protection-Information Sharing (CPIS) scheme to protect the safety and well-being of vulnerable and looked-after children;
- with Virgin Care Services where they provide community care in Swale and Sheppey community hospitals;
- under section 251 of the NHS Act 2006 to support essential medical research where it is not possible to use anonymised information and where obtaining consent is not practical. We may only share information under section 251 with bodies that are approved to receive such information. For more details please visit the Health Research Authority website;
- where we are required by law to report information to appropriate authorities e.g.
- when a baby is born
- where an infectious disease may endanger the safety of others
- we can pass on personal data without consent to the police, to prevent and detect crime
- to produce anonymised statistics
Sending information abroad
The Trust sends very little information overseas. Where we do, we check to ensure that the companies that we use have excellent information security standards and practice.
How we keep your information safe and secure
The Trust takes the protection of your personal information seriously.
All our staff are regularly trained on the steps needed to keep patient information safe and secure. Staff are only able to access patient information on a ‘need to know’ basis.
The Trust ensures that patient information is stored and accessed securely, this means that our staff use passwords and other security measures to ensure that the ‘need to know’ philosophy is maintained.
We use technical security measures (such as data encryption) in combination with strong passwords and physical measures (such as Smartcards - these are special cards similar to an “Oystercard” that are held by staff and identify who the member of staff is and what systems they can access) to prevent unauthorised access to patient information. Passwords must be changed regularly and this is enforced by the systems.
In addition, the Trust employs other tools to guard our network and the devices on the network. Anti-Malware software is used by the Trust and the Network is monitored and managed to ensure that only devices belonging to the Trust can access the network and information. The Trust also has the benefit of two data centres such that patient information is fully protected in the event of failure of a single data centre.
Use of CCTV and body-worn cameras
The Trust has CCTV deployed around the site in order to manage and investigate the following circumstances:
- alleged security incidents, theft, assault or baby abduction on Trust premises
- staff, visitor and patient safety
- investigation of traffic incidents or congestion on the Trust site
- supporting the management of a fire or major incident alert
- the security of Trust premises
- investigation of persons acting suspiciously on Trust premises
CCTV images are retained for 28 days only.
Images are only viewed by Trust personnel, but images may be shared with the police to aid the investigation or prosecution of criminal activities within Trust grounds and premises.
Traffic enforcement officers and security personnel wear body-worn cameras that record both sound and images. Before cameras are activated staff will formally advise that they are going to do so. Images and sound will be used in the prevention and de-escalation of security incidents; patient, visitor and staff safety; traffic and parking enforcement; and the investigation of persons acting suspiciously on Trust premises.
Images and sound recording from body-worn cameras are retained for 28 days only.
How long do we keep your information for?
The time we keep information for can vary depending on treatment and the type of record. In the main we keep adult patient records for 8 years after a patient is discharged, but this time can extend up to 30 years for example where someone is diagnosed with cancer we will keep the record for 30 years from the time of diagnosis.
Visitors to our website
When someone visits www.medway.nhs.uk, we use a third party service, Google Analytics, to collect standard Internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Our website search function powered by Sitekit
. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either the Trust or any third party.
Calling us via our switchboard
When you call the Trust switchboard on 01634 830000 the number, time and date of your may be recorded – call content is not recorded.
People who email us
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
People who make a complaint to us
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for ten years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
If you apply to work at the Trust, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Scheme (DBS)
we will not do so without informing you beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once you join the Trust as an employee, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment. If you subsequently leave our employ, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
Access to personal information
We try to be as open as possible in terms of giving people access to their personal information. You can find out what information we may hold about you by making a ‘subject access request
’ under the Data Protection Act. If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form
To make a request to the Trust for any personal information we may hold you need to put the request in writing to our Information Governance Team (by email to firstname.lastname@example.org
), or write to the address provided.
If you disagree with the content of the disclosure, you may ask that the Trust’s Senior Information Risk Officer review the actions we’ve taken.
If, after an internal review you are still dissatisfied, you may escalate your concerns to the Information Commissioners Officer. The Information Officer is the regulatory body with responsibility for the Data Protection Act and can be contacted:
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 16 December 2016.
How to contact us
The Information Governance Team
Deceased Records Office
Medway Foundation Trust