There are many ways you can contact us, including by phone, email and post. More information is on our contact us page.

Pippa Whitfield is our Data Protection Officer (DPO) and if you have any concerns regarding how your data is processed please contact:

Wye Valley NHS Data Protection Officer
Wye Valley NHS Trust
The County Hospital
Union Walk
Hereford
HR1 2ER

Email Pippa.Whitfield@wvt.nhs.uk
Phone 01432 364089

Wye Valley NHS - ICO Registration Number – Z2977999

The European Union General Data Protection Regulations (GDPR) came into force on 25 May 2018 along with the Data Protection Act 2018 which forms part of the UK data protection legislation. The EU legislation has since been amalgamated into UK law as the UK GDPR.

This legislation places greater emphasis on being accountable and transparent when handling information. Data Controllers have to abide by a number of requirements and some of them relate to:

• Information held
• Transparency and sccountability
• Individual's rights
• Subject access requests
• Lawful basis for processing personal data
• Consent
• Children
• Data breaches
• Data Protection by Design and data protection Impact Assessments
• Data Protection Officers
• International organisations and data

Personal and special category data

The GDPR/Data Protection Act 2018 covers personal and special category data (sensitive data) personal data is: 'Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

• Name
• An identification number
• Location data
• An online identifier to one or more factors specific to the physical
• Physiological data
• Genetic data
• Mental data
• Cultural or social identity of that natural person

Special category personal data (sensitive personal data) identifiers:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data and biometric data
• Data concerning health
• Data concerning a natural person's sex life or sexual orientation

Transferring personal data to countries outside of the UK

GDPR and The Data Protection Act 2018 legislation primarily applies to controllers and processors located in the UK. As the Trust and the subcontractors adhere to GDPR and the Data Protection Act 2018 no data should be transferred to another country outside of the UK, unless there is a national data agreement in place or specific written contracts and appropriate technical and organisational measures have been implemented.

Most of the information we process is provided to us directly by you so we can make informed decisions regarding your health. In order for us to do this it is necessary for us to collect and hold information about you. This information may relate to you, your family and any other person. Data may include your:

• Name
• Address
• Email address
• Date of birth
• Telephone number
• NHS number
• Hospital (RLQ) Number
• GP
• Next of kin contact details

Your information may include details about:

• Referrals
• Clinic visits
• Hospital admissions
• Reports about your health
• Treatment and care you need and have received
• Results of investigations
• X-rays
• Scans and laboratory tests
• Relevant information from other health professionals
• Details/comments of relatives or those who care for you and know you well

Wye Valley NHS Trust is obliged to retain your data in accordance with the Department of Health's Records Management Code of Practice 2021.

Under data protection law, you have various rights (depending on the reason why we are processing your information). If you contact us to exercise your rights, we will usually have a month to respond to you, though we may need to extend this if your query involves complexity to resolve it. You can contact the Trust to do this using the contact details below:
Data Protection Officer/Caldicott Guardian
Wye Valley NHS Trust
Monkmoor Court
31-34 Commercial Road
Hereford HR1 2DX
Tel: 01432 262064/065
wvt.subjectaccess@nhs.net

Your right of access

You have the right to ask us for copies of your personal information. This is known as a "subject access request". Please see our guidance at our Request a copy of your WVT records page. There is also guidance on the right of access from the Information Commissioner's Office.

Your correction and deletion of data rights

You have the right to request that your information is amended or erased in certain circumstances. Mistakes can be rectified however where your opinion differs from that of your health care professional, we will record your view as an addendum to your record. Your opinion will be shared whenever that part of your record is shared. Your record can only be amended where there is a factual inaccuracy. There is information from the Information Commissioner's Office on both correction of records and on deletion.

Right to data portability

You have the right to ask that we transfer the information you gave us to another organisation, or to you, where processing of your data is carried out under the processing condition of consent or performance of a contract. There is guidance from the Information Commissioner's Office on your right to data portability.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. There is guidance from the Information Commissioner's Office on your right to restriction of processing.

Consent

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw your consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.

Right to object

You have the right to object to the processing of your personal data on grounds relating to your particular situation. The right is not absolute and we may continue to use your data if we can demonstrate compelling legitimate grounds as to why we need to do so. There is guidance from the Information Commissioner's Office on your right to object.

Rights related to automated decision making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Your doctor, nurse or any other health care professional involved in your care will have access to information about you, which will be used to assess your health care needs and to plan your treatment. We will ensure that appropriate information about you is available if you see another health care professional, are referred to a specialist or another part of the NHS. We may use your contact information to remind you of your health checks (for example, clinic appointments, immunisations, cervical smears, breast screening or other treatment etc).

National opt-out service

The national data opt-out is a service that allows patients to opt out of their confidential information being used for research and planning.

Wye Valley NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• Improving the quality and standards of care provided
• Research into the development of new treatments
• Preventing illness and diseases
• Monitoring safety
• Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed, and the national data opt-out does not apply.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do choose to opt out your confidential patient information will still be used to support your individual care. Before any research or planning is undertaken though, our staff will ensure that the patients who have opted out from this are not included.

Find out more or to register your choice to opt out.

On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: NHS Health Research Authority - Patient information and health and care research (which covers health and care research) and Understanding Patient Data - What you need to know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

For data processing to be lawful under the GDPR and the Data Protection Act 2018, we are obliged to identify a lawful basis before we can process personal and special category data. We will process personal data under Article 6 and special category data under Article 9.

We may apply Article 6(1)(e) for lawful processing: 'for the performance of a task carried out in the public interest or in the exercise of official authority'.

We may apply Article 9(2)(h) for the processing of special category data, 'Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional'.

We may apply Article 6(1) (a) when the data subject's consent provides the legal basis for the processing of personal data.

The table below details other reasons why we may process data under the law.

So that we can provide you with high quality health care services we are required to collect and use your information to support you. Your data may sometimes be shared with relevant departments within WVT, other NHS organisations, authorities and sometimes it may be used for training and auditing purposes.

WVT are committed to processing your data in accordance with the law.

We may share information about you with the following agencies to support the delivery of your care:

• Department of Health
• Clinical Commissioning Groups (CCGs)
• Other providers involved in your care, such as hospitals
• General Practitioners (GPs)
• Ambulance Service
• Midlands Air Ambulance
• Mental health services
• Social services

We may share information about you without your consent if there are safeguarding or crime prevention investigations.

We may share your information, with (subject to strict sharing agreements):

• NHS Digital
• NHS England
• NHS Improvement
• Education services
• Local authorities
• Voluntary sector providers
• Private sector organisations

We may share our information about you with others to:

• Check the quality of treatment and advice provided to you
• Protect the health of the general public
• Manage the health service
• Investigate any concerns or complaints you or your family have about your healthcare
• Undertake research
• Undertake clinical audits

Herefordshire One Record

Herefordshire patients will soon benefit from an improved digital sharing system called Herefordshire One Record.

This will enable sharing of patient records between GPs and other health care professionals in the county to ensure patients get the best possible treatment when needed.

Patient information is often only available within a single organisation. Herefordshire One Record will allow health care professionals in multiple organisations in Herefordshire to view patient records.

The following organisations will soon have access to the electronic systems to share information:

• Herefordshire GP Practices
• Wye Valley NHS Trust
• St Michael's Hospice
• Taurus Healthcare (for extended and out-of-hours GP services)

In addition, Hereford and Worcester Health and Care will also have access to view the records shared by the above organisations.

Dr Ian Roper, NHS Herefordshire CCG GP Lead said: "Improving the care of patients is always going to be at the forefront of any health care professional's mind. Herefordshire One Record will enable staff of these organisations to access up-to-date records that are held by the other organisations.

"It means that medical staff involved in patient care (whether they are a GP, Practice Nurse, District Nurse or a Consultant at the hospital) can make more informed choices about the care and medical treatment needed by a patient.

"It also means that patients won't need to explain their medical history or conditions each time they see a different health care professional.

"Herefordshire One Record will save time and could potentially be life-saving in some circumstances."

Jane Ives, Managing Director for Wye Valley NHS Trust said: "Sharing data is essential if we are to provide the very best care to patients we can.

"Better information means better patient care. Herefordshire is working towards a vision of safer, secure and more efficient care and Herefordshire One Record will be a key enabler for this.

"Through this new digital system the quality of patient care will be improved through not only the better coordination but reducing the time spent updating health records on different systems by clinical teams and having to request information from other health care providers.

"It will assist with patient information being available in the right place at the right time. We also hope this will reduce admissions and readmissions and decrease duplicate testing. It will help our healthcare services in Herefordshire working in the most efficient ways possible.

Herefordshire One Record is part of a wider Herefordshire and Worcestershire Sustainability and Transformation Partnership (STP) digital strategy which aims to maximise and improve the way the NHS uses digital technology to enhance patient care as outlined in the NHS Long Term Plan. The Herefordshire One Record initiative is part of a longer term Herefordshire and Worcestershire programme to improve how information can be shared across care settings, the primary element of this stage of the One Herefordshire project has been to roll-out an Electronic Patient Record System (EMIS) across community teams, and making it possible to view primary and community care records in A&E.

Herefordshire One Record will roll out starting in Mid-September 2019. For more information visit Herefordshire One Record - Frequently Asked Questions. View the Herefordshire One Record Leaflet.

Patient Portal

The Patient Portal has been commissioned by the Herefordshire and Worcestershire Integrated Care Board and implemented by the Wye Valley NHS Trust to enable patients to view aspects of their medical record and to manage appointments online.

The Patient Portal is made available through a digital platform using IT suppliers called Intersystems Ltd, Rhapsody and Mindwave Ventures Ltd. The Wye Valley NHS Trust has written contracts in place directly with these companies as our data processors for the hosting, development and maintenance of the Portal by them. Wye Valley NHS Trust has carried out due diligence with the companies to ensure that technical safeguards, such as firewalls, malware and antivirus software are used to help ensure that your information is kept safe and only disclosed to people who are authorised to view it.

Your personal data will be processed in line with the UK GDPR and Data Protection Act 2018 for the purpose of facilitating patient access to clinical records and appointments. Your personal data will not be further shared unless the Trust is legally obliged to disclose it. Please note that access to the Patient Portal is voluntary.

The personal data which is made available through the Patient Portal is provided and stored on the Trust’s electronic patient record system. The Patient Portal processes the following personal data items: full name, address, date of Birth, NHS number, record of patient appointments and appointment letters.  Technical data processed includes Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

Patient healthcare records are held in accordance with the NHS Records Management Code of Practice 2021. All healthcare data cached (made visible to you) on the portal from the Trust’s electronic patient record systems are deleted 90 days after your account is deactivated.

The processing conditions for your data are for the performance of a task carried out in the public interest and for the provision of health care. Your data rights and your right to complain are explained in the other sections of the Trust privacy notice.

We protect your information in the following ways:

Training

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails

We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation

If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records management

All healthcare records are stored confidentially in a secure location.

Legislation

There are laws in place to protect your information, including the General Data Protection Regulation, The Data Protection Act 2018 and the Human Rights Act 1998.

Caldicott Guardian

Within each NHS organisation there is a designated person named the 'Caldicott Guardian' whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the Wye Valley NHS Trust is Dr David Mowbray.

We have a number of approved policies and procedure which we follow relating to the handling and processing of information. These policies will be available to view shortly:

• IG 03 Freedom of Information Policy
• IG 05 Confidentiality Code of Conduct Policy
• IG 08 Email Access and Use Policy
• IG 12 Data Protection Act Policy
• IG 64 Privacy Impact Assessment Policy
• IG 65 Subject Access Policy

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact:

Wye Valley NHS Data Protection Officer
Mrs Pippa Whitfield
Email pippa.whitfield@wvt.nhs.uk
Phone 01432 364089

If you are still dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You may contact the ICO helpline on 0303 123 1113.

Make a complaint directly to the ICO

The Freedom of Information Act 2000 (FOIA) gives members of the public certain rights to request information from public authorities.

Advice on making a Freedom of Information request

We make appropriate enquiries to trace relatives of patients who pass away at the hospital with no next of kin. For those who we are unable to trace, their details are forwarded on to: Government Legal Department, Bona Vacantia Division (BVD), PO Box 70165, London WC1A 9HG.

We do not hold any information on the value of any estate the person may have had, nor can we make any additional information available on individual cases through Freedom of Information requests.

Download the Government's bona vacantia estates referral form
View further information on bona vacantia

This privacy notice was reviewed in September 2023.

1. What is the GDPR?

The UK GDPR (General Data Protection Regulation) is the main data protection legislation in the UK, which is tailored by the Data Protection Act 2018.

2. What is the difference between the GDPR and the Data Protection (DPA) Act 2018?

The Data Protection Act 2018 fits alongside and supplements the UK GDPR, such as including exemptions from some of the rights and obligations in UK GDPR.

3. How does this affect current UK law on data protection (DPA 1998)?

The DPA 1998 has been completely repealed.

4. What are the penalties for non-compliance?

Fines under the GDPR are up to a maximum of €20 million or 4% of turnover. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important organisations ensure their compliance.

5. How does this affect me?

The GDPR strengthens the controls that organisations (controllers) are required to have in place over the processing of personal data, including pseudonymised personal data.

Headline impacts are:

• Appointment of Data Protection Officer (DPO) mandatory for all public authorities
• Organisations are obliged to demonstrate that they comply with the law
• Increased penalties for breaches of the Regulation
• Legal requirement for security breach notification
• No charges, in most cases, for providing copies of staff and patient records
• Requirement to keep records of data processing activities
• Data Protection Impact Assessments (DPIA) are required for high risk processing activity - which includes the large-scale processing of health-related personal data
• Data protection risks must be reviewed and addressed in information processes
• Transparency and fair processing requirements have been included
• Tighter rules are applied where consent is the lawful basis for processing

6. What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are in place when any new process, system or ways of working involving the use of high risk i.e. "health data" is introduced.

7. What/who is the Data Protection Officer (DPO)?

The DPO is responsible for monitoring the organisation(s) compliance with the GDPR. The DPO reports directly to an organisation's highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.

8. Who can be a DPO?

Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are 'public authorities' taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest.

9. Do you need to re-seek consent if already obtained for the purposes of sharing data?

• It will not be necessary to seek new consent if your existing consents are GDPR compliant although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.
• If your existing consents do not meet the GDPR's requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair (for example that the data subjects rights and freedoms are not undermined through a change in processing), or stop the processing
• Any exercise to contact individuals to refresh consent must comply with the Data Protection Act and Privacy and Electronic Communications Regulations (PECR)

10. How will the right to erasure be applied in a healthcare setting?

• A data subject's right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate areas under the GDPR where processing can lawfully continue and such a request refused. For example, where there is a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• There are other instances such as public interest in the area of public health (related to specific articles) or archiving
• This right aims to strengthen the ability to remove information made available online especially when made public by a child and making this right available when they are an adult
• A request from a data subject exercising this right should be taken seriously and reviewed on a case by case basis. Where it is legitimately not possible to erase the information, this should be communicated to the data subject promptly as per the requirements under Article 15 (right of access)

11. Is there a standard format to releasing information to the patient?

No. The GDPR describes what information should be provided to the patient but not the format of how it should it be provided.