
Protecting your data

Introduction

  • We respect your privacy and are committed to protecting your personal data. 
  • This privacy notice sets out details of the data that we may collect from you and how we may use that information. A separate privacy notice explains how we handle your personal data if you are a patient here.
  • This privacy notice also tells you about your privacy rights and how the law protects you. We have a legal duty under the Data Protection Act 2018 (“DPA 2018”) and General Data Protection Regulation (Regulation EU 2016/679) ("the GDPR") to handle your information in certain ways. 
  • This privacy notice is provided in a layered format so you can click through to the specific areas set out below.
  • Please take your time to read this privacy notice carefully.

About us

  • In this Privacy Policy we use "we" or "us" or "our" or "Berkshire Healthcare" to refer to Berkshire Healthcare NHS Foundation Trust (which is a statutory public benefit corporation established under the National Health Service Act 2006 (as amended)).

Our data protection officer and how to contact us

  • Berkshire Healthcare NHS Foundation Trust ("Berkshire Healthcare") is the data controller for the information we collect about you.
  • The Data Protection Officer ("DPO") for Berkshire Healthcare is the Clinical Information Governance Manager.  If you have any questions about this privacy notice, please contact the Data Protection Officer using the details set out below:

Email: information.governance@berkshire.nhs.uk

Postal address:

Berkshire Healthcare NHS Foundation Trust

Fitzwilliam House

Skimped Hill Lane

Bracknell

Berkshire

RG12 1BQ

Telephone number: 01344 415600

Changes to this privacy notice and your duty to inform us of changes

  • This privacy notice was last updated on 24th May 2018 and historical versions can be obtained by contacting us.
  • It is important that the personal data we hold about you is accurate and current. This is of particular importance if you are a patient.  Please keep us informed if your personal data changes during your relationship with us.

Complaints about how we handle your information

  • You have the right to make a complaint at any time to the Information Commissioner's Office ("the ICO"), the UK supervisory authority for data protection matters (website: ico.org.uk / address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF / telephone: 0303 123 1113). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.  If you wish to contact us to make a complaint, you can do so by contacting our Chief Executive, whose contact details are as follows:

Email: BHCT.complaints@berkshire.nhs.uk

Address: as above 

Phone: 01344 415662

This privacy notice aims to explain:

  • Why do we collect data about you?
  • What data do we collect about you?
  • How do we collect your information?
  • What are the purposes for which your data is used?
  • Who do we share your data with?
  • How long do we keep your data for?
  • What are your rights?

 Why do we collect data about you?

  • In general terms, we collect and process your data for the purposes of healthcare. We will collect and process data for other purposes, including those which are incidental to the provision of healthcare and for research purposes.

What data do we collect about you?

  • The data that we collect will depend on your relationship with us.
  • We may use “sensitive personal information” (otherwise known as "special categories of data") about you, such as information relating to your physical and mental health. For example, if you are a patient we will need to use information about your health in order to treat you.
  • If you provide personal information to us about other individuals you should inform the individual about the content of this privacy notice. We will process such information in accordance with this privacy notice. 

Personal information

The personal information we hold about you may include the following:

  • Name, address, date of birth.
  • Telephone numbers.  
  • Next of kin / emergency contact.  

Sensitive Personal Information

The sensitive personal information we hold about you may include the following:

  • Details of your current or former physical or mental health. This may include information about any health care you have received or need, including about clinic and hospital visits and medicines administered.
  • Details of services you have received from us.
  • Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives.
  • Details of your race and/or ethnicity.  
  • Details about any disabilities.
  • Details about your language preferences. 
  • Details of your religion.  
  • Details of any genetic data or biometric data relating to you.
  • Data concerning your sex life and/or sexual orientation.

The confidentiality of your medical information is of paramount importance to Berkshire Healthcare.  We therefore make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health.  We provide further details about this in our patient privacy notice here

How do we collect your information?

  • How we collect your information will depend on your relationship with us. In general terms, we will collect personal data from you in a number of different ways as is explained below.  

Directly from you

Information may be collected directly from you when:

  • you submit a query to us including through our website, by email or by social media.
  • you correspond with us by email, telephone or social media.
  • you enrol as a patient (whether under NHS or other arrangements) with Berkshire Healthcare for the provision of healthcare services.
  • you use those services.
  • you complete forms (whether in electronic or hard copy form) regarding the provision of healthcare services.

From your use of our website

  • We will not use cookies to collect personally identifiable information about you.

From other healthcare organisations

Information may be collected from other healthcare organisations as follows:

  • medical records from your family doctor, your GP.
  • medical records from other NHS organisations (including Oxford University Hospitals NHS Foundation Trust, Royal Berkshire Hospital NHS Foundation Trust and Frimley Health NHS Foundation Trust) and private healthcare organisations.
  • Medical records include information about your diagnosis, clinic and hospital visits and medicines administered.

From third parties

Information may be collected from third parties as follows:

  • You are referred to us for the provision of services including healthcare services.
  • We liaise with your current or former family, employer, health professional or other treatment or benefit provider.
  • We liaise with your insurance policy provider.
  • We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us.
  • Government bodies, including local authorities and the police.

From publicly available sources

  • Information may be collected from publicly available sources, including information obtained through internet search engine results and social media sites.

In general, we may process your data for a number of different purposes. For each purpose we must have a legal ground for such processing.  When the information that we process is classed as a special category of personal data, which is the most sensitive form of personal data from a legal perspective, we must have a specific additional legal ground for such processing.

Generally we will rely on the following legal grounds:

  • Taking steps at your request so that you can enrol as an NHS patient or non-NHS patient in order to receive healthcare and related services from us.
  • For the purposes of providing you with healthcare. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you.
  • We have a legitimate interest to process your personal data and this interest is not overridden by your privacy rights. We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services. More detailed information about our legitimate interests is set out below.
  • We have a legal or regulatory obligation to process your data.
  • We need to use your personal data to establish, exercise or defend our legal rights.
  • It is in the public interest, in line with any laws that apply.
  • You have provided your consent to our use of your personal data. Ordinarily, we will only ask you for permission to process your personal information if there is no other legal reason to process it. You have the right to withdraw your consent at any time.

Legitimate interests

We may process your data for a number of legitimate interests in circumstances where these interests are not overridden by your privacy rights.  We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services.  Taking into account your privacy rights, our legitimate interests include:

  • To manage our relationship with you and third parties who provide services for us.
  • To keep our records up to date.
  • To monitor how well we are meeting your clinical and non-clinical performance expectations.
  • To take part in, or be the subject of, any transfer or termination of functions in respect of Berkshire Healthcare.

You will find details of our legal grounds for each of our processing purposes below.  

Purpose 1: to set you up as a patient on our systems including carrying out any regulatory checks or checks required by law

Legal grounds:

  • Taking the necessary steps so that you can enrol as an NHS patient or non-NHS patient with us for the delivery of healthcare-related services.

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.
  • The use is necessary for the purposes of preventative or occupational medicine.

Purpose 2: to provide you with healthcare and related services

Legal grounds:

  • Providing you with healthcare and related services

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.
  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
  • Fulfilling any contractual obligations for the delivery of healthcare and related services to you.

Purpose 3: Communicating with you and resolving any queries or complaints that you might have.  Communicating with any other individual that you ask us to update about your care

Legal grounds:

  • Providing you with healthcare and related services
  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • Fulfilling any contractual obligations for the delivery of healthcare and related services to you.

Purpose 4: Complying with our legal or regulatory obligations

Legal grounds:

  • The use is necessary in order for us to comply with our legal obligations.
  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • The use is necessary for reasons of substantial public interest.

Purpose 5: Providing improved quality, training and security (for example, in relation to recorded or monitored phone calls to our contact numbers)

Legal grounds:

  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • The use is necessary for reasons of substantial public interest.

Purpose 6: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (for example, tax or legal advice)

Legal grounds:

  • We have a legitimate interest to use your data which does not overly prejudice you.

Purpose 7: For medical research purposes 

Legal grounds:

  • We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy.

Additional legal grounds for sensitive personal information:

  • The processing is necessary in the public interest for statistical and scientific research purposes.
  • You have provided your consent.

Purpose 8: For account settlement purposes

Legal grounds:

  • Providing you with healthcare and related services
  • Fulfilling our contract with you for the delivery of healthcare and related services.
  • We have a legitimate interest to use your information which does not overly prejudice you.

Purpose 9: For Trust Membership

Legal basis:

  • The use is necessary for the performance of a public task   

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.

Purpose 10: For Talent Pooling

Legal basis:

  • The use is necessary for the performance of a public task  
  • We have a legitimate interest to use your data which does not overly prejudice you.

We may disclose your information to the third parties listed below for the purposes described in this privacy notice.

  • A doctor, nurse, carer or any other healthcare professional involved in your treatment.
  • Other members of support staff involved in the delivery of your care, like receptionists and porters.
  • Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin, carer, or your legal adviser.
  • NHS organisations, such as other NHS foundation trusts.
  • Other healthcare providers.
  • Third parties who assist in the administration of your healthcare, such as insurance companies.
  • Your GP or those GPs involved with your care.
  • Our regulators, including the Care Quality Commission, and for the purpose of our clinical audits.
  • Other bodies involved in the management of the NHS, including the NHS Counter Fraud Authority.
  • Government bodies, including departments (such as the Department for Work and Pensions) and local authorities.
  • Schools and other educational providers in connection with healthcare related matters.
  • Emergency services, including police forces.
  • HM Prison Service and the National Probation Service.
  • The police and other third parties where reasonably necessary for the prevention or detection of crime.
  • Our third-party service providers, such as auditors, lawyers and document management providers.
  • Selected third parties in connection with any transfer or termination of our functions.

Where we regularly share information, we are required to have in place information sharing agreements. We provide further details on our information sharing agreements here

In some circumstances we may also anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

International transfers

We do not transfer your personal data outside the European Economic Area ("EEA").

  • We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this privacy notice and in order to comply with our legal and regulatory obligations.
  • If you are a patient of Berkshire Healthcare, information relating to your current or former healthcare will be retained in accordance with our patient privacy notice (a link to which can be found here).
  • Non-clinical information is retained in accordance with our retention policy (a link to which can be found here).
  • Where your records are stored electronically Berkshire Healthcare has ensured that the storage facilities are secure and in line with Information Security principles (ISO27001) within the United Kingdom or EEA.

Under certain circumstances, you have rights under data protection law in relation to your personal data.  These are:

  • To be informed why, where and how we use your information – this is detailed in this privacy notice statement.
  • To ask for access to your information – You can request a copy of the information we hold about you by downloading this form. The information will be assessed and may have information provided by third parties or about third parties removed before it is given to you. The Berkshire Healthcare Subject Access Request policy is available by contacting the DPO at the address on this page.
  • To ask for your information to be corrected if it is inaccurate or incomplete. – If you think any information about you held by Berkshire Healthcare is incorrect, please discuss this with the service you are accessing either in person when attending an appointment, or by contacting the Data Protection Officer. We will discuss the changes with you and write to you to explain our decision.
  • To ask for your information to be deleted (also known as the right to erasure) or removed where there is no need for us to continue processing it. In some circumstances, we must delete your personal information if you ask us to, but in many other circumstances, where we have a valid legal reason to retain your personal information, we do not have to comply with requests to delete personal information.
  • We will not usually delete healthcare related data before the expiration of any relevant retention period (see above). We may also need to retain data for regulatory purposes. We do not have to comply if we need to retain your personal information in case you make a legal claim against us.
  • To ask us to restrict the use of your information. In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information.  For example, we do not have to comply if we need to use your personal information to defend a legal claim against us.
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information. In some circumstances, we must transfer personal information that you have provided to us to you or, if this is technically feasible, another individual or organisation of your choice. The information must be transferred in an electronic format. 
  • To object to how your information is used. – Where your information is used for research or statistical purposes you can object to it being processed for this purpose. Please make requests in writing to the Data Protection Officer or to the Berkshire Healthcare service you have used advising what changes you would like. Berkshire Healthcare does not participate in direct marketing and will never pass your information to anyone for this purpose.
  • To challenge any decisions made without human intervention (automated decision making) – information about your health may be entered into clinical applications to provide health recommendations, but we will never carry out automated decision making that prevents healthcare or requires you to enter into a legal contract.
  • To withdraw consent where Berkshire Healthcare has relied on this as a condition for processing.

If you wish to exercise any of the rights set out above, please contact us using the details here

Fee

  • You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

  • We are obliged by law to respond to all legitimate requests within one month unless your request is particularly complex or you have made a number of requests. In this case, we can take an extra two months to respond to the request and consider charging a fee. If this is the case we will notify you and keep you updated.

 

In addition to sharing with the organisations listed in section E, Berkshire Healthcare will enter into sharing agreements with other organisations to share clinical information where there is a defined purpose for sharing identifiable information to assist with your healthcare, or unidentifiable information (known as anonymised data) to assist with healthcare services analysis. The following is a list of sharing agreements Berkshire Healthcare have entered into.

| Which Berkshire Healthcare service is sharing? | Project Name (if applicable) | Who is the information shared with | What is being shared? | Why is it being shared? |
|---|---|---|---|---|
| Adult & Older Adult Social Care | | Royal Borough of Windsor Maidenhead local authority & Optalis | Patient personal and sensitive information of the Adults and Older Adults caseload in the Windsor and Maidenhead locality | To provide an integrated assessment and joint intervention and care plan which covers health and social care needs of patients. |
| Criminal Justice Liaison & Diversion Services | | Thames Valley Police | Patient personal and sensitive information shared on a case by case basis on request from Thames Valley Police | Try to reduce reoffending through diverting people with mental health/learning difficulties alongside drug and alcohol misuse away from the criminal justice system and providing specialist support. |
| Urgent Care Health Hub | | Slough Borough Council | Patient personal and sensitive information shared on a case by case basis | To facilitate a coordinated and multi-agency response for Slough residents aged 18 years and above, who have been identified in need of a social care intervention. |
| Diabetes Service | | Frimley Health NHS Foundation Trust | Patient personal and sensitive information can be accessed by Frimley Health Midwifery employees | To ensure that diabetes information is available to midwives in East Berkshire. |
| Maidenhead Health Visitors | | Royal Borough of Windsor & Maidenhead | Patient personal and sensitive information, all patients on the Maidenhead Health Visitors caseload | Royal Borough of Windsor & Maidenhead Local Authority are contracted to provide HV services in Maidenhead |
| Information Management & Technology | | Oxford Academic Health Science Network | De-identified patient statistics | The data will be used for analysis of patient caseload for Early Intervention in Psychosis Services to improve quality |
| Information Management & Technology | Share Your Care | Royal Berkshire NHS Foundation Trust; Frimley Health NHS Foundation Trust; Berkshire GP Surgeries; Berkshire Local Authorities; Royal Berkshire Ambulance Service | Patient personal and sensitive information uploaded to shared clinical system | To improve patient care by sharing information |
| Multiple Services | | Sport in Mind (Reg. Charity No 1161323) | Patient personal and sensitive information shared via a referral | To promote mental health wellbeing, aid recovery and improve physical health of patients |
| Health Visiting | | South, Central & West Commissioning Support Unit | Patient personal and sensitive information routinely shared | CSWCSU is commissioned to provide Child Health Services for Berkshire |
| No specific service, information will be provided based on the location of the emergency. | Thames Valley Local Resilience Forum | Thames Valley Police | Patient personal and sensitive information in the event of an emergency situation only. | To identify vulnerable people in the event of an emergency situation |
| Looked After Children (LAC) Team | Slough Multi Agency Safeguarding Hub (MASH) | Slough Children’s Trust Services; Slough Borough Council – Housing and Environment Services; Slough Borough Council – Adult Social Care; Thames Valley Police; Slough Health Clinical Commissioning Groups; National Probation Service | Patient personal and sensitive information shared on a case by case basis | To assist in identifying and assessing risks to children's wellbeing and welfare in the Slough area |
| Looked After Children (LAC) Team | Wokingham Multi Agency Safeguarding Hub (MASH) | Wokingham Borough Council; Thames Valley Police | Patient personal and sensitive information shared on a case by case basis | To assist in identifying and assessing risks to children's wellbeing and welfare in the Wokingham area |
| Looked After Children (LAC) Team | Royal Borough of Windsor & Maidenhead Multi Agency Safeguarding Hub (MASH) | Royal Borough of Windsor & Maidenhead; Thames Valley Police; The Dash Charity | Patient personal and sensitive information shared on a case by case basis | To assist in identifying and assessing risks to children's wellbeing and welfare in the Windsor & Maidenhead area |
| Looked After Children (LAC) Team | Reading Multi Agency Safeguarding Hub (MASH) | Reading Borough Council; Thames Valley Police; Thames Valley Community Rehabilitation Company; National Probation Service; Berkshire Women’s Aid | Patient personal and sensitive information shared on a case by case basis | To assist in identifying and assessing risks to children's wellbeing and welfare in the Reading area |