Protecting your data

  • We respect your privacy and are committed to protecting your personal data
  • This privacy notice also tells you about your privacy rights and how the law protects you. We have a legal duty under the Data Protection Act 2018 (“DPA 2018”) and General Data Protection Regulation (Regulation EU 2016/679) ("the GDPR") to handle your information in certain ways
  • This privacy notice is provided in a layered format so you can click through to the specific areas set out below
  • Please take your time to read this privacy notice carefully
  • This privacy notice sets out details of the data that we may collect from you and how we may use that information.

Read our separate privacy notice about how we handle your personal patient data (opens new browser tab)

Read about our secure email standard (opens new browser tab)

Read our guidance to protect yourself against fraud (opens new browser tab)

About us

In this Privacy Policy we use "we" or "us" or "our" or "Berkshire Healthcare" to refer to Berkshire Healthcare NHS Foundation Trust (which is a statutory public benefit corporation established under the National Health Service Act 2006 (as amended)).

Our data protection officer and how to contact us

Berkshire Healthcare NHS Foundation Trust ("Berkshire Healthcare") is the data controller for the information we collect about you.

The Data Protection Officer ("DPO") for Berkshire Healthcare is the Associate Director of Information Governance.  If you have any questions about this privacy notice, please contact the Data Protection Officer.

Post address

Information Governance Team
Berkshire Healthcare NHS Foundation Trust
London House
London Road
Bracknell
RG12 2UT 

Call 0300 365 6565

Email: information.governance@berkshire.nhs.uk

Changes to this privacy notice and your duty to inform us of changes

This privacy notice was last updated on 24 May 2018 and historical versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. This is of particular importance if you are a patient.  Please keep us informed if your personal data changes during your relationship with us.

Complaints about how we handle your information

You have the right to make a complaint at any time to the Information Commissioner's Office ("the ICO"), the UK supervisory authority for data protection matters.

Visit the ICO website (opens a new browser tab)

Call 0303 123 1113

We would however appreciate the chance to listen to your concerns before you approach the ICO, so please contact us in the first instance.  Your feedback helps us to continue improving our services.

You can find our complaints policy, and details about how to send a complaint to us.

Contact us to make a complaint

This privacy notice aims to explain:

  • Why do we collect data about you?
  • What data do we collect about you?
  • How do we collect your information?
  • What are the purposes for which your data is used?
  • Who do we share your data with?
  • How long do we keep your data for?
  • What are your rights?

Why do we collect data about you?

  • In general terms, we collect and process your data for the purposes of healthcare. We will collect and process data for other purposes, including those which are incidental to the provision of healthcare and for research purposes.

What data do we collect about you?

  • The data that we collect will depend on your relationship with us.
  • We may use “sensitive personal information” (otherwise known as "special categories of data") about you, such as information relating to your physical and mental health. For example, if you are a patient we will need to use information about your health in order to treat you.
  • If you provide personal information to us about other individuals you should inform the individual about the content of this privacy notice. We will process such information in accordance with this privacy notice. 

Personal information

The personal information we hold about you may include the following:

  • Name, address, date of birth.
  • Telephone numbers.  
  • Next of kin / emergency contact.  

Sensitive Personal Information

The sensitive personal information we hold about you may include the following:

  • Details of your current or former physical or mental health. This may include information about any health care you have received or need, including about clinic and hospital visits and medicines administered.
  • Details of services you have received from us.
  • Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives.
  • Details of your race and/or ethnicity.  
  • Details about any disabilities.
  • Details about your language preferences. 
  • Details of your religion.  
  • Details of any genetic data or biometric data relating to you.
  • Data concerning your sex life and/or sexual orientation.

The confidentiality of your medical information is of paramount importance to Berkshire Healthcare.  We therefore make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health.  We provide further details about this in our patient privacy notice.

How do we collect your information?

  • How we collect your information will depend on your relationship with us. In general terms, we will collect personal data from you in a number of different ways as is explained below.  

Directly from you

Information may be collected directly from you when:

  • you submit a query to us including through our website, by email or by social media.
  • you correspond with us by email, telephone or social media.
  • you enrol as a patient (whether under NHS or other arrangements) with Berkshire Healthcare for the provision of healthcare services.
  • you use those services.
  • you complete forms (whether in electronic or hard copy form) regarding the provision of healthcare services.

From your use of our website

  • We will not use cookies to collect personally identifiable information about you.

From other healthcare organisations

Information may be collected from other healthcare organisations as follows:

  • medical records from your family doctor, your GP.
  • medical records from other NHS organisations (including Oxford University Hospitals NHS Foundation Trust, Royal Berkshire Hospital NHS Foundation Trust and Frimley Health NHS Foundation Trust) and private healthcare organisations.
  • Medical records include information about your diagnosis, clinic and hospital visits and medicines administered.

From third parties

Information may be collected from third parties as follows:

  • You are referred to us for the provision of services including healthcare services.
  • We liaise with your current or former family, employer, health professional or other treatment or benefit provider.
  • We liaise with your insurance policy provider.
  • We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us
  • Government bodies, including local authorities and the police.

From publicly available sources

  • Information may be collected from publicly available sources including information obtained through internet search engines results and social media sites.

In general, we may process your data for a number of different purposes. For each purpose we must have a legal ground for such processing. 

When the information that we process is classed as a special category of personal data, which is the most sensitive form of personal data from a legal perspective, we must have a specific additional legal ground for such processing.

Generally we will rely on the following legal grounds:

  • Taking steps at your request so that you can enrol as an NHS patient or non-NHS patient in order to receive healthcare and related services from us.
  • For the purposes of providing you with healthcare. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you.
  • We have a legitimate interest to process your personal data and this interest is not overridden by your privacy rights. We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services. More detailed information about our legitimate interests is set out below.
  • We have a legal or regulatory obligation to process your data.
  • We need to use your personal data to establish, exercise or defend our legal rights.
  • It is in the public interest, in line with any laws that apply.
  • You have provided your consent to our use of your personal data. Ordinarily, we will only ask you for permission to process your personal information if there is no other legal reason to process it. You have the right to withdraw your consent at any time.

Legitimate interests

We may process your data for a number of legitimate interests in circumstances where these interests are not overridden by your privacy rights.  We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services.  Taking into account your privacy rights, our legitimate interests include:

  • To manage our relationship with you and third parties who provide services for us.
  • To keep our records up to date.
  • To monitor how well we are meeting your clinical and non-clinical performance expectations.
  • To take part in, or be the subject of, any transfer or termination of functions in respect of Berkshire Healthcare.

You will find details of our legal grounds for each of our processing purposes below.  

Purpose 1: to set you up as a patient on our systems including carrying out any regulatory checks or checks required by law

Legal grounds:

  • Taking the necessary steps so that you can enrol as an NHS patient or non-NHS patient with us for the delivery of healthcare-related services.

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.
  • The use is necessary for the purposes of preventative or occupational medicine.

Purpose 2: to provide you with healthcare and related services

Legal grounds:

  • Providing you with healthcare and related services

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.
  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
  • Fulfilling any contractual obligations for the delivery of healthcare and related services to you.

Purpose 3: Communicating with you and resolving any queries or complaints that you might have.  Communicating with any other individual that you ask us to update about your care

Legal grounds:

  • Providing you with healthcare and related services
  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • Fulfilling any contractual obligations for the delivery of healthcare and related services to you.

Purpose 4: Complying with our legal or regulatory obligations

Legal grounds:

  • The use is necessary in order for us to comply with our legal obligations.
  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • The use is necessary for reasons of substantial public interest.

Purpose 5: Providing improved quality, training and security (for example, in relation to recorded or monitored phone calls to our contact numbers)

Legal grounds:

  • We have a legitimate interest to use your data which does not overly prejudice you.

Additional legal ground for sensitive personal data:

  • The use is necessary for the purposes of preventative or occupational medicine.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • The use is necessary for reasons of substantial public interest.

Purpose 6: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (for example, tax or legal advice)

Legal grounds:

  • We have a legitimate interest to use your data which does not overly prejudice you.

Purpose 7: For medical research purposes 

Legal grounds:

  • We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy.

Additional legal grounds for sensitive personal information:

  • The processing is necessary in the public interest for statistical and scientific research purposes.
  • You have provided your consent.

Purpose 8: For account settlement purposes

Legal grounds:

  • Providing you with healthcare and related services
  • Fulfilling our contract with you for the delivery of healthcare and related services.
  • We have a legitimate interest to use your information which does not overly prejudice you.

Purpose 9: For Trust Membership

Legal basis:

  • The use is necessary for the performance of a public task   

Additional legal ground for sensitive personal data:

  • The use is necessary for reasons of substantial public interest.

Purpose 10: For Talent Pooling

Legal basis:

  • The use is necessary for the performance of a public task  
  • We have a legitimate interest to use your data which does not overly prejudice you.

We may disclose your information to the third parties listed below for the purposes described in this privacy notice.

  • A doctor, nurse, carer or any other healthcare professional involved in your treatment.
  • Other members of support staff involved in the delivery of your care, like receptionists and porters.
  • Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin, carer, or your legal adviser.
  • NHS organisations, such as other NHS foundation trusts.
  • Other healthcare providers.
  • Third parties who assist in the administration of your healthcare, such as insurance companies.
  • Your GP or those GPs involved with your care.
  • Our regulators, including the Care Quality Commission, and for the purpose of our clinical audits.
  • Other bodies involved in the management of the NHS, including the NHS Counter Fraud Authority.
  • Government bodies, including departments (such as the Department for Work and Pensions) and local authorities.
  • Schools and other educational providers in connection with healthcare related matters.
  • Emergency services, including police forces.
  • HM Prison Service and the National Probation Service.
  • The police and other third parties where reasonably necessary for the prevention or detection of crime.
  • Our third-party service providers, such as auditors, lawyers and document management providers.
  • Selected third parties in connection with any transfer or termination of our functions.

Where we regularly share information, we are required to have in place information sharing agreements. 

In some circumstances we may also anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

International transfers

We do not transfer your personal data outside the European Economic Area ("EEA").

  • We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this privacy notice and in order to comply with our legal and regulatory obligations.
  • Where your records are stored electronically Berkshire Healthcare has ensured that the storage facilities are secure and in line with Information Security principles (ISO27001) within the United Kingdom or EEA.

Under certain circumstances, you have rights under data protection law in relation to your personal data. 

These are:

  • To be informed why, where and how we use your information – this is detailed in this privacy notice statement.
  • To ask for access to your information – You can request a copy of the information we hold about you by contacting our Medical Records team. The information will be assessed and may have information provided by third parties or about third parties removed before it is given to you. The Berkshire Healthcare Subject Access Request policy is available by contacting the DPO at the address on this page.

Visit our Medical Records page to find out more (opens new browser tab)

  • To ask for your information to be corrected if it is inaccurate or incomplete – If you think any information about you held by Berkshire Healthcare is incorrect, please discuss this with the service you are accessing either in person when attending an appointment, or by contacting the Data Protection Officer. We will discuss the changes with you and write to you to explain our decision.
  • To ask for your information to be deleted (also known as the right to erasure) or removed where there is no need for us to continue processing it. In some circumstances, we must delete your personal information if you ask us to. In many other circumstances, where we have a valid legal reason to retain your personal information, we do not have to comply with requests to delete personal information.
  • We will not usually delete healthcare related data before the expiration of any relevant retention period (see above). We may also need to retain data for regulatory purposes. We do not have to comply if we need to retain your personal information in case you make a legal claim against us.
  • To ask us to restrict the use of your information. In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information.  For example, we do not have to comply if we need to use your personal information to defend a legal claim against us.
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information. In some circumstances, we must transfer personal information that you have provided to us to you or, if this is technically feasible, another individual or organisation of your choice. The information must be transferred in an electronic format. 
  • To object to how your information is used – Where your information is used for research or statistical purposes you can object to it being processed for this purpose. Please make requests in writing to the Data Protection Officer or to the Berkshire Healthcare service you have used advising what changes you would like. Berkshire Healthcare does not participate in direct marketing and will never pass your information to anyone for this purpose.
  • To challenge any decisions made without human intervention (automated decision making) – information about your health may be entered into clinical applications to provide health recommendations but we will never carry out automated decision making that prevents healthcare or requires you to enter into a legal contract.
  • To withdraw consent where Berkshire Healthcare has relied on this as a condition for processing.

If you wish to exercise any of the rights set out above, please contact us.

Fee

  • You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

  • We are obliged by law to respond to all legitimate requests within one month unless your request is particularly complex or you have made a number of requests. In this case, we can take an extra two months to respond to the request and consider charging a fee. If this is the case we will notify you and keep you updated. 

The National Data Opt-Out is a service that enables you to register to opt out of your confidential patient information being used for purposes beyond your direct care and treatment.

The national data opt-out applies to the use of confidential patient information for research and national NHS planning purposes.

The national data opt-out does not apply where:

  • Data is shared for your individual or direct care
  • There is a risk to public health or data is required for monitoring and control of infectious diseases, for example during an epidemic
  • There is an overriding public interest, for example: reporting of gun wounds in line with GMC guidance
  • There is a legal requirement to share information, for example: investigations by regulators of professionals (e.g. General Medical Council investigating a registered doctor’s fitness to practice), NHS fraud investigations, notification of food poisoning
  • You have consented to take part in a specific project
  • Anonymised data is used 

You can change your national data opt-out choice at any time.

Further details about opting-out can be found on the NHS Digital Website.

Visit the NHS Digital website to learn more about the National Data Opt-Out service