One of the biggest changes to UK data privacy law came into effect on 25 May 2018 - the General Data Protection Regulation, also known as GDPR.
GDPR applies to all staff, patient and service users, our charity and volunteers and all organisations we work with.
As a patient and service user Dartford and Gravesham NHS Trust aims to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you.
Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and available in accordance with data protection laws, the NHS Constitution and common law.
Our staff members undertake annual training to process your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.
Your information is never collected for direct marketing purposes, and is not sold on to third parties. Your information is not sent outside the United Kingdom or the European Union unless the recipient has the same level of legal responsibility as we do.
Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations. We have a legal duty to share information for your care unless you tell us not to do so. We may also use sub-contractors to process your data. They will be bound by law to maintain your privacy.
Information is held for the periods of time recommended by the Records Management Code of Practice for Health & Social Care 2016.
The legal basis for the processing of almost all our data is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health and data protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.
If we need to use your personal information for any reason beyond those stated, we will discuss this with you.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online and manually.
Separate guidance is provided by the Healthcare Research Authority (HRA) about information to be published in relation to the role of the NHS organisation as sponsor and data controller for research projects, or data controller for research databases or tissue banks holding personal data. Please see link to the HRA webpages about research and about general use of patient information: HRA website
The changes introduced with GDPR, means that individuals have more control over how their data is used. And it ensures that organisations protect your personal data better. To reflect these changes and new obligations, we've updated our privacy notices which inform you about what we do with your personal data, how it's used and your rights as an individual under the new law.
We have tailored our privacy notices around specific groups of individuals, with one for patient’s and service users, one for staff, volunteers and applicants, one for our occupational health services and one for charities.
Should you have any queries on the uses of your information, wish to exercise one or more of your rights or complain about our use of your information please direct your enquiry to our Data Protection Officer – contact details held within the privacy notices (links below).
If you are unhappy with the outcome of your enquiry you can contact the regulator: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700.
Dartford and Gravesham NHS Trust is committed to ensuring that your privacy is protected and is compliant with GDPR with a few exceptions (none which effect the security or sharing of patient data).
We are confident that we are compliant in most areas and have systems and processes being put in place where gaps were recently identified through an independent audit process.
The work we need to undertake will be prioritised based on risk and risks and actions monitored and reported to our Board.
We will report up to date information on progress, on this webpage.
The current position is as follows:-
- The Trust has robust processes in place for Incident Reporting which includes prompt reporting of data breaches to us ( in the case of suppliers and other 3rd party providers assurance on this is currently being sought) and by us to the Information Commissioner.
- Processes are in place to ensure that no patient identifiable information/personal data is shared without a lawful basis to do so.
- Policies and procedure documents are currently being updated to reflect the changes required.
- Right of access to information is in place.
- Right to rectification is in place.
- Right to erasure (right to be forgotten) where appropriate is in place.
- Processes to ensure record retention periods are set for all data sets (and secure and permanent disposal of data where required) are being reviewed.
- Robust audit trails of activity (including view only) are in place for clinical systems (patient information) and in most other areas, with plans to review other areas.
- Role based access control to access data is in place and will only be accessed when required for patient care or to be able to carry out the Trust function of patient care.
- Training and awareness programme in place for staff on data protection/security.
- The Trust procedures to ensure GDPR compliance will apply to all organisations connected with processing our activity.
- All new contracts/new suppliers with the Trust will have clauses in contracts that ensure compliancy with GDPR.
- All existing suppliers will be issued with contract variations for clauses in contracts to be added or letters to say we require GDPR compliancy, notification of data breaches etc. and an audit will take place on GDPR compliancy with suppliers.
- Staff contracts were amended by 25th May to include a clause ensuring they are aware of GDPR and their obligations under this and all other data protection legislation and their need to comply with Trust policies in this area.
If you would like to know more please write to:
Data Protection Officer, Darent Valley Hospital, Darenth Wood Road, Dartford, Kent, DA2 8DA