
Privacy Notice


In the National Health Service (NHS), we aim to provide you with the highest quality healthcare. To do this the Northampton General Hospital Trust (NGH or Trust) must keep information about you, your health and the care we have provided to you or plan to provide to you.

As an employer, the Trust keeps information about its employees in order to meet its contractual, statutory and administrative obligations.

This privacy statement provides a summary of how we use the information we collect from our data subjects.

The Data Protection Act and UK General Data Protection Regulation (UK GDPR) 2018 control how your personal information is used by organisations, businesses, or the government. Under the Act, Northampton General Hospital NHS Trust is defined as a ‘data controller’ of your personal information. The Trust is registered with the Information Commissioner’s Office.

Our Registration number is Z4694847.

 

Personal Data: ‘Personal Data’ is information relating to a natural (living) person which can be used to identify the person, for example:

  • Name
  • Address
  • Telephone number
  • Employee number
  • Gender
  • National Insurance (NI) Number
  • NHS Number

Sensitive personal data (Special Category): ‘Special Category’ data is information which is classed as more sensitive personal data, for example:

  • Religious beliefs
  • Ethnic Origin
  • Sexual Orientation
  • Criminal convictions
  • Disabilities
  • Trade Union Membership

Data controller: ‘Data controller’ means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

Processing: ‘Processing’ includes the collection, recording, storage, use, disclosure or destruction of personal data.

WHAT IS DATA PROTECTION LAW?

The Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the Data Protection Act 2018 and the UK General Data Protection Regulation 2016 (UK GDPR). Together, they are referred to as Data Protection Law in this privacy statement.

Under Data Protection Law, organisations must be able to demonstrate compliance with the 6 Principles governing the protection of personal data. Below is a summary of the 6 Principles and how the Trust complies with them.

1) Processed lawfully, fairly and in a transparent manner in relation to individuals.

2) Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.

3) Data Minimisation: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4) Data Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5) Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals.

6) Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5, Clause 2 states “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

This means that under the UK GDPR, organisations must be able to demonstrate and prove that they are compliant with the 6 Principles.

We will process your personal information fairly and lawfully by: 

a) Only using it if we have a lawful reason to do so and when we do, we make sure we inform you about how we intend to use it and tell you about your rights;

Whilst we do not rely on consent as a legal basis for processing your information, we are obliged to inform you of how and when we use it. We do, however, rely on specific provisions under Articles 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

This allows us to use your personal information to provide you with your care. However, you do have the right to say ‘NO’ to our use of your information, but this is likely to impact on our ability to provide you with care.

b) Only collecting and using your information to provide you with your care and treatment and not using it for anything else that is not considered by law to be for this purpose;

We would never share your information for marketing or insurance purposes.

c) Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks for the delivery of your care;

d) Keeping your information accurate and up to date when using it and if it is found to be wrong, we will correct it, where appropriate, as soon as we can;

e) Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;

f) Having secure processes in place to keep your personal information safe when it is being used, shared, and stored.

KEY ROLES

  • Group Head of Information Governance (Interim) University Hospital of Northamptonshire Sally Shocklidge
  • Senior Information Risk Officer (SIRO) and Digital Director Dan Howard
  • Interim Medical Director & Caldicott Guardian Hemant Nemade

PATIENT PRIVACY NOTICE

The Northampton General Hospital NHS Trust (NGH or Trust) is a data controller under the Data Protection law as we collect and process personal information about you in order to provide health services and meet our statutory obligations.

The Trust is committed to protecting and respecting your privacy. Through this Privacy Notice we have sought to be as transparent as possible to fully explain how your personal data is held and processed. This notice explains how we collect, process, share, transfer and store your personal information and forms part of our accountability and transparency to you under Data Protection Law.

A lot of the personal information provided to us comes directly from our patients. In certain circumstances, we may also receive personal data from:

  • Health and social care professionals working with you such as GPs, support workers, social workers, hospices
  • Ambulance Trusts
  • Private healthcare providers
  • Carers, relatives or next of kin in situations where you are incapable of communicating with us
  • Local Authorities
  • Law enforcement agencies
  • CCTV images taken using our own CCTV systems

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you receive. Collectively, this is called your Health Record which may include:

  • Basic details such as name, address, date of birth, phone number, and email address - where you have provided it to enable us to communicate with you by email
  • Special Category Personal data such as:
    • Notes and reports about your physical or mental health and any treatment, care or support you need and receive;
    • Results of your tests and diagnosis;
    • Relevant information from other professionals, relatives or those who care for you or know you well;
    • Ethnicity, religion and, where appropriate, genetic/biometric information and sexual orientation;
    • Details of any contact you have with us such as home visits or outpatient appointments;
    • Information on medicines, side effects and allergies.
    • Clinical photographs for clinical imaging
  • We may also record CCTV images in public areas as part of the Trust's security arrangements and for criminal prevention.
  • Other personal information such as your next of kin and their contact details, patient experience feedback and treatment outcome information you provide.
  • Most of your records are electronic and are held on a computer system and a secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers. To assist this, the use of other electronic patient record systems to share your information will be implemented.

It is essential that the personal data that the Trust holds about you is accurate and kept up to date. You should inform the hospital as soon as possible of any changes to your contact details, including Name, Address, Telephone and Mobile numbers, Email Address and GP provider. You can do this by speaking to the team at any reception within the hospital or contacting either of the teams below:

Access team: ngh-tr.mraccess@nhs.net

Data Quality Team: ngh-tr.data.quality@nhs.net

We process personal data to enable us to provide healthcare services to our patients; carry out research; maintain our accounts and records; the use of CCTV systems for crime prevention; and data matching under the national fraud initiative. Records about you are used by those caring for you to:

  • Provide a good basis for all healthcare decisions by you and healthcare professionals
  • Enable you to work in partnership with those providing your care
  • Enable us to keep all details of our contact with you, such as referrals and appointments and services you have received
  • Make sure the care we provide is safe and effective
  • Work effectively with others providing you with care
  • Remind you about appointments using 3rd party processors.
  • Enable investigations if you and your family have a concern or a complaint about your healthcare
  • Facilitate you providing feedback on your experience to the Trust. You can opt out from this process either for a particular hospital attendance or permanently by informing a member of Trust staff who will advise the Information Department to remove your consent.

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • Move to another area
  • Need to use another service
  • See a different healthcare professional.

Others within the Trust, the NHS and other government bodies may also need to use records about you to:

  • Assess the quality of care we give you (called clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending
  • Manage the health services we provide
  • Help us to plan new services
  • Help investigate untoward incidents, complaints or legal claims
  • Prevent fraud
  • Teach healthcare staff
  • Help with research

If we need to use information that identifies you for purposes other than your direct care (or to check the quality of that care), we will always seek your consent beforehand.

Everyone working for the NHS has a legal duty to maintain the highest levels of confidentiality, and all NGH staff receive training on how to handle your information securely.

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format. All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.

We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

All employees and our partner organisations are legally bound to respect your confidentiality, and all staff must comply with our security operating procedures. Any breach of these procedures is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.

We will process your personal information only when we are permitted to do so by law. We rely on specific provisions under Articles 6 and 9 of the General Data Protection Regulation, such as when:

  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for medical purposes

Please be aware that we do not normally use consent as a legal basis for processing your personal information under UK GDPR. This is different to consent to treatment. This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information, but this could have an impact on our ability to provide you with care.

Information sharing for purposes of direct care

We may need to share your information with trusted organisations when they are caring for you and are providing you with treatment. This includes outside agencies, such as social services, public service authorities and private healthcare organisations in addition to other NHS organisations.

Please note the circumstances below when we may share your information with these organisations:

  • To ensure the provision of your direct care
  • To ensure the provision of the most appropriate treatment and support for you and your carers
  • Sharing your information via the Northamptonshire Care Record (NCR) to enable effective collaboration with other professionals who are directly involved in your care
  • To deliver services relating to your direct care e.g. processing of blood tests
  • For research, statistical and data analysis to give us insight on how we may improve the services we provide (please note that we will ask your explicit consent when processing your identifiable data for research purposes)
  • For conducting patient surveys to support care improvements facilitated by the Trust
  • To help us monitor and evaluate performance to develop the services we provide
  • To meet our NHS contract obligations

We have processes in place to ensure that we do not share excessive information with any organisations. We only share information that is relevant, necessary, and adequate to the care you are receiving at any given time.

We have relevant assurances in place to ensure that third-party organisations will not disclose your information without explicit written consent of the Trust, and this will only be provided if it is necessary to do so for the provision of your care.

The third-party organisations with whom we share your information for the purposes of your direct care include:

  • Northamptonshire Health and Care Partnership – key health and care providers in the county working in partnership to improve health and care for people living in Northamptonshire
  • Other partnerships working together to provide health and care for you such as, The East Midlands Radiology services (EMRAD) and National Pathology Exchange (NPEx)
  • GPs
  • Independent Contractors such as dentists, opticians, pharmacists, medical concierges
  • Private Sector Healthcare Providers
  • Charities and other Voluntary Sector Providers such as Hospices
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police and Judicial Services
  • Funeral Service providers
  • Other National and Government agencies e.g. National Confidential Enquiry into Patient Outcome and Death, National Cancer Registration and Analysis Service and Public Health England

We may also need to share your information with third party suppliers. These suppliers may not be directly involved with your care, but they provide us with support services in order for us to provide direct care to you. The support services they provide include:

  • supplying us with management information systems, databases and solutions used for administration processes and data-driven care delivery
  • diagnostic and health monitoring solutions
  • radiology services including medical and diagnostic imaging services
  • healthcare technologies and solutions
  • innovative prosthetic services
  • consulting, auditing, counter fraud, data analytics and innovation services
  • computer disposal and data destruction services
  • solutions for risk management, monitoring patient safety, reporting incidents and adverse events and ensuring the cyber security, availability, integrity and confidentiality of our information
  • survey services
  • systems for managing policies, training and learning content
  • physical security solutions and services
  • managing and maintaining the sites and systems to ensure they work effectively
  • technical support on the systems when required

Information shared with these organisations is subject to strict information sharing agreements established following robust risk assessments. Personnel from these organisations may have access to your information during the course of providing the above support services. However, it will be limited to only personnel who need access in order to deliver the services they provide. The information disclosed will be limited to what is relevant, necessary and adequate for the purposes for which we have engaged with the third-party supplier.


Legal Basis for sharing with third-party organisations

The legal basis relied on by the Trust to share your personal data with third party organisations and suppliers is set out in Article 6(1)(e) of the GDPR which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Where special category personal data such as health records are shared, the Trust relies on an additional condition set out in Article 9 (2)(h) of the GDPR which allows data to be processed where “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional subject to safeguards.”


Exceptions

We will always seek your permission to share your information with third party organisations for purposes other than your direct care. However, in exceptional situations we may need to share your information without your permission if:

  • It is in the public interest – for example, there is a risk of death or serious harm to yourself or another person or a child
  • The Registrar of Births, Deaths and Marriages asks for the contact details of the next of kin, to help carry out their statutory duty to register the birth or death of a patient.
  • There is a legal need to share it – for example, to protect a child under the Children Act 1989
  • A court order tells us that we must share it
  • We are subject to the Care Quality Commission’s powers under the Health and Social Care Act 2008 to access and use information where they consider it necessary to carry out their functions as a regulator.
  • There is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime
  • You are subject to the Mental Health Act (1983); there are circumstances in which your nearest relative must receive information even if you object
  • Your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases.

Further Information

If you would like further information on a specific third-party organisation or supplier with whom we share information, please contact the Data Security and Protection team at:

Data Security and Protection Team
Northampton General Hospital
Cliftonville
Northampton
NN1 5BD
Telephone: 01604 543881
Email: ngh-tr.data.protectionact@nhs.net

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA).

As a result, it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made, the Trust will carry out the necessary risk assessments including Data Protection Impact Assessments to make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the Data Protection law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of providing health care services and satisfying any legal obligation.

Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that Care Records are ordinarily retained for eight years, after which they will be reviewed and transferred to the place of deposit if appropriate for archiving.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

The Trust has a Documentation Management Policy (NGH-PO-123). This is based on the NHS Records Management Code of Practice. You can access the NHS Records Management Code of Practice here: Records Management Code of Practice - NHSX

For information on your rights and how you may exercise them, please see the ‘Your Information Rights’ section on the Trust website here.

The Trust may use photographs, video footage and audio recordings where an individual can be clearly identified for the purposes of promoting its work. We will only use your image or audio if we have obtained your explicit written consent. You can request the photo, video or audio to be removed from the NGH photo library at any time by contacting ngh-tr.communications@nhs.net. Every effort will be made to remove the content; however, it may not be possible to control use of the photograph, video or audio completely.

Photographs, videos and audio recording may be:

  • Used in the hospital magazine Insight
  • Used in promotional materials such as posters or adverts
  • Used on the NGH website, social media channels and other digital communications
  • Used in news media and their associated websites and social media channels including print, television and radio
  • Stored in the NGH photo library

The Trust has the ability to record telephone calls. Calls are recorded for the purposes of quality and training, protection of patients and staff, documenting information on your medical record or identifying issues in processes with a view to improving them. Calls may be shared internally with healthcare professionals and support staff who are involved in your direct care provision on a need to know basis. In the event of an incident, certain members of staff in the Audit, Risk or Governance teams may have access to call recordings in order to facilitate the investigation of the incident. Call recordings will not be shared outside of the Trust, unless we have a legal requirement to do so.

All records held by the Trust are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your information before we are able to review and securely dispose of it. We will keep your call recordings as long as we are required to do so by the Code. Recordings for children are kept for a maximum of 25 years and recordings for adults are kept for a maximum of 15 years.

You have a right to access your call recordings under data protection law; this is called a Subject Access Request (SAR). You may request access to your call recordings through a secure electronic method. To make your request, please follow this link. Choose “Don’t have an account? Sign up”, then you can either register on the site or enter as a guest. Then choose the most appropriate on-line application form.

If you have any problems accessing the on-line form, please give the Access Team a call on 01604 544776. Your Subject Access Request (SAR) will be dealt with under the terms of the Data Protection Act 2018, the General Data Protection Regulation 2016 and the Access To Health Records Act 2018. Follow this link for further information on Subject Access Requests.

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information on gov.uk is also available.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email. The Trust is working with several local health providers, including Three Shires Hospital and Isebrook, with whom we will also need to share your confidential patient information if they are dealing with your care directly.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. 

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information is available about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In order to ensure that eligible patients are offered a vaccination as quickly as possible, we may use data about upcoming outpatient appointments to identify patients that can be offered a vaccine. If you are identified as eligible you will be contacted by a member of Northampton General Hospital staff and offered the opportunity to make a booking for a vaccination at the Moulton Park vaccination centre. This is optional and you do not have to accept this offer.

We are also working with other companies which are providing tools and systems which enable the Trust to work more effectively.  These include:

Doccla

Butterfly IQ

Attend Anywhere

Microsoft Teams

Consultant Connect

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Mental Health Act Data

Most people who receive treatment in hospitals or psychiatric units for mental health conditions are there voluntarily and have the same rights as people receiving treatment for physical illnesses. However, a small number of patients may need to be compulsorily detained under a section of the Mental Health Act.

In such situations, the Trust is permitted under Data protection law to process personal data for the purposes of providing mental health care services to you under the following legal bases when it is:

  • necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.
  • necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
  • necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

At Northampton General Hospital we are committed to providing the best possible experience to our patients.

We use national surveys such as the friends and family test to find out about your experience after receiving a service from Northampton General Hospital. Information about the friends and family test can be found here.

From time to time we may contact patients that have been on a specific care pathway to find out about their experience in order to improve our services. We take care to ensure that any patients that have opted out of receiving patient experience questionnaires are not contacted.

Whilst responses from patients are really important to us and help us to shape our services and provide the best possible care for our future patients, you do not have to respond to these requests if you don’t want to.

If you would like to opt out of receiving patient experience questionnaires please contact the Patient Experience Team using the following email address: ngh-tr.patientexperience@nhs.uk

PRIVACY NOTICE FOR EMPLOYMENT

As an employer, the Northampton General Hospital NHS Trust (NGH or Trust) must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in Data Protection Law.

NGH collects, holds and processes personal data and sensitive data about prospective, current and former employees including substantive employees, bank and agency workers, contracted staff, volunteers, trainees and those carrying out work experience. This privacy notice tells you what to expect when NGH collects personal information about you. The information we will process about you will vary depending on your specific role and personal circumstances.
NGH is the data controller for this information. Details of our Data Protection Officer can be found below:

Telephone: 01604 523224

Email: ngh-tr.dpo@nhs.net

This notice should be read in conjunction with other relevant Information Governance policies and procedures.

We get information about you from the following sources:

  • Directly from you
  • From an employment agency
  • From referees, either external or internal, providing confidential information about your suitability to the role
  • Inter Authority Transfer (IAT) – information held by your previous NHS employer
  • From the Disclosure and Barring Service where applicable, which will inform us about any criminal convictions you may have
  • From Occupational Health and other health providers
  • From Pension administrators when transferring within the NHS
  • From Her Majesty’s Revenue and Customs (HMRC) relating to your pay, tax and employment
  • From government departments about your right to work and visa applications
  • From your Trade Union
  • From providers of staff benefits
  • Confirmation of your registration with a professional body
  • CCTV images taken using our own CCTV systems

When you apply for a position within the Trust you will provide us with relevant information about you, including:

  • Name
  • Address and telephone contact details
  • Employment history
  • Qualifications
  • Referee details

During the recruitment and selection process we will add further information including:

  • Publicly available information such as social media presence
  • Selection information including correspondence, interview notes, and results of any selection tests etc.

For the purposes of carrying out employee verification checks prior to an employment offer, we will collect additional information from you including:

  • Copy of qualifications/ certificates
  • Pre-employment checks, including references, identity documents and ‘right to work’ information
  • Bank details

Following your appointment, we may add any other information that you supply to us or that is required as part of your employment, including:

  • Training, appraisal and revalidation information
  • Occupational health information (medical information including physical or mental health conditions)
  • Details of any absences (other than holidays) including statutory parental leave and sick leave
  • Vaccination status (including Flu and COVID-19)
  • Information relating to health and safety
  • Employment tribunal applications
  • Complaints
  • Accidents
  • Incident details

We will only use your personal data when the law allows us to. Data Protection Law sets out the legal bases for processing personal data. The most common legal bases we rely on for processing your personal data are:

  • Where we need to perform the employment contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where it is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
Your personal data is held in both electronic and paper formats. Information may be held centrally by the Human Resources (HR) department and locally with your line manager.

All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.

Electronic information is accessed on a need-to-know basis only using the Trust’s Electronic Staff Record (ESR) system. Some information may be held on the Trust’s secure drives or shared folders where access is only granted to appropriate individuals.

The Trust will use your information to administer your employment and associated functions. Your personal data will be shared between relevant colleagues who legitimately need the information to carry out their duties, e.g. your line manager and the Human Resources (HR) department.

The Trust uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:

| Purpose | Legal Basis |
| --- | --- |
| Recruitment and Selection | Legitimate interest – the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Assessing qualifications for a particular job or task | Legitimate interest - the legitimate interest being employment of a suitable workforce/Performing a task in the public interest |
| Checking you are legally entitled to work in the UK | Legal obligation |
| Where eligible, checking your criminal record | Legal obligation |
| Uploading information onto Employment Staff Record | Legitimate interest – the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Paying you, deducting tax, National Insurance contributions and trade union fees | Contract/Legal obligation |
| Pension Administration | Contract |
| Making decisions about salary reviews and compensation | Contract |
| Conducting performance reviews, managing performance and determining performance requirements | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service/Performing a task in the public interest |
| Managing sickness absence and assessing your right to occupational sick pay | Contract/Legal obligation |
| Provision of Occupational Health services | Contract/Legal obligation |
| Administering the contract we have entered into with you | Contract/Legal obligation |
| Education, training and development requirements | Legitimate interest - the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Business management and planning, including accounting and auditing | Legitimate interest - the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC | Legal obligation |
| Managing a safe environment and ensuring fitness to work | Legal obligation |
| Equal opportunities monitoring | Legal obligation |
| Compliance with Health and Safety obligations | Legal obligation |
| Sharing and matching of personal information for national fraud initiative | Legal obligation |
| Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work | Legal obligation |
| Gathering evidence for possible grievance or disciplinary hearings | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest |
| Making arrangements for the termination of our working relationship | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest |
| To monitor your use of information and communication systems to ensure compliance with IT policies | Legitimate interest – the legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential |

At the time of your recruitment, we take photographs which are then used for smartcards and ID Cards. This photograph may also be used in local/departmental areas and on the hospital intranet page to support with identification of employees. You may be asked to update this image on a regular basis to ensure that it is still usable for the purpose of employee identification.
If you agree to your photograph being taken, or take part in a video or audio recording for any purpose other than for smartcards and ID cards (such as publishing, republishing, transmitting or broadcasting across a range of print, online, broadcast and social media channels to promote the principles and practices of the hospital), we will first seek your consent.
We will also seek your consent to store images and recordings in the NGH photo library for three years.

The Trust may disclose personal and sensitive information to a variety of recipients including:

  • Our employees, agents and contractors where there is a legitimate reason for them receiving the information
  • Current, past or potential employers of our employees to provide or obtain references
  • Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC)) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process
  • Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
  • The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
  • Third parties who work with us to provide employee support services (e.g. counselling)
  • Third parties who provide systems to help us provide quality health care to our patients
  • Internal and external auditors
  • Debt collection and tracing agencies
  • Courts and tribunals
  • Trade union and staff associations
  • Survey organisations for example for the annual national NHS Staff Survey
  • Training providers

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it and we will only ever use/share the minimum information necessary.

However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There are a number of circumstances where we must or can share information about you to comply with or manage:

  • disciplinary/investigation processes and serious incident management, including but not limited to referrals to professional bodies, e.g. the Nursing and Midwifery Council and the General Medical Council and to seek advice from relevant professions for expert opinions
  • legislative and/or statutory requirements
  • court orders which may have been imposed on us
  • NHS counter-fraud requirements
  • requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature

The University Hospitals of Northamptonshire NHS Group consisting of Kettering General Hospital and Northampton General Hospital have chosen to partner with Qualtrics to offer a ‘People Pulse Survey’ to Trust employees.

The aim of the survey is to obtain views and feedback from employees on a number of topics, and to gather ideas, thoughts and feelings about our individual workspace or the broader workplace and to understand what it is that the Group is doing well and what we can be doing even better. The People Pulse Survey will run frequently throughout each year.

Results will be presented at Group briefings and/or NGH briefings to share with you what you and other colleagues have shared.

Results will be non-attributable and small number suppression will be used to prevent individuals being identified from aggregated responses.

In order to provide access to the survey and to allow the results to be grouped by department, NGH will share personal information with Qualtrics. This includes:

  • Name
  • Work Email Address
  • Job Role

Whilst this information is not being shared at present, NGH will also be looking to transfer the following information:

  • Age
  • Gender
  • Sexual Orientation
  • Disability
  • Ethnicity

Our legal basis for sharing this information is Article 9 (2) (b) of the UK GDPR. Sharing this special category data allows the Group to identify staff groups that may feel disadvantaged or marginalised, and to take action to address this. This is in line with our obligations to the Public Sector Equality Duty (Part 1 of Equality Act 2010).

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used to effectively manage the workforce leading to improved efficiency and improved patient safety.

Factual references

In accepting employment, you accept that the following personal data will be transferred under a reference request programme if your employment transfers to another organisation:

  • Name
  • Date of Birth
  • Dates of employment
  • Most recent role title held on ESR
  • Days and episodes of sickness in the last two years
  • Any formal warnings or formal investigations pending, including safeguarding concerns
  • Date, level and outcome of DBS check undertaken

In accordance with the Trust’s Acceptable Use Policy (NGH-PO-1202) the Trust monitors the use of its IT systems and equipment and reserves the right to notify HR and the line manager of an employee where a violation of the policy is identified. All employees consent to the monitoring and recording of electronic communications and IT systems for safety and security, namely for the purpose of ensuring that rules are being complied with and that usage is for legitimate business purposes. All employees shall comply with any electronic communications systems policies that the Trust may issue from time to time.

The Data Security and Protection Team will monitor access to all clinical systems. Any access without a justifiable and professional need will be investigated to ensure the access was appropriate. Unauthorised access to any clinical system will be classed as a breach of the Acceptable Use Policy and may result in disciplinary action.

All information created on Trust devices is the property of the Trust and therefore may be subject to audit and review. Records created on Trust systems, such as emails, may be required and disclosed in relation to a Subject Access Request or to support an investigation. In these situations, where doing so would not prejudice the investigation, the Trust will make every effort to inform employees of the requirement to access this information prior to access.

Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud information technology service which has servers in the EU or outside of the European Economic Area (EEA). A Data Protection Impact Assessment will have been completed to ensure that data is held securely and within the requirements of the law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

It is important that the personal data that the Trust holds about you is accurate and kept up to date. It is your responsibility to ensure that the information held in the Electronic Staff Record (ESR) is correct and you should notify your line manager promptly of any changes to your details.

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.

You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. A summary of your records will be kept until your 75th birthday or six years after leaving, whichever is the longer, and then reviewed. For unsuccessful job candidates, documentation is retained for six months after the candidate is rejected for a role and then deleted.

However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and for clinical staff where there is a negligence claim in relation to a child, the normal three year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff who may be at risk of certain diseases or where they were involved in an incident that could give rise to a clinical negligence claim which requires a longer retention period than six years, are marked appropriately as needing to be retained for a longer period.

If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.

The Trust has a Documentation Management Policy (NGH-PO-123). This is based on the NHS Records Management Code of Practice. You can access the NHS Records Management Code of Practice here: Records Management Code of Practice - NHSX

For information on your rights, please see the ‘Your Information Rights’ section of the website, here.

COVID and your life

In May 2021, the Prime Minister announced that the Government will launch an independent Public Inquiry into the Government and public sector response to the COVID-19 pandemic.

Public Inquiries can ask for a broad range of documents and records, and the Trust will provide our fullest support and transparency to any requests for information.

Both current and former employees may be contacted by the Trust or appointed representatives of the Inquiry to provide information and input into the Inquiry. The Trust will retain a list of all former employees who have had a key role in the decision-making processes surrounding the Trust’s response to the COVID-19 pandemic to assist with responding to the requests of the Inquiry.

In addition, the Trust reserves the right to retain access to the mailboxes of former employees until such a time that the Inquiry is concluded.

Part of the national response to the coronavirus (COVID-19) pandemic is the need to record the details of staff who have been vaccinated against COVID-19. For further information please see the ‘Staff Vaccination Privacy Notice’ section of the website.

This Privacy Notice relates to COVID-19 Testing for Essential Workers and Household members. The Department of Health and Social Care has implemented a COVID-19 national testing programme for those defined as ‘essential workers’ (a definition of essential workers can be found at the end of this notice) and for people living within the same household as those workers. For further information please see the ‘COVID 19 Staff Testing Privacy Notice’ section of the website.

The Trust works with partner academic organisations to support and mentor students and apprentices during their placements. Student and apprentice information is processed in accordance with the individual learning agreements in place with the academic institution.

This data is required to facilitate support and mentoring of individuals and to ensure compliance with the terms and conditions outlined via contract or learning agreement.

The lawful basis relied on to process student personal data for the purposes of employment is:

  • when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art 6(1)(e))

As a Trust we have a duty to eliminate unlawful discrimination, harassment or victimisation, to advance equality of opportunity and to foster good relations. All public bodies must treat people from different groups fairly and equally. Data on equality and diversity is captured in accordance with the Equality Act 2010.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Below are the lawful bases relied on by the Trust to process Equality and Diversity Data:

Special Category Personal Data provided to the Trust for the purpose of compliance with Equality legislation:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

CHILDREN'S PRIVACY NOTICE

Our Children's privacy notice tells you what happens to the information that Northampton General Hospital collects about you when you visit the hospital and what we do to keep it safe. Please read all about it by clicking on this link.

If you have any concerns about the use of your information you can contact:

Data Protection Officer

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

ngh-tr.dpo@nhs.net


If you wish to ask the Trust about a data protection issue, request information on data we process, request a copy of your data, make a request for data to be erased or rectified, or you have concerns about the processing of your personal data by us, you may contact our Information Governance Team at:

Data Security and Protection Team

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 543881

Email: ngh-tr.data.protectionact@nhs.net


Other Useful Contact Numbers

The Data Controller

The Chief Information Officer and SIRO

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 634 700

Email: ngh-tr.dpo@nhs.net


Patient Advice and Liaison Service (PALS) for complaints

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 545784

Email: ngh-tr.pals@nhs.net


Data Protection Officer

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 523224

Email: ngh-tr.data.protectionact@nhs.net


Freedom of Information Officer (for Freedom of Information requests and concerns)

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 548661

Email: ngh-tr.foi@nhs.net


Caldicott Guardian (to request and raise concerns around the confidentiality of your information)

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Telephone: 01604 544722

Email: matthew.metcalfe3@nhs.net


CCTV Request (to request CCTV recordings)

Information Governance Team

Northampton General Hospital

Cliftonville

Northampton

NN1 5BD

Email: ngh-tr.data.protectionact@nhs.net

 

CHANGES TO THIS PRIVACY NOTICE

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.


FURTHER INFORMATION

If you wish to ask the Trust about a data protection issue or raise concerns about the processing of your personal data by us, you may contact the Data Protection Officer on:

Telephone: 01604 523224

Email: ngh-tr.dpo@nhs.net


RIGHT TO CONTACT THE INFORMATION COMMISSIONER'S OFFICE

You should be aware that you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The contact details of the ICO are as follows:

Helpline: 0303 123 1113

https://ico.org.uk/concerns/

© Northampton General Hospital NHS Trust 2022