For your benefit we may need to share information from your health records with non-NHS organisations from which you are also receiving direct care, such as social services or private healthcare organisations. We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the Trust. We will always seek your permission to share your information with organisations for purposes other than your direct care.
However, in exceptional situations we may need to share information without your permission if:
- It is in the public interest – for example, there is a risk of death or serious harm
- The Registrar of Births, Deaths and Marriages asks for the contact details of the next of kin, in order to help carry out their statutory duty to register the death of a patient.
- There is a legal need to share it – for example, to protect a child under the Children Act 1989
- A court order tells us that we must share it
- There is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime.
We hold a list of the information sharing agreements we currently have in place with our partner organisations.
National & Local Surveys
Your personal data may be used for the purposes of the NHS Patient Survey Program, and this may include passing data to a CQC approved contractor. The anonymised reports produced by the survey programs are used to help make service improvements.
The processing basis for the Trust to use your information for the NHS Patient Survey Program is set out in Article 6(1)(e) of the General Data Protection Regulation, which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
NHS Digital Personal Demographics Service (PDS) and Your NHS Number
If you are receiving care from a health or care organisation then that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number, the health and care organisations can work together more closely to improve your care and support. Your NHS number is accessed through an NHS Digital service called the Personal Demographics Service (PDS).
A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the organisation’s case management system. These data are retained in line with the organisation’s record retention policies and in accordance with the Data Protection Act 2018, Government record retention regulations and best practice.
We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties. Case management systems are provided by system suppliers, who are bound by the same rules. In such cases, systems may access the PDS directly or use third party software to access the PDS, such as the PDS FHIR API.
The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process because hospital staff will know who to talk to.
We may share data for approved research projects. Your consent will always be requested before any information is shared with the approved research project. In most instances the information will be made anonymous so that you cannot be identified. We will always request approval from the NHS Health Research Authority's Confidentiality Advisory Group. The Health Research Authority has further details on patient information and health and care research.
Personal data provided by individuals for the purpose of research:
6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:
9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
There is a duty of care to report safeguarding concerns to partner organisations to support an individual’s welfare. There is useful information on the Trust’s safeguarding page on the importance of safeguarding for adults and children and how staff are supported to act in the best interests of the individual.
Data may be shared with the police or other national security agencies where it is necessary and proportionate to support the prevention, investigation and detection of crime.
Data may be provided to the Trust by partner agencies to support the management of patients with tuberculosis or suspected tuberculosis.
Data may be provided to the Trust by partner agencies to support the management of public health.
CQC Accessing Records
CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider this is necessary to carry out their functions as a regulator. Where possible inspectors should explain why they are asking to look at certain records. They will consider any concerns and objections raised to them, and whether they can achieve CQC’s purpose by accessing the records of someone else. However, CQC relies on its legal powers to access information rather than consent, and therefore may use its powers to access records even in cases where objections have been raised.
More detail on how they ensure compliance with data protection law (including GDPR) is included in CQC’s Privacy Statement.
Effective from May 2021, Northampton General Hospital will be partnering with four Northamptonshire GP Practices, Brook, Park, St Luke’s and the Crescent, to run a pilot scheme providing enhanced services to patients accessing the Trust’s Frailty Services. If successful this scheme will be rolled out across Northamptonshire GP practices.
We are doing this because we recognise that frail patients attending the emergency department (ED) at Northampton General Hospital often have complex medical, psychological and social needs.
The pilot will allow members of the frailty team to access their patient’s GP record to ensure that they have all necessary information to be able to conduct a Comprehensive Geriatric Assessment (CGA) at the earliest opportunity. Access to this information will be key to enabling a safe, early discharge from NGH as well as improving patient experience and reducing avoidable readmissions. The information recorded by the Frailty Team will be shared with the patient’s GP to allow optimum continuity of care.
Information will be shared through SystmOne. This is a secure system, and access is only available to authorised members of staff. All health and social care staff who use SystmOne are bound by the Computer Misuse Act 1990, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), as well as the common law duty of confidentiality and their employment contracts. NGH maintains a complete audit trail of who has accessed records within SystmOne. This audit trail can be examined at any time to show that only those with legitimate reasons for accessing your record have done so.
The legal basis to process your information under the GDPR in regard to this partnership is:
6 (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
9 (h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to specific conditions and safeguards.
Your information will only be used in this way if you are a patient registered with one of the four practices referenced above and you are seen by the NGH Frailty Team. If you would like more information please contact your GP or the NGH Data Protection Officer.
This Trust is part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system, which is used by our healthcare professionals to access your radiology records. If necessary, your radiology records may also be accessed by healthcare professionals in other NHS hospitals in the East Midlands to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care. If you have any concerns about providing information or how we use it, please discuss this with radiology staff so that you fully understand the potential impact on your care or treatment. Further details on how they ensure compliance with data protection law (including GDPR) are included in EMRAD’s Privacy Notice.
The Trust has partnered with Ultramed Limited to use their ‘MyPreOp’ solution. This is a program used in the preparation of patients for procedures, operations and appointments. The Trust will ask patients to set up an account with Ultramed and input personal data to allow the management of their upcoming treatment. Ultramed will share this data with the Trust. The Trust does not provide any data about you to Ultramed. Ultramed are registered with the Information Commissioner’s Office and their registration number is ZA092775.
Waiting List Validation
The Trust has partnered with Healthcare Communications UK Ltd to undertake an exercise to review and validate our outpatient waiting lists. This review will allow us to understand your current position and future wishes.
The Trust will share a limited dataset with Healthcare Communications UK Ltd which they will then use to contact you via a text message regarding your appointment. This text message will state that it is from Northampton General Hospital and will ask you to access a link and log in using a personal identification number contained within the text message and your date of birth. If you do not want to receive these messages, you can opt out at any time.
If you do not reply to the text message or the Trust does not hold a mobile number for you, or you have previously told us that you do not want us to contact you via text, you will receive a letter which will be sent to your home address. The letter will ask for the same information regarding your appointment and your wishes.
The responses to the texts and letters will be compiled by Healthcare Communications UK Limited and shared securely back to Northampton General Hospital to allow the Trust systems to be updated.
The legal basis to process your information under the GDPR in regard to this partnership is:
Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Healthcare Communications UK Ltd are registered with the Information Commissioner’s Office and their registration number is Z6941651. The letters will be sent by UK Mail Group Limited on behalf of Healthcare Communications UK Ltd; they are also registered with the Information Commissioner’s Office and their registration number is Z9479069.
If you have any questions about this process please contact our contact centre on 01604 545 555.
Information Sharing Agreements
Northampton General Hospital NHS Trust has Information Sharing Agreements in place with the following organisations:
- 3D Lifeprints UK Ltd
- Abbott Nutrition
- Age UK Northamptonshire (Age UK)
- Alliance Medical Ltd
- AMS Ltd
- Carnall Farrar Ltd
- Carnall Farrar Ltd - Deed
- CCI Credit Management Ltd
- Colcoscopy Database
- Concept Management UK
- CORS - Templar
- Darktrace Ltd
- Datix Ltd
- Deceased Alliance (NHSBT)
- Dionach Ltd
- DMC Healthcare Ltd
- eTrauma (Open Medical)
- Harley Street Concierge
- Inventry Ltd
- KLS Martin UK Ltd
- KPMG - Quality Accounts Audit
- Medevolve Ltd
- Medtronic Ltd
- Movere - Trustmarque Solutions Ltd
- My Health and Care Directory
- National Cancer Patient Experience Survey
- NPEx (National Pathology Exchange)
- Newgate Technology Ltd - Nexus Theatres Dashboard
- Osirium Ltd
- Patient Surveys
- PHE Cancer Registry
- Pre-Hospital Feedback - EMAS
- Sectra Ltd
- Senseon Ltd
- Skylark Project (Hospital and Outreach)
- Smarter Security Solutions Ltd
- TIAA (Counter Fraud)
- TPP - SystmOne eDSM
- Transformation Nous
- University of Northampton - Occupational Health
- University of Northampton - Teledermatology Trial
- Wright Medical UK Ltd - Blueprint