Purposes for using your information

Milton Keynes University Hospital embraces transparency as a means of building trust and confidence with our patients and staff.

Being transparent and providing accessible information to individuals about how we will use personal data is a key element of the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

We want to be clear about the purpose/purposes for which we hold personal information and data.

It is often argued that people’s expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, but they are unwilling to read lengthy privacy notices.

These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, we believe that people do have concerns about how organisations handle their data and want to retain some control over its further use.

Therefore, we have separated our full privacy notice into easy-to-read sections, as it is important for us to be transparent about our processing and comply with the legal requirements to provide privacy information.

Your information will not be sent outside of the United Kingdom unless there is a clinical need to do so. 

We will always ensure that your privacy is protected in the same way overseas as it is here in the UK. We will never sell any information about you.

Processing for direct care purposes

Unless you object, we will normally share information about you with other health and social care professionals who are involved in your direct care. This is so that you may receive the best quality of care. For example, every time you attend the hospital as a patient, we will send your GP a summary of any diagnoses, test results or treatment given.

You may be receiving care from other people as well as the NHS e.g. social care services. We may need to share some information about you with them so we can all work together for your benefit. We will only do this when they have a genuine need for it or we have your permission.

Examples of who we may share your direct care information with are:

  • social care services
  • education services
  • local authorities
  • voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as when your or somebody else’s health and safety is at risk, or the law requires us to pass on information.

Benefits

Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Legal Basis

The processing is necessary for health and social care purposes:

  • Preventative and occupational medicine
  • The assessment of the working capacity of an employee
  • Medical diagnoses
  • The provision of healthcare and treatment
  • The provision of social care, or
  • The management of healthcare or social care systems and services

Bedfordshire, Luton and Milton Keynes (BLMK) Integrated Care System (ICS)

The Bedfordshire, Luton and Milton Keynes (BLMK) region operates as an Integrated Care System (ICS), where 11 NHS organisations work in partnership with four local councils and others.

Together, we take collective responsibility for delivering an enhanced quality of care, improving health and well-being, ensuring value for money and making BLMK a great place to work. 

This means sometimes we will securely share information to aid treatment or for referral purposes.

For more information about the BLMK ICS, our partners, plans and priorities, please visit www.blmkpartnership.co.uk

One London

OneLondon is a programme which enables secure information sharing between MKUH and some of London’s NHS health and care providers.

Sharing information enables NHS clinicians to have real-time access to relevant care records, helping them to better understand the needs of their patients that have been referred from Milton Keynes and surrounding areas and make the best decisions about their care.

Information sharing between MKUH and these NHS providers based in London is enabled by a secure network of health information exchanges (HIE). This linkup supports a wider NHS ambition to create a network of shared care records across England to benefit faster, safer, more effective patient care.

More information is available from the One London website

To read about how data is shared and processed in this partnership click here – Sharing Information – North East London Health & Care Partnership

Processing for indirect care purposes

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet patient needs in the future
  • Investigate patient queries, complaints and legal claims
  • Ensure the hospital receives payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Undertake health research and development (with your consent – you may choose whether or not to be involved)
  • Help train and educate healthcare professionals

Nationally there are strict controls on how your information is used for these purposes. These decide whether your information has to be de-identified first and with whom we may share identifiable information.

You can find out more about these purposes, which are also known as secondary uses, on the NHS England, the Health and Social Care Information Centre and the Information Commissioner’s Office websites.

If you would like to “opt out”

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to “opt out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

It is also important to note that by opting out there could be consequences. These will be discussed with you if you are considering opting out. If you wish to opt out, please contact the Information Governance Team.

For further information on NHS “opt out” please see below:

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

The Trust is currently compliant with the national data opt out.

Processing information for safeguarding

We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. The identity could include name, address, date of birth and NHS number and will only be used if necessary for the protection of vulnerable individuals.

Use of CCTV and Bodycam

We are dedicated to ensuring the safety and security of our premises and the welfare of our patients, employees, and visitors. This technology is utilised for security, crime prevention, and the safeguarding of individuals and property. The CCTV and Bodycam systems may record audio and video footage, including images and sounds of individuals who enter our premises or interact with our staff.

We are responsible for collecting, storing, and processing this data. The data collected is exclusively used for security, investigating incidents, and preventing unlawful activities. It may be shared with law enforcement or other authorised authorities as required by law. We will keep CCTV and Bodycam footage for a period of 30 days before securely deleting it, unless it is used for evidence, in which case it will be stored for as long as is necessary.

Body-worn cameras form part of a security officer’s personal safety equipment and are provided for health and safety purposes. They will be used in an overt manner and will be clearly displayed with the correct identification. Prior to commencement of any recording, officers will give a clear verbal instruction that a recording is taking place. We are committed to maximising their effectiveness in tracking and reducing crime and disorder and anti-social behaviour, and in maintaining a safe, secure environment for staff and members of the public.

Processing information for Crime and Policing

All Health and Care Services should, to the extent permitted by law, support other parts of the public sector in their work. This can include the provision of personal information about service users or staff but there are legal constraints on what can and should be provided depending upon the circumstances.

The Trust will satisfy itself that any disclosure is required by law. Common examples include:

  • The Police and Criminal Evidence Act (1984) permits, but does not require, information to be disclosed to the Police if it is believed that someone may be seriously harmed or death may occur if they are not informed.
  • The Crime and Disorder Act (1998) permits disclosure to the Police if there is a need for strategic cross organisational planning to detect, prevent or reduce crime and disorder that an individual may be involved in.
  • Prevention of Terrorism Act (1989) and Terrorism Act (2000). We MUST inform the Police if we have information (including personal information) that may assist them in preventing an act of terrorism, or help in apprehending or prosecuting a terrorist.
  • The Road Traffic Act (1988). We have a statutory duty to inform the Police, when asked, of any information that might identify any driver who is alleged to have committed an offence under the Act. We are not required to disclose clinical or other confidential information.
  • The Female Genital Mutilation Act (2003). We have a statutory duty to report to the police under Section 5B of this Act where it appears that a girl under the age of 18 has been subject to genital mutilation.

Court Orders are also sometimes obtained by the Police to acquire information from organisations or individuals.

Why we collect and process information for complaints

We will collect and process your information if it relates to a complaint where you or your representative has asked for our help or involvement.

Complaint processing activities

Upon receipt of a complaint, the Trust opens a file on the hospital’s complaints database. The team also keeps a minimal paper file containing the original letter of complaint or a management plan in relation to the complaint. This will normally contain the identity of the patient and the complainant and any other individuals involved in the complaint. The identity could include name, address, date of birth and NHS number. These will only be used if necessary for the handling of the complaint in line with the Trust’s process.

  • We will only use personal information we collect to process the complaint and to ensure an appropriate investigation is undertaken in line with the severity of the complaint.
  • We usually have to disclose the patient’s identity to whomever the complaint is about. This is to ensure a full investigation can be undertaken, especially if reference is made to the patient’s medical records.

If a patient/complainant does not want information identifying them to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint in line with Trust process on an anonymous basis.

We will keep personal information contained in complaint files in line with the NHS retention guidance. It will be kept in a secure environment and accessed only on a ‘need to know’ basis.

Purposes for invoice validation

Invoice validation ensures that after we provide you with care or treatment, we can be paid the correct amount.

NHS Shared Business Services (SBS) process invoices on behalf of Milton Keynes University Hospital NHS Foundation Trust (MKUH). In addition, SBS process invoices where the Trust is making payments to other NHS bodies.

SBS does not require, and should not receive, any patient confidential information to provide their services. However, before payment can be received by the Trust, the respective Clinical Commissioning Group (CCG) needs to conduct invoice validation. This is to ensure that the treatments and amount are correct.

In order to do this, personal confidential data is submitted by the Trust to an approved and controlled secure environment within the CCG. Only certain data can be submitted, and only when necessary for the validation process. The identifier used for invoice validation is your NHS number or the local provider ID (hospital number).

The CCG and the Trust have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

Purposes for support services

Where processing is being carried out on behalf of the Trust, we will only use processors that provide us with sufficient guarantees that they understand their responsibilities under the Data Protection Act 2018. We will implement the appropriate technical and organisational measures that meet these requirements.

We will determine the purposes for and the manner in which personal data is processed. This means that the Trust exercises overall control over the ‘why’ and ‘how’ of a data processing activity.

Clinical research is an essential part of making healthcare better.

Clinical research can lead to new treatment or provide evidence of the best available treatments for a clinical condition.

Without research there would be no new ways to treat you. It is just as important to your healthcare as your doctor or your hospital.

Benefits

Researchers can provide direct benefits to individuals who take part in medical trials and indirect benefits to the population as a whole. Service user records can also be used to identify and invite people to take part in clinical trials, intervention studies, or studies purely using information from medical records.

Process

Where identifiable data is needed for clinical research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in a research study.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP practice know.

Legal basis

The data subject has given explicit consent to the processing for one or more specific purposes.

Sometimes research can be undertaken using anonymised or aggregated information that does not identify you. The law does not require us to obtain your consent in this case. However, the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

For further information on clinical research, click here.

Milton Keynes Hospital Charity (MKHC) is committed to ensuring that your privacy is protected.

MKHC will ask you to provide certain information by which you can be identified; it will only be used in accordance with the Data Protection Act 2018.

We may collect the following information:

  • full name and title
  • gender
  • date of birth
  • contact information including address and post code
  • bank account details – if donating by debit/credit card or setting up a direct debit for regular donations
  • information relating to your health – if you are volunteering for us
  • emergency next of kin details – if you are volunteering for us

If you sponsor a person using an online giving platform such as JustGiving or Virgin Money Giving and you indicate that you would like to hear from us, they may pass your details onto us so we can tell you more about our charity. You should check the privacy statements of those sites before you give them your information.

We require this information for the following reasons:

  • internal record keeping
  • to thank you for your donations, volunteering or other support
  • to respond to you if you have made an enquiry
  • to keep you up-to-date with the MKH Charity
  • to improve our products and services

We may also share your name and details of your donation with the hospital in order to ensure your donations are used according to your wishes. This will be limited to senior members of staff only. You can let us know if you would prefer your details to remain anonymous and we will always respect your wishes.

We are committed to making sure your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Our MKHC website may contain links to other websites of interest. However, once you have used these links to leave our site, we do not have any control over external websites. Therefore we cannot be held responsible for the protection and privacy of any information you provide whilst visiting sites not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You have a right to restrict MKHC from collecting or using your personal information. When we ask you to fill in a form, there will be a box that you can tick if you DO NOT want the information to be used for marketing purposes. You can also control the means by which we contact you e.g. telephone, post or email. You can change your contact preferences at any time.

If you request that we do not contact you again for marketing purposes, we will respect your wishes. It may take up to 28 days for us to update our records and for you to stop receiving communications from us. After this time, we may still send you administrative communications e.g. in relation to payments you have made or events you have signed up for.

  • We do not have access to your medical records.
  • We will not sell or lease your personal information to third parties.
  • We will not share your information with a third party for their own purposes unless required by law to do so.

We appreciate your support and aim to ensure that your privacy is treated with respect at all times and in compliance with the Data Protection Act 2018.

Purposes for patient experience and engagement

We will process your personal information if it relates to you being a member of the Patient Experience and Engagement Group. This could include being invited to events, being kept up to date and to take part in experience and engagement tasks. We will only do this if you have indicated an interest in being invited to the group.

Your personal information will be stored electronically in a database. Only members of the Patient Experience Team will have access to this information. If you are actively involved in the group and its related activities, we will collect and process personal confidential data which you share with us. We will ask for your name, address, contact email and phone number. We will also use your information for any involvement activities you would like to take part in. These activities could include feedback events, the ’15 steps’ challenge or surveys.

We may contact members from a specific demographic for a focused service improvement group. For example, we may wish to identify women who have or may use our Maternity Services.

You can opt out at any time by contacting [email protected]

NHS Patient Survey Programme (NPSP)

The NHS uses your information for the NPSP. If you are a patient of Milton Keynes University Hospital, your contact information may be used for the purposes of the NPSP. This is a task carried out under the public interest. Your data is used to produce anonymised reports which help us to make service improvements.

National Registries

National registries, such as the Learning Disability Register, have statutory permission under Section 251 of the NHS Act 2006 to collect and hold service user identifiable information without the need to seek consent from each individual.

Purposes for public engagement

To keep our patients, visitors and local community up-to-date, we may use your details to send you information that is relevant and of interest to you. This may also include opportunities to get involved in appropriate projects and campaigns.

Currently (as of April 2024), the Trust does not have a platform in place to send targeted information to members of the public. This is something the hospital is actively seeking to develop and further updates will be added to this section to outline how users’ information will be utilised.

We will only collect personal information that is appropriate and relevant, in line with the General Data Protection Regulation.

If you have any questions or concerns, please contact [email protected].

MKUH Membership

The Data Protection Act 2018 and the General Data Protection Regulation became law on 25 May 2018. From this date, we now need your consent to be able to hold your personal information regarding membership.

Personal data is information that can be used to identify you and other details about you. This may include your:

  • name
  • date of birth
  • address
  • contact details e.g. phone number or email address

This information is collected for the purposes of your membership.

We may ask you for optional sensitive personal data. This would be about your gender, ethnicity or disability. This is so we can make sure we are reaching people who represent the whole Milton Keynes community. Such information may help us when we are looking at service re-design and improvements. We will hold your data for the purpose of sending you information such as the members’ newsletter and about ways you can get involved with services or plans for the future. You have no obligations as a member, but there are lots of ways to be involved.

  • we won’t share your data with anyone else
  • we have a secure electronic database in which we store information about you
  • the database can only be accessed by MKUH membership staff

After recording your information in our database, we will keep any paper copies for 12 months. You can opt out at any time by replying ‘unsubscribe’ to any post or emailing [email protected]

We follow the NHS Employers Guidelines for recruitment of volunteers.

We collect and store the following:

This information is stored in both hard copy and electronic form. All recruitment information is stored in lockable offices which are only accessible by the Voluntary Services Department.

We will contact volunteers by telephone, email or letter. We will use your information to manage our volunteer vacancies and to help identify improvements to our service.

Information may be shared with other departments within the Trust, should it be required to enable you to carry out your volunteering role. We may also share your information with other third-party volunteer organisations that are on site, should you express an interest in joining them as a volunteer.

After seven years, all recruitment information is deleted and destroyed. A record of destroyed information is kept indefinitely.

During the course of its employment activities, MKUH collects, stores and processes personal information about prospective, current and former staff.

The scope of this staff privacy notice includes applicants, employees (including former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience, clinical placements, observerships and honorary contract holders.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What type of personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Personal demographics (including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, sex, sexual orientation, religion or belief)
  • Contact details such as name, address, telephone number and emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK)
  • Bank and pension details
  • Medical information including physical and mental health condition
  • Information relating to health and safety
  • Trade union membership
  • Offences, criminal proceedings, outcomes and sentences
  • Employee relations files (such as grievance, disciplinary, performance, sickness/absence)
  • Employment Tribunal applications, complaints, accidents and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.

Your information will not be processed overseas unless we inform you otherwise.

What are the purposes for processing staff data?

Sharing your information
We will share your information due to our obligations to comply with legislation or our duty to comply with any Court Orders which may be imposed.

Any disclosures of personal data are always made on a case-by-case basis, using the minimal personal data necessary for the specific purpose or circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

Retention Periods
The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DH retention period.

We will retain your information in line with the Department of Health Retention Schedule.

Use of Third Party Companies

To enable effective staff administration MKUH may share your information with external companies to process your data on our behalf. This is in order to comply with our obligations as an employer.

Employee Records; Contracts Administration (NHS Business Services Authority)

The information which you provide during the course of your employment; including the recruitment process, will be shared with the NHS Business Services Authority for maintaining your employment records held on the national NHS Electronic Staff Record (ESR) system.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Government Agencies

In order to comply with statutory requirements, we may be required to supply information about you and/or your employment/relationship with the Trust to central Government Agencies, departments or agents acting on their behalf (e.g. HMRC, DH, Home Office, DWP).

Payroll and Pensions Administration

Information will be shared with University Hospitals Birmingham NHS Foundation Trust (UHB) in pursuit of administering your pay and any associated pensions, under/overpayments.

NHS Streaming

Details may be transferred from this Trust to other NHS trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS organisation to another. The personal data shared includes: name, address, date of birth, national insurance number and registration details.

Lateral flow testing is being carried out with staff in the NHS, to help control and stop the spread of Covid-19.

Your data will be shared with Public Health England via a data upload to its portal on a daily basis.

Consent to share data will be given at the time of receiving the kit; every member of staff will sign the consent form.

The results from the lateral flow antigen test will be documented at home by the individual using the guidance provided in the staff instruction booklet. This should be returned to the staff member’s organisation for collation into the reporting template spreadsheet on a daily basis.

Legal basis is Article 6(1)(e) exercise of official authority:

9(2)(h) The condition is met if the processing is necessary for health and social care purposes – the provision of health care and treatment.

9(2)(i) Public health purposes