How we use and protect your personal information for patients

How we use and protect your personal information as a patient under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). 

Privacy Notice – Patient Records 

Updated December 2024 

Bolton NHS Foundation Trust provides patient care in the community at health centres and clinics as well as services such as district and school nursing. We also provide services at the Royal Bolton Hospital. 

Information about you, your medical treatment and family background may be held on both paper and computers, as part of providing you with health services. 

This information is vital to the proper operation of the Trust and is needed to give you and others the best possible healthcare. 

We will also ensure that your full information is available if you see another doctor, or are referred to a specialist or another part of the NHS. 

Any correspondence you send to us may also form part of your health record. 

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health.  

The organisation responsible for processing your data is Bolton NHS Foundation Trust.   

The teams of hospital and community professionals caring for you need to keep records about your health and any treatment and care you have received. 

Your health records help to ensure you receive the best possible care. 

Your doctor, nurse and the team of health & care professionals caring for you keep records about your treatment and care both on paper and electronically.

These include, but are not limited to:

  • Personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin. 
  • Contact we have with you e.g. hospital admissions, outpatients/clinic appointments and home visits. 
  • Notes and reports by health and care professionals about your health, GP details etc. 
  • Details and records about your treatment and care. 
  • Results of x-rays, laboratory tests, and any other tests.  
  • Relevant information about people that care for you and know you well. 
  • Basic details about associated people e.g. children, partners, carers, relatives etc.  

This information may be given to us directly by you. We may also hold information relating to your direct care which has been provided to us by third parties, such as referral information from your GP, Optician or from other bodies such as schools.  

Your health records are used to make sure that the teams of health and social care professionals caring for you have accurate and up to date information about your medical condition and circumstances.  

We will also manage your records with clear retention periods under the NHS Records Management Code of Practice for Health and Social Care.

A copy of the code is available here. 

Information collected about you to deliver your health care is also used to assist with:  

  • Making sure your care is of a high standard.  
  • Using statistical information to look after the health and wellbeing of the general public and planning services to meet the needs of the population.  
  • Assessing your condition against a set of risk criteria to ensure you are receiving the best possible care.  
  • Preparing statistics on our performance for the Department of Health and other regulatory bodies.  
  • Helping train staff, support research and conduct surveys to maintain the quality of our services.  
  • Supporting the funding of your care.  
  • Reporting and investigation of complaints, claims and untoward incidents.  
  • Reporting events to the appropriate authorities when we are required to do so by law 

All members of staff working in the NHS and other healthcare organisations have a legal duty to keep information about you strictly confidential (unless in extreme circumstances where your safety or that of others is compromised). 

The NHS has a code of confidentiality which all staff must adhere to. 

We also keep all paper and electronic records securely to prevent unauthorised access in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. 

The law and your personal information 

There are many government policies and Acts of Parliament which require the Trust to report certain personal information to other organisations. 

The Trust will not disclose personal information about you without your permission, unless required by law to do so, such as: 

  • When a baby is born.
  • When a death occurs.
  • When a court order has been issued.
  • At the request of the Coroner.
  • When an infectious disease is diagnosed.

We will also share relevant information about you to: 

  • Assess and plan the type of care or treatment you need.
  • Provide up to date information to other health and social care organisations involved in your care.
  • Keep your GP fully informed.
  • Share with external organisations for the purposes of continuity of your care and wellbeing when appropriate.
  • Review and audit the quality of the services we provide.

Data Protection laws give individuals rights in respect of the personal information that we hold about you. These are:

Right to be informed

The information we supply about the processing of personal data must be:

  • Concise
  • Transparent
  • Intelligible and easily accessible
  • Written in clear and plain language
  • Free of charge

Right of access

You can find out if we hold any personal information by making a ‘subject access request’ under the DPA 2018. If we do hold information about you, we will:

  • Give you a description of it
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy of the information in an intelligible format

Right to rectification (correction)

You are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.

We have one month to respond to a request for rectification. This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.

Right to erasure (to be forgotten)

The right to erasure does not provide an absolute ‘right to be forgotten.’ You have a right to have personal data erased and to prevent processing in specific circumstances.

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When you withdraw consent
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e., otherwise in breach of the DPA 2018 and UK GDPR)
  • The personal data must be erased to comply with a legal obligation
  • The personal data is processed in relation to the offer of information society services to a child

This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • To exercise the right of freedom of expression and information
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority
  • For public health purposes in the public interest e.g., archiving purposes in the public interest, scientific research, historical research, or statistical purposes
  • The exercise or defence of legal claims

Please note that the right to be forgotten does not apply to special category data i.e., medical records.

Right to restrict processing

We will be required to restrict the processing of personal data in the following circumstances:

  • Where you contest the accuracy of the personal data, we should restrict the processing until the accuracy of the personal data has been verified
  • Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests) and we are considering whether we have legitimate grounds to override your rights
  • When processing is unlawful, and you oppose erasure and request restriction instead
  • If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim

We will continue to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.

Right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • To personal data you have provided to the Trust
  • Where the processing is based on your consent or for the performance of a contract and when processing is carried out by automated means.

Right to object

You must have an objection on ‘grounds relating to your particular situation’ to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no grounds to refuse.

You have the right to object to the following:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics

Sometimes, we leverage the support of artificial intelligence to assist our clinical teams in diagnosing our patients. This advanced technology enhances our ability to provide accurate and timely diagnoses, ultimately improving patient outcomes and streamlining the diagnostic process. By integrating AI into our healthcare practices, we can offer more precise and efficient care to those in need.

Artificial Intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think and learn like humans.

AI can help a Health and Care professional to reach a decision about your care, e.g. diagnosing a condition you have or to help you in choosing treatment options.

Decisions will not be made solely by the AI system; Health and Care professionals will always review and provide you with advice, allowing you to make the final decision on the care and treatment you receive.

We will stop processing the personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
  • The processing is for the establishment, exercise, or defence of legal claims.

We do not carry out profiling and/or automated decision-making. This is documented in our data protection policy.

For further information please contact the Information Governance Team.

The National Data Opt-Out was introduced to give you, the patient, a choice on how your confidential patient information is used for purposes beyond your individual care.

The information that the opt-out applies to is special category data as it includes information about your health care and/or treatment that has been collected as part of the care we provide for you.

As a patient you can set or change your National Data Opt-Out choice using an online or contact centre service. When you set a National Data Opt-Out, it is held in a repository on a national database against your NHS number.

In accordance with your wishes and National Data Opt-Out policy, we, as a health and care organisation located in England, are required to apply National Data Opt-Outs when applicable to a use or disclosure of confidential patient information for purposes other than your care or treatment.

Applying the opt-out to a data use/disclosure requires that we check, by using the NHS numbers of patients, whether a patient has registered an opt-out before the data is used/disclosed. 

To do this a separate list of the NHS numbers in the data that is going to be used/disclosed needs to be created. 

The list of NHS numbers is then submitted to the Check for National Data Opt-Outs service via the secure Message Exchange for Social Care and Health (MESH) messaging service. The Check for National Data Opt-Outs service is an external service provided by NHS Digital. The service checks the list of NHS Numbers against a list of opt-outs created from the repository on the NHS Spine. Where a match is found, it removes the NHS number from the list and then returns an updated list of NHS numbers (with opt-outs removed) back to us via MESH.

We then match the updated list of NHS numbers against our original set of data that was going to be used/disclosed and remove the entire record for those patient records where the NHS numbers match. This creates a ‘cleaned’ set of data with opt-outs applied that we can then use/disclose. 
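
The matching steps described above can be sketched in Python as follows. This is an added illustration, not the Trust's code or that of the Check for National Data Opt-Outs service: the record layout, field names and sample NHS numbers are constructed, and the MESH transfer itself is not shown. Removing records whose NHS number is missing or fails the standard Modulus 11 check is an assumption made here, so that nothing that could not be checked is used or disclosed.

```python
import re

def normalise(value):
    """Return the 10-digit NHS number, or None if it fails the Modulus 11 check."""
    digits = re.sub(r"[\s-]", "", value or "")
    if not re.fullmatch(r"\d{10}", digits):
        return None
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11          # a result of 11 becomes 0
    if check == 10 or check != int(digits[9]):
        return None                         # 10 is never a valid check digit
    return digits

def build_check_list(records):
    """The separate list to submit: valid NHS numbers only, deduplicated."""
    return sorted({n for r in records if (n := normalise(r.get("nhs_number")))})

def apply_returned_list(records, submitted, returned):
    """Keep whole records only if their NHS number came back from the check."""
    returned = set(returned)
    if returned - set(submitted):
        raise ValueError("returned list holds NHS numbers that were never submitted")
    kept, removed = [], []
    for r in records:
        (kept if normalise(r.get("nhs_number")) in returned else removed).append(r)
    return kept, removed

# Constructed sample data (field names are assumptions made for this example).
RECORDS = [
    {"nhs_number": "943 476 5919", "clinic": "A"},
    {"nhs_number": "9990000018", "clinic": "B"},
    {"nhs_number": "9990000026", "clinic": "C"},    # treated below as opted out
    {"nhs_number": "9990000019", "clinic": "D"},    # wrong check digit
    {"nhs_number": None, "clinic": "E"},            # no NHS number recorded
    {"nhs_number": "999-000-0018", "clinic": "F"},  # same patient as B
]
SUBMITTED = build_check_list(RECORDS)
# Constructed stand-in for the list returned with opt-outs removed.
RETURNED = ["9434765919", "9990000018"]

if __name__ == "__main__":
    kept, removed = apply_returned_list(RECORDS, SUBMITTED, RETURNED)
    print("submitted:", SUBMITTED)
    print("kept:", [r["clinic"] for r in kept])
    print("removed:", [r["clinic"] for r in removed])
```

Only NHS numbers leave the dataset for the check, and a returned list containing a number that was never submitted is rejected rather than applied.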

To find out more information about the National Data Opt-Out please visit https://www.nhs.uk/your-nhs-data-matters/ 

If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected.

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

Data Protection Officer

Bolton NHS Foundation Trust,

Minerva Road, Farnworth, Bolton, BL4 0JR

Tel: 01204 390 861

Email: Information.Governance@boltonft.nhs.uk

Right to lodge a complaint with a Supervisory Authority

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

The ICO can be contacted at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

https://ico.org.uk/

We may use your details to contact you with regards to patient satisfaction surveys relating to services you have used within our Trust. This is to improve the way we deliver healthcare to you and other patients. 

At any time you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you and could include delays in receiving care.

The Greater Manchester Care Record is a vital digital resource for the city region’s 2.8m citizens, that is used to help improve health and care services and save lives.

It brings together your information from NHS and care services across all 10 Greater Manchester boroughs into one joined up record, so that your information can be accessed by frontline health and care workers, wherever you receive your care.

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.

You can get more information from here
