The Hospital is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows: St Joseph’s Hospital, Harding Avenue, Malpas, Newport, NP20 6ZE

Data protection Officer (DPO) details

The hospital has a DPO who is responsible for ensuring independently that we apply the laws protecting your personal data. 

Tania Palmariellodiviney, Data Privacy Simplified Ltd, 31 Rooksmead Bedford, MK41 7QX
Mobile: 07384 780 865
Web: dataprivacysimplified.co.uk
Email: tania@dataprivacysimplified.co.uk

In relation to your personal data, we will comply with data protection law. This says that the personal information we hold about you must be:

• Processed fairly, lawfully and in a clear, transparent way
• Collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes
• Only used in the way that we have told you about
• Accurate and up to date
• Kept only as long as is necessary for the purposes we outline
• Processed in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed
• Kept securely

Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.

We hold many types of data about you:

• Name
• Address
• Date of birth
• Email address
• Phone numbers
• Banking or financial information
• Gender
• Marital status
• Next of kin and their contact numbers
• Personal medical or health information, including past medical history
• Information concerning examination and treatment at your first and subsequent visits
• Letters of referral to or from the Hospital regarding your treatment with us.

In some cases, there are "special categories" of more sensitive personal data which require a higher level of protection, such as information about a person's health or sexual orientation. You would be prior informed if any of this information was required.

• Health
• Sex life
• Sexual orientation
• Race
• Ethnic origin
• Religion
• Genetic and biometric data

We will only use your special category data:

• When relevant, required and for sole use for medical and caring grounds
• To ensure the care you receive at the Hospital is appropriate to your condition
• To determine reasonable adjustments that should be made for access to the Hospital or to treatment

We must process special categories of data in accordance with more stringent guidelines. We will process special categories of data only when the following applies:

• You have given explicit consent to the processing (on our consent form)
• We must process the data to carry out our legal obligations
• We must process data for reasons of substantial public interest

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

Where we are seeking consent from you for the processing of your personal data, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

We collect data about you in a variety of ways and this will usually start when you make an enquiry to the Hospital and continue when you attend your first and subsequent appointments. At this Hospital, we keep paper and electronic records. Information we write down on paper may be transferred to our electronic system. 

We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the Hospital.

Personal data is kept electronically in the Hospital in our customer management systems called Compucare, NovaPacs and our electronic record store. All of these are hosted in a secure on-site location with back up and disaster recovery policies in place. All Physical copies are held in our Records department by our Record keeping staff. All data is governed by legal dates for expiry and more information can be acquired through contacting our Medical Records team via email at records@stjosephshospital.co.uk

The UK GDPR requires us to have a legal basis to justify any processing of personal data. Most commonly, we will use your personal information in the following circumstances:

• In order for us to carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) which will include confirming appointments, informing you of changes to appointments or Hospital arrangements, changes to facilities or services at the Hospital. The legal basis for this is contract.
• To provide you with the best possible treatment by recording health and treatment information which would be in your best interest. The legal basis for this is legitimate interest.
• To carry out legally required duties such as those required by me by my government appointed regulator. The legal basis for this is legal obligation.

Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and helping with medical research.We may use your personal information in these rare situations:

• Where we need to protect your or someone else’s interests
• Where it is needed in the public interest or for official purposes

One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. We may also be prevented from continuing with your treatment with us due to our legal obligations.

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. 

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Your data will be shared with colleagues within the Hospital but only where it is necessary for them to undertake their duties. This includes, for example, a doctor, nurse, carer or any healthcare profession involved with your care. 

Other members of support staff involved in your care, like medical secretaries. Your next of kin or anyone you have asked us to communicate with as an emergency contact. The NHS, other private sector healthcare providers, your GP, consultants and insurance companies.  

Third parties acting on your behalf in connection with legal proceedings.  

Our regulators, like the Care Quality Commission, Health Inspectorate Wales.  

Our third party service providers such as IT suppliers, actuaries, auditors, lawyers, document management providers and insurers.  

We may also share your data with third parties as part of a Hospital sale or restructure, or for other reasons to comply with a legal obligation upon us. We would always keep you informed of these situations.

There may be circumstances when we may need to share your personal data with a law enforcement authority, for example to the Police or Local authority of there are safeguarding or criminal reasons to share.  

We may share your data with bodies outside of the European Economic Area should the need arise. It is likely that this situation would be to share information regarding your treatment or ongoing care with healthcare practitioners in these countries in accordance with your wishes. However, we would not transfer your data unless we were assured that the country in question had data security and protection laws of equivalence to those of the UK and the European Economic Area. We have put the following measures in place to ensure that your data is transferred securely and that the bodies who receive the data that process it in a way required by EU and UK data protection laws.These measures are as follows:

•    Adequacy decisions: We may transfer your data to countries that the UK government has deemed to have an adequate level of data protection.
•    Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs): If the country does not have an adequacy decision, we will use contracts approved under UK GDPR, ensuring the same level of protection for your data as within the UK.
•    Transfer Risk Assessments (TRA): We may also conduct a risk assessment to evaluate the protection your data will receive in the destination country, ensuring it is consistent with UK GDPR requirements.

We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with UK GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. Documentation on this is available on a written or emailed request to: GDPR@StJosephsHospital.co.uk

In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your being a patient with us and we are legally required, by the Physiotherapy regulator (CSP), to keep this data for eight years after your time as a patient has ended.  

At the end of this eight year period, we will conduct a review to determine the most appropriate way of handling the data (this may be destruction/deletion of the record, continued retention or archiving of the record). We actively maintain and update regularly a retention schedule that are also available upon request.

Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.

The law on data protection gives you certain rights in relation to the data we hold on you.

• The right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice. We also must inform you of any changes to how we use your data.
• The right of access. You have the right to access the data that we hold on to you. To do so, you should make a subject access request. Find out how to do this from our Medical Records dept.
• The right to rectification. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it.
• The right to erasure. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
• The right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
• The right to portability. You may request transfer the data that we hold on you for your own purposes.
• The right to object. You can object to how we use your data in certain situations, such as for direct marketing.
• The right to withdraw consent. Where we rely on your consent for processing, you can withdraw that consent at any time.

If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Records Manager at St Joseph’s Hospital, preferably in writing or download the below form.

https://www.stjosephshospital.co.uk/media/35oabbdq/subject-access-request-form.pdf 

No decision will be made about you solely based on automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so.

To withdraw consent, contact records@stjosephshospital.co.uk or write to GDPR Response Team, St Joseph’s Hospital, Harding Avenue, Malpas, Newport, NP20 6ZE

If you have any questions about this Privacy Notice or how we handle your information, please contact the Hospital’s Data Protection Officer. They can be contacted on tania@dataprivacysimplified.co.uk or in writing to:  Medical Records Department, St Joseph’s Hospital, Harding Avenue, Malpas, Newport, NP20 6ZE

You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO).

If you do wish to make a complaint to the ICO, here are their contact details:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://ico.org.uk

We use analytics software to view IP addresses of visitors to this website. We do so in order to reduce/prevent Click Fraud. We do so as a Legitimate Interest.

We do not connect IP addresses with other behaviour or data.

We're always looking at ways to improve St Joseph's Hospital - if there's any aspect of the website or our policies that causes you concern, please tell us and we'll investigate.

The ‘NJR Quality Data Provider’ scheme has been devised to offer hospitals public recognition for achieving excellence in supporting the promotion of patient safety standards through their compliance with the mandatory National Joint Registry (NJR) data submission quality audit process and by awarding certificates the scheme rewards those hospitals who have met the targets. We are pleased to share we have been award NJR Quality Data Provider for 22/23. View our certifcate here.