Your health records
When you receive treatment or a service from our hospitals, we collect information about you.
We take your confidentiality and privacy rights seriously. Our duty is to keep your information safe and accurate.
This information explains:
- what information we collect and hold about you
- why we collect your information and how it helps you and other patients
- why we might need to share it with other organisations involved in your care
- how we collect and use your information
- ways you can manage your data
Information we collect
We collect and hold personal information about you when you use or come into contact with our services.
This normally includes your name, date of birth, NHS number, contact details (such as address and telephone number), your religion, gender, ethnic origin, and information about your health and the care that you have received.
We might collect this information from you, family members or people involved in your care, and other health and social care services.
This information will be held electronically in our computer systems or occasionally in paper form, depending on the services you have accessed.
To support your healthcare, we collect the following information.
- Basic details about you (demographic information), such as your name, address, date of birth, next of kin and GP.
- Contact information such as telephone number (home and/or mobile) and email address, where you’ve provided for us to communicate with you by email and text.
- A record of dates when we've had contact with you. For example, attending an outpatient clinic, a visit to the emergency department (A&E) or a stay in hospital.
- Clinical notes made by our doctors and other healthcare professionals during these contacts. These may detail symptoms, allergies, medicines, diagnosis and treatment, along with any chronic (long-lasting) health conditions, such as diabetes or asthma, and results of the clinical examination by doctors and other healthcare professionals.
- Results of investigations, like blood tests, X-rays and scans, and results of observations such as your heart rate and blood pressure.
- Photographs, images (including 3D) and videos.
- Information from other health professionals that have been involved in your care or that have asked us to be involved in your care, such as your GP.
- Lifestyle information that may be clinically relevant, such as whether or not you smoke, use alcohol or use illicit drugs.
- Information about your occupation and home setting as this may be relevant to your medical condition.
- Your ethnicity, as this can be linked to certain medical conditions.
- Your religious beliefs, as this may affect how you wish to be treated in certain circumstances.
- Information from other people involved in your external care, such as a relative or someone who helps to care for you.
- Personal data about other people who are involved in, or may have an impact on your health and social care, for example family members, friends, people you live with, people who attend hospital with you and people who visit you in hospital.
Giving us your information
We need information about you to support the provision of your healthcare. The information you provide to us helps us to understand any conditions that you may have.
If you do not want to provide us with information, or do not want us to share it, then that is your choice, but please be aware that this could seriously affect the care we are able to provide. In some cases we may not be able to treat you at all.
If you have concerns about telling us something or us sharing something about you (for example, if we want to refer you to another service), please talk to the healthcare professional in charge of your care, and hopefully we will be able to reassure you if you have any concerns.
We always keep your information securely, and have strict rules about how it can be used.
Under the UK General Data Protection Regulations (GDPR) 2021 and Data Protection Act 2018 we are required to keep your health records secure and confidential.
Every member of staff working for, or with the NHS, has an individual duty to keep your information confidential. We will only share it with other organisations in strict accordance with the law and where this will help us in providing high quality care.
We also do our best to keep it accurate and up to date, so we'll often check it with you when you come to our hospitals or clinics. We try to keep information for your lifetime (or the longest time allowed by law) to give you continuity of care.
We expect all our partner organisations to apply the same strict security to your records as we do, and we make sure that those restrictions are in place before sharing any information. We only share your information in strict accordance with the law.
How long we keep your information
The minimum length of time we keep your information depends on what sort of information it is and the purpose we have collected it for.
We follow the guidance provided in the Records Management Code of Practice 2023: NHS Innovation to support our actions in relation to records management, including retention periods. The Code is based on current legal requirements and professional best practice. We keep our records for at least the minimum stated required retention period.
Any extension to minimum levels are requested by relevant clinical leads to these minimum periods are approved based on a case by case basis.
We aim to provide you with high-quality, safe care. We use your personal information to:
- arrange and provide you with the best possible care
- inform decisions that we make about your care
- make sure your treatment is safe and effective
- work effectively with others who may be involved in your care, such as your GP
Sometimes we use other organisations to help us do this, some of which are international, and we have strict contracts in place to protect your information.
Doctors and other healthcare professionals create and keep a detailed record of your clinical care to provide a continuous record about your past and current health, because this helps to guide and manage the care you receive.
Your information may be used for clinical audit, where the team involved in your care will check the quality and results of the treatment provided. Your information may also be used to investigate incidents and complaints.
Using your data to improve our care
We may use information about you, and your healthcare, to improve the care that we provide to all patients. For example, to help us to:
- review the care we have given to our patients, helping us to ensure that it is of the highest possible standard
- report on how effective our services are or have been
- investigate complaints, legal claims, and untoward incidents
- look after the health of the general public
- plan services to meet patient needs in the future
- improve patient care and outcomes by reviewing and monitoring using certain criteria, and identifying areas where improvements could be made
- ensure that funds allocated to our Trust are used properly and provide value for money
- educate and train healthcare professionals
- undertake research (the local research and development and if necessary the Human Research Authority will be asked to review research requests)
- prepare statistics on our performance
We also take part in national schemes which collect data from NHS organisations all over the country. The department where you are being treated will give you information about any local or national schemes that we are participating in for the type of care that you are receiving.
When information is shared outside the team that cared for you, we take out any details that would identify you, unless we have another legal basis, your permission (consent) or specific authority from the Secretary of State for Health or the Health Research Authority via the Confidentiality Advisory Group (CAG).
Legal ways we can use your data
Guy's and St Thomas' NHS Foundation Trust uses personal data as part of our official authority identified in the Health and Social Care Act 2012, because it is necessary for providing care and treatment, and for managing our healthcare systems and services.
Sometimes, Guy’s and St Thomas’ may ask for your permission (consent) to use your data for other purposes. This will be made clear to you at the time and is separate from our primary purposes and consent that may be required for certain types of treatment or other NHS services offered to you.
As providers of health or social care, treatment or the management of health or social care systems and services, we are allowed to process your information on the legal basis UK GDPR Articles 6 (Personal Data) and Article 9 (Special Category Data).
The Trust meets the legal requirements because it’s our job to provide healthcare and, depending on the activity, other legal bases may apply, for example:
- to support safeguarding children and vulnerable adults
- to carry out obligation as an employer
- to protect an individual's vital interests (protect someone's life)
- to support research
- to comply with a legal obligation
- image recording (not for direct healthcare), eg CCTV, BWV, ANPR
There may be instances where we ask for your consent to process your information for a different purpose covered in this notification if another legal basis does not apply. If this is the case you can expect that your agreement will be sought before any such use.
You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for data protection in the UK.