Privacy Notice – Diabetes Research Registry

Introduction

Our research participants are very important to us and we are constantly striving to improve the service they receive, through looking at the ways we work and ensuring our staff are highly trained. As a Trust, University Hospitals of Leicester NHS Trust, we encourage research which allows us to offer our patients the latest technologies, techniques and medicines – and attract and retain our enviable team of more than 15,000 highly skilled staff.

We are one of the biggest and busiest NHS Trusts in the country, serving the one million residents of Leicester, Leicestershire and Rutland – and increasingly specialist services over a much wider area.

Our vision is clear: to be leading in healthcare and trusted in communities. The values we hold as we work towards our vision are vital:

  • We are compassionate,

  • We are proud,

  • We are inclusive, and

  • We are one team.

Our service users are at the heart of all we do and we believe that  our vision and values are  not just  about the treatments and services we provide, but about giving everyone who interacts with the hospital the best possible experience. That is why we are proud to be part of the NHS and we are proud to be Leicester’s Hospitals.

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

This privacy notice applies to personal information processed by or on behalf of the Trust. This Notice explains:

✓   Who we are, how we use your information and who our Data Protection Officer (DPO) is

✓   What kinds of personal information about you we process

✓   What the legal grounds for our processing of your personal information are (including when we share it with others)

✓   What you should do if your personal information changes

✓   How long we retain your personal information

✓   What your rights under data protection law are

The EU General Data Protection Regulation (EU GDPR) became law on 24 May 2016 and later replaced by UK GDPR on 14th October 2020 as a result of UK exit from EU. This is a single UK-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (UK) 2020/679) (the "GDPR"), and the Data Protection Act 2018 (currently in Bill format before Parliament).

University Hospitals of Leicester NHS Trust is a registered “Data Controller”, Information Commissioner Office (ICO) registration number Z7882087. We collect and process personal information about you. This notice explains how we use and share your information. Information may be collected in the following formats - paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the “last updated” date as documented in the version control section.

Why we collect information about you

We need information about you so that we can contact you to share opportunities about diabetes research in which you may be interested in taking part. We will contact you using the details you provide to inform you of diabetes research you may be interested in participating in and you have the option to make contact.

For processing to be lawful under the UK General Data Protection Regulation (UK GDPR) we need to identify a legal basis before we can process personal data. These are often referred to as the ‘lawful basis for processing’.

The identified legal basis for University Hospitals of Leicester NHS Trust to process healthcare data  is:

‘6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

The type of data we process (health data) is known as a ‘special category data’. The identified legal basis for University Hospitals of Leicester NHS Foundation Trust to process healthcare data is:

‘9(2)(h) Necessary for the purposes of preventative or occupational medicine, for medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under supervision of health professionals who in the circumstances owes a duty of confidentiality under and enactment of rule of law’.

This is the lawful basis for processing the health data that we collect to provide care directly to each patient, and the data that we collect for managing and planning our services to you.

What information we collect about you

For the purposes of registering your interest in receiving information of diabetes research we will only collect minimal data about you. This comprises:

✓     First name

✓     Last name

✓     Email address

✓     Preferred contact number

✓     NHS Number

✓     Year of birth

✓     Do you have: drop down menu to choose:

  • Type 1 diabetes

  • Type 2 diabetes

  • Pre-diabetes

  • At risk of type 2 diabetes

  • Gestational diabetes

  • Post weight loss surgery

  • Other (please state)

✓     How did you hear about us? Drop down menu to choose:

  • Website

  • Social media

  • Poster

  • Event

  • Other, please state:

What are the different types of data?

According to the UK General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person. An identifiable person may be someone who can be identified directly or indirectly.

Sensitive Personal Data relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.

Pseudonymised data takes the most identifying fields within a database and replaces them with artificial identifiers or pseudonyms. For example, a name is replaced with a unique number.

Pseudonymised data is not the same as anonymised data. When data has been pseudonymised it  still retains a level of details in the replaced data that should allow tracking back of the data to its original state.

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information as it changes it from personal data to statistical data. Where possible, University Hospitals of Leicester NHS Trust uses and shares anonymised data instead of identifiable data to protect the confidentiality of the subjects involved while still being able to plan services.

For the purposes of registering your interest in receiving information about upcoming diabetes research studies we will only collect the data outlined above.

This information is taken so that we can offer you the best care available and tailor it to your needs.  It is kept securely and only those with a need to see it are allowed access.

We will not share identifiable information regarding your health with other agencies and organisations, including other healthcare providers. We will share anonymised reporting within the Trust, as well as with the Clinical Research Network as funders in the project. This work is completed in accordance with Data Protection law, and will have had any information that identifies you removed.

How long will we store your information?

For the purposes of registering your interest we will contact you on an annual basis to ask you if you would like to remain on our register. If you do not respond, or choose to withdraw your consent, your data will be permanently deleted from our digital register. No paper copies of the database will be retained or stored.

Why we collect information about ethnicity

We do not collect information about your ethnicity for the purposes of registering your interest in receiving information about diabetes research studies

How we use your information

We will use the information you provide in a manner that conforms to the UK General Data Protection Regulation and which is supported by the Data Protection Act 2018. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary.

The data you have provided for registering your interest in diabetes research activities will not be used for any other purpose than to share opportunities for you to participate in diabetes research run by University Hospitals of Leicester NHS Trust.

Is any information transferred outside the European Economic Area

Information given to us for the purposes of registering your interest will not be transferred outside the European Economic Area.

How we protect your information

We understand the personal and sensitive nature of your information. In addition to the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA18) everyone working for the NHS is subject to the Common Law Duty of Confidence. Staff are required to protect your information under the NHS Confidentiality Code of Conduct and must inform you how your information will be used and allow you to decide if and how your information can be shared.

We may use external companies to process personal information such as for archiving or destruction of data. These organisations will be bound by contractual agreement to ensure information is kept confidential and secure in compliance with the UK GDPR/DPA18.

Who else might see your information?

The data you have provided for registering your interest in diabetes research will not be used for any other purpose than described above, therefore no one else will see your information.

We will not disclose your information to a third party unless there are exceptional circumstances, such as when the health and safety of others is at risk or if the law requires us to pass on such information.

Information sharing in the NHS

Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of service users.

The Trust co-ordinates the sharing of information through the use of official Information Sharing Agreements to ensure that data is handled in accordance with the framework. This framework ensures that the responsibilities of the owner of the data (Controller) and the party processing the data (Processor) are set out, what will happen in the event of a confidentiality breach and who takes responsibility for this.

Patient control of information

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt-out of the NHS or other organisations using your information. If you wish to do this please contact the Trust via the contact details highlighted below:

Data Protection Officer- Saiful Choudhury Email: saiful.choudhury@nhs.net

We do however need to remind you that we may not be able to provide you with this service or be able to undertake the appropriate care needed unless we have enough information about you, or your permission to use that information.

Your rights

Correcting inaccurate information

We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you. If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. If you wish to have any inaccurate information altered, please click here to contact the Patient Information and Liaison Service:

https://www.uhleicester.nhs.uk/patients-visitors/support/feedback-complaints/pals/

Accessing your information held by University Hospitals of Leicester NHS Trust

You have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request. For more information please click here:

https://www.uhleicester.nhs.uk/patients-visitors/commitment/health-records/

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust that is deemed to be in the public interest. Your request for information must be made in writing and you are entitled to a response within 20 working days. For more details on submitting a Freedom of Information request please click: 

https://www.uhleicester.nhs.uk/foi/about-freedom-of-information/

Complaints

Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please click here:

https://www.uhleicester.nhs.uk/patients-visitors/support/feedback-complaints/pals/

Should you have any concerns about how your information is to be used having read this Privacy Notice, you wish to request the notice in another accessible format or if you do not wish your information to be shared by University Hospitals of Leicester NHS Trust then please contact the Trust here:

https://www.uhleicester.nhs.uk/patients-visitors/support/feedback-complaints/pals/ or email:  uhl-tr.pals@nhs.net

The NHS is introducing a tool so that people can opt out of their confidential patient information being used for reasons other than their individual care and treatment. This service is available through NHS Digital – National Data Opt-Out programme. Further details can be found at the following link:

https://digital.nhs.uk/services/national-data-opt-out-programme

There may be circumstances where we are legally obliged to share your personal data with other third parties, for reasons such as safeguarding purposes or a court order. In such cases you will not be able to opt out of data sharing.

If you are not happy with our responses and have exhausted all the avenues in the University Hospitals of Leicester NHS Foundation Trust’s process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office.

Contact information and further advice

If you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described, please contact:

Data Protection Officer- Saiful Choudhury Email:  uhl-tr.infogov@nhs.net

For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:

The Information Commissioner Wycliffe House

Water Lane Wilmslow Cheshire SK9 5AF

Telephone number 0845 306 060 or 01625 545 745 Website: www.ico.org.uk