Data privacy notice and your health record

How do we protect your health record?

Croydon Health Services NHS Trust is the data controller for the information you give us, kept in your health record. 

The Trust is responsible for ensuring that your information is managed according to your data protection rights. The following privacy notice explains how your information is used along with the rights you can exercise in relation to your information.

What information the Trust holds about you

If you are a patient of the Trust as an outpatient (attending a clinic), an inpatient (for an operation or tests), an emergency (attending through accident and emergency) or as a patient visited in your own home we collect information about you to make sure you receive the right treatment and healthcare. The information we hold includes information you have given us, or information provided by other people involved in your care. This personal information includes your contact details your name, date of birth, details of the care and treatment you receive, results of investigations and tests and any other relevant information about your health and healthcare needs, this information is stored in your health record.

How your health record is used and kept secure and confidential

Your health record is used to make sure health professionals involved in your care can provide you with the best possible healthcare and treatment; to check the quality of care you receive (known as clinical audit) and to help investigate any concerns or complaints you or your family have about your healthcare.

Information about you is kept confidential and used by staff involved in your treatment and care. The people involved in your care may include doctors, nurses, therapists, technicians and administrative staff. All staff follow strict rules on confidentiality. There may be occasions where we need to discuss information about you with your partner or family. We limit the information we share to ensure you receive the right care.

The Trust uses a variety of technical measures to keep electronic health records secure with access limited to those who involved in your care and treatment.

Information in your health record can also be used for other NHS purposes and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Croydon Health Services NHS Trust is compliant with the national data opt-out policy (from 1st January 2021).

Information shared with other organisations and partners

Sometimes your care may be provided by other organisations the Trust is working with in partnership. You can find out more about partnership working from: www.croydonhealthservices.nhs.uk/partnership-working  or visit the Patient Advice and Liaison Service (PALS) We only share information with partners to meet your healthcare needs where you have not objected.  Your hospital health record will be available to your doctor (at your GP practice) through a secure system known as 'Connecting Your Care' resulting in faster, up to date information that can help to speed up your care and treatment when you need it. You can find out more about 'Connecting Your Care' what information is shared and which organisations are part of Connecting Your Care here

Where required by law the Trust must share information with other organisations, for example; help prevent or detect crime and safeguard children or vulnerable adults, notify births, deaths and infectious diseases. 

The Trust uses other organisations to help deliver healthcare, these other organisations are known as data processors they work under contract and process patient information under written instruction from the Trust. Any organisation used as a data processor by the Trust has the same legal duties towards patient confidentiality and data protection.

Patient surveys 

We (the Trust) may use your contact details to request your help in completing surveys and questionnaires. Your views and comments can help shape and improve the services we deliver to make them even better. We value your time and effort in completing any survey and hope that by working together we can continue to deliver the best possible services to patients.

The legal basis for using your data

The Trust uses your information as a provider of health services, to provide healthcare and treatment, to manage healthcare systems and services and for ensuring high standards of quality and safety. Where the use of your information falls outside these areas we will inform you in advance. 

How long your information is kept and held

Your information is kept according to national guidance and any legal obligations. Guidance published for NHS organisations called the Records Management Code of Practice for Health and Social Care describes how long the Trust keeps health records. The length of time information is kept varies. You can find out more from the retention schedule here.

Your right to have data corrected

We want to make sure your records are accurate and up-to-date.  You have the right to ask us to rectify and correct any information if there is an error in your health record. To correct any information or to let us know if you have any concerns about the accuracy of your information contact PALS  or the Trust’s Data Protection Officer.

Your right to object to processing

If you believe you have a good reason for wanting to object to the use of your health record and want to object you should contact us using our contact details.You can find out more about your right to object by visiting the ICO right to object .

Your right to access your health record

From September 2022 you can access your health record, including your outpatient hospital appointments, associated letters and a selection of results via our 24/7 online patient access system called - MyCare Croydon Health Services. Please see here to read more.

If you can't find the information you need on MyCare portal you can still ask to see a full copy of your health record, to do so please contact the subject access Team using the contact details below. We recommend that you first read the Application Form & Guidance before contacting us. Completing an application form to access your record is not essential but will make it easier for you to provide the information needed to process your request. 

Application Form & Guidance SARs Nov 2018 

A completed application form will help us to respond to your request efficiently, alternatively you can phone us or send an email with the details of your request.

To protect the privacy of your health record you will need to provide us with proofs of your identity. The guidance and application form describe the information you need to provide to us in support of your request.

We acknowledge all requests received and will provide a response within a calendar month.

Application forms are also available from the main reception at Croydon University Hospital, our contact details are:

Subject Access Team
Croydon Health Services
Woodcroft Wing, HQ Offices
530 London Road
Croydon CR7 7YE

Email: CH-TR.infogov@nhs.net

Tel: 020 8401 3000 ext. 3475 or 4049

You can only access other people’s medical records with their written consent or if you have proof that you have a legal right of access, for example; a Power of Attorney or Court Order.

If you are asking to see the health records of someone who has died, under the  Access to Health Records Act 1990 you will need to prove that you are the patient’s legal personal representative or that you have a claim arising from the death.

If you are asking to see your child’s records, you can only do so if you have legal parental responsibility.  Depending on the age of your child and their capacity to understand the request, we may also request confirmation that your child has understood and consented to your request.  The best interest of the child is paramount at all times and may, on occasion, mean that we limit or even refuse your request to access your child’s health record.

Please note that if you access MyCare using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the 'controller' for any personal information you provide to otain or acces your NHS login account and verify your identity. NHS Digital uses that personal information solely for the purpose of providing and validating your access to your NHS login account, for this personal information, the Trust is a “processor” and must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. 

To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to the Trust separately.

How to contact us

If you have any questions, comments, concerns about your information rights or want to make a complaint about your health information you can contact the Data Protection Officer who has responsibility to ensure the protection of your information in accordance with your rights. Alternatively you can contact PALS   or write to the Caldicott Guardian at: Caldicott Guardian, Medical Director’s Office, Croydon Health Services, Trust HQ,  Woodcroft Wing, 530 London Road, Croydon CR7 7YE.

Our Data Protection Officer can be contacted by email at: CH-TR.dpo@nhs.net or by post at: Data Protection Officer, Information Governance, Croydon Health Services, HQ  Woodcroft Wing, 530 London Road, Croydon CR7 7YE.

After contacting us, if you still have concerns about your personal information and want to make a complaint to the supervisory authority or find out about your information rights, contact the Information Commissioners Office at: ico.org.uk