Routine direct care

Purpose

Direct care is a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering. It includes supporting your ability to function and improve participation in life and society. 

It also includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, and person satisfaction, including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team who have a legitimate relationship for your care. 

Direct care is care delivered to the you if you are a patient, most of which is provided at the trust's main hospitals. 

After you agree to a referral for care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about you, your circumstances and health will need to be shared with the other healthcare workers, such as the specialist or therapist. 

The information shared is to enable the other healthcare workers to provide you with the most appropriate advice, investigations, treatments, therapies and care.  

To meet our stated purpose, we must collect information about you. We will not always collect all the categories of data, but only what is relevant to your care and treatment with us. 

This could include:

  • who you are
  • where you live
  • your occupation
  • your family, your friends, your employers
  • your habits
  • your problems and diagnoses
  • the reasons you seek help
  • your appointments
  • where and when you are seen; who by
  • referrals to specialists and other healthcare providers
  • tests carried out here and in other health settings
  • investigations and scans, treatments and outcomes of treatments
  • your treatment history
  • the observations and opinions of other healthcare workers, within and without the NHS, as well as comments and notes reasonably made by healthcare professionals in the trust who are appropriately involved in your healthcare

We receive this information securely from your GP or other healthcare providers when you are referred to us. Only those that are involved in your direct care would have access to this information. 

Where you give us permission, we will access the Health Information Exchange (HIE)

HIE integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to a health or social care professional when required for the purpose of your direct care. 

If you are unable to give us permission because, for example, you are unconscious, we will assess whether under the circumstances it is reasonable and in your best interest to access your HIE record.

Where you are brought in by ambulance we will receive information from the ambulance trust about their observation and treatment of you. 

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1 (2) Health or social care purposes. 

Data Protection Act 2018 Schedule 1 (4) Research. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law. 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

We share a summary of your treatment with you GP, unless you ask us not to. When you ask us not to share information with your GP, we will consider whether there is a significant risk to you or others before deciding whether to agree. 

Other times we may share your information are: 

  • Where you agree to be referred to other healthcare providers, we will share only the necessary and relevant information with that healthcare provider in order for them to treat you. 
  • We may share some limited information with patient transport services where we are arranging for you to get to appointments or your home. 
  • We may share information with your local authority to support you in arranging social care support. 
  • Further specific details of who we share your personal data with, for example because of a specific legal obligation, are detailed in this privacy notice.  

Your information is shared with the HIE unless you have opted out. 

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may. 

The category of our processors are organisations who: 

  • provide our IT systems
  • provide some of our medical devices 
  • dispose of confidential waste (paper records, laptops or other IT equipment
  • provide some of our clinical service under contract with us

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Health regulation

Purpose

The Care Quality Commission (CQC) is an organisation established in law by the Health and Social Care Act 2012. 

It is the regulator for English health and social care services to ensure safe care is provided. It inspects and produces reports on all trusts in England. 

The law allows the CQC to access identifiable patient data as well as requiring the trust to share certain types of data with it in certain circumstances, for instance following a significant safety incident.  

We do not collect any additional personal data for this purpose, but may share any or all of the information we have collected as part of the routine direct care and emergency direct care privacy notices on this website.

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1 (2) Health or social care purposes. 

Data Protection Act 2018 Schedule 1 (4) Research. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law. 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

For our stated purpose, we will share information with the CQC

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team. 

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

This right does not apply to the sharing of personal data with the CQC, as we have a legal obligation to do so. 

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Research

Purpose

Clinical research, mainly clinical trials of medicines, is the key focus of our research activity. 

Our world class investigators and highly trained clinical research staff allow us to attract and host the latest national and international clinical trials and deliver them to international regulatory and ethical standards. 

We work with commercial, academic, medical charities, NHS and government department sponsors to deliver over 150 clinical studies at any one time. 

Our research activity works across a range areas. Our key strengths include: 

  • oncology 
  • haematology 
  • rheumatology 
  • cardiology 
  • infectious diseases 
  • transplant and immunology 
  • hepatology 
  • renal medicine 
  • gastroenterology 
  • dermatology 
  • child health 

We also host a significant academic research programme in collaboration with our main academic partner, University College London Royal Free Campus. 

We use your personal information to carry out health and social care research in the public interest. This means we have to demonstrate that our research serves the society as a whole, for example by improving existing services or introducing new treatments. 

You are not legally or contractually obliged to supply us with your personal information or to agree that information we already hold about you for care purposes, may be used for research purposes. 

Should you not wish information about you to be used for research, you can opt out via the national data opt-out programme, or by speaking to the clinical team who are treating you and informing them of your wishes. 

We will not:

  • share your identifiable data with third parties for marketing purposes 
  • sell your identifiable data 

Where you have agreed to the use of your information in a particular research project, the participant information leaflet would have been given to you as part of the process. 

This document will tell you what types of personal information we will use in connection with the specific research study or project you are taking part in and (where applicable) its sources. 

We will often get the necessary information directly from you. In other cases, we might already hold the required information due to the healthcare we provide to you. For information we are likely to already hold about you due to the care we provide, please refer to our main privacy notice for direct care

In situations where it has been impracticable to obtain your agreement, we will have sought approval from the secretary of state via the Confidentiality Advisory Group under section 251 of the National Health Service Act 2006 (‘CAG approval’). The Confidentiality Advisory Group provides independent advice on specific research projects which will use confidential medical information. 

Certain research studies also have to be approved by the Research Ethics Committees, which is another independent group that ensures all our research is ethical. 

In some instances, we will apply to the Health Research Authority who may approve that we can use pseudonymised information for research. 

Pseudonymised information is personal data which has had the identifiers removed, for example your name replaced with a research number and your data of birth changed to an age. 

Where there are other fields which will be able to identify you, these will also be appropriately pseudonymised.

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Article 9 (2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article89(1) [(as supplemented by section 19 of the 2018 Act)] based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

When you agree to take part in a research study, the information about your health and care may be provided to researchers running research studies at the trust and other third-party organisations. 

These external organisations may be non-commercial partners such as universities or other hospitals, or commercial companies involved in health and care research in this country or abroad. 

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may hold. 

The category of our processors are organisations who: 

  • provide our IT systems 
  • provide some of our medical devices
  • dispose of confidential waste (paper records, laptops or other IT equipment)
  • provide some of our clinical services under contract with us 

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

However, for the purpose of research, your rights to access, object, change, transfer and or delete/erase your information are limited. 

This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

For the purpose of research, your rights to access are limited. This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research. 

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team. 

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

If you withdraw your consent to participate in a research project, we may not remove all your data. 

We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and that publicly funded research meets its goals. 

To safeguard your rights, we will strive to use the minimum personal information possible following your withdrawal. 

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Safeguarding

Purpose

Some members of society are recognised as needing protection, for example children and adults with care and support needs. 

Safeguarding is the action that is taken to promote the welfare and protect children and adults from harm. 

If a child or adult is suffering or likely to suffer significant harm, professionals have a statutory responsibility to protect them. This statutory responsibility is enshrined within the Care Act 2014, Children Acts 1989 and 2004 and Social Care Act 2014.

Where there is suspected or actual safeguarding concerns, we will aim to get agreement to share information, but we will be mindful of situations where to do so would place a child or adult at increased risk of harm. 

We may share information without agreement if we have reason to believe there is good reason to do so, and that the sharing of information will enhance safeguarding. 

Read more information on safeguarding.

Safeguarding is covered in the following legislation guidance: 

•    The Mental Capacity Act 2005   
•    Section 47 of The Children Act 1989  
•    Section 18 Schedule 1 Part 2 of Data Protection Act 2018  
•    Section 45 of the Care Act 2014 

For children who are identified as a child in need, we are required to seek consent in regards to sharing information. The relevant guidance is covered in Section 17 Children Act 1989.

Please see our direct care privacy notice for details of the information we collect. 

We may use or share any of this information where it is reasonable and necessary to safeguard a child or adult. 

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1: 

(2) Health or social care purposes. 

(18) Safeguarding of children and of individuals at risk. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Or  

Article 6 (1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject. 

And  

Article 9 (2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. 

Or  

Article 9 (2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

We may share information with other NHS organisations, the local authority, police, or London-wide safeguarding teams where necessary

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may hold. 

We have no additional processors from those detailed in our direct care privacy notice for this purpose. 

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

CCTV and body worn images

Purpose

The trust has CCTV (closed circuit television) cameras installed in various locations across our buildings for the purposes of preventing and detecting crime, disorder, anti-social behaviour and the fear of crime by helping to provide a safer environment for those people who work for the trust, our patients, and visitors.  

A number of trust security staff and some clinical staff operate body worn video (BWV). 

These cameras process video images and audio data of members of the public and people who come into contact with these staff members. 

BWV will only be used after a warning has been given and only when an offence is being committed or likely to be committed. Once an incident is over, BWV will be turned off. 

Areas where fixed CCTV cameras and BWV is in place will be clearly marked by visible signage. 

Recorded footage is secure and encrypted, meaning that only authorised staff can access it. In the case of BWV, the operator will not be able to access the footage directly.

Images of you, where you are, what you do, and who you are with. Audio of what you say. 

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDRP). 

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1: 

(10) Preventing or detecting unlawful acts. 

(11) Protecting the public against dishonesty etc. 

(12) Regulatory requirements relating to unlawful acts and dishonesty etc. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Relevant law enforcement bodies and organisations. 

The trust uses the following processor: 

  • CCTV and BWV supplier (who provide the actual camera) 
  • external security company (who provide on-site security) 

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Reporting gunshot and knife wounds

Purpose

Patients may require treatment for injuries related to gunshot and knife wounds. In certain circumstances, we may need to share information with the local police force in order to safeguard you and others. 

Wherever possible, we will speak to you about this and ask you to agree, however, in limited circumstances, such as where asking for you permission is impractical or if the public interest outweighs patients’ rights to confidentially, personal data may be shared without your knowledge. 

We do not collect any additional personal data for this purpose, but may share any or all of the information we have collected as part of the routine direct care and emergency direct care privacy notices on this website.

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1 Schedule 1 (10) Preventing or detecting unlawful acts. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Article 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data  protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject domestic law. 

Under the Data Protection Act 2018

(Chapter 12) Schedule 1 - Special categories of personal data and criminal convictions etc Part 2 — Substantial public interest conditions, section 10 Preventing or detecting unlawful acts and/or Section 18 of that same chapter, Safeguarding of children and of individuals at risk.

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

Relevant law enforcement bodies and organisations. 

The trust does not use additional processors for the sharing of this information. 

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Emergency department patient feedback

Purpose

Patient feedback on our services is critical to allow us to provide better services and improve patient experience. 

Patients who have been treated at the Royal Free London’s emergency department will receive a conversational text message (SMS) where they will be asked to provide feedback on their experience.

Each data subject can then opt to respond to the survey to share their experiences of their most recent interaction with the Royal Free London. There is a 48-hour delay from discharge to receiving a text message. 

You can opt out of receiving text messages by scanning a QR code in the emergency department and completing the form which opens, or by emailing rf.patientexperience@nhs.net and stating you do not wish to receive a text message in regards to your emergency department visit. 

Finally, you can reply STOP when you receive the text message to prevent any further messaging being sent.

The personal data which is processed as part of this project will enable the Royal Free London to continue to improve patient services.

All feedback provided is anonymised when viewed by our staff, meaning the team that treated you will not know it was you who provided the feedback, therefore, please do not include personal information which might identify you in your responses as this may inadvertently allow you to be identified.

In order to meet our purpose above, we need to process information from you. 

This processing happens within a secure system and no human is able to link any of the information below to you as an individual:

  • gender — for equality monitoring
  • date of birth — to ensure you are over 18
  • mobile phone number — to send you a text message
  • emergency department as the location for treatment — to ensure only emergency department patients receive a text message
  • the feedback you provide — to allow us to monitor and improve services.

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is: 

Data Protection Act 2018 Schedule 1 (2) Health or social care purposes. 

Data Protection Act 2018 Schedule 1 (4) Research. 

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest. 

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law. 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may have.

The category of our processors are organisations who:

  • provide our IT systems

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team. 

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

There is 48-hour delay from discharge to receiving a text message. 

You can opt out of receiving text messages by scanning a QR code in the emergency department and completing the form which opens, or by emailing rf.patientexperience@nhs.net and stating you do not wish to receive a text message in regards to your emergency department visit. 

Finally, you can reply STOP when you receive a text message to prevent any further messaging being sent.

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Private patients

Purpose

Direct care is a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering. 

It includes supporting your ability to function and improve participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction, including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team who have a legitimate relationship for your care.  

Direct Care is care delivered to you if you are a private patient, most of which is provided through the Royal Free London Private Patients Unit and at the trust's main hospitals. 

After you agree to a referral for care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about you, your circumstances and health will need to be shared with the other healthcare workers, such as a specialist or therapist. 

The information that is shared is to enable the other healthcare workers to provide you the most appropriate advice, investigations, treatments, therapies and care.   

Where you receive treatment under the NHS, for example as an inpatient of the trust, or other NHS funded care, please also see our other privacy notices on this page

To meet our stated purpose, we must collect information about you. We will not always collect all the categories of data, but only what is relevant to your care and treatment as a private patient. 

This could include:

  • who you are
  • where you live
  • your occupation
  • your family, your friends, your employers
  • your habits
  • your problems and diagnoses
  • the reasons you seek help
  • your appointments
  • where and when you are seen; who by
  • referrals to specialists and other healthcare providers
  • tests carried out here and in other health settings
  • investigations and scans, treatments and outcomes of treatments
  • your treatment history
  • the observations and opinions of other healthcare workers, within and without the NHS, as well as comments and notes reasonably made by healthcare professionals in the trust who are appropriately involved in your healthcare

We may also collect financial information relating to cost of treatment, health insurance, and banking information for payment purposes.  

Where you give us permission, we will access the Health Information Exchange (HIE). HIE integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to a health or social care professional when required for the purpose of your direct care. If you are unable to give us permission because for example you are unconscious, we will assess whether under the circumstances it is reasonable and in your best interest to access your HIE record.  

Where you are brought in by ambulance we will receive information from the ambulance trust about their observation and treatment of you.  

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR). 

Our lawful basis for the purpose of processing data in our stated purpose, under GDPR, is:  

Data Protection Act 2018 Schedule 1 (2) Health or social care purposes. 

Article 6(1)(f) “Processing shall be lawful only if and to the extent that at least one of the following applies: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

These legitimate interests are to provide you with healthcare services as a private patient.

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law. 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

We share a summary of your treatment with you GP, unless you ask us not to. When you ask us not to share information with your GP, we will consider whether there is a significant risk to you or others before deciding whether to agree.  

  • Where you agree to be referred to other healthcare providers, we will share only the necessary and relevant information with that healthcare provider in order for them to treat you.  
  • We may share information with your local authority to support you in arranging social care support.  
  • Further specific details of who we share your personal data with, for example because of a specific legal obligation, are detailed in this privacy notice.   

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may.  

The category of our processors are organisations who:  

  • provide our IT systems 
  • provide some of our medical devices
  • dispose of confidential waste (paper records, laptops or other IT equipment)
  • provide some of our clinical services under contract with us

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule.   

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. 

You can access some information, such as information from your hospital record, hospital appointments, test results and messages from the My RFL Care Patient Portal. Read more information on how to do this

To access any other personal information we hold, please see our guidance on health records, or contact the access team at rf-tr.AccessRequests@nhs.net.  

You have the right to have inaccurate information about you corrected or incomplete information completed. 

This is not that same as disagreeing with a clinical observation or opinion and asking for this to be changed. If you disagree with a clinical opinion, you should discuss this with the team whose care you are under. 

To update your basic contact details or address, please contact the patient advice and liaison team

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The right to data portability does not apply to the processing of your personal data for this purpose. 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust’s clinical staff use tools to help assist in you diagnoses and treatment. However, the results are always reviewed and interpreted by an appropriately trained clinician who will have the final say in your diagnoses and treatment. 

The trust does not make any solely automated decisions about you. 

Applying for a job

Purpose

Our purpose for processing this information is to assess your suitability for a role you have applied for and to help us develop and improve our recruitment process. 

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary. 

The information we ask for is used to assess your suitability for employment. You do not have to provide what we ask for, but it may affect your application if you do not. 

We will use any feedback you provide about our recruitment process to develop and improve our future recruitment campaigns. 

All the information you provide during the recruitment process will be used to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary. 

We will not share any of the information you provide with any third parties for marketing purposes. 

The contact details you give us will be used to contact you to progress your application. We may also contact you to request your feedback about our recruitment process, but you do not need to provide feedback if you do not want to. 

We will use the other information you provide to assess your suitability for the role. 

In order to meet our purpose above and to protect your fundamental rights as an employee, we need to collect information from you. 

We ask you for your personal details, including name and contact details. We will also ask you about previous experience, education, referees, health and for answers to questions relevant to the role. 

Our recruitment team will have access to all this information. The recruiting manager and interview panel will also have access to this information, however, during the early stages of your application, this will exclude your name. 

You will also be asked to provide equal opportunities information. This is not mandatory ¬¬— if you do not provide it, it will not affect your application. 

We will not make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics. 

We may ask you to take part in assessment days, complete tests or occupational personality profile questionnaires, attend an interview, or a combination of these. 

Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by us in line with our records retention schedule. 

If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, we would proactively contact you should any further suitable vacancies arise. 

If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. 

We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability. 

You must therefore provide: 

  • Proof of your identity — you may be asked to attend our office with original documents, where we will take copies, or submit your documents via our secure digital platform. 
  • Proof of your qualifications — you may be asked to attend our office with original documents, where we will take copies.
  • A criminal records declaration to declare any unspent convictions. 
  • Criminal record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions. 
  • We will contact your referees, using the details you provide in your application, directly to obtain references. 
  • We will also ask you to complete a questionnaire about your health to establish your fitness to work. 
  • We will also ask you about any reasonable adjustments you may require under the Equality Act 2010. This information will be shared with relevant trust staff to ensure these are in place for when you start your employment.  

If we make a final offer, we will also ask you for the following: 

  • bank details — to process salary payments 
  • emergency contact details, so we know who to contact in case you have an emergency at work 
  • any membership of a pension scheme 

If you are coming from another NHS organisation, we will request further information from your current NHS employer via the ESR interface. This information is your mandatory training record and vaccine status. 

Our code of conduct requires all staff to declare if they have any potential conflicts of interest — this includes any secondary employment. Depending on the conflict and your seniority within the trust, this may be published on the trust website in line with NHS guidance. 

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR). 

Our lawful basis for the purpose of processing data in our stated purpose, under GDPR, is: 

Data Protection Act 2018 Schedule 1: 

(1) Employment, social security and social protection. 

(8) Equality of opportunity or treatment. 

(9) Racial and ethnic diversity at senior levels of organisations. 

  • Article 6(1)(b) processing necessary to perform a contract or to take steps at your request, before entering a contract. 

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under the Act. 

The lawful basis we rely on to process any information you provide as part of your application or subsequent pre-employment checks, which is special category data, such as religious or ethnicity information or biometric data, under GDPR, is:

  • Article 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; and Data Protection Act 2018, Schedule 1, part 1(1) which again relates to processing for employment purposes.  

We may also process some health data under UK GDPR Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment.  

If we identify fraudulent or suspicious activities as part of identity check, we may share information with the police under UK GDPR Article 9 (2) (g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject domestic law; and Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data Part 2 — Substantial public interest conditions. Preventing fraud: Paragraph 14 of Schedule 1 of the DPA 2018. 

We process information about applicant criminal convictions and offences. The lawful basis we rely on to process this data are UK GDPR Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition Data Protection Act 2018, Schedule 1, part ,1 paragraph 1(1)(a). 

By processing your health data, we will also recognise your rights established under English case law, collectively known as the Common Law Duty of Confidentiality. 

This means we only use your personal data in ways that would reasonably be expected, including where we share your information with your consent or where we can reasonably expect that you would consent in order to provide you with care, or for reasons of substantial public interest. 

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. 

We do not allow our processors to use your information for their own purposes or allow them to link this to other personal data they may have.  

The category of our processors are organisations who: 

  • provide our IT systems
  • provide the platforms which process your application 
  • dispose of confidential waste (paper records, laptops or other IT equipment)
  • provide some of our recruitment services
  • provide identity checking service

We will keep your personal data in line with the retention periods detailed in the NHS retention schedule

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

The trust is required by law to provide you with information about how it collects and uses your personal data. The trust, by way of this privacy notice is providing you with this information. 

You have the right to access the information we hold about you. To access personal information we hold, please contact the access team at: rf-tr.AccessRequests@nhs.net

You have the right to have inaccurate information about you corrected or incomplete information completed. 

To update your application details, please login to the platform you applied on or contact the recruitment team.

To request any other inaccurate information corrected, please contact rf-tr.AccessRequests@nhs.net

The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. 

This is limited to: 

  • Where we still hold your personal data, but it is no longer necessary for the purpose for which we originally collected or processed it. 
  • We have to erase it to comply with a legal obligation.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way we use your data. 

This is an alternative to requesting the erasure of your data. The right is not absolute and only applies in certain circumstances. 

This is limited to:  

  • Where you contest the accuracy of your personal data and we are verifying the accuracy. 
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim.

To exercise this right, please contact rf-tr.AccessRequests@nhs.net

You have the right to data portability in some limited circumstances. This only applies to information you have given us. 

You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. . 

You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent us from processing your personal data. 

An objection may be in relation to all of the personal data we hold about you or only to specific information.  

The right to object only applies in certain circumstances. You must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. 

In these circumstances, your right to object is not an absolute right, and we do not need to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. To exercise this right, please contact rf-tr.AccessRequests@nhs.net

The trust does not use automated decision making and profiling for recruitment purposes.

Health Information Exchange

To help health and care professionals make quicker and safer decisions about your care, wherever they are treating you, healthcare records are joining up across Barnet, Camden, Enfield, Haringey and Islington (north central London). 

This is part of the North Central London Integrated Care System's (NCL ICS) Health Information Exchange project.

Health and care professionals have shared information on paper for many years — we are now able to do this using digital technology.

When you visit one of our hospitals or your GP, your healthcare worker will have all the information to hand to treat you effectively and efficiently. 

You will not need to relay the full story of your symptoms, what happened or the medicines you were prescribed, as this will be already accessible from your notes.

Information will be available in real time — or in some cases within 24 hours — and will ensure your health and care teams have the most up to date information about your care. 

Under the General Data Protection Regulation, information will only be shared and accessed on a strictly need to know basis by health and care professionals across the five boroughs of Barnet, Camden, Enfield, Haringey and Islington and only for the purposes of direct care. Data will always be securely held.

In order to legally be able to process your personal data, we must have a lawful basis under the United Kingdom General Data Protection Regulation (GDPR).

Our lawful basis for the purpose of processing data in our stated purpose, under UK GDPR, is:

Data Protection Act 2018 Schedule 1 (2) Health or social care purposes. 

For people using health and care services, there are many advantages to having joined-up records, including:

  • Everyone involved in your direct care will have the whole picture.
  • When you visit somewhere different for care or meet a new care professional, they will have access to your health and care information and you will not need to repeat your story.
  • The results of common tests (for example, blood tests) will be available to everyone involved in your care, regardless of where the test took place, reducing the need to repeat them or obtain printed results.

For us and other health and social care professionals, advantages include:

  • We will have up-to-date information to plan and improve your care and make more informed decisions.
  • We will have to spend less time finding out relevant information from different health and social care organisations and IT systems, and will not have to spend time recording duplicate information across records. 
  • We can work as a team across north central London to identify opportunities for improvement, such as seeing if there needs to be more focus on providing physical health checks for people with learning disabilities.

More information on the benefits and what is means for you is available on the NCL ICS website
 

Other health and care organisations in North Central London’s Sustainability and Transformation Partnership, such as GP practices and other hospitals/providers across the boroughs of Barnet, Camden, Enfield, Haringey and Enfield. 

Due to the COVID-19 pandemic and in the public interest, all health and care organisations are legally required to share and process data. 

This is to ensure health and care professionals have access to vital information to make quicker, safer decisions about your care. 

The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure. 

Therefore, the national data opt-out will not apply to data sharing for the purposes of responding to COVID-19. 

Read more about this on the NCL ICS website.

You can also read the Royal Free London's privacy notice.

North London Partnership Shared Service (NLPSS) occupational health privacy notice  

The NLPSS occupational health (OH) shared services is delivered by the Royal Free London NHS Foundation Trust (RFL) to the trusts within NLPSS, including an internal OH service to RFL employees. As RFL (the trust) is the hosting partner of NLPSS OH services, it must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of NLPSS and RFL employees is handled in accordance with the United Kingdom General Data Protection Regulation, and Data Protection Act 2018. 

This privacy notice tells you what to expect when the trust collects personal information about you. It applies to all NLPSS staff using the shared NLPSS OH services. However, the information we will process about you will vary depending on your specific personal circumstances. 

The trust is a sole controller of own employee data and a joint controller for the OH shared services, unless it is processing legacy data (staff member no longer employed) for another trust within NLPSS, in which case, RFL is a processor. This notice should be read in conjunction with our patient privacy notice for staff and our other corporate policies and procedures. When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document. 

As a public authority we must appoint a Data Protection Officer (DPO). The DPO’s tasks are defined in law and include:  

  • to inform and advise the trust and its employees about obligations to comply with the UK GDPR and other data protection laws;  

  • to monitor the trust’s compliance with the UK GDPR and other data protection laws, and data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;  

  • to advise on, and to monitor, data protection impact assessments;  

  • to cooperate with the Information Commissioner’s Office (ICO); and  

  • to be the first point of contact for the ICO and for individuals whose data is processed (employees, patients etc).  

Our Data Protection Officer is Kevin Winter – Associate Director of Information Governance. You can contact the Data Protection Officer on rf-tr.rfldpo@nhs.net  

We use the following information to carry out the following functions; 

  1. Occupational Health NLPSS undertake in employment health consultations to address health impairments affecting or affected by work and advise on fitness for work. 

  2. Preemployment Health Checks:  

    1. review of applicant health declarations, 

    2. blood tests (screening) for blood borne viruses in healthcare workers carrying out exposure prone procedures, 

    3. pre-employment health monitoring (e.g. night workers), 

    4. pre-employment baseline health surveillance (e.g. lung function tests, hearing tests, blood tests for blood borne viruses), 

    5. pre-employment assessment of declared health impairments requiring reasonable adjustment. 

  3. Physiotherapy advice services – where a referral is made by either an employee self-referral or Occupational Health Advisory Services, self-management physiotherapy advice provided to employee. 

  4. In employment health monitoring e.g. night worker questionnaires, stress and / or musculo-skeletal symptom questionnaires. 

  5. In employment health surveillance e.g. skin checks, symptom questionnaires, self-reporting consultations. 

  6. Data set extract for all customer organisation’s staff to populate the OH system referral module: person match. 

  7. Legacy (staff member no longer employed) Occupational Health NLPSS undertook in employment health consultations to address health impairments affecting or affected by work and advise on fitness for work. 

  8. Legacy (staff member no longer employed) Preemployment Health Checks:  

    1. review of applicant health declarations, 

    2. blood tests (screening) for blood borne viruses in healthcare workers carrying out exposure prone procedures, 

    3. pre-employment health monitoring (e.g. night workers),

    4. pre-employment baseline health surveillance (e.g. lung function tests, hearing tests, blood tests for blood borne viruses),

    5. pre-employment assessment of declared health impairments requiring reasonable adjustment. 

  9. Legacy (staff member no longer employed) physiotherapy treatment services. 

  10. Legacy (staff member no longer employed) In employment health monitoring e.g. night worker questionnaires, stress and / or musculo-skeletal symptom questionnaires. 

  11. Legacy (staff member no longer employed) In employment health surveillance e.g. skin checks, symptom questionnaires, self-reporting consultations.

 

We collect information we hold about you from: 

  • your paper health or electronic questionnaires, 

  • your line manager through referral questionnaires, 

  • providing clinical services to you (e.g. vaccination history, blood test results, and GP reports). 

 

We process the following categories of personal data: 

  • name, 

  • contact details, 

  • date of birth, 

  • directorate/ICSU and department/department affiliation, 

  • employment start and leaving dates, 

  • job title, 

  • information supplied by you through questionnaire, email, telephone or face to face consultation. 

  • health /medical history, 

  • lifestyle information and social circumstances, 

  • your interests and extra-curricular activities, 

  • racial information which may be relevant to clinical assessments (e.g. lung function). 

  • information supplied by your line manager which may include information such as attendance history, medical information. 

  • medical information supplied by your GP/ Specialist with your consent. 

  • covid-19 vaccination history. 

 

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the GDPR; 

  • for sole processing of RFL own employee data, see RFL privacy notice for staff, 

  • for supporting OH Shared Services. 

 

Royal Free London Lawful basis for hosted services  

  1. Occupational Health NLPSS including in employment health consultations to address health impairments affecting or affected by work and advise on fitness for work RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. RFL are not providing OH advisory services as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 

  2. Preemployment Health Checks:  

    1. review of applicant health declarations. 

    2. blood tests (screening) for blood borne viruses in healthcare workers carrying out exposure prone procedures. 

    3. pre-employment health monitoring (e.g. night workers). 

    4. pre-employment baseline health surveillance (e.g. lung function tests, hearing tests, blood tests for blood borne viruses). 

    5. pre-employment assessment of declared health impairments requiring reasonable adjustment RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

    6. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 

    7. RFL are not providing pre-employment screening services as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 

  3. Physiotherapy advice services: RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

    1. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

    2. RFL are not providing OH advisory services as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 

  4. In employment health monitoring e.g. night worker questionnaires, stress and / or musculo-skeletal symptom questionnaires: 
    1. RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 
    2. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 
    3. RFL are not providing employment health monitoring as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 
  5. In employment health surveillance e.g. skin checks, symptom questionnaires, self-reporting consultations: 

    1. RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

    2. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 

    3. RFL are not providing employment health surveillance as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 

  6. Data set extract for all customer organisation’s staff to populate the OH system referral module RFL as joint controller UK GDPR Article 6 (1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

    1. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 

    2. RFL are not providing OH services as part of their public function and therefore are able to utilise legitimate interest’s lawful basis in this instance. 

  7. Legacy (staff member no longer employed)Occupational Health NLPSS including in employment health consultations to address health impairments affecting or affected by work and advise on fitness for work. RFL is a processor. 
  8. Legacy (staff member no longer employed) Pre-employment Health Checks:
    1. review of applicant health declarations,
    2. blood tests (screening) for blood borne viruses in healthcare workers carrying out exposure prone procedures, 
    3. pre-employment health monitoring (e.g. night workers),
    4. pre-employment baseline health surveillance (e.g. lung function tests, hearing tests, blood tests for blood borne viruses), 
    5. pre-employment assessment of declared health impairments requiring reasonable adjustment 
    6. RFL is a processor. 
  9. Legacy (staff member no longer employed) physiotherapy treatment services: RFL is a processor. 

  10. Legacy (staff member no longer employed) In employment health monitoring e.g. night worker questionnaires, stress and / or musculo-skeletal symptom questionnaires: RFL is a processor. 

  11. Legacy (staff member no longer employed) In employment health surveillance e.g. skin checks, symptom questionnaires, self-reporting consultations: RFL is a processor. 

In line with the principles of medical confidentiality no medical information (diagnosis, results of tests etc.) is shared without your informed consent (permission). This is a professional requirement separate to any requirements of data protection legislation. 

Where specific health assessment processes are undertaken, information on the outcome of such assessments is shared internally to nominated individuals who have a business need to know. 

All pathology is undertaken by an accredited external laboratory who are GDPR compliant. 

Referrals to NHS Specialist’s, Employee Assistance Program or Independent Practitioners are not made without consultation with service users and only with their agreement. 

We have no electronic interface with NHS record keeping systems. 

Occupational health records are archived using a third-party document management system. 

We may in exceptional circumstances process your personal data because it is necessary to protect your or another person's vital interests, for example, where you have a life-threatening accident or illness in the workplace, and we have to share your personal data in order to ensure you receive appropriate medical attention. 

Processors are organisations who act on our behalf and under our authority. They carry out some of the technical processes, for example, providing a system that stores information. We do not allow our Processors to use your information for their own purposes or allow them to link this to other personal data they may. We don’t routinely transfer staff personal data overseas but when this is necessary, we ensure that we have appropriate safeguards in place. 

The category of our processors are organisations who: 

  • provide our IT systems; 

  • provide the platforms which process your OH record 

 

Record retention for employing organisations is as follows:

Record type 

 

Exposure monitoring information 

Category 

 

Staff Records and Occupational Health 

Retention period 

40 years or 5 years from the date of the last entry made in it 

Disposal action 

Review and if no longer needed destroy 

Notes 

 

A. Where the record is representative of the personal exposures of identifiable employees, for at least 40 years or B. In any other case, for at least 5 years. 

Occupational health reports 

Staff Records and Occupational Health 

Keep until 75th birthday or 6 years after the staff member leaves whichever is sooner 

Review and if no longer needed destroy 

 

Occupational health report of staff member under health surveillance 

Staff Records and Occupational Health 

Keep until 75th birthday 

Review and if no longer needed destroy 

 

Occupational health report of staff member under health surveillance where they have been subject to radiation doses 

Staff Records and Occupational Health 

50 years from the date of the last entry or until 75th birthday, whichever is longer 

Review and if no longer needed destroy 

 

Staff record 

Staff Records and Occupational Health 

Keep until 75th birthday (see notes) 

Review, and consider transfer to PoD 

This includes, but is not limited to, evidence of right to work, security checks and recruitment documentation for the successful candidate including job adverts and application forms. Some PoDs accession NHS staff records for social history purposes. Check with your local PoD about possible accession. If the PoD does not accession them, then the records can be securely destroyed once the retention period has been reached. 

 

For RFL employees the retention period is as above. 

Customers set own retention for their data.  

Data protection laws give you a number of rights over your personal data. These rights are detailed below. 

 

The right to be informed 

It is the responsibility of each controller to ensure data subjects for who’s data they are a controller, are informed regarding transfer of data to and processing by a third party OH provider. Your employer is controller, please see your employer’s privacy notice for full details. It is also the responsibility of each controller to ensure notification to staff include, where relevant, the sharing of personal data with any outsourced HR/recruitment function. 

 

The right of access 

Data subjects are able to exercise this right for data of which RFL is the controller by following the Trust’s established processes detailed on the Trust’s privacy notice on the public facing website at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. Your employer is controller, please see your employer’s privacy notice for full details. RFL are able to provide information within the system to support a controller’s response. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf.  

 

The right to rectification 

Data subjects are able to exercise this right for data of which RFL is the controller by following the Trust’s established processes detailed on the Trust’s privacy notice on the public facing website at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. Your employer is controller, please see your employer’s privacy notice for full details. RFL are able to provide information within the system to support a controller’s response. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf. 

Arrangements on this right for joint controller relationships, including where one controller may not have access to the data shall be detailed in joint controller agreements. 

 

The right to erasure 

Data subjects are able to exercise this right by following the Trust’s established processes detailed on the Trust’s privacy notice on the public facing website at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. RFL are able to provide information within the system to support a controller’s response. Your employer is controller, please see your employer’s privacy notice for full details. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf. 

Arrangements on this right for joint controller relationships, including where one controller may not have access to the data shall be detailed in joint controller agreements. 

 

The right to restrict processing 

Data subjects are able to exercise this right for data of which RFL is the controller by following the Trust’s established processes detailed at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. Your employer is controller, please see your employer’s privacy notice for full details. RFL are able to provide information within the system to support a controller’s response. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf. 

Arrangements on this right for joint controller relationships, including where one controller may not have access to the data shall be detailed in joint controller agreements. 

 

The right to data portability 

Data subjects are able to exercise this right for data of which RFL is the controller by following the Trust’s established processes detailed at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. Your employer is controller, please see your employer’s privacy notice for full details. RFL are able to provide information within the system to support a controller’s response. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf. 

Arrangements on this right for joint controller relationships, including where one controller may not have access to the data shall be detailed in joint controller agreements. 

The right to object 

Data subjects are able to exercise this right for data of which RFL is the controller by following the Trust’s established processes detailed at Information management and technology (IT) - Staff privacy notices (royalfree.nhs.uk) and Privacy notice | For patients, carers and visitors | The Royal Free 

It is the responsibility of other controllers to honour this right to their data subjects. Your employer is controller, please see your employer’s privacy notice for full details. RFL are able to provide information within the system to support a controller’s response. Controllers can access this service by contacting rf.occupationalhealth@nhs.net who will access the records on the controller's behalf. 

Arrangements on this right for joint controller relationships, including where one controller may not have access to the data shall be detailed in joint controller agreements. 

Rights in relation to automated decision making and profiling.

The trust does not use automated decision making and profiling for OH Services.