How we collect and use your information and health records
At Moorfields Eye Hospital NHS Foundation Trust (‘Moorfields’, ‘us’ or ‘we’), we are committed to protecting your privacy. Please read this Privacy Notice to find out how we use your information and what your rights are. This notice applies to personal data provided to us, both by individuals themselves or by third parties. We process your personal information lawfully, fairly and transparently, and only where we have a lawful basis to do so.
What we do
Moorfields Eye Hospital NHS Foundation Trust is the leading provider of eye health services in the UK and a world-class centre of excellence for ophthalmic research and education. We have a reputation, developed over two centuries, for providing the highest quality of ophthalmic care. Our 2,300 staff are committed to sustaining and building on our pioneering legacy and ensuring we remain at the cutting edge of developments in ophthalmology.
How we use your information
It would not be appropriate to rely on consent as a legal basis for processing your information in order to provide you with direct care. This is because it is necessary for us to use your personal information in order to provide you with safe and effective care, as a public healthcare provider. We are also obliged by law to record details of the care and treatment we provide to you. We cannot do this without your personal information, therefore it would not be appropriate to rely on your consent. For this reason, instead of consent, we rely on specific provisions under the law, such as ‘in the exercise of official authority vested in the controller’, under a ‘legal obligation,’ or as ‘a task carried out in the public interest.’
This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care. It also means that you do not have the right to be forgotten as we are legally obliged to keep your information, and do so under the Records Management Code of Practice for Health and Social Care 2016.
Covid-19 and your information
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Please view the Covid-19 notice about how we may use you information to protect you and others.
Using your record for your care
Your personal health record, which includes your name, address and date of birth, will be used to:
- Make sure that decisions about your care and treatment are always based on accurate, up-to-date information
- Sharing information with other NHS organisations or social care providers where there is a lawful requirement to do so, for example your GP, other NHS hospitals and local Authorities
- Investigate any concerns or complaints raised by you or your familyMeasure the outcomes of your treatment and ensure the service/care provided to you is excellent.however we will use minimal amount of personal information for this purpose
- Public bodies such as NHS Digital, Commissioners, Public Health England but only where there is a legal requirement to share personal information
Using it for other purposes:
Most of your information we process will be for direct healthcare purposes; however, there are other important reasons that we may need to process your personal information. For example:
- As a public healthcare provider to conduct health and social care research under the UK Policy Framework for Health and Social Care Research (please note that any published data is anonymised).
- As a world-class centre of excellence in ophthalmic education, we may use your information including images, but any information used is anonymised otherwise we would seek your consent.
- Unless we are under a legal obligation, where information is to be used beyond direct care purposes we would make you aware of the processing and seek your consent to use your information.
- We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose or where there is another lawful basis for processing.
We will only use enough of your personal information that is relevant and necessary for us to carry out various tasks within the delivery of your care or for other lawful reasons.
We will keep your information accurate and up to date when using it and, if it is found to be wrong, we will make it right, where appropriate, as soon as we can. However, where it is part of your health record, we are obliged to keep records of any changes, and so the incorrect information may not be erased, but instead would be crossed out with the correct information entered with a note..
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. You can find details of how long we keep information for in the Records Management Code of Practice for Health and Social Care 2016.
Protecting your privacy
Your health records are confidential. Your privacy is protected under the:
- Common law duty of confidentiality
- General Data Protection Regulations 2016
- Data Protection Act 2018
- Human Rights Act 1998
Everyone who works for the NHS has a legal duty to maintain the highest level of confidentiality.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How you can help us to keep your health record up to date
- Let us know when you change address or name
- Keep a note of your unique NHS number
- Tell us if any information in your record is incorrect
- Tell us if you change your mind about how we share the information in your record
- Don’t let anyone – insurers, mortgage lenders, employers, solicitors – look at your records unless you are sure it is necessary for your purposes
Accessing your health record
To see a copy of your health record, or for further information about our records system, please contact our health records manager as follows:
- In writing: Health records department, Moorfields Eye Hospital NHS Foundation Trust, City Road, London EC1V 2PD
- By telephone: 020 7566 2200
- By email: firstname.lastname@example.org
If at any point you believe the information we process on you is factually incorrect you can request to see this information and even have it corrected or deleted. However, rather than delete information in your health record, we are usually obliged to cross it out and add the correct information with a note on to the record.
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate and respond to your concerns.
How long we keep your information for
We are required under UK legislation to keep your information for the full retention periods as specified by the NHS Records Management Code of Practice for Health and Social Care.
More information on records retention can be found online at https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Under certain circumstances, you have rights under data protection legislation in relation to your personal information. These rights include:
- Requesting access to your personal information. – You are able to apply for a copy of personal information held about you free of charge. This process is called a subject access request
- Requesting correction of your personal information – This would apply if factual information held such as name, address or health information was incorrect. In this instance we usually be obliged to cross it out and add the correct information with a note on to the record. We would consider any requests regarding any professional opinions that may be in your records; however, we are not legally obliged to change them, but may enter a note on your comments.,
- Requesting erasure of your personal information – The right may apply if the information was no longer needed for your healthcare or it had been kept for longer than set out in the NHS Records Management Code of Practice, unless there is an overriding legal obligation for us to keep it.
- Objecting to processing of your personal information – You can object to us processing your information if there was no overriding legal reason for us to do so.
- Requesting restriction of processing your personal information – You can request to restrict processing of some of the information held about you in certain circumstances, such as instances where you believe it would cause you distress. Where this is the case we will discuss with you how the restriction this may have an impact your ongoing care .
- Requesting transfer of your personal information – This right would generally not apply for health related information as this information would be shared as part of ongoing direct care with another provider
- Right to withdraw consent – You can opt-out of activities where the basis of us using your information is consent such as marketing or research,
If you wish to exercise your rights in relation to the above please contact the Trust’s Data Protection Officer, contact details are provided below.
How the NHS and care services use your information
Moorfields Eye Hospital NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our Trust Foundation is currently compliant with the national data opt-out policy.
Moorfields’ contact details
The trust has Data Protection Officer, who is a dedicated individual responsible for data protection who can be contacted as follows:
Data Protection Officer
Information Governance Department
Moorfields Eye Hospital NHS Foundation Trust
162 City Road
Tel: 020 7253 3411
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO) as follows:-
- In writing: Information Commissioner’s Office, Wycliffe House, Cheshire SK9 5AF
- By telephone: 08456 30 60 60
- Online: www.ico.org.uk