Privacy Policy
The New Foscote Hospital Limited is committed to ensuring that your personal information is kept securely and used confidentially and lawfully only by authorised individuals and bodies and is processed only for the purposes for which you have given consent and for which we have a legal basis.
Our privacy policy has been written in compliance with the new European law, the General Data Protection Regulation 2016/679 (GDPR), from May 2018, which requires that: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”
All of our staff at The New Foscote Hospital Limited and all external contacts (medical and business contacts) have a legal duty to keep your information confidential.
Data Protection Officer
The New Foscote Hospital’s Data Protection Officer (DPO) is the Governance Lead, Alex Zarneh.
If you have any questions or requests regarding the usage of your personal data at The New Foscote Hospital Limited please contact him on 01295 252281 or email the Data Protection Officer.
Where do you collect my information from and what data do you store about me?
Your personal contact information, such as your name, postal address, email and phone number may be collected from:
- an initial enquiry made by you via our website, by email, by phone or in writing
- a job application
- others involved in your healthcare, such as your GP, your consultant and their secretaries.
More sensitive information regarding, for example, your current physical or mental health, previous hospital visits (NHS and private), prescribed medications and financial status may be collected from:
- your current healthcare providers, such as your GP, consultant and their secretaries
- hospitals you have previously been admitted to
- debt collection agencies.
How is my information used?
We will use your information to:
- communicate with you regarding your healthcare appointment bookings, treatments, follow-up appointments, results and to request feedback on your treatments by telephone and/or email, based on your stated preference(s).
- provide the required healthcare services and treatments
- maintain business records and monitor outcomes for the purposes of our own and external regulatory body quality assurance
- provide information about you where we have a legal or regulatory obligation to do so (for example, in legal proceedings or for the prevention of fraud)
- process applications for employment.
Who has access to this information?
Healthcare provision and support
Your medical information will be shared with those involved in your health assessment, care and treatment, which may include:
- Consultants
- Anaesthetists
- Nursing staff
- Physiotherapists
- Radiographers
- Medical secretaries
Consultants, anaesthetists and their secretaries are not directly employed by The New Foscote Hospital Limited but are under contract to us and are legally bound by our strict confidentiality policies.
We may also share your medical information, where necessary to support your care, with:
- local NHS hospitals providing support services, such as blood testing and biopsies
- your GP
- other hospitals (NHS and private)
- the payor of your treatment – eg your health insurance company or employer
- the local safeguarding team, if we are concerned you may be vulnerable or ‘at risk’
- your nominated contacts and emergency contact.
Individuals and organisations not involved in your healthcare
We may, if necessary, share only such information as is relevant, with:
- our lawyers, auditors, financial and tax advisors and NHS organisations
- external document scanning and storage facilities
- electronic patient data storage systems
- radiology imaging storage and reporting systems
- external IT system providers
- debt collection agencies (if your bill is not paid on time)
Regulatory bodies
We are regulated by, and obliged to share patient data with:
- The Care Quality Commission (which inspects all hospitals in England)
- NHS England (including for Patient Reported Outcome Measures (PROMS) data)
- The government’s Department of Health
- Private Healthcare Information Network (PHIN) (please see PHIN’s own privacy notice).
This data is pseudonymised and individuals cannot be identified from these records.
Other bodies, due to legal obligation
We may be required to provide information about you because we are legally obliged to. This may be:
- because of a court order
- in relation to the prevention or detection of crime by the police
- in response to a legal request from the Home Office or HMRC.
Change of hospital ownership
If the hospital were to be sold or transferred to another organisation, your patient and health records would be transferred to the new owner, to minimise disruption to current or past patients.
Changes to our privacy policy
If changes are made to our privacy policy we will aim to notify patients through, for example, a notice on our website.
What legal basis does The New Foscote Hospital Limited have for using my personal information?
Reason for using information | Legal basis | Legal basis for ‘special category’ (ie sensitive personal information) |
Receiving an enquiry and creating an initial patient record | Pre-contractual relationship to provide you with the required information | Substantial public interest |
Providing you with health services and treatments | Contractual relationship to provide fulfilment of the appropriate healthcare | To provide health assessment and care for you; To protect your vital interests when you are physically or legally incapable of giving consent |
Liaising with other healthcare professionals regarding your care and updating others (eg your relatives) | Contractual relationship to provide fulfilment of the appropriate healthcare | To provide health assessment and care for you; Substantial public interest; To establish, exercise or defend our legal rights |
Settling your bill, if you are a self-paying or privately insured patient | Legitimate interest for internal administrative purposes | To provide health assessment and care for you; To establish, exercise or defend our legal rights |
Providing improved quality, training or security (eg post-discharge surveys) | Appropriate business need | To manage and improve the healthcare services we deliver |
Audit and research programmes run by external bodies | Legitimate interest in supporting health service research; Legal obligation to provide data to key bodies – eg the CQC | Consent will be gained or, where consent is not required, the legal basis is in the public interest (for statistical or scientific research purposes) |
Contacting you and responding to queries | Contractual relationship to provide fulfilment of the appropriate healthcare; Appropriate business need | To provide health assessment and care for you; To establish, exercise or defend our legal rights |
Investigating and responding to complaints or claims | Compliance with legal obligations | To provide health assessment and care for you; To establish, exercise or defend our legal rights; To enable others to provide informed healthcare services for you |
Managing our business | Appropriate business needs; Compliance with legal obligations | To provide health assessment and care for you; To establish, exercise or defend our legal rights |
Informing you of other services available at The New Foscote Hospital Limited | Appropriate business needs; Consent provided | More sensitive information would not be used for this purpose |
Transferring your records to a third party, should the hospital be sold or management be transferred | Contractual relationship to provide fulfilment of the appropriate healthcare; Compliance with legal obligations | To provide health assessment and care for you; To protect your vital interests when you are physically or legally incapable of giving consent; To enable others to provide informed healthcare services for you |
Where is my information stored and how do you keep it safe?
The information we store on you is held in the UK in paper format and on our secure servers. We take every possible step to ensure that your data is stored securely and is processed and used only in accordance with the General Data Protection Regulations (GDPR) 2018. Methods we use include:
- Encryption
- Pseudonymisation
- Controlling access to systems
- Training our staff to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates.
How long do you keep my information for?
We retain personal data for no longer than required and in line with The New Foscote Hospital’s detailed retention schedule. This is based on statutory requirements and legal obligations, including the Records Management Code of Practice for Health & Social Care 2016, as well as our business requirements.
Medical record retention periods
Type of record | When retained | Minimum retention time | Notes |
All health records | At the end of your treatment | 7 years (some can be up to 40 years) | |
Ultrasound and x-ray images and reports | At the end of your treatment | As part of the patient record, these are retained as above. |
Other
Type of record | When retained | Minimum retention time | Notes |
Accident forms | At time of reporting of accident | 3 years | |
CCTV (in communal areas, eg hospital car park and reception) | At time of recording | 31 days | Information Commissioner’s Code of Conduct |
Complaints/litigation | At time of reporting of incident | 10 years | |
Compucare records (patient administration software records) | At the end of your treatment | Permanent archive record | The National Archives guidance, Managing Electronic Records |
Job applications | Following successful or unsuccessful application | 1 year (unsuccessful); 3 years following termination of employment (successful) | |
Subject access requests | At the point of response to the request | 3 years |
Please note that this list is not exhaustive. If you would like further information on the retention period of a particular type of patient record, please email your request to the Hospital Manager’s Personal Assistant.
What rights do I have regarding the storage and usage of my information?
You have certain rights, under law, regarding how your personal and medical data is stored and used. You can exercise these rights, verbally or in writing, at any time by contacting our Data Protection Officer or any of our administrative staff on 01295 252281 or by email. There will not normally be a charge to process your request. If, for any reason, we are unable to carry out your request, we will notify you of the reasons why not. Your rights under the General Data Protection Regulation 2018 are listed below:
Right of access
You are entitled to:
- confirmation that we are processing your personal data
- a copy of your personal data which is held by us
- other supplementary information.
Right to rectification
You have the right to:
- have inaccurate personal data rectified, or completed if it is incomplete.
- make a request for rectification verbally or in writing.
- receive a response within one calendar month of your request.
In certain circumstances we may refuse a request for rectification, for example, if we consider it unfounded or excessive.
Right to erasure (or ‘the right to be forgotten’)
This right is not absolute and only applies in certain circumstances. It applies when:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for
- we are relying on consent as our lawful basis for holding the data, and you withdraw your consent
- we are relying on legitimate interests as our basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing
- we are processing the personal data for direct marketing purposes and you object to that processing
- we have processed the personal data unlawfully
- we have to do it to comply with a legal obligation.
Right to restrict processing
You have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances.
- when processing is restricted, we are permitted to store your personal data, but not use it.
- you can make a request for restriction verbally or in writing.
- we have one calendar month to respond to a request.
Right to data portability
This right only applies to information an individual has provided to a controller. It gives you the right to obtain and reuse your personal data for your own purposes across different services.
It allows you to:
- move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
- take advantage of applications and services that can use this data to find you a better deal or help you understand your spending habits.
Rights relating to automated decision making
We do not use automated decision making or profiling at The New Foscote Hospital Limited.
Right to withdraw consent
You may withdraw consent for us to use your data for any purpose for which you have previously given consent. This will not affect the lawfulness of processing based on consent before its withdrawal.
To withdraw your consent, please contact our Data Protection Officer by phone on 01295 252281 or email.
Right to object
You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.
You can also object if the processing is for:
- a task carried out in the public interest
- the exercise of official authority vested in us
- our legitimate interests (or those of a third party).
Right to complain to the Information Commissioner’s Office
If you are unhappy with the way in which we have responded to a request from you to exercise any of your rights, or believe that we have not adhered to the legislation, you can complain to the government’s Information Commissioner’s Office (the ICO). Further information can be found on the ICO website.
Contacting our Data Protection Officer
If you have any questions regarding our management of your personal data or if you would like to exercise any of your rights relating to your information, please contact our Data Protection Officer:
Data Protection Officer, The New Foscote Hospital Limited, 2 Foscote Rise, Banbury, Oxfordshire OX16 9XP
Tel 01295 252281 Email N.Balmain@foscote.hospital