Guy’s and St Thomas’ Trust (GSTT)
Guy’s and St Thomas’ Trust (GSTT) aims to ensure the highest standard of health care for our patients. To do this we keep records about you, your health and the care we have provided or plan to provide to you.
GSTT is committed to ensuring that your privacy is protected. If we ask you to provide information by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement.
What information we collect
GSTT will ask you to sign a consent form when you require secondary (hospital) healthcare. By signing this, you consent to GSTT holding personal information that you have provided and medical information that your healthcare professionals have recorded about your treatment.
How we use your information
Your records are used to:
- * Provide a basis for all health decisions made by care professionals with and for you; e.g. your record includes a medical history, your medication and any allergies, and helps staff review the care they provide to ensure it is of the highest standards;
- * Make sure your care is safe and effective; e.g. we may use your anonymized information in clinical audits or for staff training purposes;
- * Work effectively with others providing you with care; i.e. we may need to share information with other individuals or providers involved in your healthcare;
Sharing information with your consent
Having given consent to use your information, providing optimal care may necessitate sharing this information with your other healthcare providers, such as those below:
- * NHS hospitals
- * Host Nation hospitals
- * MOD Contracted Primary and Community Care providers
- * Host Nation GP Practices
- * Dentists, opticians and pharmacies
- * Host Nation Community Providers (private hospitals, care homes, hospices)
- * Voluntary Sector Providers who are directly involved in your care
- * HQ British Forces Germany Health Service
- * Translation service
We may receive requests from non-healthcare parties asking for medical reports (i.e. solicitors, life assurance companies or social services). In most cases, the request will be accompanied by your signed consent for us to disclose information. If we do not receive a consent form, we will not disclose information about you. We will not normally release details about other people that are contained in your records (i.e. family members) unless we also have their consent.
From time to time you may wish to involve other parties in decisions about your care, such as a parent or partner. We will ask for your specific consent in writing to do so; without such consent no information will be disclosed.
Sharing your information without your consent
We will normally ask you for your consent, but there are times when we may lawfully share your information without your consent, for example:
- In order to fulfill our contract to provide you with optimum healthcare; e.g. accounting practices associated with your healthcare, or having your healthcare records translated
- For legitimate purposes, e.g. helping staff to review the care they provide and undertaking audits
- Carrying out duties in the public interest; e.g. investigating complaints or concerns relating to healthcare providers
- Acting in your vital interests; e.g. protecting vulnerable children and adults
- When we are legally obliged to report certain information; e.g. to prevent fraud or serious crime.
How we keep your information confidential and secure
We will only use the minimum amount of information necessary about you and all information will be held confidentially on a secure and accredited electronic medical records system. We use strict controls to ensure that only a limited number of authorised staff are able to see information that identifies you - and only the information that is necessary for them to fulfil their role effectively.
All our staff and contractors receive appropriate and on-going training to ensure they are aware of their personal responsibilities and they have contractual obligations to uphold confidentiality; enforceable through disciplinary procedures.
Anyone who receives information from us is also under a legal duty to keep it confidential and secure
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998, GDPR May 18, Article 8 of the Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
All persons in GSTT healthcare sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
We will only keep information for as long as is necessary and in accordance with the retention periods set out in the Records Management Code of Practice for Health and Social Care 2016.
When the retention period has expired and the information is no longer necessary for the stated purpose, the information will be destroyed. Personal confidential data held on paper are securely destroyed by Kobusch Aktenvernichtung (www.aktenschredder.de).
Please be aware that your information will be accessed, when necessary, by non-clinical practice staff in order to share information as outlined above.
Your information will not be sent outside of the EU unless we are sure that your privacy will be protected in the same way as it would be in the EU. We will never sell any information about you.
Right of Access to your Health Information
The GDPR Act 2018 allows you to find out what information about you is held on computer and in manual records. This is known as “right of subject access” and applies to personal information held about you. If you want to see the information about you which is held:
- * you will need to make a written request to GSTT Data Protection Officer’s representative in Germany (see Privacy Information Contact details below)
- * we are required to respond to you within 30 days
- * you will need to give adequate information (for example full name, address, date of birth, NHS number etc.)
- * you will be required to provide ID before any information is released to you.
Right to change the data we use
In certain circumstances, you may have the right to request that GSTT erase, update or cease the processing of any or all of your information. If you wish to make a request of this nature, please contact the Data Protection Officer’s representative in Germany (see address below for Privacy Information Contact).
Changes to this privacy notice
Our privacy notice is kept under regular review and, where necessary, updated. A separate privacy notice is available for staff.
If you wish to request further specific information or clarification in respect of this privacy statement, or have any concerns, or you do not wish us to share your information, we will be very pleased to help you. Please contact the Privacy Information Contact in the first instance. If your request cannot be satisfactorily concluded in this way, the Data Protection Officer can be contacted on the address below.
The Data Controller for GSTT (Germany) is Guy’s & St Thomas’ NHS Foundation Trust, London.
Privacy Information Contact in British Forces Germany
Director of Medicine & Clinical Governance
Guy’s & St Thomas’ Trust
HQ SSAFA GSTT Care LLP
Data Protection Officer
Ms Yinka Williams
Director of Information Governance and Management
Technology and Information Directorate
First Floor, South Wing (near Chapel)
St Thomas' Hospital
Westminster Bridge Road
London SE1 7EH
Right to lodge a complaint with a supervisory body
You have the right to make a complaint if you feel that the processing of your personal data infringes the General Data Protection Regulation.
GSTT (Germany) is part of Guy’s & St Thomas’ NHS Foundation Trust in London, where the local supervisory authority is the Information Commissioner’s Office (ICO). For further information on your rights and how to complain to the ICO, please refer to the ICO website.
You can also lodge a complaint with another supervisory authority based in the country or territory where you are living, where you work or where the alleged infringement took place.