Your privacy is really important to us and we are committed to protecting your personal information.
This policy sets out how, in our day to day activities, The Royal Marsden NHS Foundation Trust processes and stores personal information relating to our patients and users of our websites. The Royal Marsden Cancer Charity has its own privacy policy which is applicable to charity supporters and users of its website.
We have published specific information elsewhere that is related to how we process, and how you can access, your personal information.
The Royal Marsden NHS Foundation Trust is a world-leading cancer centre specialising in cancer diagnosis, treatment, research and education.
The academic partnership with The Institute of Cancer Research (ICR) makes The Royal Marsden the largest comprehensive cancer centre in Europe with a combined staff of 4,300. Through this partnership, the Trust undertakes groundbreaking research into new cancer drug therapies and treatments.
The Royal Marsden has two hospitals: one in Chelsea, London, and another in Sutton, Surrey, and an ‘RM@’ Medical Day Unit at Kingston Hospital. Since 2011, the Trust has also been responsible for the effective delivery of The Royal Marsden Community Services, local to its Sutton site, improving patient pathways and delivering high quality services for patients at home.
To fulfil obligations to deliver cancer diagnosis, treatment, research, education and our community services we collect and process personal information. In doing this The Royal Marsden NHS Foundation Trust adheres to the requirements of all applicable legislation including the General Data Protection Regulation (“GDPR”) and applies to any personal information we hold that relates to you.
We aim to be clear about when and how we collect your information and will not to do anything with it you wouldn’t reasonably expect or which we have not made you aware of so please read this policy carefully to understand how we collect, use and store your information.
The Royal Marsden NHS Foundation Trust is a data controller in respect of your personal information. If you have any questions about this policy or the ways in which we may process your personal information, please contact us:
Data Protection Officer
The Royal Marsden NHS Foundation Trust
Fulham Road
London
SW3 6JJ
Switchboard number: 0207 352 8171
Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you are offered or receive. This may include:
Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers. To assist this, the use of other electronic patient record systems to share your information will be implemented. At the relevant point you will be given the opportunity to say no and to opt-out. Should you choose to opt-in, please note that at any point afterwards you can change your mind and opt-out by informing your GP and / or relevant health professional involved in your care.
We also collect and store personal information relating to our volunteers. The majority of our volunteers will be the “Friends of The Royal Marsden” and volunteers of The Royal Marsden Cancer Charity. Volunteers may be involved in many of the Trust’s services, including the activities associated with individual departments and are engaged by and report to the Chairs or Heads of these departments / services, whether they are in the hospital or community settings.
In joining as a volunteer, the Trust is required to carry out pre engagement checks which includes retaining a copy of the volunteer’s passport or another form of ID such as driving licence to confirm their identity. References are also obtained and a DBS check carried out for those volunteers who have more than incidental contact with patients or if their role involves visiting patients on any wards or departments. Sensitive data will also be collected and securely stored with regard to Occupational Health matters.
Those who are successful in their volunteer application will receive a Volunteer Agreement from the Trust and are made aware of their responsibilities regarding confidentiality. All information obtained on application about the volunteer is stored securely with authorised access only. Information is kept up-to-date via the ‘Volunteer Engagement Checklist’. Training records of volunteers is stored locally with the relevant department lead.
Please note that our lawful bases for processing the personal information relating to volunteers is on the grounds of legitimate interest.
When you visit our website, you may provide us with personal information such as your name, address, email address or telephone number.
Here are some examples of when you can provide us with personal information on this website:
Here are some examples of when you can provide us with personal information on this website:
Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
GDPR adds a special data category of genetic data and biometric data that is processed to uniquely identify an individual.
As a healthcare organisation, the Trust will therefore collect sensitive data as defined above. For example:
However we do not solely collect healthcare information. Other information will include religious information for example, to make us aware of dietary requirements or limits to treatment, or philosophical beliefs for example, patients who are vegan and therefore have requirements regarding particular medicines.
Furthermore, as our Workforce Strategy ‘Aspiring to Excellence’ and Annual Equality Report sets out, we are committed to ensuring equality, diversity and human rights are central to the way we deliver healthcare services to our patients and how we support our staff. Every day we are working to ensure that our staff provide inclusive services to all patients, which meet their needs and are delivered with kindness, dignity and respect, irrespective of any equality characteristic such as gender, race, religion or disability status. We also want to ensure that all our staff are treated similarly with kindness, dignity and respect. Staff and patient surveys are a key mechanism in helping us achieve this as we carefully consider their experiences and feedback to help shape our policies and culture. An equality monitoring form is also sent with all complaint acknowledgements to advise the Trust on this important area. As such, we gather, analyse, report and monitor our workforce and patients equality data by protected characteristic. The full set of equality information is detailed in the ‘Equality Information Report’.
We will process your personal information fairly and lawfully by only using it if we have a lawful reason to do so. Making you aware of your rights and how your information is used is important to us and therefore we have summarised this below.
However please note that we do not rely on consent as a legal basis for processing information that concerns your direct care. This is because we are obliged by law to make use of your personal information and record the care and treatment we provide to you. This is also necessary to allow us to provide you with safe and effective care. It would not be correct to say that you have a choice as to whether or not we will use your personal information if we are going to provide you with care and treatment. For this reason, instead of consent, we rely on specific provisions under the law, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’
This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care.
While most of the information we process will be for direct healthcare purposes, please note that there are other important reasons that we may need to process your personal information. For example:
We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.
We will keep your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code).The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.
Details of retention periods for different aspects of your personal information are (available in our retention policy which you can request from us by contacting us).
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Whilst the above policies will apply to all Private Care (Insured, Sponsored, or Self-pay patients) patients, there are some additional data sharing requirements that we have for Private Care patients. We share personal and clinical information, for example name, address, date of birth, insurer policy number, with third parties such as private insurance companies for the assessment and approval of funding requests for private treatment at The Royal Marsden. However before any information is shared with these third parties, Private Care patients are required to complete an ‘Undertaking to Pay Form’ which details the terms and conditions of payment for Private Care which explains that personal information is processed in accordance with Data Protection legislation for the relevant purposes set out on the form. For self-funding patients we share personal and clinical information to internal and external (GP’s, consultants and referring hospitals) clinical staff in order to determine the potential treatment costing.
Where necessary, The Royal Marsden will share non-clinical personal information for example your name, address, NHS number and/or insurance details and brief history of collection efforts, with credit reference agencies and / or third party debt recovery agencies to pursue recovery of unpaid debt. Such action is only taken only after internal processes have been exhausted i.e. when we have tried on three attempts to recover aged debt via written letters.
Your personal information will be shared with the team who are caring for you and are providing your treatment.
NHS and other agencies, including social services and private healthcare organisations work together so we may need to share information about you, with other professionals and services involved in your care. We will only share your information in this way if we have your consent and it is considered necessary.
You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care who can seek advice from our Information Governance Department. If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care we will explain this to you so that you can make a fully informed choice.
However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent and rely on other lawful grounds to process the data for example, our legitimate interests for the purposes of improving our services and website in order to run our organisation effectively and efficiently. We may also process data where it is necessary for the performance of a contract, for example for private patients we need to process billing information.
Other examples of this are:
NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.
NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.
You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please click on this link.
We work closely with The Royal Marsden Cancer Charity both in managing the volunteers that help in the hospital and enabling its supporters to get updates from clinical staff about the work they help to fund. In both cases it is necessary for us to disclose information to some staff working for The Royal Marsden Cancer Charity.
Under certain circumstances, you have rights under information protection laws in relation to your personal information. These rights include:
If you wish to exercise any of the rights set out above, please contact us.