We have published specific information elsewhere that is related to how we process, and how you can access, your personal information.
- Confidentiality and medical information
- How we use information about you
- How to access your information
The Royal Marsden NHS Foundation Trust is a world-leading cancer centre specialising in cancer diagnosis, treatment, research and education.
The academic partnership with The Institute of Cancer Research (ICR) makes The Royal Marsden the largest comprehensive cancer centre in Europe with a combined staff of 4,300. Through this partnership, the Trust undertakes groundbreaking research into new cancer drug therapies and treatments.
The Royal Marsden has two hospitals: one in Chelsea, London, and another in Sutton, Surrey, and an ‘RM@’ Medical Day Unit at Kingston Hospital. Since 2011, the Trust has also been responsible for the effective delivery of The Royal Marsden Community Services, local to its Sutton site, improving patient pathways and delivering high quality services for patients at home.
To fulfil obligations to deliver cancer diagnosis, treatment, research, education and our community services we collect and process personal information. In doing this The Royal Marsden NHS Foundation Trust adheres to the requirements of all applicable legislation including the General Data Protection Regulation (“GDPR”) and applies to any personal information we hold that relates to you.
We aim to be clear about when and how we collect your information and will not to do anything with it you wouldn’t reasonably expect or which we have not made you aware of so please read this policy carefully to understand how we collect, use and store your information.
The Royal Marsden NHS Foundation Trust is a data controller in respect of your personal information. If you have any questions about this policy or the ways in which we may process your personal information, please contact us:
Data Protection Officer
The Royal Marsden NHS Foundation Trust
Switchboard number: 0207 352 8171
What personal information do we collect?
Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you are offered or receive. This may include:
- Name, address, date of birth, phone number, and email address where you have provided it to enable us to communicate with you by email
- Your next of kin and contact details
- Notes and reports about your physical or mental health and any treatment, care or support you need and receive
- Results of your tests and diagnosis, including medical imaging.
- Relevant information from other professionals, relatives or those who care for you or know you well
- Any contacts you have with us such as home visits or outpatient appointments
- Information on medicines, side effects and allergies
- Patient experience feedback and treatment outcome information you provide.
Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers. To assist this, the use of other electronic patient record systems to share your information will be implemented. At the relevant point you will be given the opportunity to say no and to opt-out. Should you choose to opt-in, please note that at any point afterwards you can change your mind and opt-out by informing your GP and / or relevant health professional involved in your care.
We also collect and store personal information relating to our volunteers. The majority of our volunteers will be the “Friends of The Royal Marsden” and volunteers of The Royal Marsden Cancer Charity. Volunteers may be involved in many of the Trust’s services, including the activities associated with individual departments and are engaged by and report to the Chairs or Heads of these departments / services, whether they are in the hospital or community settings.
In joining as a volunteer, the Trust is required to carry out pre engagement checks which includes retaining a copy of the volunteer’s passport or another form of ID such as driving licence to confirm their identity. References are also obtained and a DBS check carried out for those volunteers who have more than incidental contact with patients or if their role involves visiting patients on any wards or departments. Sensitive data will also be collected and securely stored with regard to Occupational Health matters.
Those who are successful in their volunteer application will receive a Volunteer Agreement from the Trust and are made aware of their responsibilities regarding confidentiality. All information obtained on application about the volunteer is stored securely with authorised access only. Information is kept up-to-date via the ‘Volunteer Engagement Checklist’. Training records of volunteers is stored locally with the relevant department lead.
Please note that our lawful bases for processing the personal information relating to volunteers is on the grounds of legitimate interest.
When you visit our website, you may provide us with personal information such as your name, address, email address or telephone number.
Here are some examples of when you can provide us with personal information on this website:
- Your name
- Your contact details
- Your date of birth
- Your gender
- Your credit/debit card details
- Your job title
- Your employment history
- Information on your usage of our website
Here are some examples of when you can provide us with personal information on this website:
- When contacting us with an enquiry either via webform or email link
- When signing up to a newsletter
- When purchasing an event ticket
- When giving feedback
- When filling out a form
- When you apply for a job with us whereby our Human Resources Department will update you on progress of your application. Please note that the Trust retains evidence of a staff member’s right to work, security documentation and successful candidates application form for six years after the staff members leaves the Trust or the 75th birthday, whichever is sooner. However there is no legislation which prescribes how long information relating to unsuccessful candidates should be retained for. The Trust approach is therefore to retain this information for 400 days after the interview date for unsuccessful candidates.
Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
GDPR adds a special data category of genetic data and biometric data that is processed to uniquely identify an individual.
As a healthcare organisation, the Trust will therefore collect sensitive data as defined above. For example:
- When submitting a referral request
- When submitting your story to be considered as case study.
However we do not solely collect healthcare information. Other information will include religious information for example, to make us aware of dietary requirements or limits to treatment, or philosophical beliefs for example, patients who are vegan and therefore have requirements regarding particular medicines.
Furthermore, as our Workforce Strategy ‘Aspiring to Excellence’ and Annual Equality Report sets out, we are committed to ensuring equality, diversity and human rights are central to the way we deliver healthcare services to our patients and how we support our staff. Every day we are working to ensure that our staff provide inclusive services to all patients, which meet their needs and are delivered with kindness, dignity and respect, irrespective of any equality characteristic such as gender, race, religion or disability status. We also want to ensure that all our staff are treated similarly with kindness, dignity and respect. Staff and patient surveys are a key mechanism in helping us achieve this as we carefully consider their experiences and feedback to help shape our policies and culture. An equality monitoring form is also sent with all complaint acknowledgements to advise the Trust on this important area. As such, we gather, analyse, report and monitor our workforce and patients equality data by protected characteristic. The full set of equality information is detailed in the ‘Equality Information Report’.
Why do we collect and how do we use your information?
We will process your personal information fairly and lawfully by only using it if we have a lawful reason to do so. Making you aware of your rights and how your information is used is important to us and therefore we have summarised this below.
However please note that we do not rely on consent as a legal basis for processing information that concerns your direct care. This is because we are obliged by law to make use of your personal information and record the care and treatment we provide to you. This is also necessary to allow us to provide you with safe and effective care. It would not be correct to say that you have a choice as to whether or not we will use your personal information if we are going to provide you with care and treatment. For this reason, instead of consent, we rely on specific provisions under the law, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’
This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care.
While most of the information we process will be for direct healthcare purposes, please note that there are other important reasons that we may need to process your personal information. For example:
- For private care patients we will need to process your data for the administration and obtaining payment for services provided (further details below)
- To conduct clinical research (although any published data is anonymised)
- Information shared with The Royal Marsden Cancer Charity and / or other relevant charities that may be supporting you with your cancer.
- In all of the above cases we would make you aware of the processing and seek your consent on that basis.
- We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and / or within our legitimate interests.
We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.
We will keep your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code).The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.
Details of retention periods for different aspects of your personal information are (available in our retention policy which you can request from us by contacting us).
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Private Care patients
Whilst the above policies will apply to all Private Care (Insured, Sponsored, or Self-pay patients) patients, there are some additional data sharing requirements that we have for Private Care patients. We share personal and clinical information, for example name, address, date of birth, insurer policy number, with third parties such as private insurance companies for the assessment and approval of funding requests for private treatment at The Royal Marsden. However before any information is shared with these third parties, Private Care patients are required to complete an ‘Undertaking to Pay Form’ which details the terms and conditions of payment for Private Care which explains that personal information is processed in accordance with Data Protection legislation for the relevant purposes set out on the form. For self-funding patients we share personal and clinical information to internal and external (GP’s, consultants and referring hospitals) clinical staff in order to determine the potential treatment costing.
Where necessary, The Royal Marsden will share non-clinical personal information for example your name, address, NHS number and/or insurance details and brief history of collection efforts, with credit reference agencies and / or third party debt recovery agencies to pursue recovery of unpaid debt. Such action is only taken only after internal processes have been exhausted i.e. when we have tried on three attempts to recover aged debt via written letters.
Information sharing and disclosure
Your personal information will be shared with the team who are caring for you and are providing your treatment.
NHS and other agencies, including social services and private healthcare organisations work together so we may need to share information about you, with other professionals and services involved in your care. We will only share your information in this way if we have your consent and it is considered necessary.
You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care who can seek advice from our Information Governance Department. If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care we will explain this to you so that you can make a fully informed choice.
However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent and rely on other lawful grounds to process the data for example, our legitimate interests for the purposes of improving our services and website in order to run our organisation effectively and efficiently. We may also process data where it is necessary for the performance of a contract, for example for private patients we need to process billing information.
Other examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is concern that you are putting another person at risk of serious harm
- If there is concern that you are putting a child at risk of harm
- If we have been instructed to do so by a Court
- Immigration authorities / relevant third parties requiring information to obtain payment for services provided to overseas visitors
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
- If regulators use their legal powers to require us to provide them with patient information as part of any investigations they are undertaking.
NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.
NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.
You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please click on this link.
The Royal Marsden Cancer Charity
We work closely with The Royal Marsden Cancer Charity both in managing the volunteers that help in the hospital and enabling its supporters to get updates from clinical staff about the work they help to fund. In both cases it is necessary for us to disclose information to some staff working for The Royal Marsden Cancer Charity.
Under certain circumstances, you have rights under information protection laws in relation to your personal information. These rights include:
- Requesting access to your personal information.
- Requesting correction of your personal information.
- Requesting erasure of your personal information.
- Objecting to processing of your personal information.
- Requesting restriction of processing your personal information.
- Requesting transfer of your personal information.
- Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us.