A ‘privacy notice’ lets you know what happens to any personal data that you may give us or that we may collect from you or about you (as a patient, family member, carer or visitor). This notice is issued by Great Ormond Street Hospital for Children NHS Foundation Trust as a healthcare provider, and covers the information we hold about our patients, their families and other individuals who may use our services. A separate privacy notice is available for information we collect about staff as part of our responsibilities as an employer.
Great Ormond Street Hospital (GOSH) is an international centre of excellence in child healthcare.
Together with our research partner, the University College London Great Ormond Street Institute of Child Health, we form the UK’s only academic Biomedical Research Centre specialising in paediatrics.
Since its formation in 1852, the hospital has been dedicated to children’s healthcare and to finding new and better ways to treat childhood illnesses. GOSH’s mission and commitment is to put children at the heart of everything we do, ‘The child first and always’, and this is reflected in Our Always Values:
- Always be Welcoming
- Always be Helpful
- Always be Expert
- Always be One Team.
We are governed and monitored by a number of different organisations, including:
- The Information Commissioner’s Office
- Care Quality Commission
- Department of Health
- NHS Improvement.
Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by professional bodies and numerous royal colleges.
We are committed to being open about the information we collect about you, how we use this information, with whom we share it, and how we store and secure it. We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with relevant law, regulations and guidance (please see Annex 1).
Your child and family’s information could be collected in a number of different ways. Information may be provided by your GP or another healthcare professional your child has seen when they refer your child for treatment at GOSH. Information may also have been provided directly from you – in person, over the telephone or on a form you have completed. Information may also be provided by third parties, for example, social services, education services or children’s charities.
The information that we collect about your child may include details such as:
- *Full name, title, address, telephone number (mobile and home), email address
- Date of birth, gender, age
- Who has parental responsibility
- Any contact we have had with your child through appointments, attendance or inpatient stays
- *Details and records of treatment and care/ notes
- *Health reports including any allergies or health conditions
- Information from research/ clinical trials
- *Results of x-rays, scans, blood tests, etc.
- *Genetic Information
- *Other relevant information from people who care for your child and know them well, such as health professionals, social workers, relatives and carers
- *Whether or not you or your child is subject to any protection orders regarding their health, wellbeing and human rights (safeguarding status).
- A record of contact with us by telephone or email for the purposes of the provision of healthcare including complaints, claims or PALS enquires.
We may also collect other information about your child, such as your child’s race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
We collect personal and confidential information about you and your child to support the delivery of appropriate healthcare and treatment. In order to provide high quality care, we must keep records about your child, their health and the care that we provide, or plan to provide them. This may include certain information about you or family members (please see * above). It is important for us to have a complete picture as this information enables us to provide the right care to meet a child’s individual needs and this can include social care information.
If you ever have any questions as to why certain information is collected, our staff will be happy to discuss this with you.
We use your child’s information to ensure that:
- The right decisions are made about their care
- Their treatment is safe and effective; and
- We can work well with other organisations that may be involved in their care
- Remind the parent/ carer about appointments and send you relevant correspondence.
This is important because having accurate and up-to-date information will assist us in providing the best possible care. It also ensures that all information is readily available if your child sees another health professional or specialist within GOSH or another part of the NHS.
There is also the potential for you and your child’s information to be used to help improve health care and other services across GOSH and the wider NHS. Therefore, personal information may also be used to help with:
- Ensuring that our services can be planned to meet the future needs of patients
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
- Evaluating and improving patient safety
- Training other healthcare professionals
- Conducting clinical research and audits, and understanding more about health risks and causes to develop new treatments
- Preparing statistics on NHS performance and monitoring how we spend public money
- Supporting the health of the general public
- Evaluating Government and NHS policies and comply with legal and regulatory obligations and follow guidance and best practice issued by these bodies
- Supporting the funding of your child’s care
- Report and investigate complaints, claims and untoward incidents.
As part of our requirements under the law, GOSH must demonstrate a clear legal reason for collecting, using, sharing and retaining personal data about you or your child. For personal data used in the provision of health and social care our basis is outlined as ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ under 6(1)(e) of GDPR. This is because GOSH is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this.
Our legal basis for using sensitive personal data (called ‘special categories of personal data’ under GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health of social care systems and services’ under 9(2)(h) of GDPR. This is because GOSH must use health and social care information about you or your child in the delivery of their care.
Furthermore, these points cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.
There may be times when GOSH uses other different legal bases for other services it provides (eg research). A more detailed outline of the range of legal bases for processing information and the circumstances in which they arise, are set out in Annex 3.
Under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Information at GOSH may be stored within electronic or paper records, or a combination of both, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and other government guidance. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the common law duty of confidentiality. This means that any information about your child (or you/ your family) will only be used in connection with the purpose for which it was provided, unless we have specific consent from you (or a person with a legal right to provide it) or there are other special circumstances covered by law.
Due to our role in the treatment of rare diseases, GOSH works closely with other healthcare providers and will often seek advice from experts in specialist fields. Anyone involved in your child’s care at GOSH will be bound under NHS contracts and under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your personal information will be used, and allow you to decide if your child’s information can be shared.
Every NHS organisation has a senior person who is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian, and the detail of this role within GOSH can be found in Annex 2.
In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post.
- to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS in each case where you have expressed a preference in the patient registration form to be contacted by SMS.
- if we have your mobile number or your email address we may use this method of communication to contact you regarding patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing.
Please note that although providing your mobile number and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, your consent is not the basis upon which GOSH will process your personal data in order to correspond with you about your child’s treatment. As set out further above, processing your personal data for those purposes is justified on the basis that it is necessary to provide your child with healthcare services.
To help provide the best possible care, sometimes we will need to share your child’s information with others (which may include information about you or a family member – please see above). However, any sharing of information will always be governed by specific rules and laws ensuring the security, access and transfer of any data is protected. We may share information with a range of health and social care organisations and regulatory bodies. As a parent/ carer of child, you may be contacted by any one of these organisations for a specific reason, and they will have a duty of telling you why they have contacted you.
We work with a number of other NHS organisations, independent treatment centres and clinics to provide children with the best possible care. To support this, information about you and your child may be securely shared.
For their benefit, we may also need to share some of your child’s information with authorised non-NHS authorities and organisations involved in their care. This might include organisations such as local authorities, social services, education services, the police, voluntary and private sector health and social care providers, and private healthcare companies. Private patient information may also be shared with insurers, debt collection agencies or third parties involved in the payment or delivery of care and this may include transfers to home countries outside the UK.
Where the sharing involves a non-NHS organisation outside the clear scope of care delivery, a specific information sharing protocol is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Outside of providing healthcare, unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify individuals without consent.
We outsource a limited number of administration and IT support services to external organisations. The majority of companies are based within the European Economic Area (“EEA”) and all services are provided under specific contractual terms, which are compliant with UK data protection legislation. We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the EEA. Where we make a transfer of your personal information outside of the EEA we will take the required steps to ensure that your personal information is protected to the standard required by UK and EU law. All flows of information outside of the EEA are annually reviewed.
Only organisations with a legitimate requirement will have access to personal information and only under strict controls and rules.
We will not sell personal information for any purpose, and will not provide third parties with you or your child’s information for the purpose of marketing or sales.
Sometimes we are required by law to disclose or report certain information which may include details which identify you or your child. However, this is only done after formal authority by the Courts or by a qualified health professional. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.
We are required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by NHS Digital. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the government Chief Medical Officer.
There may also be occasions when GOSH is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
GOSH is committed to carrying out pioneering research to find treatments and cures for some of the most complex illnesses, for the benefit of children here in the UK and worldwide. Your permission may be required for some of this work. If you agree to be involved, a full explanation will be given to you and your child and appropriate consent will be obtained before proceeding. Consent may not be required if the information being used has been de-identified/anonymised. This means that it cannot be used to identify an individual person.
If you would like further information about how your child’s data could be used for research purposes please see the NHS Health Research Authority’s website:
Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat your child and others. It is also possible that individuals, such as student nurses, allied health professionals and medical students are receiving training in the service that is caring for your child. If staff would like a student to be present, they will always ask for your permission and you have the right to refuse without this affecting the care or treatment that your child is receiving.
We also undertake audits within GOSH as part of our duty to review the care we provide to ensure it is of the highest standard and quality. Wherever possible we will do this in an anonymised format but you and your child’s information will only be accessible to appropriate NHS staff.
You may have signed up to join as a member of the GOSH Foundation Trust. Further information about the data we collect, hold and process and the legal basis for doing this can be found in a separate privacy notice available on the GOSH website.
Where we are relying on your consent to process information about you or your child, you have the right to refuse (or withdraw) from information sharing at any time. This is also referred to as ‘opting out’. If you choose to prevent your child or family information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided is limited and, in certain circumstances, it may not be possible to offer certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.
You also have the right to ‘opt out’ of having your information used in any mandatory audits which GOSH is subjected to. If this is the case, you should write to our Information Governance team (using the information provided below) with your name, address, date of birth and hospital number or NHS number.
Under data protection law you have certain rights in relation to the personal information that we hold about you and your child. These include rights to know what information we hold about you or your child and how it is used. You may exercise these rights at any time by contacting us using the details set out below.
Your rights include:
The right to access personal information about you or your child
You are usually entitled to a copy of the personal information we hold about you and your child and details about how we use it.
The right to rectification
We take reasonable steps to ensure that the information we hold about you and/or your child is accurate and complete. At any attendance we will confirm your contact details we hold. However, if you do not believe we have correct information, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
In some circumstances, you have the right to request that we delete the personal information we hold about you or your child. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to restriction of processing
In some circumstances, we must "pause" our use of your child’s personal data if you ask us to. We do not have to comply with all requests to restrict our use of personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to data portability
In some circumstances, we must transfer to you or (if this is technically feasible) another individual/ organisation of your choice personal information that you have provided to us. The information must be transferred in an electronic format and this will be done via a secure transfer.
The right to object to marketing
GOSH does not use any personal data for marketing.
The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)
Your child and you have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on either party.
If you or your child have been subject to an automated decision and do not agree with the outcome, you can challenge the decision.
The right to withdraw consent
In some cases we need your consent in order for our use of your child’s personal information to comply with data protection legislation.
Although consent is not our legal basis for processing data for healthcare purposes, we would always encourage you to contact us using the details below if you have any concerns with regards to how personal data is used.
The right to complain to the Information Commissioner's Office
You can complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. These details are below.
Making a complaint will not affect any other legal rights or remedies that you have.
We will only keep your or your child’s personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. A summary of the legal retention periods of NHS records can be found in the Records Management Code of Practice for Health and Social Care on the following link: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.
Under the terms of the Data Protection Act 1998 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you.
To support you through the process you can contact our Health Records Team through our website where you can also submit a request: https://www.gosh.nhs.uk/about-us/contact-us/contact-our-medical-records-department
Or you can contact our Health Records Team directly:
If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team including your name and hospital number:
You can also find details of our registration with the Information Commissioner online here:
Our ICO registration number is Z6776821.
You have the right to make a complaint if you feel unhappy about how we hold, use or share you or your child’s information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process:
Phone: 020 7829 7862
Alternatively drop into their office in the main reception area.
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
Post: Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.
- Data Protection Act 1998
- Data Protection Act 2018
- General Data Protection Regulations 2018 (GDPR)
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- Copyright Design and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice
- Accessible Information Standards
Caldicott Guardians are appointed to develop and maintain responsible, appropriate and secure practices for sharing and handling of personal health information, in accordance with the six principles developed in the Caldicott Report.
Caldicott Guardian Responsibilities:
- Actively support work to facilitate and enable information sharing, and advise on options for lawful and ethical processing of information as required
- Represent Information Governance requirements and issues at Board level
- Support development of processes, including performance frameworks, that satisfy the highest practical standards for handling person-identifiable information and acts as the “the conscience” of the organisation.
Within GOSH this position can be contacted using the Mailbox address: Caldicott.Guardian@gosh.nhs.uk
Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner in the organisation supports implementation of international / government standard for information management and security.
- Ultimately accountable for assurance of information security at the Organisation
- Champions information security at Board level
- Owns corporate policy on information security
- Provides an annual statement of the security of information assets for the Annual Governance Statement (as part of the audit process).
Within GOSH this role sits with Phil Walmsley, Chief Operating Officer.
Data Protection Officer
Data protection is a designated person within an organisation that is responsible for collection and protection of the personal data. The officer makes sure that the organisation follows the law and appropriate regulations.
Within GOSH this role sits with Dr Anna Ferrant, Company Secretary.
|Purpose of using personal data||Examples||Conditions for lawful processing of personal data (Article 6 of GDPR)||Conditions for lawful processing special categories (including health) of personal data (Article 9 of GDPR)|
|Direct care and Administrative Purposes||
||6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’||9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’|
|Commissioning and planning purposes||
6(1)(c) ‘…for compliance with a legal obligation…’
or6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
|9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’|
(GOSH will still require consent or an appropriate legal basis (e.g. section 251 support) that meets confidentiality and ethical requirements to use personal identifiable data for research ; Consent may not be required if the information being used has been de-identified/anonymised)
||6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’||9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject …’|
|Regulatory and public health functions||
||6(1)(c) ‘…necessary for compliance with a legal obligation…’||9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’|
|Safeguarding (following the provisions of the Children Acts 1989 and 2004, and the Care Act 2014)||
||6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’||9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’|