We use cookies to ensure that we give you the best experience on our digital platform. Click here for more information.
This feature is currently in development and will be available soon.
This product is in beta Give feedback
Your privacy is important to us, for this reason we have designed a privacy statement which will outline how we protect your privacy. We ask you to read this statement so that you can make an informed decision about using My Health and Wellbeing.
This statement governs the agreement between you, the patient, service user or carer and My Health and Wellbeing in relation to your personal data and privacy.
My Health and Wellbeing is available to patients, service users and carers at the following NHS Trusts – from now on referred to as ‘the Trusts’:
Herefordshire & Worcestershire Health & Care NHS Trust
Worcestershire Acute Hospitals NHS Trust
Wye Valley NHS Trust
We aim to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you. Health Records are held on paper and electronic format and we have a legal duty to keep these confidential, accurate and secure at all times in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practices for our record keeping and regularly check and report on how we are doing. Your personal information is never collected for direct marketing purposes and is never sold on to any third parties.
Sometimes your care may be provided by members of a care team, which may include people from other organisations such as health, social care, education or other care organisations who directly involved in your care.
Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2021. For more information visit: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/.
Information collected about you to deliver your health care is also used to assist with:
Making sure your care is of a high standard.
Using anonymised statistical information to look after the health and wellbeing of the general public and planning services to meet the needs of the population.
Assessing your condition against a set of risk criteria to ensure you are receiving the best possible care.
Preparing statistics on our performance for the Department of Health and other regulatory bodies.
Helping train staff and support research
Supporting the funding of your care
Reporting and investigation of complaints, claims and untoward incidents
Reporting events to the appropriate authorities when we are required to do so by law.
Before we use your personal information for medical research, we will ensure that we contact you to get involved in the research and ask to give your consent via the portal. You will also have the right to withdraw your consent at any time.
If we need to use your personal data for planning, non-medical research, and statistical purposes, we will ensure that your personal data anonymised so that you can no longer be identified. Where personal data is anonymised for purposes beyond individual care consent need not to be sought from a data subject because the principles of data protection legislation do not apply to personal data that that has been rendered anonymous (see UK GDPR recital 26).
In order for the processing of personal, and special categories of personal data concerning health to comply with UK GDPR Article 5 and Section 86 of the 2018 Act, (principles of data protection) it must be fair, lawful and transparent, and must meet at least one of the Article 6 conditions as well as Article 9 (in the case of special categories of personal data). The processing of your personal data is therefore permitted under the following UK GDPR:
| Grounds relied on under UK GDPR Article 6 | Why the grounds are met |
|---|---|
Article 6 (1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes. |
Patient/service users will be required to register for the patient portal online or, at clinic/consultation appointment, and provide proof of identity. Patient will be required to consent to having a portal account at this stage. |
Article 6(1) (e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. |
Each NHS Trust is statutorily constituted to provide. Section 8 of the DPA 2018 confirms that processing data for the purpose of performing a task in the public interest will include processing which is necessary for statutory functions. It is therefore necessary for each of the Trust personal data to fulfil their functions as statutory healthcare bodies. |
| Grounds relied on under UK GDPR Article 9 | Why the grounds are met |
|---|
| Grounds relied on under UK GDPR Article 6 | Why the grounds are met |
|---|---|
Article 9(2) (a) - the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where domestic law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject. |
The provision, directly to the relevant patient/service user, of healthcare by any registered health professional who is been granted proxy access by the patient to access the patient’s health record via the Portal, and who is a member of Staff of the Trust and owes a duty of confidentiality by virtue of the employment contract. |
Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards. |
It is necessary for the Trusts to process personal data concerning health for the purposes of Individual Care, to provide a safe and effective system of healthcare to each individual patient. |
Each Trust, as a Data Controller, will not share your data with anyone without your explicit consent, unless the law permits us to do so.
We share data only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the UK GDPR. Our data processors are outlined below:
Microsoft Azure is a cloud computing service created by Microsoft for managing applications and services. We use Azure to host the platform and store its contents. Microsoft only stored data within the UK
To view their privacy policy please visit: https://www.microsoft.com/en-gb/trust-center/privacy
My Health and Wellbeing shares limited personal data with NHS Login to validate your identity and give you access to the platform. To view their privacy policy please visit: https://access.login.nhs.uk/privacy
Intersystems are our partner for our regional Herefordshire & Worcestershire Shared Care Record. Your hospital records are shared with My Health and Wellbeing via the Intersystems platform. To view their How is your information shared?
Each Trust, as a Data Controller, will not share your data with anyone without your explicit consent, unless the law permits us to do so.
We share data only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the UK GDPR. Our data processors are outlined below:
Data Processor - Microsoft Azure
Microsoft Azure is a cloud computing service created by Microsoft for managing applications and services. We use Azure to host the platform and store its contents. Microsoft only stored data within the UK
To view their privacy policy please visit: https://www.microsoft.com/en-gb/trust-center/privacy
Data Processor - NHS Login
My Health and Wellbeing shares limited personal data with NHS Login to validate your identity and give you access to the platform. To view their privacy policy please visit: https://access.login.nhs.uk/privacy
Data Processor - Intersystems
Intersystems are our partner for our regional Herefordshire & Worcestershire Shared Care Record. Your hospital records are shared with My Health and Wellbeing via the Intersystems platform. To view their privacy notice please visit: https://www.intersystems.com/uk/privacy-policy/
Data Processor – Mindwave Ventures
Mindwave Ventures Limited are our design and development partner for My Health and Wellbeing. They maintain the platform and undertake bug fixing where needed and are also working with us on further feature development for the platform. Their staff do not access any data within the platform. To view their privacy policy please visit: https://mindwaveventures.com/privacy-policy/
Data Processor - Modality
Modality are a partner who provide video conferencing for virtual appointments in the platform. To view their privacy notice please visit: https://www.modalitypartnership.nhs.uk/ (scroll down to the footer and click on ‘Patient
Privacy Policy’)
Your Rights:
Data Protection Laws gives individuals rights in respect of the personal information that we hold about you. These are:
To be informed why, where and how we use your information.
To ask for access to your information
To ask for information to be corrected if inaccurate or incomplete.
To ask for your information to be deleted or removed where there is no need for us to continue processing it.
To ask us to restrict the use of your information where the accuracy of the data is contested, the processing is unlawful or, where their data is no longer needed for the purposes of the processing.
To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
To object to how your information is used.
To challenge any decisions made without human intervention (automated decision making).privacy notice please visit: https://www.intersystems.com/uk/privacy-policy/
Mindwave Ventures Limited are our design and development partner for My Health and Wellbeing. They maintain the platform and undertake bug fixing where needed and are also working with us on further feature development for the platform. Their staff do not access any data within the platform. To view their privacy policy please visit: https://mindwaveventures.com/privacy-policy/
Modality are a partner who provide video conferencing for virtual appointments in the platform. To view their privacy notice please visit: https://www.modalitypartnership.nhs.uk/ (scroll down to the footer and click on ‘Patient
Privacy Policy’)
Data Protection Laws gives individuals rights in respect of the personal information that we hold about you. These are:
To be informed why, where and how we use your information.
To ask for access to your information
To ask for information to be corrected if inaccurate or incomplete.
To ask for your information to be deleted or removed where there is no need for us to continue processing it.
To ask us to restrict the use of your information where the accuracy of the data is contested, the processing is unlawful or, where their data is no longer needed for the purposes of the processing.
To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
To object to how your information is used.
To challenge any decisions made without human intervention (automated decision making).
Should you wish to exercise any of your rights from where you have been receiving treatment, , please contact the relevant staff member/team at any of the following addresses: :
The Records Manager
Herefordshire and Worcestershire Health and Care NHS Trust
2 Kings Court
Charlies Hastings Way
Worcester
WR5 1JR
Worcestershire Acute Hospitals NHS Trust
Access to Health Records
Legal Services Department
Alexandra Hospital
Woodrow Drive
Redditch B98 7UB
Wye Valley NHS Trust
Subject Access and Data Protection Act Administrator
Wye Valley NHS Trust
Monkmoor Court
31-34 Commercial Road
Hereford HR1 2BG
Tel: 01432 262064/262065
Email: wvt.subjectaccess@nhs.net
You have the right to complain if you are unhappy with the way your information is handled or disagree with your healthcare provider’s decision about your information. In these circumstances you can contact the healthcare provider and ask them to look again at the decision.
If you are not happy with any decision your healthcare provider makes, you can contact the Information Commissioner’s Office at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)
Fax: 01625 524 510
Email: casework@ico.org.uk