When someone visits www.jpaget.nhs.uk we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
How the Trust uses your information
This privacy notice tells you what to expect when the James Paget University Hospital (JPUH) collects personal information. It applies to information we collect about:
Visitors to the Trust websites
When someone visits http://www.jpaget.nhs.uk we use a third party service to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow third parties to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
The Service is managed by Block Solutions Ltd which captures personal data at the point of registration and during use of the Service. By registering for the Service the user gives consent for the following information to be captured by Block Solutions Ltd including (but not limited to): first name, last name, email address, media access control (MAC) address, operating system and browser. This information is used to support the administration of the Service e.g. password re-setting. The Service does not capture browsing history but does record key Service usage metrics such as session duration and total amount of data downloaded. Service data is held by Block Solutions Ltd in accordance with prevailing information governance legislation. If an account is inactive for longer than 12 months the user account, including all associated data, will be deleted from the database. In the event of such an eventuality you will have to re-register as a new user.
To login to the guest Wi-Fi service, please connect to the 'NHS WiFi' network when you will be asked to verify your age and acceptance of the terms and conditions via the following statement:
I agree to the terms and conditions of the acceptable use policy and am aged 13 or over. Whoever holds parental responsibility is required to accept the T&Cs of the AUP on behalf of children aged 12 or under.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
How do I change my cookie settings?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
Our website search and decision notice search is powered by Mentor Digital and IE 11. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either James Paget University Hospital or any third party.
Security and performance
The James Paget University Hospital uses a third party service to help maintain the security and performance of the JPUH website. To deliver this service it processes the IP addresses of visitors to the JPUH website.
People who email the Trust
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
People who make a complaint to the Trust
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not, identify any complainants unless the details have already been made public.
People who use the James Paget University Hospital (JPUH) services
The JPUH offers various services to the public. We use a third party to deal with some publication requests, but they are only allowed to use the information to send out the publications.
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.
James Paget University Hospital CCTV cameras
The JPUH have CCTV to protect assets and/or protect patients and staff. An example of this would be to help protect employees when it comes to health and safety or to capture footage of any incidents that occur within the Trust. The JPUH collect personal data from everything captured on camera. To inform people who operate in and around the Trust, the Trust does disclose that CCTV is in use and that they could be captured on footage obtained. The JPUH has signs with a clear and feature a number for those who want to contact the CCTV operators if they have any queries. Trust captured data, is normally retained for 31 days (a risk assessment is carried out if the data is retained longer than necessary) Images and videos acquired through the Trust CCTV system are requested by the police and the Trust has processes in place e.g. a written request. Police will usually view the CCTV footage on premises and this would not warrant any concerns about the data being leaked. Under the General Data Protection Regulations, the Trust meets compliance, CCTV is managed in-house.
Reporting a breach
The Trust is required by law to report any security breaches involving personal data to the Information Commissioner’s Office (ICO). So your data may be shared with a third party when a breach is reported. The ICO will retain personal information only for as long as necessary to carry out investigations, and in line with retention schedule.
Job applicants, current and former Trust employees
The Trust is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact RecruitmentAndWorkforce@jpaget.nhs.uk
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
If you use our online application system, this will be collected by a data processor on our behalf (please see below).
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide, will be used only to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by the Trust.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies
- You will be asked to complete a criminal records declaration to declare any unspent convictions
- We will provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions
- We will contact your referees, using the details you provide in your application, directly to obtain references
- We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is done through a data processor (please see below).
- If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work
- Membership of a Civil Service Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme
Post start date
Some roles require a higher level of security clearance – this will be clear on the advert. If this is the case, then you will be asked to submit information via the National Security Vetting process to HMRC. HMRC will be the data controller for this information.
HMRC will tell us whether your application is successful or not. If it is unsuccessful, the Trust will not be told the reason(s) why but we might need to review your suitability for the role or how you perform your duties.
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. If you complete a declaration, the information will be held on your personnel file.
Use of data processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Workplace Health and Wellbeing
Workplace Health and Wellbeing provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.
We will send you a link to the questionnaire which will take you to Workplace Health and Wellbeing. The information you provide will be held by Workplace Health and Wellbeing who will provide us with a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Workplace Health and Wellbeing.
For senior vacancies, we sometimes advertise through various recruitment agencies. They will collect the application information and might ask you to complete a work preference questionnaire which is used to assess your suitability for the role you have applied for, the results of which are assessed by recruiters. Information collected by the agency will be retained for 12 months following the end of our agreement.
How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus six years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for six months from closure.
Information generated throughout the assessment process, for example interview notes, is retained by us for six months following closure.
Equal opportunities information is retained for six months following closure, whether you are successful or not.
How we make decisions about recruitment?
Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing RecruitmentAndWorkforce@jpaget.nhs.uk
External Reporting Services for Radiology
All imaging studies and examinations carried out within the Radiology department are issued with a formal Radiology report from Consultant Radiologists. Due to the number of examinations carried out within the Trust, there is a requirement to use third party external reporting services with a team of Radiologists; who provide Radiology reports for these examinations. This is to expedite formal reports to be provided within a specified timeframe. The third party organisations are responsible for security of your data. To find out more about the agencies we use; follow the links below:
4ways – www.4waysdiagnostics.co.uk
Medica - www.medicagroup.co.uk
Alliance - www.alliance-healthcare.co.uk/privacy-and-security
Under the General Data Protection Regulations (GDPR) in force 25th May 2018, you have rights as an individual which you can exercise in relation to the information we hold about you.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Complaints or queries
The Trust tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Trust’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed.
Any requests for this should be sent to the address below.
If you want to make a complaint about the way your information has been processed , in the first instance contact Information.Governance@jpaget.nhs.uk and if you are still not satisfied contact www.ico.org.uk/concerns.
Access to personal information
The Trust tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the General Data Protection Regulations (GDPR) in force 25th May 2018. If we do hold information about you the Trust will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form
To make a request to the Trust for any personal information we may hold you need to put the request in writing addressing it to our Information Governance department, or writing to the address provided below.
Forms for making Subject Access Requests can be obtained via this website (Access to Helath Records page) or by contacting us:
Subject Access Team, Health Records Department
James Paget University Hospitals NHS Foundation Trust
Lowestoft Road, Gorleston, Great Yarmouth, Norfolk. NR31 6LA
Email address: firstname.lastname@example.org
Telephone Number: 01493 452153
Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. Further information is available in our Information Charter about the factors we shall consider when deciding whether information should be disclosed.
You can also get further information on:
- agreements we have with other organisations for sharing information
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics
- our instructions to staff on how to collect, use and delete personal data; and
- how the Trust checks that the information held is accurate and up to date
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
The privacy notice is under regular review. This privacy notice was last updated on 1st April 2018.
How to contact us
Information Governance Department
James Paget University Hospitals NHS Foundation Trust
Lowestoft Road, Gorleston, Great Yarmouth, Norfolk. NR31 6LA
Email address: Information.Governance@jpaget.nhs.uk
Telephone Number: 01493 452153
Please see below for further details of our Privacy Notices and how we process the personal information that is collected.
Covid-19 and your information - Updated on 8th April 2020
Supplementary privacy note on Covid-19 for patients
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email
During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.