Looking after your confidential personal information (including GDPR) Privacy Notice
When we process your personal data, North Staffordshire Combined Healthcare NHS Trust is the Data Controller.
Registration Number: Z8606519
Date Registered: 08 November 2004
Registration Expires: 7 November 2021
Data Controller: North Staffordshire Combined Healthcare NHS Trust
As a Data Controller the Trust has a duty to:
- Keep sufficient information to provide services and fulfil our legal responsibilities
- Keep your records secure and accurate
- Only keep your information as long as is required
- Collect, store and use the information you provide in a manner that is compatible with the Data Protection Act and other applicable legislation.
Things you can do to help us:
- Make sure we have identified you correctly by letting us know when you change your details. This could include your address or name, telephone number, preferred correspondence address, GP or carer details and
- Tell us if any of your information we hold is wrong
What is personal data?
Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, bank details and information held about a person. This can include, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.
Information classed as sensitive personal data includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data and biometric and genetic data.
Lawful basis of processing
The basis for the Trust processing your information is described in Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation. The legal basis for using your data is dependent upon what we need to do with it.
In general, for the purposes of providing you with healthcare, the Trust relies on Article 6(1)(e) – processing is necessary for the purposes of a task carried out in the public interest or in the authority vested in the data controller.
Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment (we refer to this as direct patient care).
The Trust may, however, choose an alternate legal basis dependent on specific requirements, including:
- Consent – We would obtain freely given, specific and informed consent to process your personal data for some purposes
- Contract – The processing is necessary for a contract we have with an individual
- Legal Obligation – The processing is necessary for us to comply with the law
- Vital Interest – The processing is necessary to protect someone’s life
- Public Interest – The processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law
- If there is a safeguarding concern then data may be shared.
Why we collect and store personal data
For some of our services, we need to collect personal data so we can get in touch, or provide a service. The Trust is allowed to use your personal data only in line with the law. The legal framework includes:
- The Data Protection Act 2018
- General Data Protection Regulation
- The NHS Act 2006
- The Health and Social Care Act 2012
- The Human Rights Act 1998
- Access to Health Records Act 1990
There are many more laws surrounding data protection. In many cases there is a statutory requirement to process your data without your consent, but we must always act within the law and never pass on your details without your consent or with another legally justifiable reason.
Where we do not directly provide the service, we may need to pass your personal data onto the organisation that does. These providers are under contract and have to keep your details safe and secure, and use them only to provide the service.
Using your personal data
We will use the information you provide for the following purposes:
- Provision of Trust services
- Healthcare and regulatory functions which we are obliged to undertake
- All financial transactions to and from us, including payments
- To ensure we meet our statutory obligations, including those related to diversity and equal opportunity
- Improve the quality of Trust services through clinical audits.
Joined-up Service within the Trust
We share basic information between services within the Trust so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you. For example, if you tell a clinical team you have moved house, they will pass this information on to other parts of the Trust.
Even though our systems are joined-up, we ensure that staff within the Trust can only access the information they need to do their job.
Organisations we share data with
There are a number of information sharing agreements in place which are designed to assist with the legitimate sharing of your information between the Trust and other organisations appropriately and always in line with the law.
Under certain laws, we are required to pass your data to law enforcement organisations such as, but not limited to, the police, the Immigration Service or Her Majesty’s Revenue & Customs.
We also have to make data submissions and statistical collections to several Government departments by law.
National Opt Out
North Staffordshire Combined Healthcare NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as Crisis Care or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.
Transferring Data Abroad
Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud service that has host servers located in the United States. If your data is transferred, this is done under contract, and a Data Processing Agreement states the protection required for your personal data under EU Data Protection law.
North Staffordshire Combined Healthcare NHS Trust has a duty to improve the health of the population we serve.
To help us do this, we use data and information from a range of sources including the Office for National Statistics, NHS Digital, Clinical Commissioning Groups and other hospitals to understand more about the nature and causes of ill health in Staffordshire.
We may also share personal data without consent to prevent the spread of infectious diseases, in the vital interests of any individuals or when it is in the overriding public interest.
Preventing and Detecting Fraud
The Trust is under a duty to protect the public funds it administers, and to this end may use the information you have provided for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes.
We are working more closely in partnership with health (doctors, hospitals etc.) as health and social care services become more joined up. The Government says that we must share your NHS number with each other. When we work closely with our health partners on things such as the Better Care Together Programme, Social Workers and health professionals may share data with part of your care team for your direct care. We will try, wherever possible, to do so with your consent. Sometimes we may need to share without telling you, for legal reasons, or when it is in your vital interest.
We may introduce new technologies that capture and store personal data e.g. biometric scanners, body worn video cameras etc. An appropriate assessment such as a Data Protection Impact Assessment will be carried out when such technologies, or new systems that capture personal data are introduced.
Website and Social Media
We will use the Internet to communicate with the public and promote public participation. Through our social media accounts and website, we will post photos, videos and sound recordings of our work and events, which may sometimes include personal data. Although we often try to seek consent, this may not always be possible when capturing large crowds or public street scenes. If you are ever unhappy about being included in any of these publications, please contact us.
Registration and Authentication
We may require you to register and be authenticated with us in order for you to access certain services on our internet. Where this is required a privacy statement will set out our commitment to you when you access our services via the internet.
E-Newsletters and Text Alerts
As part of our role to promote awareness of local health and public health services and issues, we have a legitimate interest in using e-newsletters and other electronic communications. Everyone who receives these communications is always offered the option to unsubscribe or opt out of receiving them. We may also send you service announcements in this way.
We will only hold your personal information for as long as necessary for business purposes or if we are required to keep it by law. Upon request for information from you we will inform you whether your personal data is processed by the Trust. A copy of this information can be requested and subject to relevant law, will be provided.
You can find the address below if you want to ask for a copy.
You can also use this address to ask the Trust to:
- Correct your data if you think it is wrong;
- Stop processing your data if you think it is no longer necessary to do so;
- Stop processing your data until it is corrected;
- Ask that no automated processing takes place with your data;
- Ask for any automated portable electronic data file we hold on you; or
- Consider any complaint you have about how we have used your data
Requests for Information or Complaints
If you wish to ask the Trust about a data protection issue, request a copy of your data, or you have concerns about the processing of your personal data by the Trust, you can contact the:
Information Governance Team or the Data Protection Officer
Health Records Department
Tel: 0300 123 1535
If you have any queries or concerns about how we use your information, please speak to the staff involved in your care. More detailed questions about how we use your information which cannot be discussed or resolved by a member of staff can be discussed with the Patient Experience Team on 0800 389 9676.
For more information about Data Protection, or if you are unsatisfied with the way the Trust has handled your personal information after you have complained, you can contact the national regulator, the Information Commissioner’s Office, at:
The Office of the Information Commissioner
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 1 July 2020.