Looking after your confidential personal information (including GDPR) Privacy Notice
NORTH STAFFORDSHIRE COMBINED HEALTHCARE NHS TRUST
Data Protection Privacy Notice
This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations. This privacy notice will apply to all sites controlled by North Staffordshire Combined Healthcare NHS Trust (NSCHT).
This privacy notice applies to personal information processed by or on behalf of the Trust.
This notice explains:
- Who we are and how we use your personal information
- What your rights are under data protection laws
- Why we need to use your personal information
- How we lawfully use your personal information
- Information on teams working within NSCHT who may need to use your personal information
- When you can opt-out of your personal information being used for planning and research purposes
- The use of third-party processors
- Where we store your electronic personal information
- Partner organisations who we may share personal information with
- When we can share personal information without consent
- How long we retain your personal information for
- How to raise an objection/complaint
- Contact information for our Data Protection Officer, Patient Experience Team and the Information Commissioner’s Office
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) became law on 25 May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information and the DPA18 implemented the regulations into comprehensive UK legislation. Following the decision for the UK to leave the European Union and following the end of the transition period, from 1 January 2021, the UK has been subject to an Adequacy Agreement which allows data to continue to be shared with European Union countries without further safeguarding being necessary.
This was to allow the European Commission suitable time to grant the UK with adequacy status, and the UK has been granted adequacy status, meaning it has met the required standards in ensuring data transfers to and from the UK are safe. The adequacy arrangements will be in place until June 2025. All references to GDPR will be referred to as UK GDPR as a result of this arrangement.
For the purpose of applicable data protection legislation, including UK GDPR and the Data Protection Act 2018, the organisation responsible for your personal data, and referred to as the Data Controller, is North Staffordshire Combined Healthcare NHS Trust.
This notice describes how we collect, use, and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
How we use your information and the law
We collect basic personal data about you, which includes name, address, telephone number, email address, date of birth, next of kin information, NHS number etc. This enables us to provide the appropriate treatment for you across any of the sites owned by the North Staffordshire Combined Healthcare NHS Trust.
We will also collect sensitive confidential information known as ‘special category personal data’ in the form of health information, religious beliefs (if required in a healthcare setting), ethnicity, sexuality, biometric data (if applicable) etc., and we may also receive this information about you from other health providers or third parties.
Your rights over your personal information
As an individual, you have the following rights in relation to your personal information:
Right to be informed
As a data controller, we are required to inform individuals when their personal information is collected and about the intended purposes behind the processing of that information. This privacy notice ensures as an organisation we satisfy this right. We will ensure we update this notice on a regular basis to ensure you continue to be appropriately informed of how your personal information will be used.
Right to access your personal information
You can request access to and/or copies of the personal data we hold about you, free of charge (subject to exemptions). We will aim to provide your information within one calendar month, as required by the Data Protection Act 2018, and will notify you if this is not possible for whatever reason.
Requests can be made verbally or in writing, but we do ask that you provide us with adequate information to process your request, such as providing full name, address, date of birth, NHS number and details of your request and, where necessary, any documents to verify your identity.
On processing a request, there may be occasions when information may be withheld if we, as an organisation, believe that releasing the information to you could cause serious harm or distress. Information may also be withheld if another person (i.e. a third party) is identified in the record, and they do not want their information disclosed to you.
However, if the other person mentioned in your records was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
How to access your personal information
To request a copy or request access to information we hold about you, please use one of the following contact methods:
Health Records Department, North Staffordshire Combined Healthcare NHS Trust, Lawton House, Bellringer Close, Trentham, Stoke-on-Trent ST4 8HH
0300 123 1535
Right to rectification
Personal data that is incorrect, out of date or incomplete will be rectified by the Trust without undue or excessive delay. If, however, such requests are linked to legally significant matters, such as confirming legal identity, we may require proof of any alleged inaccuracy before we are able to rectify the information held. Please ensure that, when attending a site operated by the North Staffordshire Combined Healthcare NHS Trust, it has the correct contact details for you at all times, and be prepared to have information checked at every appointment/telephone call.
Right to erasure
Under Article 17 of the UK GDPR, individuals have the right to have personal data erased or deleted. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example when your personal data is no longer necessary for the purpose for which it was originally collected or processed, or if you wish to withdraw consent that you have previously given.
Right to restrict processing
Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that you can limit the way that the organisation uses your data. This is an alternative to requesting the erasure of your data. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.
Right to data portability
Under UK GDPR, individuals have the right to data portability in situations where the personal data that they have provided to the Trust is processed by automated means on the basis of consent, or where the personal information is necessary for the performance of a contract. Individuals are entitled to have their personal information transmitted directly from one data controller to another if it is technically feasible to do so. This means being in a structured, commonly used and machine-readable format.
Right to object to processing
Individuals have the right to object to the processing of their personal information on grounds relating to their particular situation, and to data processed for direct marketing purposes. However, if we can demonstrate compelling legitimate grounds to process the information, then processing can continue. If we did not process any personal information about you and your health care needs, it would be very difficult for us to care for and treat you.
Rights in relation to automated decision making and profiling
Automated individual decision making is a decision made by automated means (i.e. a computer system) without any human intervention. If any of the processes we use rely on automated decision making, you do have the right to ask for a human to review any computer-generated decision at any point.
Why we need to use your personal information
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.
NHS health records may be electronic, paper-based or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.
Records about you may include the following information:
- Details about you, such as your address, your carer or legal representative and emergency contact details
- Any contact the organisation has had with you, such as appointments, clinic visits, and emergency appointments
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other health professionals, relatives or those who care for you
- Contact details (including email address, mobile telephone number and home telephone number)
To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used by North Staffordshire Combined Healthcare NHS Trust for clinical audit purposes to monitor the quality of the services we provide.
How we lawfully use your personal information
We need your personal and confidential information in order to provide you with healthcare services and, under the UK GDPR, we will be lawfully using your information in accordance with the following legal bases:
- Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Article 9 (2) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
The Trust may, however, choose an alternative legal basis dependent on the specific requirements and purpose of the data sharing, including:
- Consent – We would obtain freely given, specific, unambiguous and explicit consent to process your personal data for certain purposes.
- Contract – The processing is necessary for a contract we have or wish to enter into.
- Legal Obligation – The processing is necessary for us to comply with the law.
- Vital Interest – The processing is necessary to protect someone’s life.
- Public Interest – The processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law.
Also, if there is a safeguarding concern, then data may be shared to protect the adult or child whose safety is a concern to the healthcare professionals.
This Privacy Notice applies to the personal information of service users and any personal information given to us about carers/family members etc.
NSCHT would like to use your name, contact details, and email address to inform you of NHS services, or provide information about your health to manage your healthcare needs. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues to try and improve your health. Your contact details may be used to invite you to receive further information about such research opportunities, but you must give your explicit consent to receive messages for research purposes.
We do operate an SMS text messaging service and you will be asked whether you wish to provide your explicit consent to enable us to contact you via this method. When using electronic methods to communicate with our patients, we ensure we abide by the requirements of the Privacy and Electronic Communication Regulations 2003 and review these regulations alongside the UK GDPR to ensure we are using your data appropriately when communicating with you.
NSCHT is dedicated to ensuring that the principles and duties of safeguarding adults and children are applied consistently, ethically and morally, with the wellbeing of all patients being at the heart of what we do.
Our legal basis for processing information for safeguarding purposes, as stipulated in the UK GDPR, is:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
Categories of personal information when handling safeguarding issues
The personal information collected by North Staffordshire Combined Healthcare NHS Trust staff in the event of a safeguarding situation will be minimised to include only the personal information that is necessary in order to handle the situation in the most appropriate way. In addition to basic demographic and contact information, the Trust will also share details of what the safeguarding concern is, which is likely to include special category information, such as health information, medication details if applicable and any additional information that has raised concern.
The Trust will either receive or collect information in the event that someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns requiring us to make enquiries to relevant health and social care providers.
We may share information in the most appropriate way to ensure our duty of care as a healthcare provider is evidenced and to enable any investigations as required with other partner organisations, such as local authorities, the police or healthcare professionals, to be carried out in the most appropriate way.
National Data Opt-Out
The National Data Opt-Out is a service that was introduced in May 2018, allowing patients to opt-out of their confidential personal information being used for planning and research purposes. It was introduced as a result of recommendations made by the National Data Guardian in her Review of data security, consent and opt-outs.
How the NHS and care services use your information
North Staffordshire Combined Healthcare NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information is not needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters or call 0300 3035678. You will be asked to provide your name, contact information and NHS number when setting your preferences online or via the telephone helpline. You can also set your opt-out preferences via the NHS App if you are registered to use this application.
On the Your NHS Data Matters web page, you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research)
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
Please note: you can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 31 March 2022 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. The Trust is currently working towards compliance with the national data opt-out policy and further updates will be made via this privacy notice.
In order to deliver the best possible services to you, North Staffordshire Combined Healthcare NHS Trust will share data (where required) with other NHS bodies such as GP practices and hospitals. In addition, the Trust will use carefully selected third-party service providers. When we use a third-party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third-parties include:
- Companies that provide IT services and support, including our core clinical systems; systems which manage patient facing services; data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Delivery services
- Payment providers
- Confidential waste companies
Further details regarding specific third-party processors can be supplied on request to the Trust.
How we maintain the confidentiality of your records
As a Trust, we are committed to protecting your privacy and will only use information collected lawfully in accordance with relevant legislation, regulations and directives, including:
- Data Protection Act 2018
- The UK General Data Protection Regulations (UK GDPR)
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Standards Codes on Confidentiality, Information Security and Records Management
- Department of Health Publication “Information: To Share or Not to Share”
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (‘Information to share or not to share’) where “The duty to share information can be as important as the duty to protect patient confidentiality”. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework advocated by the Caldicott Principles.
One of NSCHT’s philosophies is to respect the privacy of our patients, their families, and our staff and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees and sub-contractors engaged by North Staffordshire Combined Healthcare NHS Trust are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for North Staffordshire Combined Healthcare NHS Trust, an appropriate contract will be established for the processing of your personal information.
In certain circumstances, you may have the right to withdraw your consent to the processing of data. Please contact us if you wish to withdraw your consent. In some circumstances, we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes. In some circumstances, you can opt-out of North Staffordshire Combined Healthcare NHS Trust sharing any of your information for research purposes.
Where we store your electronic information
All the personal information we hold is stored electronically on clinical systems implemented across NSCHT sites, including:
- Lorenzo, a system which is nationally advocated and used by a number of NHS Trusts across the country and has robust security measures and assurances in place in relation to the way it handles personal confidential information
- Halo, an inpatient system used for the Substance Misuse Service
- IAPTus, a system used for wellbeing services
- CHIPS EPR, where historical patient information is held
The Lorenzo system is backed up to a cloud storage solution hosted by Amazon Web Services (AWS). All information backed up to the cloud storage solution will remain in the UK at all times and will be fully encrypted both in transit and at rest. Using a cloud storage solution will not change the control of access to your personal information and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS) and it offers the very highest levels of security and support.
Scanning of patient records
NSCHT has implemented a system called the Electronic Document Management System to scan paper records into the electronic patient record. This moves us towards achieving the requirements of the NHS Long Term Plan, which states that the NHS needs to strive to be a paperless organisation reliant on advanced digital solutions to transform processes, given that we are in an ever-evolving age of digital innovation and transformation. Having comprehensive records all in one place enables us to provide the most appropriate care for you and to have all of your documents easily accessible. The system adopted by NSCHT has undergone rigorous checks to ensure the information is scanned safely and securely, with the key assurances provided to both NSCHT and to you as service users.
Our partner organisations
As stated in this Privacy Notice, we may have to share your information, subject to strict contracts and agreements, with any of the following organisations:
- Other NHS Trusts/Foundation Trusts
- GP practices
- Primary Care Networks (PCNs)
- Integrated Care Partnerships (ICPs)
- NHS Commissioning Support Units
- Independent contractors such as dentists, opticians, pharmacists
- Private sector providers
- Voluntary sector providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social care services
- NHS England (NHSE) and NHS Digital (NHSD)
- Multi Agency Safeguarding Hub (MASH)
- Local authorities
- Education services
- Fire and rescue services
- Police & judicial services
- Other ‘data processors’, which you will be informed of
You will be informed who your data will be shared with and, in some cases, asked for consent for this to happen when this is required.
Integrated care record – One Health and Care
Information regarding your health and care is recorded across NHS organisations and local authorities. One Health and Care pulls the key information from these different health and social care systems and displays it in one combined record. This enables registered health and social care professionals involved in your care to find all the key, most up-to-date information in one place which helps to provide better, safer care.
When you contact a partner organisation involved in your care as a patient/service user, information is collected about you and records maintained about the care and services that have been provided.
Aside from The North Staffordshire Combined Healthcare NHS Trust, the organisations across Staffordshire and Stoke-on-Trent that are participating in One Health and Care are:
- Staffordshire and Stoke-on-Trent GP practices
- University Hospitals of North Midlands NHS Trust (UHNM)
- University Hospitals of Derby and Burton NHS Foundation Trust (UHDB)
- Midlands Partnership NHS Foundation Trust (MPFT)
- Staffordshire County Council (social care division)
- Stoke-on-Trent City Council (social care division)
- Continuing Healthcare Services (based within the Staffordshire and Stoke-on-Trent Clinical Commissioning Groups)
- West Midlands Ambulance Service (WMAS)
During 2021, organisations in Shropshire, Telford and Wrekin will also be contributing data to One Health and Care. The organisations across Shropshire Telford and Wrekin that are participating in One Health and Care are:
- Shropshire, Telford and Wrekin GP practices
- Shropshire Community Health NHS Trust
- Midlands Partnership NHS Foundation Trust
- Shropshire Council (social care)
- Telford and Wrekin Council (Social Care)
- Shrewsbury and Telford Hospital NHS Trust
- Robert Jones & Agnes Hunt Orthopaedic Hospital
All partner organisations involved with One Health and Care are registered with the Information Commissioner’s Office (ICO) to process your personal data in accordance with the current data protection legislation and any subsequent revisions.
More information on this initiative can be found on the One Health and Care website.
Sharing your information without consent
There are times when we may be required by law to share your information without your consent, for example:
- Where there is a serious risk of harm or abuse to you or other people
- Safeguarding matters and investigations
- Where a serious crime, such as assault, is being investigated or where it could be prevented
- Notification of new births
- Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
- Where a formal court order has been issued
- Where there is a legal requirement, for example, if you had committed a road traffic offence
North Staffordshire Combined Healthcare NHS Trust is committed to ensuring that when required to share personal information, we will endeavour to share only the minimal amount of information as is necessary for the given purpose.
Section 251 (NHS Act 2006) approval
There are occasions when the North Staffordshire Combined Healthcare NHS Trust needs to access personal information without obtaining prior consent. The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information without patient consent. It provides advice to the Health Research Authority (HRA) for research uses and to the Secretary of State for Health and Social Care.
Its main purpose is to protect and promote the interests of patients and the public, while also making sure that confidential patient information can be used when it is appropriate, for purposes beyond individual care. CAG can give Section 251 approval (S251) for the use of confidential patient information without consent for a specific purpose by the HRA or the Secretary of State for Health and Social Care. This would usually only be granted when an organisation such as North Staffordshire Combined Healthcare NHS Trust requesting the data makes the case that it would be very difficult or impractical to seek consent from every individual whose data they wish to use.
Details of all approved applications are held in a register of approvals which is updated monthly. The register contains summary information about the activity, details of the identifiers approved, and applicant contact details.
The CAG register details all applications that have received approval from the Secretary of State for Health or the Health Research Authority (HRA approvals from 1 April 2013). Additional information is available on the CAG Register.
How long we store your information for
When storing your personal information, we ensure, as required under UK data protection legislation, that we keep your information for the required timeframes and as a Trust we adhere to the NHS Records Management Code of Practice for Health and Social Care and national archives requirements.
More information on the relevant retention periods can be found in the NHS Records Management Code of Practice 2021.
Disposal of information when no longer required
If, following the end of the retention period, any documents need to be securely disposed of, NSCHT will ensure it undertakes key responsibilities in relation to their secure disposal, including:
- Ensuring that information held in manual form is destroyed using a cross-cut shredder, or contracted to a reputable confidential waste company that complies with European Standard EN15713, and obtaining certificates of destruction.
- Ensuring that electronic storage media used to store or process information are destroyed or overwritten to national standards.
Data Security and Protection Toolkit
As with all health and social care organisations, NSCHT is required to submit to the Data Security and Protection Toolkit (DSPT), an online assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 Data Security Standards. All organisations that have access to NHS patient information and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly. NSCHT made its submission for the 2021/21 DSPT in June 2021 and achieved a ‘Standards Met’ status.
Objections/complaints and key contacts
Should you have any concerns about how your personal information is managed, please contact the Trust’s Data Protection Officer in the first instance:
Data Protection Officer
Sahra Smith, firstname.lastname@example.org
North Staffordshire Combined Healthcare NHS Trust, Lawton House, Bellringer Road, Trentham, Stoke-on-Trent ST4 8HH
0300 123 1535
Patient Experience Team
You can also raise a complaint with the Patient Experience Team, available Monday–Friday, 9am–5pm:
Freephone: 0800 389 9676
Text: 07718 971 123
(please note: this text service is available Monday–Friday, 9am–5pm and is charged at your provider’s rate)
Information Commissioner’s Office
You also have the right to lodge a complaint with the UK’s independent authority on data protection issues, the Information Commissioner’s Office, using the contact details below, and quoting the NSCHT ICO registration number of Z8606519.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF