Privacy Notice


Post on 24-Jul-2020


v2.4

What is a Privacy Notice?

This is a statement made by the Rotherham Doncaster and South Humber NHS Foundation Trust to our patients, service users, visitors, carers and the public that describes how we collect, use, retain and disclose personal information which we hold. It is sometimes also referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy.

This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018 (DPA).

This Trust will collect, store and use personal data about you to provide you with healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

We are the Data Controller, and our registered address is: Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN

Our Information Commissioner’s Office (ICO) registration number is Z5863970.

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to ensure the security of the personal data we are responsible for, whether this is computerised or in paper form.

At Trust Board level we have a Senior Information Risk Owner (SIRO) who is accountable for the management of all the Trust’s information assets; a Caldicott Guardian who is responsible for the management of patient data and patient confidentiality. We have a Data Protection Officer (DPO) who ensures the Trust is accountable and in compliance with the GDPR and DPA.

The Data Protection Officer can be contacted by:

Post: Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN

Email: [email protected]

Phone: 01302 796189

What information do we collect about you?

The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you, other care providers e.g. a GP, Social Care or Hospital. The maintenance of these records will ensure that you receive the best possible care. They may be written down on paper or held on a computer and include:

Basic personal details about you such as your name, address, date of birth, next of kin etc.


Contacts we have had with you such as appointments or clinic visits

Notes and reports about your health, treatment and care

Results of x-rays, scans and laboratory tests

Relevant information from people who care for you and know you well, such as health professionals, relatives and carers

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing. If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

Cookies

Our website utilises a standard technology called ‘cookies’ to collect information about how our website is used and to record your preferences in order to give you the information you need during your visit. Information gathered through cookies allows us to monitor website traffic and to personalise the content of the site for you. Click here to find out more.

Web server log files

IP addresses are used by your computer/mobile device, i.e. smartphone, every time you are connected to the internet. Your IP address is a number that is used by computers on the network to identify your computer/mobile device. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you. Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about which other sites you have visited.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

have all the information necessary for assessing your needs and for making decisions with you about your care

have details of our contact with you, such as referrals and appointments, and see the services you have received

assess the quality of care we give you

properly investigate if you and your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

Move to another area

Need to use another service

See a different healthcare professional

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

Review the care we provide to ensure it is of the highest standard and quality


Protect the health of the general public

Manage the health service

Ensure our services can meet patient needs in the future

Investigate patient queries, complaints and legal claims

Ensure the health care providers receive payment for the care you receive

Prepare statistics on NHS performance

Audit NHS accounts and services

Undertake health research and development

Help train and educate healthcare professionals

For these purposes we use the minimum amount of information necessary.

Improving Health, Care and Services through Planning and Research

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share information, for example with the NHS Clinical Commissioning Groups. The information we share has personal information removed so you cannot be identified and all access to and use of this information is strictly controlled.

In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our Trust. Information from your records helps staff to continually improve their work and ensures we are providing good patient care.

The Trust actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented. If we use your patient information for research, we remove your name and all other personal data which would identify you. We may contact you to participate in clinical research. No information will be shared with the researchers until you have given your consent.

Some information is provided to NHS Digital - Your Data Matters to the NHS (National Data Opt Out) – click here to read more.

What is our lawful basis for processing your information under Data Protection legislation?

For healthcare purposes:

Article 6(1)(e) - public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law;

Article 9(2)(h) - processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services …


For the CCTV system:

On site for the purposes of public and staff safety and crime prevention and detection. Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner.

CCTV images or other data held may be used in some circumstances where incidents require investigation by the Data Controller. Article 6(1)(f) is our lawful basis, as processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

How do we use your personal information?

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

Review the care we provide to ensure it is of the highest standard and quality

Protect the health of the general public

Manage the health service

Ensure our services can meet patient needs in the future

Investigate patient queries, complaints and legal claims

Ensure the healthcare providers receive payment for the care you receive

Prepare statistics on NHS performance

Audit NHS accounts and services

Undertake health research and development

Help train and educate healthcare professionals

Who do we share your personal information with?

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Legal reasons to share information – a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent. Examples of this are:

If there is a concern that you are putting yourself at risk of serious harm

If there is concern that you are putting another person at risk of serious harm

If there is concern that you are putting a child at risk of harm

If we have been instructed to do so by a Court

If the information is essential for the investigation of a serious crime

If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object

If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases


Health and social care professionals – you may receive care from other organisations, e.g. social care services, other NHS trusts, etc., and therefore this Trust may need to share information to ensure consistent and appropriate care and support is provided. This is only shared if there is a genuine need to share or we have patient consent to do so.

We share information with the following partner organisations:

Other NHS Trusts and hospitals involved in your care

Clinical commissioning groups - responsible for planning the health needs of their patients, and for paying to keep their local hospitals running. Information in computerised form is sent to THIS TRUST’s, with your name and address removed, but including NHS numbers and postcodes. Exactly the same information is sent to the Office of National Statistics which produces information about the performance of hospitals. Other organisations such as specialist disease registries receive information about particular areas of healthcare. This is important to ensure that the NHS provides the best possible treatments both now and in the future.

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people’s access to their own records, controls on others’ access, how access will be monitored and policies, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee.

Doncaster Integrated Care Record - an electronic record which allows health and care professionals in Doncaster to quickly and securely access medical information about you while they are caring for you. When you come into contact with health and social care services in Doncaster, staff will ask you for permission to view your Integrated Doncaster Care Record. Click here for more information

NHS digital - on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services - we share information such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data for research and development purposes only - please click on this link

NHS improvements

NHS England

Care Quality Commission (CQC)

General Practitioners (GPs)

Ambulance Services

You may be receiving care from other people as well as the NHS, for example Social Care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

Social care services

Education services

Local authorities

Voluntary and private sector providers working with the NHS


We will not disclose your information to any other third parties unless:

We have your permission

We have to share it by law

We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse

We hold information that is essential to prevent, detect, investigate or punish a serious crime

The information from your patient record will only be used for purposes that benefit your care - we would never share it for marketing or insurance purposes.

Do we use any data processors?

Communications & Engagement

Purpose for processing

This Trust offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from the Trust, opportunities, events and details on how to get involved and surveys. We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them.

We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Lawful Basis

Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Sources of the data

The personal data is provided by data subjects when signing up to receive one of our newsletters or interest in an engagement event, either via our website or by completing one of our sign-up forms at one of the stakeholder events that we hold from time to time.

Categories of Personal data

We only require you to provide us with your name and email address or residential address so that we can send you our publications.

Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Invoice Validation

Purpose for processing


Invoice validation is an important process. It involves using your NHS number to see who is responsible for your care, in order for us to invoice the correct commissioners to recover the income back for the care that has taken place.

This Trust is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables them to process patient identifiable information on behalf of This Trust without consent for the purposes of invoice validation – Confidentiality Advisory Group CAG 7-07(a)(b)(c)/2013.

Lawful Basis

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Sources of the data

We are the provider who submit invoices to NHS Shared Business Services for the Commissioners for validation and payment.

Categories of Personal data

The data required for effective invoice validation can be found in Appendix B of “Who Pays? Information Governance Advice for Invoice Validation” here

Recipients of personal data

Commissioners who the Trust has invoiced for the charges related to your care. This Trust only shares personal data via NHS England’s published list of accredited commissioner email addresses – this data includes your NHS number and GP code at the time the service was accessed.

Safeguarding Concerns and reviews

Purposes for processing

This Trust is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and thoroughly applied with the wellbeing of all at the heart of what we do.

Lawful Basis

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

Article 9(2)(g) – ‘processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’

Categories of personal data

The data collected by this Trust staff including hosted bodies, in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data

The Trust will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.


Recipients of personal data

The information is used by the Trust when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as Local Authorities, the Police, Care Homes, healthcare professionals (i.e. their GP or mental health team).

Quality

Purposes for processing

The Trust have a statutory duty to the improvement of quality and delivery of services, therefore use incident events, investigations, evidence and reports relating to incidents under various policy and procedural structures.

The Trust monitor patient healthcare and the way in which their information is handled within care homes or services provided which the Trust fund; this is to assess the quality of care given to patients, and close monitoring of staff delivering these services. Where there may be concerns identified, an investigation is carried out.

It is important to carry out quality assurance visits to ensure the correct processes are being adhered to, patients are getting the best service and the correct paperwork is being completed. This information is shared with Healthcare providers and Care homes so that services and care can be reviewed and maintained at a high level.

In order to promote quality and compliance, the Trust has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission. Part of this monitoring allows the Trust to review hospital discharge data so that delayed transfers of care are identified and so that the Trust can assess how these can be reduced for more efficiency.

Lawful basis

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services …

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the concerns, including others involved or impacted by the event are used by the Trust to facilitate concerns/incident investigations.

Sources of the data

Data received in order to fulfil the duties relating to concerns investigation will be received directly from the organisation in concern or the reporting organisation, such as a Care Home or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

Medicines Optimisation

Purpose for processing

The Trust has a duty to secure continuous improvement in the quality of services provided to individuals for or in connection with the prevention, diagnosis or treatment of illness. Taking that into account, the Pharmacy Team supports the Trust with commissioning services that make best use of available medicines. Your personal data will be used to fulfil this duty in respect of promoting cost-effective use of medicines as well as implementing projects or actions to optimise the use of medicines to improve outcomes, enhance patient safety and improve capacity within the local health economy.

Lawful Basis

Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services …

Source of Data

Data used to fulfil the above duties is received directly from the primary and secondary healthcare providers for which the Trust has responsibility.

Categories of Data

Typically, clinicians and pharmacists will require access to patient information including NHS Number and medication lists.

Recipients of Personal Data

Personal data is shared between the Trust and local healthcare providers including GP Practices. They do this to facilitate the implementation of recommendations by the Pharmacy Management Team.

What are your legal rights?

We will ensure your rights are respected. You have:

The right to be informed - of how their data will be used. This applies to both patient and staff data. Click here for more information on how your data is used.

The right of access – to their personal data, and this is commonly referred to as a subject access request. Individuals can make a subject access request verbally or in writing, and we have one month to respond to a request. This is a free service, although there are specified examples where a fee may be applicable, such as where the request is ‘manifestly unfounded’ or ‘excessive’, or if an individual requests further copies of their data following a request. We can charge a reasonable fee covering our admin costs. For more information on how to make a request – click here

The right to rectification - to have inaccurate personal data rectified or completed. For more information on this right, click here.

The right to erasure - often referred to as the “right to be forgotten” and is not absolute. The right does not apply to special category data if processing is necessary for the provision of health or social care; or for the management of health or social care systems or services. For more information on this right, click here.

The right to restrict processing - to require organisations to restrict processing where:


• accuracy is contested by the individual

• processing is unlawful and the subject opposes erasure

• the organisation no longer needs the data, but the subject requires it to be kept for legal claims

• the individual has objected, pending verification of legitimate grounds.

The right to data portability - to receive personal data about them in a ‘commonly used and machine readable format’. This right is only available where the processing is based on consent and the processing is automated. Please note that this is not the legal basis for the majority of our processing, therefore, with regard to most of the data held by this Trust, this right does not apply.

The right to object - to:

• processing based on legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling);

• direct marketing (including profiling); and

• processing for purposes of scientific/historical research and statistics.

Rights in relation to automated decision making and profiling - when making a decision solely by automated means without any human involvement this is known as automated individual decision-making; and any automated processing to evaluate certain things about an individual is known as profiling, although it can also be part of the same process.

We can only carry out solely automated decision-making that has legal (or similarly significant) effects on you, where the decision is:

• necessary for the entry into or performance of a contract; or

• authorised by Union or Member state law applicable to the controller; or

• based on your explicit consent.

If so, we must ensure we give you information about the processing and introduce simple ways for you to request human intervention or challenge a decision. We must also carry out regular checks to make sure that our systems are working as intended.

How can you access your personal information?

You have a right to see the information we hold about you, both on paper or electronic, except for information that:

Has been provided about you by someone else if they haven’t given permission for you to see it

Relates to criminal offences

Is being used to detect or prevent crime

Could cause physical or mental harm to you or someone else

Your request must be made in writing and we will request proof of identity before we can disclose personal information. You can find out more about accessing your information by visiting our “Your Information - Your Rights” web page here

If you would like to request a copy of your records, please contact Information Governance. Application forms are available here.


By post at: Information Governance, Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN

Via email at: [email protected]

Or phone on: (01302) 796189

Do we send your data to other Countries?

Sometimes your data may be processed outside of the UK. In most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within this country. When this is outside the EEA we will identify the data protections in place prior to transfer.

How do we keep your information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.

• This Trust is registered with the Information Commissioner’s Office (ICO);

• All of the Information Systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information.

• The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.

• We have very strict rules about who can and cannot use our computers. We also put restrictions in place as to which records staff can access.

• Our computers and networks are protected against hackers and unauthorised access.

• Any information about you that is sent electronically to another healthcare provider or service is sent securely (encrypted).

• Every time someone accesses your information an audit trail is created.

• All employees and our partner organisations are legally bound to respect your confidentiality; all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.

• Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records.

• All Trust employees are required to undertake annual training in data security and protection.

Teaching clinicians - Some medical files are needed to teach student clinicians about rare cases. Without such materials, new doctors and nurses would not be properly prepared to treat you.

Clinical placements - Clinical placements for students commonly take place within the NHS. Students, such as student nurses, medical students, social work students, could be receiving training in the service that is caring for you. This may be when you are an inpatient, in a community setting such as a day hospital, or when you are being visited by health or social care staff at home.


If staff would like a student to be present they will always ask for your permission before that meeting or episode of care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care.

Occasionally, for assessment purposes, students may request that their supervisor be present. You may refuse this if it makes you feel uncomfortable.

How long do we keep your information?

All records held by the NHS are subject to, and kept in line with the retention periods in, the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

A copy of the Trust’s Retention & Disposal Policy (Records Management) can be found here.

Notification

The Data Protection Act 2018 requires organisations to notify the Information Commissioner and describe the purposes for which they process personal information. These details are publicly available on the Information Commissioner’s website: www.ico.gov.uk.

How do you make a complaint?

If you are not happy with how your data or request has been handled, please:

• Speak to your health professional, ie key worker, support worker, consultant, etc;

• Click here to visit our Information Governance web page; or telephone them on 01302 796189, or email at [email protected]

• Should you have any further queries about the uses of your information, please email the Trust’s Data Protection Officer at [email protected]

• Click here to access our Complaints Team / Patient Advice and Liaison Service web page; or

• To get further advice or report a concern directly to the Information Commissioner’s Office (ICO), the UK’s independent authority, you can click here to access their website or telephone them on 0303 123 1113

What about information about the Trust itself?

The Freedom of Information Act 2000 provides any person with the right to obtain information held by this Trust, subject to a number of exemptions. If you would like to request information from us, please contact the Information Governance Team:

Post: Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN

Email: [email protected]

Phone: (01302) 796189

Where can you find more information?


Leaflets – click here to take you to our “Your Info – Your Rights” page where IG leaflets are identified.

Policies, procedures and strategies – click here to take you to Information Policies

Data Protection Impact Assessments

Data Protection law introduced a new obligation to do a Data Protection Impact Assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ interests. A DPIA is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data. We publish a log of completed DPIAs – click here to view a summary. Any requests for the full DPIA can be sent to [email protected]

The new Data Protection Legislation supports your right to have your privacy respected and your data protected. It gives you easier access to the personal information the Trust holds about you, if you wish to check or change it. It is designed to give you confidence that this information is accurate, up to date and well managed.

Definition of Terms

Data controller

The organisation which determines the processing of Personal Data. The Data Controller is the legally responsible organisation.

Data processor

An organisation which the Data Controller appoints to provide a service on its behalf. The Data Processor must follow the legal instruction of the Controller.

Data subject

The individual whom the personal data is about. The individual must be identifiable from the data.

Data Protection Officer

The person appointed by the Data Controller as the single point of contact for data protection enquiries. The Data Protection Officer acts independently and monitors compliance with data protection obligations.

Data processing

The activities which relate to Personal Data. Data Processing includes: Obtaining, recording or holding the information; organisation, adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.

Information Commissioner’s Office (ICO)

The regulator of information rights in the United Kingdom. The ICO website is - https://ico.org.uk/

Personal data

Data which relates to an individual and enables them to be identified.