Privacy notice for patients and service users

North Tees and Hartlepool NHS Foundation Trust (the “TRUST”) is a ‘Data Controller’ under Data Protection Legislation, including but not limited to the UK General Data Protection Regulation (“UK GDPR”), and the Data Protection Act 2018 (“DPA”).

This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity.

Our registration number is Z1142263 and our registered entry can be found on the Information Commissioner’s website.

The Trust takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under current Data Protection Legislation.

We recognise the need to treat your personal and sensitive data in a fair and lawful manner. We will process your personal information fairly and lawfully by;

• Only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;
• Only collecting and using your information to provide you with your care and treatment and will not use it for anything else that is not considered by law to be for this purpose;
• Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;
• Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can;
• Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;
• Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored

What types of information do we collect about you?

We collect basic “personal” data about you which does not include any special types of information or location-based information, however we will also collect sensitive confidential data known as “special category personal data”, during the services we provide to you and or linked to your healthcare through other health providers or third parties.

This “personal” and “special category” information may include:

• Basic details such as name, address, date of birth, phone number, and email address
• Your next of kin and contact details
• Your religious beliefs, ethnicity and sex (if required in a healthcare setting)
• Notes and reports about your physical or mental health condition and any treatment, care or support you need and receive
• Results and images of your tests and diagnosis
• Records of vaccination
• Relevant information from other professionals, relatives or those who care for you or know you well
• Records of any contacts you have with us such as home visits or outpatient appointments or with other health professionals or service providers
• Information on medicines, side effects and allergies
• Information on your personal preferences relating to your care
• Patient experience feedback and treatment outcome information you provide
• Recordings of telephone calls, meetings (where advised)
• CCTV Images form within the estate of the Trust whilst on site
• And other health information that is relevant to us providing your care

The information which you provide us and which we hold about you may be in an electronic or paper format, or a mixture of both.

What is our purpose of processing your data?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers, administrators and other staff involved in your care including administrators – keep records about you, your health and any care and treatment you receive.

Your information is used to guide and record the care you receive and is vital in helping us to;

• provide quality healthcare to you as a patient / user of our services
• have all the information necessary for assessing your needs and for making decisions with you about your care
• have details of our contact with you, such as referrals and appointments and can see the services you have received from us and to which we have referred you to
• keep you informed about your care and contact you with details of appointments, attendances and outcomes though mail, telephone, SMS (text), automated voice reminder calls, in person, email or other electronic means.
• confirm your identity to provide our services
• contact you via mail, telephone, SMS (text), in person, email or other electronic means following attendance at a Trust service to seek feedback via our ‘Friends and Family Test’ and/or other Local and National surveys
• assess and improve the quality of care we give you and provide to others including through local audit and surveys
• ensure we can properly investigate if you and your family have a concern, complaint or claim about your healthcare or the services we provide
• ensure we meet our statutory and legal obligations under the Health and Social Care Act and meet other statutory legal requirements
• to protect the health of the public and to help us manage and impove the NHS services we provide
• to protect the vital interests of our patients and service users
• to protect staff, patient’s visitors and Trust property (CCTV Images)

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

• Move to another area
• Need to use another service
• See a different healthcare professional
• Receive private care in our hospitals

What is our legal basis for processing your data?

We do not rely on consent to use your information as a ‘legal basis for processing’ unless otherwise stated. We rely on specific legal provisions under Article 6 and 9 of the UK GDPR to provide you with Healthcare services, for the purposes described in this notice we will be lawfully using your information in accordance with:

Your Personal Data – will ordinarily be processed under UK GDPR Article 6(1)(e) where the “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller(Trust)”. In some limited circumstances we may also rely on UK GDPR Article 6(1)(d) where this is appropriate “to protect the vital interests of the data subject or another person”, UK GDPR Article 6(1)(c) where the processing is necessary “to comply with a legal obligation to which we are subject” or where private care is provided UK GDPR Article 6(1)b “to fulfil the performance of a contract”.

Your Sensitive (Special Category) Personal Data – will ordinarily be processed under Article 9(2)(h) where “processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”. In some limited circumstances we may also rely on GDPR Article 9(2)(c) but only when it is necessary “to protect the vital interest of a person who is physically or legally incapable of giving consent” or Article 9(2)(f) where we need to process or share your data for the “establishment, exercise or defense of legal claims”.

This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

Who might we share your information with?

Your information will be shared with the team who are caring for you and are providing treatment to you, including with the teams whom provide administration services to enable your care and only where necessary.

In order for the Trust to fulfil its functions, information may also be shared between various organisations with strict agreements on how it will be used, examples of these include:

• General Practices (GP’s)
• Other Acute Hospitals
• Community Services
• Mental Health Care Providers
• Walk-in Centres / Urgent Care Centres
• Ambulance Services
• Dentists
• Pharmacists
• NHS England
• NHS Digital
• General Medical Council (GMC)
• Nursing and Midwifery Council (NMC)

Information may also need to be shared with other non-NHS organisations, from which you are receiving care and other agencies that are supporting your care, examples of these include:

• Social care services
• Education services
• Hospices
• Nursing homes
• Respite centres
• Voluntary sector providers
• Private healthcare organisations
• Or with other professionals and services involved in your care with whom we work together with

We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved. We will only share your information in this way if it is considered necessary and we have a legal basis to do so.

There are times when we need to share information with other organisations such as our local authority partners, outside healthcare providers, clinical commissioning groups, the Department of Work and Pensions and the DVLA. We will only share information in this way if we have your permission, or we have a legal basis and it is considered necessary.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent.

Examples of this are:

• If there is a concern that you are putting yourself at risk of serious harm
• If there is concern that you are putting another person at risk of serious harm
• If there is concern that you are putting a child at risk of harm
• If we have been instructed to do so by a Court
• If the information is essential for the investigation of a serious crime
• If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
• If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

The Trust may also share information in the following scenarios:

Sharing to improve Health, Care and Services through planning

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.

In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally with in our Trust.

Your feedback which we collect via the Friends and Family Test may also be shared with NHS England, NHS Improvement or NHS Commissioners and will be fully anonymised, and care taken to remove any references to you in the free text data fields.

Sharing to improve Health, Care and Services through Research

The Trust actively promotes research with a view to improving quality of services for the future. You may have the opportunity to participate in an important research study. If you would like to get involved in our research, please discuss this with the team who are providing your treatment. If we use your patient information for research, we remove your name and all other personal data which would identify you. If we need the information in a form that would personally identify you, we would ask for your permission first.

Sharing to enable region wide care provision

The Trust is a partner in the Great North Care Record (GNCR) which facilitates:

• the sharing of your electronic health record with other Hospitals, GPs and local authorities for the provision of your direct care and ongoing support;
• the access to the different electronic health record systems which is managed through a secure third party, Cerner who as a data processor controls the view and access of any records held by the different organisations ensuring all access is appropriate, authorised and audited.
• the sharing of appointment and clinical correspondence data with NHS Digital for users of the My GNCR service accessed through NHS App. More information on the My GNCR service can be found on their website.

For further information about the GNCR or to opt out of sharing your information via the GNCR then please contact the GNCR team directly by telephone 0344 811 9587 or email [email protected] or via their website.

Please note that opting out of sharing your information via the GNCR may negatively impact the care the NHS and adult social care services can provide you if health and social care staff can’t access your medical record.

Sharing for the Prevention and Detection of Crime

We may also use the information we hold about you to detect and prevent crime or fraud and where appropriate and where we have a legal basis share with relevant agencies. We may also share this information with other bodies that inspect and manage public funds.

Sharing for safeguarding

Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Sharing for Patient Surveys

It is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of national surveys and audits. You do not have to participate in these surveys and the information you receive will contain contact details to opt out of the National Surveys.

The Trust also actively promotes local surveys to help develop and improve the quality of the services we provide our patients. If you don’t want to receive a survey from us then please contact 01429 522278 to let us know.

If you do provide us with your views, we will always remove your name and all other personal information which would identify you.

Sharing for Teaching

Some medical files are needed to teach students about real and/or rare cases. These materials allow students to understand and learn real scenarios before qualifying.

Sharing for National Cancer Registration and Analysis

Where appropriate we may share the data we collect with Public Health England (PHE) as part of the National Cancer Registration process, you may opt out of this should you wish, please inform your health professional or ask for a leaflet or visit https://www.ndrs.nhs.uk for more information.

Sharing for Cardiac CT Analysis

The Trust may with your consent share your cardiac CT scan data with HeartFlow Inc. for analysis to create a personalised 3D model of the coronary arties and analyse the impact that blockages have on blood flow to optimise your cardiac care. The data will be de-identified by HeartFlow in the UK before sending to HeartFlow in the USA for analysis.

Sharing with NHS Digital

Whom on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. We do this in order to assess the effectiveness of our care so that we can provide you with the best possible care and ensure that we can continually improve our services.

The data is securely sent to NHS Digital, which is the central organisation that receives the same data from all publicly-funded services across England. NHS Digital removes all identifying details and combines the data we send with the data sent by other care providers.

The data sets are used to produce anonymised/pseudonymised reports that only show summary numbers of, for instance, patients referred to different types of services. It is impossible to identify any individual patient in the reports, but the reports do help us to improve the care we provide to you and other patients.

Find more information about how NHS Digital uses your personal data including their lawful basis for processing, how long they hold it for and your rights.

You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please visit the NHS Digital National Data Opt-Out Programme Website. https://www.nhs.uk/your-nhs-data-matters/

Can patients opt out of sharing for purposes beyond care?

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out:

Please visit www.nhs.uk/your-nhs-data-matters

On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

• www.hra.nhs.uk/information-about-patients – which covers health and care research
• understandingpatientdata.org.uk/what-you-need-know – which covers how and why patient information is used, the safeguards and how decisions are made

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Do we use third parties to process data on our behalf?

Yes. As a Trust we have entered into contracts with other approved organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf.

These contractors are known as ‘Data Processors’ and are subject to the same legal rules and conditions for keeping personal information confidential and secure as we are. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

How do we keep information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.

We ensure that we comply with current data protection legislation including the Data Protection Act (DPA) and UK General Data Protection Regulation (UK GDPR)
All of the Information Systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and/ or consented to, unless it is required or permitted by the law. All of our staff receives annual Data Security training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.

Your information is never collected or sold for direct marketing purposes.

Do we process information overseas?

On occasions your data may be processed outside the UK, in most circumstances it will remain within the European Economic Area (EEA). The same protection would be applied as if processed within this country. If your data is transferred outside the EEA we are required to comply with the Data Protection Act 2018 and the UK GDPR, and ensure there is adequate protection is in place ensuring that appropriate and suitable safeguards and binding contractual clauses are in place.

Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements. Where this is applied copies of information regarding the safeguards put in place can be provided on request to the Data Protection Officer.

Do we record telephone calls or video consultations?

The Trust may undertake the recording of phone calls where it is necessary, to archive the content of the call in order to provide a record for any subsequent investigation, analysis of an incident or training purposes. Indiscriminate recording or monitoring of the content of telephone calls are not undertaken. The Trust does not record video consultations.

How long do we retain information?

Your information is retained in compliance with the NHS Records Management Code of Practice 2021 which details retention periods for your records.

• Currently we keep adult health records for a minimum of eight years
• Maternity records are kept for a minimum of 25 years
• Children’s records until at least their 26th birthday
• CCTV images for 28 days from the day of capture

For a full list of the retention periods that we apply to your information please see the NHS Records Management Code of Practice 2021 or on the Trust’s website https://www.nth.nhs.uk.

What are your rights and how are these applied?

Data Protection law gives individuals rights in respect of the personal information that we hold about you and these apply in circumstances where the relevant conditions are met.

These rights are:

1. Right to be informed

You have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

2. Right of access by the data subject

You have the right to request a copy of the information the Trust holds about you and supplementary information about what we process and the legal basis for processing. Further information on this process can be found in this privacy notice under the ‘How can I access my information?’ section. This is also commonly known as a Subject Access Request.

3. Right to rectification

Data must be accurate; you have the right to request correction of any data that you believe is incorrect. However, where the Trust is not the author /creator/originator of the information this request will be forward to the relevant party for them to take forward.

Any requests for information to be rectified will be considered on a case by case basis and requests should be made initially to your health professional.

4. Right to erasure (‘right to be forgotten’)

A data subject has the right to have personal data concerning them erased by the Trust without undue delay where one of the following applies:

• The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed (and no new lawful purpose exists);
• The lawful basis for the processing is your consent, and you withdraw that consent, and no other lawful ground exists;
• Where the data subject exercises their ‘right to object’ regarding processing in the public interest or legitimate interests of the DC, (UK GDPR Article 21(1)) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes, (UK GDPR Article 21(2))
• The personal data have been unlawfully processed
• The personal data must be erased for compliance with a legal obligation
• The personal data have been collected in relation to the offer of information society services referred to in UK GDPR Article 8(1) relating to a child’s data.

The Trust can refuse to erase your data in the following circumstances:

• When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
• When the Trust is legally obliged to keep hold of your data.
• When keeping hold of your data is necessary for reasons of public health.
• When keeping your data is necessary for establishing, exercising or defending legal claims.
• When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

The majority of processing of healthcare related personal information is undertaken under our statutory duty to provide such care and not on the grounds of consent. This means that we are required by law to hold your personal data and you do not have the ability to have that data erased in most circumstances. All requests will be considered on a case by case basis and requests should be made to the Data Protection Officer (DPO).

5. Right to restriction of processing

You have the right to request restriction of processing of personal data where one of the following applies:

• Accuracy of personal data is contested
• Processing is unlawful
• The Trust no longer requires the information but the data subject has requested it is retained to enable them to establish, exercise or defense of legal claims
• Pending verification of the outcome of the Right to object
• Where processing has been restricted

Where we have disclosed personal data to any third parties, and you have subsequently exercised any of the rights of rectification, erasure or blocking, we must notify those third parties of the data subject’s exercising of those rights.

We are exempt from this obligation if it is impossible or would require disproportionate effort. You are also entitled to request information about the identities of those third parties. Where we have made the data public, and the data subject exercises these rights, the controller must take reasonable steps (taking costs into account) to inform third parties that the data subject has exercised those rights.

Any requests for information to stop processing will be considered on a case by case basis and requests should be made to the Data Protection Officer.

6. Right to data portability

The right to data portability allows data subjects (you) to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

However, it should be noted that this is unlikely to apply to information processed under this privacy notice as the processing is not carried out based on consent or by an automated means. For further information into this right please contact the Data Protection Officer.

7. Right to object to processing

You have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either:

• public interest – GDPR Article 6(1)(e) or
• legitimate interests of the controller – GDPR Article 6(1)(f)

In such cases we must cease such processing unless we can:

• demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
• require the data in order to establish, exercise or defend our legal rights

8. Right to object to processing for direct marketing

You have the right to object to the processing of personal data for the purpose of direct marketing, including profiling. We do not use your personal data for Direct Marketing purposes unless you have provided us with explicit consent to do so.

9. Right to object to processing for scientific, historical or statistical purposes

You have the right to object where your personal data are processed for scientific and historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

10. Rights in relation to automated decision making and profiling

You also have the right to object to any automated decision-making including profiling. Currently the Trust does not undertake any automated decision-making or profiling.

11. Right to Lodge a complaint to the supervisory authority, Information Commissioners Office (ICO)

You have the right to lodge a complaint if you are not content with the outcome of your confidentiality and data protection complaint and/or concern raised with the Trust.

More Information about Your Rights

There are additional restrictions to the above rights of individuals and these are listed in UK GDPR Article 23 and can be obtained from the Trust on request.

You retain the right to seek remedy from a court under section 167 of the Data Protection Act 2018 where you feel these rights have not been appropriately applied.

For further information on your rights please visit the ICO website www.ico.org.uk or contact the Trust Data Protection Officer.

How can you access your information?

You have the right to obtain from the Trust confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the following information if required:

1. The purposes and legal basis of the processing;
2. The categories of personal data concerned;
3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. The existence of the right to request from the Trust rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. The right to lodge a complaint with the ICO;
7. Where the personal data are not collected from the data subject, any available information as to their source;
8. The existence of automated decision-making, including profiling giving meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
9. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer

Once your request has been received and your identity / entitlement verified, your request will usually be completed within one calendar month. However, if your records are extensive we may take longer to process your request but will inform you from the outset where possible, and in any case within one calendar month.

To submit a formal request for information you can do so by:

What if I have concerns about how the Trust is handling my data?

Please speak to us first.

Data Protection Officer (DPO)

The DPO is the person to contact if you would like to know more about how we use your information, if you require information in any accessible format or language, you wish to make a complaint or if (for any reason) you do not wish to have your information used in any of the ways described. The DPO can be contacted by:

Patient Services and Complaints

We welcome comments about your care and about how we use your information. If you have any comments or complaints, please contact:

Information Commissioners Office (ICO)

You have the right to lodge a complaint if you are not content with the outcome of your confidentiality and data protection complaint and/or concern raised with the Trust.

Further Information

Should you have any further queries on the uses of your information, please speak to your health professional or our Data Protection Officer.

Changes

It is important to point out that we may amend this privacy notice from time to time to ensure that it reflects how we handle your information; we recommend that you review this regularly and we will show below when we last reviewed it.

Last reviewed: 21/12/2022