This Privacy Notice tells you what HUC will do with your personal information when you contact us or use our services. Given the complexity of HUC, the requirements of the legislation and our desire to ensure full compliance with the legislation, this Privacy Notice is lengthy. The contents are as follows:
We’ll tell you:
- why we are able to process your information;
- what purpose we are processing it for;
- whether you have to provide it to us;
- how long we store it for;
- whether there are other recipients of your personal information;
- whether we intend to transfer it to another country (we do not!); and
- whether we do automated decision-making or profiling (we do not!).
Data Protection Officer
Our Data Protection Officer can be contacted at firstname.lastname@example.org or via our postal address. Please mark the envelope ‘Data Protection Officer’.
Most of the personal information we process is provided to us directly by you or by our healthcare partners, such as:
- You have used one of our services.
- Your information has been passed to us by our partners, such as results of tests and information from people who care for you, including health professionals and relatives
- You have applied for a job or secondment with us.
- You are representing your organisation.
- The professionals caring for you keep records about your health and any care you receive to ensure that you are provided with the best possible treatment.
Your records are used to direct, manage and deliver the care you receive to ensure that:
- The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate treatment for you
- Your concerns can be properly investigated if a complaint is raised
- Appropriate information is available if you see another doctor, or are referred to another part of the NHS, for example, the ambulance service.
How your information helps us improve services:
Your information may also be used to help us improve services by:
- Reviewing the care we provide to ensure it is of the highest standard and quality
- Ensuring our services can meet patient needs in the future
- Investigating patient queries, complaints and legal claims.
Please let us know if you do not wish for us to contact you to ask for your views on our services.
We do process children’s personal data. Children need particular protection because they may be less aware of the risks involved. We need to have a lawful basis for processing a child’s personal data. Where we are using ‘consent’ as a lawful basis, only children aged 13 or over are able to provide their own consent. For children under 13, we will obtain consent from whoever holds parental responsibility for the child.
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing; and have their personal data erased.
Data is kept according to our retention guidelines, which are largely set by statute. Retention guidelines are available from the Data Protection Officer.
Your rights depend on the nature of the data that is held in our files. You can find more detail about the type of data we collect, how we collect it, when and why throughout this page.
You can submit a request for the data that we hold on you. This request can be completed in writing, by email, or verbally. You do not have to make any mention of legislation, or use specific wording, although we may ask you for clarification. The request can be made to any member of staff, who will forward the details to the Data Protection Officer, who will coordinate the response. Alternatively, you can contact the Data Protection Officer directly at email@example.com. We will need to confirm your identification.
You can also ask a third party (e.g. a relative, friend or solicitor) to make a SAR on your behalf. We will need to be satisfied that the third party making the request is entitled to act on your behalf, and it will be your and the third party’s responsibility to provide evidence of their authority.
We have to supply the data within one month and, in most circumstances, we cannot charge a fee for this service. If the request is complex, or if we receive a number of requests, we can extend the time limit by a further two months.
Before responding to a SAR for information held about a child, we will consider whether the child is mature enough to understand their rights. If the request is from a child and we are confident they can understand their rights, we will usually respond directly to the child. We may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.
The data will be supplied to you in an accessible, concise and intelligible format, usually using the same means by which the request was made; thus if the request has been made by email, the response will be sent by email.
We can refuse to provide the information if an exemption or restriction applies, or if your request is manifestly unfounded or excessive.
The Data Protection Act 2018 gives you the right to access the information we hold about you on our records. This is generally done by contacting your GP surgery, but we can assist with some data requests.
We will ask you to provide proof of your identity before releasing records.
Please contact our Clinical Governance team: firstname.lastname@example.org to make your access requests.
Everyone working within HUC receives training and knows that they have a legal duty to keep information about you confidential. Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Equally anyone who receives information from us also has a legal duty to keep it confidential. Any information we share is processed under secure conditions to give you peace of mind that your personal data is protected and we ensure that any NHS organisation that we share your details with handles your data with the same high level of confidence.
We will share information with the following main partner organisations:
- General Practitioners
- Clinical Commissioning Groups (CCGs), other NHS bodies such as ambulance services
- Police (if a crime has been committed) or if we are concerned about your safety following a call to our service.
We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as when the health and safety of others is at risk or where the law requires it.
Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.
My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This may include individuals working within hospitals, GP practices, treatment centres, care homes, social care and community teams. This will make it easier and faster for them to make the best decisions. An administrator may access your records under the direction of a health and care professional providing care to you. For example, to check details of appointments and co-ordinate care.
Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed. The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.
The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.
Certain information – that doesn’t identify you – will also be used to help improve services and plan for the future. For example, it will help us plan for the number of doctors, nurses and care workers needed to look after you in the future.
You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.
- It is important to understand that not allowing access to your information may affect the quality of the care you receive.
- In many situations it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.
- There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety.
Please see the My Care Record website www.mycarerecord.org.uk for more information. More information about the areas where your information may be used can be found on the My Care Record website www.mycarerecord.org.uk.
Each partner organisation participating is responsible for the information they share/access within the shared environment, including personal and special category data incorporated from individual records held by partner organisations. The information that can be accessed from your record from each service or organisation will depend on the system that is used.
It may sometimes be necessary to share confidential information without consent or where the individual has explicitly refused consent. There must be a legal basis for doing so (e.g. to safeguard a child) or a court order must be in place.
Where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation, the lawful basis for processing would be: ‘… for compliance with a legal obligation…’ (Article 6(1)(c)) and Article 9(2)(b): ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law…’.
For issues such as notifiable diseases, the most appropriate special category condition for processing in the face of a legal requirement to disclose is ‘…for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
In deciding on any disclosure certain considerations and steps need to be taken:
- Discuss the request with the appropriate personnel such as the Caldicott Guardian and/or SIRO.
- Disclose only that information which is necessary or prescribed by law.
- Ensure recipient is aware that they owe a duty of confidentiality to the information.
- Document and justify the decision to release the information.
- Take advice in relation to any concerns you may have about risks of significant harm if information is not disclosed.
Requests may be received by other agencies which are related to law enforcement such as:
- The Police or another enforcement agency where the appropriate section 29 request form (in line with the Access to Records Procedure) needs to be submitted from the law enforcement agency in order for the CCGs to consider the request.
- The Local and National Counter Fraud specialists in relation to any actual or suspected fraudulent activity.
Staff will also take into account the seventh Caldicott principle and Information Governance Alliance guidance if there is a clear legal basis to share.
In some circumstances we are legally obliged to share information. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making. The organisation will ensure that information sharing takes place within a structured and documented process and in line with the Information Commissioner’s Code of Conduct and in accordance with the Health and Social Care Act 2012 and Health and Social Care (Safety and Quality) Act 2015.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
The data is all held in England. We do not process data outside England.
We will not share your information with any third parties for the purposes of direct marketing.
You have the right to restrict how and with whom we share the personal information in your records. This must be noted explicitly within your records so all healthcare professionals and staff treating you are aware of your decision.
By choosing this option, unfortunately it may make the provision of treatment or care more difficult or unavailable. You can also change your mind at any time about a disclosure decision.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here.
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated. You can read more about this right here.
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at email@example.com and we’ll respond.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office. Please follow this link to see how to do that.