Privacy policy

Most of the personal information we process is provided to us directly by you or by our healthcare partners, such as:

• You have used one of our services.
• Your information has been passed to us by our partners, such as results of tests and information from people who care for you, including health professionals and relatives
• You have applied for a job or secondment with us.
• You are representing your organisation.
• The professionals caring for you keep records about your health and any care you receive to ensure that you are provided with the best possible treatment.

Your records are used to direct, manage and deliver the care you receive to ensure that:

• The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate treatment for you
• Your concerns can be properly investigated if a complaint is raised
• Appropriate information is available if you see another doctor, or are referred to another part of the NHS, for example, the ambulance service.

How your information helps us improve services:

Your information may also be used to help us improve services by:

• Reviewing the care we provide to ensure it is of the highest standard and quality
• Ensuring our services can meet patient needs in the future
• Investigating patient queries, complaints and legal claims.

Please let us know if you do not wish for us to contact you to ask for your views on our services.

We do process children’s personal data.   Children need particular protection because they may be less aware of the risks involved.  We need to have a lawful basis for processing a child’s personal data. Where we are using ‘consent’ as a lawful basis, only children aged 13 or over are able to provide their own consent.   For children under 13, we will obtain consent from whoever holds parental responsibility for the child.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased

Data is kept according to our retention guidelines, which are largely set by statute.  Retention guidelines are available from the Data Protection Officer.

Your rights depend on the nature of the data that is held in our files. You can find more detail about the type data we collect, how we collect, when and why throughout this page.

You can submit a request for the data that we hold on you.  This request can be completed in writing, by email, or verbally. You do not have to make any mention of legislation or use specific wording, although we may ask you for clarification.  The request can be made to any member of staff, who will forward the details to the Data Protection Officer, who will coordinate the response.

Alternatively, you can contact HUC at huc.informationrequests@nhs.net. Or, write to us at HUC Head Office, The Old Ambulance Station, Ascots Lane, Welwyn Garden City, AL7 4HL.

We will need to confirm your identification.

You can also ask a third party (eg a relative, friend or solicitor) to make a SAR on your behalf. We will need to be satisfied that the third party making the request is entitled to act on your behalf, and it will be your and the third party’s responsibility to provide evidence of their authority.

We have to supply the data within one month and, in most circumstances, we cannot charge a fee for this service.  If the request is complex, or if we receive a number of requests, we can extend the time limit by a further two months.

Before responding to a SAR for information held about a child, we will consider whether the child is mature enough to understand their rights. If the request is from a child and we are confident they can understand their rights, we will usually respond directly to the child. We may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.

The data will be supplied to you in an accessible, concise and intelligible format, usually using the same means by which the request was made; thus if the request has been made by email, the response will be sent by email.

We can refuse to provide the information if an exemption or restriction applies, or if your request is manifestly unfounded or excessive.

The Data Protection Act 2018 gives you the right to access the information we hold about you on our records. This is generally done by contacting your GP surgery, but we can assist with some data requests.

We will ask you to provide proof of your identity before releasing records.

Please contact our Information Governance team at: huc.informationrequests@nhs.net to make your access requests. Or, write to us at HUC Head Office, The Old Ambulance Station, Ascots Lane, Welwyn Garden City, AL7 4HL.

We may share information with relevant third parties for direct care or safeguarding purposes.

Everyone working within HUC receives Data Protection training and knows that they have a legal duty to keep information about you confidential. Under the Data Protection Act and the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used and that it will be shared across your integrated care team when relevant.

We will share information about you with staff in other organisations when it is necessary for your care. These may include:

• Your GP practice
• Other hospitals involved in your care
• Ambulance services
• Social services and care homes.

Sometimes we must pass on personal information by law, for example:

• When required to by a formal court order
• When sharing information with the police may prevent a serious crime or prevent harm to you or other people.

Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.

My Care Record is an approach to improving care by joining up health and care information.  Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This may include individuals working within hospitals, GP practices, treatment centres, care homes, social care and community teams. This will make it easier and faster for them to make the best decisions. An administrator may access your records under the direction of a health and care professional providing care to you. For example, to check details of appointments and co-ordinate care.

Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed. The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.

The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.

Certain information – that doesn’t identify you – will also be used to help improve services and plan for the future. For example, it will help us plan for the number of doctors, nurses and care workers needed to look after you in the future.

You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.

• It is important to understand that not allowing access to your information may affect the quality of the care you receive.
• In many situations, it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.
• There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety.

Please see the My Care Record website www.mycarerecord.org.uk for more information. More information about the areas where your information may be used can be found on the My Care Record website www.mycarerecord.org.uk.

Each partner organisation participating is responsible for the information they share/access within the shared environment, including personal and special category data incorporated from individual records held by partner organisations. The information that can be accessed from your record from each service or organisation will depend on the system that is used.

It may sometimes be necessary to share confidential information without consent or where the individual has explicitly refused consent.  There must be a legal basis for doing so (e.g.  to safeguard a child) or a court order must be in place.

Where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation, the lawful basis for processing would be: ‘… for compliance with a legal obligation…’ (Article 6(1)(c)).  9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’.

For issues such as notifiable diseases, the most appropriate special category condition for processing in the face of a legal requirement to disclose is ‘…for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).

In deciding on any disclosure certain considerations and steps need to be taken:

• Discuss the request with the appropriate personnel such as the Caldicott Guardian and/or SIRO.
• Disclose only that information which is necessary or prescribed by law.
• Ensure recipient is aware that they owe a duty of confidentiality to the information.
• Document and justify the decision to release the information.
• Take advice in relation to any concerns you may have about risks of significant harm if information is not disclosed.

Requests may be received by other agencies which are related to law enforcement such as:

• The Police or another enforcement agency where the appropriate section 29 request form (in line with the Access to Records Procedure) needs to be submitted from the law enforcement agency in order for the CCGs to consider the request.
• The Local and National Counter Fraud specialists in relation to any actual or suspected fraudulent activity.

Staff will also take into account the seventh Caldicott principle and Information Governance Alliance guidance if there is a clear legal basis to share.

In some circumstances we are legally obliged to share information.  In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.  The organisation will ensure that information sharing takes place within a structured and documented process and in line with the Information Commissioner’s Code of Conduct and in accordance with the Health and Social Care Act 2012 and Health and Social Care (Safety and Quality) Act 2015.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

The data is all held in England.  We do not process data outside England.

We will not share your information with any third parties for the purposes of direct marketing.

You have the right to restrict how and with whom we share the personal information in your records. This must be noted explicitly within your records so all healthcare professionals and staff treating you are aware of your decision.

By choosing this option, unfortunately it may make the provision of treatment or care more difficult or unavailable. You can also change your mind at any time about a disclosure decision.

Your Data Protection Rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here.

Your right to data portability

This only applies to the information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at dpo@huc.nhs.uk and we will respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office.

The purpose for implementing some of the steps above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users.

The lawful basis we rely on to process your personal data is either Article 6(1)(a) of the GDPR, for example when we require your consent for the optional cookies we use, or Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example in order to maintain the integrity of our IT systems and the continuity of our business.

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at dpo@huc.nhs.uk and we’ll respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office . Please follow this link to see how to do that.