Privacy Notice

As a data controller, Northamptonshire Healthcare NHS Foundation Trust (NHFT) processes both personal data and special category (sensitive) personal data.

Northamptonshire Healthcare NHS Foundation Trust,

St Mary’s Hospital
London Road
Kettering
NN15 7PW

Tel 01536 410141

Our Data Protection Registration number is Z6769102.

We have an obligation to ensure compliance with the terms of the General Data Protection Regulations and the Data Protection Act 2018.

What is personal or special category data?

Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, NHS Number, and information about that person held in records. Records can be in different formats e.g. written correspondence, emails, photographs, audio recordings and video recordings.

Information classed as special category (sensitive) personal data can include details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, biometric data and genetic data.

Why do we collect and store personal data?

We process personal data to enable us to provide healthcare services for patients; carry out data matching under the National Fraud Initiative; conduct research; support and manage our employees; maintain our accounts and records; and use CCTV systems for crime prevention.

The Trust has a duty to:

  • Process data lawfully, fairly and in an open manner
  • Only use data for a specific defined purpose
  • Only gather and record data that is relevant and limited to the defined purpose
  • Take every reasonable step to ensure data is kept accurately
  • Only hold data in an identifiable form for the minimum period necessary
  • Hold data securely and prevent any unlawful processing

How will we use information about you?

The types of information that we may collect and use include the following:

  • personal details
  • family details
  • education, training and employment details
  • financial details
  • goods and services
  • lifestyle and social circumstances
  • visual images, personal appearance and behaviour
  • details held in the patient’s record
  • responses to surveys

What is the Legal Basis for processing data?

Under the terms of the General Data Protection Regulations, we are required to notify you of the legal basis for processing the data we handle.

Healthcare

Personal data provided to the Trust for the purpose of healthcare delivery, management and treatment:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

To manage our contractual obligations for the services we have been commissioned to deliver:

  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents
  • Make sure that services offered give value for money
  • Make sure services are planned to meet patients’ needs in the future
  • Review the care given to make sure it is of the highest possible standard 
  • To improve the efficiency of healthcare services

Staff Data

If we are your employer we process your data to enable us to undertake our responsibilities under law.

Personal data provided by staff members for the purpose of employment:

6(1)(f) Necessary for the purposes of legitimate interests

Special category data provided by staff members for the purpose of employment:

This data is required to manage the operation of the organisation and to ensure compliance with the terms and conditions outlined in your contract, as part of your employment.  

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

National Fraud Initiative:

The Trust has a duty to protect the public funds it administers and as such participates in the National Fraud Initiative. This is an electronic data matching exercise conducted by the Cabinet Office, carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of employees.

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For more information see the link below:

https://www.gov.uk/guidance/national-fraud-initiative-public-sector-data-requirements

Staff Occupational Health Data

Special category data gathered by the Trust in relation to employee health is processed for the reasons of preventative or occupational medicine and for assessment of working capacity.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

 

Student Data

Student Information Privacy Notice

The Trust is the Data Controller for your personal information and is subject to the General Data Protection Regulation (GDPR).

The Trust works with partner academic organisations to support and mentor students and apprentices during their placements. Student and apprentice information is processed in accordance with the individual learning agreements in place with the academic institution.

This privacy notice explains how the Trust uses and shares your personal data and outlines your rights in relation to the personal data we hold.

What information are you collecting?

The Trust may obtain, hold and process data of applicants and students including personal data and special category data.

Personal data and special category data held by the Trust relating to students is obtained directly from the student or applicant.

Why are you collecting my data?

The Trust holds the personal data and special category data of its applicants and students to facilitate support and mentoring of individuals and to ensure compliance with the terms and conditions outlined via contract or learning agreement.

Only information required for these purposes is obtained and processed for operational purposes, and without it the Trust may not be able to provide its services to you or meet its statutory obligations. 

Personal data provided by students for the purpose of employment:

6(1)(e) whereby processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Northamptonshire Healthcare).

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Additional information on the e-learning toolkits used and their privacy policies can be accessed via the links below.

Training Tracker Privacy Policy link: https://www.trainingtracker.co.uk/policies/privacy/

Highfield e-learning Privacy Policy link: https://www.highfieldelearning.com/privacy-policy

 

Trust Membership and Involvees

As Members or Involvees of the Trust you will likely receive information that may be of interest as a patient, carer or member of the community that we serve. In common with all other NHS foundation trusts we have a statutory duty to engage with our communities and encourage new Members and Involvees of the Trust.

Personal data provided by Members or Involvees for the purpose of engaging with communities:

6(1)(e) whereby processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Northamptonshire Healthcare).

Equality and Diversity Data

As a Trust we have a duty to eliminate unlawful discrimination, harassment or victimisation, to advance equality of opportunity and to foster good relations. All public bodies must treat people from different groups fairly and equally. Data on equality and diversity is captured in accordance with the Equality Act 2010.

Special Category Personal Data provided to the Trust for the purpose of compliance with Equality legislation:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

Mental Health Act Data

Most people who receive treatment in hospitals or psychiatric units for mental health conditions are there voluntarily and have the same rights as people receiving treatment for physical illnesses. However, a small number of patients may need to be compulsorily detained under a section of the Mental Health Act 1983.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

9(2)(c) Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

Use of Photographs

Photographs where an individual can be clearly identified will only be used as part of promotional materials and website where explicit consent has been given by the individual.

Personal data for the purpose of promoting the work of the Trust:

6(1)(a) Consent of the data subject

Recovery College

Recovery College NHFT supports individuals with experience of mental health difficulties to live the life they want to lead and become experts in their own self-care. The college supports individuals through courses designed to contribute towards wellbeing.

Data captured during enrolment is required to manage this service and to provide you details of available courses and resources.

Personal data provided by individuals for the purpose of enrolment:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Research

Data is gathered for research with the same controls as for the collection and processing of data for healthcare purposes. Consent will be sought for participation in research trials under the common law duty of confidentiality.

Personal data provided by individuals for the purpose of research:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

 

Data sharing with partner organisations

We hold a list of the information sharing agreements we currently have in place with our partner organisations. As part of the Northamptonshire Health and Care partnership we work with other health and public sector organisations for the delivery of services.

Other ways your data may be shared

National Surveys

Your personal data may be used for the purposes of the NHS Patient Survey Programme, and this may include passing data to a CQC approved contractor. The anonymised reports produced by the survey programmes are used to help make service improvements.

The processing basis for the Trust to use your information for the NHS Patient Survey Programme is set out in Article 6(1)(e) of the General Data Protection Regulations which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Safeguarding

There is a Duty of Care to report safeguarding concerns to partner organisations to support an individual’s welfare. There is useful information on the Trust’s Safeguarding Page on the importance of safeguarding for Adults and Children and how staff are supported to act in the best interests of the individual.

https://www.nhft.nhs.uk/safeguarding

Supporting families

We are committed to supporting the health and wellbeing of families. This means to protect you and your child we may need to share information with other agencies such as social services or the police.

Public security

Data may be shared with the Police or other national security agencies where it is necessary and proportionate to support the prevention, investigation and detection of crime.

Tuberculosis

Data may be provided to the Trust by partner agencies to support the management of patients with Tuberculosis or suspected Tuberculosis.

Infection Control

Data may be provided to the Trust by partner agencies to support the management of public health.

Is my data transferred overseas?

Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud service that has servers in another country. A Data Protection Impact Assessment will have been completed to ensure that data is held securely and within the requirements of the law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

Is my data handled using automated decision processes?

The Trust does not currently use automated decision processes. This privacy notice will be regularly reviewed and updated as necessary.

How do we store and safeguard your data?

We may introduce new processes or technologies that capture and store personal data, e.g. biometric scanners, body worn video cameras etc. The Trust considers privacy at the initial design stages and throughout the complete development process by invoking the Data Protection Impact Assessment and Change Management Processes, thus ensuring the appropriate technical and organisational measures are in place to safeguard individuals’ rights and adherence to GDPR/DPA 18.

We keep your information in accordance with timescales set out in the Records Management Code of Practice for Health and Social Care. Personal data that does not have a national retention schedule in the Code of Practice is managed for as long as is necessary to fulfil the purpose of obtaining it or if we are required to keep it by law. A link to this document can be found below:

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016

Patient Led Sharing

A number of NHFT services use a secure computer system called SystmOne to hold medical records.

SystmOne is also used in Northamptonshire by most GPs as well as the out of hours GP service. For those services that use SystmOne, since October 2013 you have been able to decide which NHS services can view your record, with the aim of providing you with control and reassurance regarding how your secure medical records are used.

With your permission, clinicians using SystmOne are able to share your medical record easily and safely with the other healthcare services involved in your care. This will mean that when you attend any service using SystmOne they will be able to view your NHFT medical record so that the clinicians who see you have all the information they need to enable them to provide the best possible health care for you.

Why is this necessary and how does it work?

Patient Led Record Sharing puts YOU in control of your NHFT medical record – you will be asked whether you wish to share your information with other health care services, like your GP, and the benefits and any risks of your decision will be fully explained to you.

Sharing your medical record will improve communication about your care between healthcare professionals – it is important that you give your consent to this sharing, to ensure that your clinicians have all the information they require to offer you the best possible care.

Patient led record sharing enables high quality, joined up care across the different NHS services.

This sharing was designed to align SystmOne with the NHS care record guarantee. This guarantee states that patients should be able to control which services (that are caring for them) are able to see information held on their record.

All staff members are trained in confidentiality and information governance. If you decide to share your record you can be sure that healthcare professionals will always treat your health record with the greatest care and discretion.

Will all my medical record be shared?

If you do not wish another service to see particular items in your medical record, please discuss this with your GP or healthcare professional. You can request for individual entries in your patient record to be marked as ‘Private’. These will not be visible at any NHS care service other than the one that recorded the information.

Can I opt out of processing?

If you wish to opt out of sharing your information with other healthcare settings please discuss with your healthcare team at your next appointment. They can discuss with you the impact to your individual health care.

If you wish to opt out of having your information used for the purpose of national surveys detailed in the section of the privacy notice called “Other ways data may be shared”, please complete the form below:

 

How do I make a request for Information or make a complaint?

If you wish to ask the Trust about a data protection issue, request information on data we process, request a copy of your data, make a request for data to be erased or rectified, or you have concerns about the processing of your personal data by us, you may contact our Information Governance Team at:


Information Governance Team
Information Governance Team Office,
1st Floor,
RCI Building,
Kettering Venture Park,
Kettering,
NN15 6EY

Telephone: 0300 0111133

Email: information.governance@nhft.nhs.uk

If you wish to contact our Data Protection Officer directly then please use the details below:

Sarah Ratcliffe
Data Protection Officer
Information Governance Team Office,
1st Floor,
RCI Building,
Kettering Venture Park,
Kettering,
NN15 6EY

Email: DPO@nhft.nhs.uk

If you wish to make a complaint then please contact the relevant team below:

You can call the patient advice and liaison service (PALS) free on 0800 917 8504, 9am-4pm

You can call our complaints department free on 0800 917 7206, 9am-4pm

You can e-mail PALS at pals@nhft.nhs.uk or the complaints team at complaints@nhft.nhs.uk

Care will not be adversely affected by any comments or complaints you make.

If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioner for a decision.  Generally, the Information Commissioner cannot make a decision unless you have exhausted the complaints procedure provided by the Trust.  The Information Commissioner can be contacted at:

The Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

How do I make a request for information relating to someone who has died?

Access to the health records of deceased patients is covered by the Access to Health Records Act (AHRA) 1990.
 
The Act provides certain individuals with a right of access to the health records of a deceased individual. These individuals are defined under Section 3(1)(f) of that Act as, ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’. A personal representative is the executor or administrator of the deceased person’s estate.
 
There is no statutory right of access to records of deceased patients which fall outside of the time period covered by the Act, and Northamptonshire Healthcare NHS Foundation Trust is unable to process requests for records of deceased patients where the date of death is prior to 1st November 1991.
 
The Trust will consider requests for access where a patient has died after 1st November 1991; these requests will be considered on a case by case basis.

Information Governance Team
Information Governance Team Office,
1st Floor,
RCI Building,
Kettering Venture Park,
Kettering,
NN15 6EY

Is this Privacy Notice regularly reviewed?

We keep our privacy notice under regular review. This privacy notice was last updated on: 19/10/18