Privacy & Data Protection

Dudley and Walsall Mental Health Partnership Trust (the Trust) works within the NHS Constitution and in line with the NHS’s values, which place patients at the heart of everything the NHS does.

Further information about the NHS Constitution can be found at

https://www.gov.uk/government/publications/the-nhs-constitution-for-england/

2    Freedom of Information
The Trust is a public authority as defined by the Freedom of Information Act (FOIA).

It will ensure that any patient-related data provided under the FOIA is only released where allowed by law and anonymised within context.

3    Trust Oversight
The Trust and its Board are supported by a number of key roles. These include:

the Senior Information Risk Owner (SIRO), who is accountable to the Board for information risk management
the Caldicott Guardian, who advises on specific issues relating to the use of Personal Confidential Data (PCD)
the Data Protection Officer, a role required by the General Data Protection Regulation (GDPR), which provides oversight for data protection within the Trust

4    NHS Care Record Guarantee
The NHS Care Record Guarantee sets out the rules for England about how patient information is used in the NHS and what control a patient has over the use of their data.

Further information can be found at http://systems.digital.nhs.uk/rasmartcards/strategy/nhscrg

The Trust will seek to abide by this at all times when it comes to the use of patient data to allow it to fulfil its statutory functions.

5  Definitions
5.1 What is Personal Confidential Data?
This is a term used in the Caldicott Information Governance Review. It describes personal information about identified or identifiable individuals that should be kept private or secret, and includes dead as well as living people.

The review interprets ‘personal’ as including the Data Protection Act definition of personal data, but includes data relating to the deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’, as defined in the Data Protection Act.

Examples of identifiable data are:

Name
Address
Postcode
Date of birth
NHS Number (which is now a legal requirement to share for direct care purposes as a consequence of the Health & Social Care Act 2015)

5.2 What are Personal Data?
The definition used comes from the General Data Protection Regulation (GDPR) as enacted in UK data protection law.

Personal Data means data which relate to a living individual who can be identified:

from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. (Under the General Data Protection Regulation, this means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.) It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

5.3 What are Sensitive Personal Data/Special Category Data?
Sensitive Personal Data/Special Category Data are different from Personal Data. They are personal data consisting of information about the data subject’s:

racial or ethnic origin
political opinions
religious beliefs or other beliefs of a similar nature
membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
physical or mental health or condition
sexual life
commission or alleged commission of any offence, or any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings
genetics
biometrics

5.4 How is Direct Patient Care defined?
The Caldicott Review defines it as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society.

It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction, including measurement of outcomes undertaken by one or more registered and regulated health or social care professional and their team with whom the individual has a legitimate relationship for their care.

Primary use data is information / data generated through and used for the provision of direct patient care (not to be confused with primary care data, which is created, used and shared from GP practices and similar organisations).

5.5 How is Indirect Patient Care defined?
The Caldicott Review defined it as activities that contribute to the overall provision of services to a population as a whole or to a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine and medical research. Examples of activities include risk prediction and stratification, service evaluation, needs assessment and financial audit.

This is also called secondary use data (not to be confused with secondary care data, which is created, used and shared from acute trusts and similar organisations).

5.6 Information Commissioner’s Office Definitions
The Information Commissioner’s Office (ICO) has further definitions from the Data Protection Act 1998 at https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions

6    Why we collect information about you
In carrying out its role and responsibilities as a provider of services for people working and living in its catchment area, it is essential that the Trust has an understanding of the health and social care needs of the local and wider community to ensure that appropriate services are identified and made available across our responsible area and nationally as required.

This means we need to use information about our patients for direct clinical care and to understand how services should be provided.

We do not, however, need to have and use all the information that is available and provided for purposes other than the provision of direct care.

Where excessive data is identified, information is either removed or de-identified (a form of anonymisation) prior to subsequent reuse.

We may keep your information in written format and/or in digital format, and your record will include basic details about you, such as your name and address, and may also contain more sensitive information about your health and social care conditions, usage of current services and details such as outcomes of needs assessments.

6.1 Legal Basis – Staff

We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6, (b) Necessary for performance of/entering into contract with you

Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment.

Article 10 processing of personal data relating to criminal convictions and offences or related security measures…

This Privacy Notice applies to the personal data of our employees and the data you have given us about your carers/family members.

6.2 Legal Basis – Patients

We need to know your personal, sensitive and confidential data in order to provide care to you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6, (b) Necessary for performance of/entering into contract with you

Article 6, (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Article 6 (c) processing is necessary for compliance with a legal obligation to which the controller is subject

Article 6 (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person

Article 6 e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 9 (2) a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Article 9 (2) c) processing is necessary to protect the vital interest of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

Article 9 (2) f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Article 9 (2) h) processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services…

Article 9 (2) i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…

Article 10 processing of personal data relating to criminal convictions and offences or related security measures…

This Privacy Notice applies to the personal data of our patients.

6.3 Legal Basis – Families, Friends, Representatives

We may need to know personal, sensitive and confidential data of family members, friends or representatives as part of the care that is provided to you.

This Privacy Notice applies to the personal data of family, friends or representatives of patients. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6, (b) Necessary for performance of/entering into contract with you

Article 6, (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Article 6 (c) processing is necessary for compliance with a legal obligation to which the controller is subject

Article 6 (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person

Article 6 e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 9 (2) a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Article 9 (2) c) processing is necessary to protect the vital interest of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

Article 9 (2) f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Article 9 (2) h) processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services…

Article 9 (2) i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…

Article 10 processing of personal data relating to criminal convictions and offences or related security measures…

6.4 Legal Basis – Research

We may process personal, sensitive and confidential data about you for research purposes in accordance with:

Article 6, (b) Necessary for performance of/entering into contract with you

Article 6, (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Article 9 (2) a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Article 9 (2) j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…

7    CCTV

The Trust may obtain, record, capture and use information that is collected by the following means:

CCTV
Automatic Number Plate Recognition
Facial/Biometric Recognition
Body Worn Cameras
Photo ID Badges
Electronic Access Control
Voice Recording

Depending on the circumstances and the activity, the legal basis for processing will be:

Article 6 1 a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Article 6 1 c) processing is necessary for compliance with a legal obligation to which the controller is subject

Article 6 1 d) processing is necessary in order to protect the vital interests of the data subject or of another natural person

Article 9 2 a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Article 9 2 b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…

Article 9 2 c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of consent

Article 9 2 f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Article 10 processing of personal data relating to criminal convictions and offences or related security measures…

8    How your records are used to help the wider NHS
Your anonymised information will be used to help assess the needs of the general population and support the Trust in making informed decisions about the provision of future services. Information can also be used to conduct health research (see http://www.hra.nhs.uk) and to develop and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

9    Why we keep your information confidential and safe
It is everyone’s legal right to expect that information held and used about them is safe and secure, and is only used for the agreed purpose(s).

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality (https://www.health-ni.gov.uk/articles/common-law-duty-confidentiality). Information provided in confidence will be used only for the provision of direct care or for the purpose(s) advised with consent given by the patient, unless there are other specific circumstances covered by current UK and European legislation.

The Trust takes this responsibility very seriously and has ensured that it has robust and effective measures, processes and procedures in place to achieve this expectation for you and the information we hold and process about you.

Supporting this approach, under UK law, NHS guidance and directions such as the Common Law Duty of Confidence and the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you how your information will be used, and enable you to decide if and how your information can be shared.

The Trust has incorporated the NHS Digital Guide to Confidentiality into its daily working practice.

This guide is available at http://content.digital.nhs.uk/media/12822/Guide-to-confidentiality-in-health-and-social-care/pdf/HSCIC-guide-to-confidentiality.pdf

10    Processing your Personal Data
10.1 Mechanisms for processing your Personal Data
The Trust processes Personal Data for a number of reasons in various ways. These are outlined below:

For the purpose of internal operations, the Trust will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
For the purpose of direct patient care, the Trust will ensure that any information collected about you is initially provided by you, and where any additional information is collected or used, it will be with your explicit consent for that purpose or activity.
For the provision of indirect care, and to maintain rules for use of information, the Trust uses a number of approved and secure services / systems to process information about you.

11  Data Protection and Confidentiality
The Trust complies with the General Data Protection Regulation (GDPR) and data protection legislation enacted by the UK. It places a responsibility on the Trust as a data controller to ensure that your information is collected and managed in a secure and confidential way.

Data protection legislation also provides you with a right of access to personal information that the Trust holds about you. (This applies equally to service users, members of staff and any other individual that the Trust may hold information about in its legal capacity.) Requests for access to personal information we hold about you are called Subject Access Requests – see below for more information.

The Trust will comply with the Data Protection Act 2018.

The Trust also issues an annual report on its Information Governance compliance. This identifies what governance and controls it has in place in line with legal and national guidance.

The Trust may process information in relation to:

staff administration
accounts and records (including debt collection, collection of fees linked to overseas visitors, cross border i.e. patients whose treatment is funded by Scottish, Welsh and Northern Irish health bodies)
health administration and services (defined by statute and contract)
research
crime prevention and prosecution of offenders
public health
data matching, which involves comparing computer records held by one body against those held by the same or another body to see how far they match. When a match is found it may indicate that there is an inconsistency which will then require further investigation
advertising, marketing and public relations
administration of Membership records
education
fundraising
pastoral care
property management
processing for not-for-profit organisations.

We also process sensitive classes of information that may include:

racial and ethnic origin
offences (including alleged offences), criminal proceedings, outcomes and sentences
trade union membership
religious or similar beliefs
employment tribunal applications, complaints, accidents and incident details
ordinary country of residence and nationality

It may sometimes be necessary to transfer personal information overseas. When this is required, information may be transferred to countries or territories around the world. Any transfers will be made in full compliance with all aspects of the DPA.

We may at times request additional proof of identity.

12  How will we use information about you?
Your information is used to run and improve the Trust and the services that it provides. It may be used to:

check and report on how effective the Trust has been in providing direct services to patients and the community and any services it has commissioned from other providers
ensure that money is used properly to pay for the services it provides
investigate complaints, legal claims or serious incidents
make sure that the Trust delivers value for money
make sure services are planned to meet patients’ needs in the future
review the care given to make sure it is of the highest possible standard
where the Trust has been commissioned to provide specialised services
improve the efficiency of healthcare services, by sharing information with other organisations (sometimes non-NHS) for a specific, legally justified purpose
support the Trust when seeking reimbursement for treatment that has been provided (the amount of information used will be the minimum necessary)
fulfil contractual obligations as set out in the NHS Standard Contract.

13   Information sharing with other NHS agencies and non-NHS organisations
To support our functions, we may share your information for health purposes and for your benefit with other organisations such as NHS England, other NHS trusts, General Practitioners etc. We may also need to share information with our partner organisations, such as King’s Health Partners.

Where necessary or required we may also share information with:

our patients
family, associates and representatives of the person whose personal data we are processing
staff
current, past or potential employers
healthcare social and welfare organisations
suppliers, service providers, legal representatives
auditors and audit bodies
educators and examining bodies
survey and research organisations
people making an enquiry or complaint
financial organisations
professional advisers and consultants
business associates
police forces
security organisations
central and local government
voluntary and charitable organisations
professional regulatory bodies.

Information may also need to be shared with other non-NHS organisations.

Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place and will not disclose any detailed health information without your explicit consent, unless there are exceptional circumstances such as when the health or safety of others is at risk, or where the law requires it, or to carry out a statutory function.

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births and notification of infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.

Our guiding principle is that we are holding your information in the strictest confidence.

We may be asked to share basic information about you, such as your name and address (which does not include sensitive information), where the Trust holds such information. This would normally be to assist another organisation to carry out its own statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we will inform you through a Privacy Notice (such as this one), under the Data Protection Act.

14   Your right to withdraw consent
The Trust has its own local consent / opt-out processes and mechanisms for allowing information not to be shared or to be restricted. However, it must be emphasised that this cannot be totally restricted and at times consent may be overridden, especially in relation to matters such as safeguarding children/vulnerable adults, female genital mutilation (FGM) or the correct charging for services provided by the NHS. These are just some of the examples that may apply.

Where you wish to restrict your information across the NHS, generally the process is the same for local and national schemes: you can opt out at any time by speaking to your GP practice reception. But please be clear about which scheme you want to opt out of.

Further information can also be found here:

National Data Opt-out Programme:

https://digital.nhs.uk/national-data-opt-out

National data opt-out enquiries mailbox :

newoptoutenquiries@nhs.net

15.1 What is the patient opt-out?
The NHS Constitution states: “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.”

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care, unless one of the following criteria applies, which means that it is not possible to opt out of having your information shared:

the information is used to support your direct care and treatment
you have consented to the use of your information (whether before or after registering a type 2 opt-out – see below for explanation) for a specific purpose such as a research study
a mandatory legal requirement (such as a court order) exists.
the information released is not considered to be identifiable personal confidential data
the information is made available in anonymised form
the information is used to support the management of communicable diseases and other risks to public health under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

There are several forms of opt-outs available at different levels. These include, for example:
information directly collected by the Trust. Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation
information not directly collected by the Trust, but collected by organisations that provide NHS services

16   Accessing the information about you held by the Trust
Under data protection legislation you have the right to see or be given a copy of the Personal Data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust.

In line with all NHS organisations, we comply with the Information Governance Alliance Records Management Code of Practice for Health and Social Care 2016 (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016)

Please note that this guidance not only defines how long an organisation should keep information for but also when it can be legitimately destroyed. That means there may be occasions where the Trust no longer holds data because its retention was no longer required in line with this guidance.

Data may be destroyed via a combination of methods depending on how the information has been stored and which organisations may have been processing data on behalf of the Trust.

If you wish to make a SAR, please email the Subject Access Team at ig.dwmh@nhs.net

The Trust Senior Information Risk Owner (SIRO) is Robert Pickup and the Trust Caldicott Guardian is Dr Mark Weaver. Both can be contacted via our Patient Advice and Liaison Service (PALS): sed.dwmh@nhs.net

The Data Protection Officer can be contacted by emailing ig.dwmh@nhs.net

If you wish to complain about anything in this Privacy Notice, please contact us via the Data Protection Officer email address identified above.