Privacy notice

UK General Data Protection Regulation and UK Data Protection Legislation

This notice explains how Nottinghamshire Healthcare NHS Foundation Trust (the Trust) collects, processes, transfers and stores your personal information. This forms part of our accountability and transparency to you under your right to be informed in accordance with the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018.

It also provides you with information about how we share your data with NHS and non-NHS organisations, and how we maintain confidentiality.

What is personal data?

Personal data means any information relating to an identified or identifiable, living natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, for example by reference to an identifier such as a name, an identification number, or factors specific to the mental, physical or genetic identity of that person. It can also include Closed-Circuit Television (CCTV) images and still photographs.

What is special category personal data?

Special categories of personal data include:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics;
  • health;
  • sex life; or
  • sexual orientation

Who are we?

Nottinghamshire Healthcare NHS Foundation Trust (the Trust) is a major provider of mental health, intellectual disability and specialist mental health services, and community physical health for both adults and children, and our low, medium and high secure hospitals including Rampton Hospital. The Trust works in partnership with other healthcare providers.

The Trust is also involved in a number of collaborations in research and innovation with the Institute of Mental Health, the University of Nottingham and other partners.


The Trust has approximately 9,600 staff who carry out a wide range of roles, working together to provide integrated and coordinated care and support to those using our services.

The Trust is registered to collect and process personal information. For this responsibility, the Trust is known as a 'Data Controller'.

To safeguard your information and support your rights, and in accordance with the UK GDPR, the Trust has appointed a Data Protection Officer (DPO).

The role of the DPO is to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority (Information Commissioner's Office).

The DPO can be contacted via DPOEnquiries@nottshc.nhs.uk.

UK General Data Protection Regulation and UK Data Protection Act 2018

The European Union General Data Protection Regulation came into force on 25 May 2018 and was designed to bring laws for the use of information up to date throughout the European Union (EU). The UK Government also introduced the Data Protection Act 2018.

Since leaving the EU, the UK Government has further updated our data protection laws through the UK General Data Protection Regulation (UK GDPR).

The legislation:

  • Introduced special protection of children's (defined to be under 13) personal data;
  • Requires 'explicit' consent for processing special category personal data (unless very specific and limited circumstances apply);
  • Expanded the definition of 'personal data' to include IP (computer) addresses, internet cookies and DNA;
  • Updated and strengthened data protection law to reflect the changing nature and scope of the digital economy;
  • Makes it easier and free for individuals to require an organisation to disclose the personal data it holds about them;
  • Makes it easier for individuals to move data between service providers;
  • Makes it simpler to withdraw consent for the use of personal data;
  • Allows people to ask for their personal data held by companies to be erased;

For more information about data protection and how the Trust processes your personal information, please visit the Nottinghamshire Healthcare website.

The Trust is registered with the Information Commissioner's Office and the Trust's registration number is Z8086442. You can find out more about the work of the Information Commissioner's Office and view their register.

Legal basis for processing

The UK GDPR requires data controllers and organisations that process personal data to demonstrate compliance with its provisions. This involves publishing the basis for lawful processing.

The Trust primarily processes personal data to allow us to deliver healthcare, in other words, to perform our statutory functions. The legal bases for processing personal data as listed in Article 6 of the UK GDPR include:

  • 6(1)(c) Processing is necessary for compliance with a legal obligation;
  • 6(1)(d) Vital interests: the processing is necessary to protect someone's life;
  • 6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, such as the delivery of health or care.

The Trust may also process personal data for other purposes such as ensuring our digital information systems are secure and are being used appropriately. For these other functions, the legal basis for processing personal data as listed in Article 6 of the UK GDPR is:

  • 6(1)(f) Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

If none of the above legal bases are applicable, the Trust will seek to obtain the explicit consent of the data subject (Article 6(1)(a)).

Where the Trust processes special categories of personal data, its additional legal bases for processing such data are those listed in Article 9 of the UK GDPR, for example:

  • 9(2)(b) Carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of social protection law in so far as it is authorised by Union or Member State law;
  • 9(2)(c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • 9(2)(d) Processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body;
  • 9(2)(e) Processing relates to personal data which are manifestly made public by the data subject;
  • 9(2)(f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • 9(2)(g) Processing is necessary for reasons of substantial public interest, on the basis of law;
  • 9(2)(h) Medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems;
  • 9(2)(i) Processing is necessary for reasons of public interest in the area of public health;
  • 9(2)(j) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If none of the above legal bases are applicable, the Trust will seek to obtain the explicit consent of the data subject (Article 9(2)(a)).

Why we collect information about you

The Trust keeps records about the health care and treatment you receive as one of our patients. This helps to ensure that you receive the best possible care from us.

It helps you because:

  • Accurate and up-to-date information assists us in providing you with the right care
  • Full information is readily available if you see another doctor or are referred to a specialist or another part of the NHS

It helps the NHS to:

  • Prepare statistics on NHS performance
  • Audit NHS Services
  • Monitor how we spend public money
  • Plan and manage the health service
  • Teach and train healthcare professionals
  • Conduct health research and development
  • Assist in the purposes of planning and developing better services across the healthcare community

Sometimes we keep records to help investigate incidents, for example CCTV images of incidents during which someone is hurt. These data may be used during internal investigations and may also be shared with the police.

What kind of information does the Trust hold about you?

  • Name, address, date of birth, NHS Number and next of kin
  • Contacts we have had with you, such as referrals to our services, clinic visits and inpatient stays
  • Details of diagnosis and treatment
  • Allergies and health conditions
  • Special Category data (see section 2)
  • Images such as photographs or CCTV images.

Some of the information that we hold about you will be information that you share with us as part of the care you receive. We will also process information about you from other sources, for example information from your GP or other health and social care providers.

If we don't have sufficient or accurate information about you then it may affect the care that we are able to provide to you.

How we protect your personal information

The processing of personal information complies with the UK GDPR and UK Data Protection Act 2018 principles in line with the Trust's data protection registration held with the Information Commissioner's Office.

The information we hold may be held as an electronic record on information systems or as a securely stored paper record. Information is accessed on a need-to-know basis.

Systems where your information may be held include:

  • Clinical Information Systems (for example RiO and SystmOne)
  • Paper Clinical Records
  • Systems used for research and service evaluation (for example, the CRIS (powered by Akrivia Health) platform)
  • Central and/or local storage of CCTV images which is time limited.

The security of the information is assured through the implementation of the Trust's Information Security and Information Governance policies.

The Trust completes an annual mandatory information assurance return to NHS England known as the Data Security and Protection Toolkit. The Data Security and Protection Toolkit is an online self-assessment tool that enables NHS organisations to measure and publish their performance against the National Data Guardian's ten data security standards.

Whilst we make every effort to keep your personal information accurate and up to date, we are also reliant on you, as the data subject, to notify us of any necessary changes to your personal information. If there are any changes to your personal information, please notify us so that we can update your records as soon as possible.

We will keep personal information for no longer than necessary and in line with the NHS records retention schedule within the NHS Records Management Code of Practice.

Your information is not routinely processed outside of the European Union by the Trust for the purpose of your healthcare.

Information sharing with other organisations

We may need to share information from your health records with other organisations from which you are also receiving care. There will also be times when we have to share your information with other third parties, but we will not disclose information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have consent.

The organisations we might share your information with may include, but are not restricted to:

  • Other healthcare providers
  • Social Services
  • Police
  • Courts
  • Local authorities
  • Education Services
  • Care Quality Commission
  • Medical Examiner's Office
  • Information Commissioner's Office

There are occasions when we are required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust participates in the Nottinghamshire Care Record, which is a secure digital platform that provides 'view only' access to medical records held by different providers in one place. The platform enables different healthcare providers to electronically share health and social care information, such as hospital and GP attendances, test results, medication and care plans, with other Nottinghamshire health and social care providers. Health and social care professionals, or staff who are supervised by health and social care professionals, are able to access relevant information when they need it to better coordinate and provide care. Access is strictly controlled, and only staff who are appropriately trained and authorised can access the information. Data in the platform is only used to provide direct care to you; it is not used for research or service planning purposes.

The Trust is Data Controller for all data that we share via the platform. The Interweave Consortium are the Data Processors and provide all the technical infrastructure needed to operate and maintain the platform. Rotherham NHS Foundation Trust is a sub-processor of the Interweave Consortium. They provide support to users of the platform. A Data Processing Agreement is in place between the different healthcare providers that use the platform and the Interweave Consortium. The Agreement is a legally binding document which stipulates how, when and by whom data should be processed.

The Interweave Consortium was designed and built by the Yorkshire and Humber Care Record as part of NHS England's Local Health and Care Record Exemplars programme. More information about the Interweave Consortium is available on the Interweave Digital website.

Patients Know Best

Patients Know Best (PKB) is Nottinghamshire Healthcare's free online patient portal, which provides you with access to your personal health records and is designed to improve your patient experience. You can access PKB from any computer, tablet or smartphone, or through the NHS App. PKB securely stores all your health information in one place. It sends you instant notifications when new details, such as appointments, test results or questionnaires, are available. Further information can be found on the Nottinghamshire Healthcare website.

PKB cannot see your health record and has no control over your record. They keep your information on secure servers. They encrypt the data so no one can see your health record except the people you choose or those with a lawful basis. PKB are registered with the Information Commissioner's Office (ICO), which regulates data protection in the UK, and their registration number is Z2704931.

Any information that you choose to input in your PKB account is yours to decide who to share it with, if anyone.

PKB tracks software usage to improve software quality. PKB does not track identifying information or records. PKB uses cookies to improve website operation and usage; for example, cookies are used to set a user's language and to monitor usage trends. Cookies do not contain identifying information such as IP addresses, health data or personal details.

You can see who has viewed the data that you have given your health and care team permission to see by using the access log functionality on the Patients Know Best website.

For more information, please see PKB's privacy notice on the Patients Know Best website.

Your Rights

Right to be informed

The UK GDPR introduced an enhanced concept of transparency, meaning the Trust has a duty to provide you with information in relation to how your personal and special category data is collected, stored and processed. This is provided within this document. Should you have any additional questions, please contact DPOEnquiries@nottshc.nhs.uk.

Right to rectification and erasure

The UK GDPR extends and strengthens your rights as a data subject. Under the UK GDPR you have the right to request the rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the rights to rectification and erasure are not absolute rights, and it may be necessary for the Trust to continue to process your personal data for lawful and legitimate reasons.

Right to object to, or restrict processing

You have the right to ask the Trust to stop processing your personal data in relation to any Trust service. You can also request that you do not wish to receive information from the Trust. However, the rights to object to, or restrict, processing are not absolute rights, and it may be necessary, in certain circumstances, for the Trust to continue to process your personal data for a number of lawful and legitimate reasons.

If you wish to object to your information being processed or to receiving information from the Trust, or if you wish to have information rectified or erased, in the first instance please send your request in writing via email to informationgovernance@nottshc.nhs.uk.

Rights in relation to automated decision making and profiling

The Trust does not use your information to make automated decisions about you, nor to undertake profiling.

Access to Information/Subject Access

You can request a copy of the information the Trust holds about you by emailing accesstoinformation@nottshc.nhs.uk. You can also telephone us to make this request. This information is generally available to you free of charge, subject to the receipt of appropriate identification. Please contact the Data Security and Data Protection Service for further information.

Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. If you wish to make such a request, please email accesstoinformation@nottshc.nhs.uk.

Raising a concern and Complaints

If you are worried about anything to do with your care or treatment or about the way your records have been managed, please contact the Trust's Patient Advice and Liaison Service (PALS) in the first instance:

Telephone: 0115 993 4542

Mental Health and Community Health Services email: PALSandComplaints@nottshc.nhs.uk

Forensic Services email: PALSandComplaintsFS@nottshc.nhs.uk

Write to: PALS and Complaints, Highbury Hospital, Highbury Road, Nottingham NG6 9DR

Website: Nottinghamshire Healthcare - Patient Advice and Liaison Service

You can also contact the Information Commissioner if you have a complaint about our processing of your personal data:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 if you would prefer not to call an '03' number, or +44 1625 545745 if calling from overseas)
Fax: 01625 524510

Using personal information for research studies, service evaluations and clinical audits

Studies show that patients do better when services are actively engaged in research.

The Trust promotes research to improve our services for everyone who uses them or is involved in them. We are committed to offering service users, carers and staff the opportunity to get involved.

Service evaluations help us to determine whether a particular service or care pathway is effective and whether it is meeting the needs of our patients. Clinical audits assess the care provided by the Trust against agreed standards.

Whenever you use a health or care service, such as attending an outpatient clinic appointment, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

Using data in these ways helps the Trust and the NHS to provide better health and care for you, your family and future generations.

Most of the time, anonymised data is used for research, service evaluation and clinical audits. Anonymised data does not contain any information that could be used to identify you. We do not need to use your confidential information if we are able to use anonymised data.

The Trust will only use confidential patient information about your health and care for research, service evaluations or clinical audit when we are allowed to by law.

Most research studies and service evaluations that are sponsored or approved by the Trust are based on consent (agreement). This means that we have to ensure that you agree to allow us to use your confidential information as part of the research study or service evaluation.

If you are invited to take part in a research study or service evaluation, the team running the project will provide you with information about how your confidential data will be processed. This information will help you to decide whether you consent (agree) for your data to be used.

You can change your decision about whether you want your confidential data to be used in a research study or service evaluation at any time and the team running the project will provide you with information about this if you decide to take part.

If you decide that you don't want your confidential information to be used it won't affect the care that you receive from us.

Sometimes, depending on the type of research study, service evaluation or clinical audit, you won't be contacted to ask for permission to use your confidential information. This is because the project that will be using your data has been approved under Section 251 of the NHS Act 2006. The National Data Opt-Out Policy gives you the opportunity to choose whether you want your confidential patient information to be used in these types of projects.

If you are happy for your information to be used then you don't need to do anything.

If you decide that you don't want your confidential information to be used for research studies, service evaluations or clinical audits which are approved under Section 251 without your consent, you can 'opt-out' under the National Data Opt-Out Policy.

The Trust is compliant with the National Data Opt-Out Policy and will apply your choice to any confidential patient information we use or share for purposes beyond your individual care.

If you choose to opt-out then your information will still be used to support your care.

You can find out more about the National Data Opt-Out and register your choice to opt-out on the NHS website.

On this web page you will be able to:

  • See the types of information that are referred to as 'confidential patient information'
  • Find examples of when confidential patient information is used for individual care
  • Find examples of when confidential patient information is used for another reason
  • Find out more about the benefits of sharing data
  • Understand more about the organisations who use your personal data
  • Find out how your data is protected
  • Be able to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to record or change your opt-out decision by phone
  • See the situations where the opt-out will not apply

Please remember, you can change your decision to opt-out of allowing your information to be used for research, service evaluations and clinical audits which have been approved under Section 251 at any time and the care you receive from us won't be affected.

The Trust also uses the CRIS (powered by Akrivia Health) platform for research studies, clinical audits and service evaluation projects.

The platform is a safe and secure digital warehouse which has received ethical approval from an independent research ethics committee. It allows authorised researchers and auditors to look at large volumes of anonymised or pseudonymised information, which makes it easier to see patterns and trends, for example what treatments work for some people but not for others.

The data within the CRIS (powered by Akrivia Health) platform is copied from the Trust's Electronic Patient Record System, but any information that could be used to directly identify you is removed before it can be accessed by researchers and auditors, unless you have consented to allow your personal data to be accessed or unless another legal basis to allow sharing of those data applies.

The CRIS platform also allows information that the Trust holds about you to be linked with records held by other organisations such as physical healthcare providers. This will help to improve mental and physical healthcare as a whole. For example, a study that linked data (which was run by another mental healthcare provider) looked at whether physical health conditions and medications affected people with Alzheimer's disease. Another study looked at how mental health conditions in children and teenagers affected their school performance.

If you don't want your information to be held within the CRIS (powered by Akrivia Health) platform, you can 'opt-out' (as referred to above) by registering your preference on the NHS website.

Please remember, you can change your decision to opt-out of allowing your information to be used for research studies, service evaluations and clinical audits which have been approved under Section 251 at any time and the care you receive from us won't be affected.

If you would like more information about the CRIS (powered by Akrivia Health) platform, please contact: CRIS@nottshc.nhs.uk

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Access to clinical records for professional development

The Trust has compliance obligations in relation to quality improvement and to support a medical practitioner's professional development, which is essential if they are to meet the requirements of Good Medical Practice. The General Medical Council (GMC) is the independent regulator of medical practitioners in the UK. Its focus is to support good, safe patient care and, under legislation including the Medical Act 1983, it is responsible for making sure that medical practitioners are suitably qualified.

To fulfil its role as a regulator, the GMC will collect data on a medical practitioner and the organisations where medical practitioners practice and train. This may also require access to health data, to carry out and commission investigations, audits, data analysis and research. The GMC oversees any serious concerns raised about a medical practitioner's behaviour, health or performance and can investigate to determine whether patient safety, or the public's confidence in a medical practitioner, is at risk.

A medical practitioner who has worked within the Trust and has since moved on, including in a short-term locum capacity, has formed a continuing professional connection to the Trust and the Trust's patients, and the Trust will be required to share patient personal and health data with the GMC to support the GMC as the regulator. More information on the GMC and its Privacy Notice can be found on the GMC website.

The Caldicott Principles help determine if access to personal information is appropriate in a specific context and the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (2018) set out general requirements which recognise that it is legitimate to share data to support professional development and quality improvement. As such a medical practitioner may contact you to request feedback relating to appointments you have attended.

CCTV images

Closed Circuit Television (CCTV) systems are installed in Trust premises and within Trust car parks, where they can be used to enhance observation and the security of the environment and generally support patients', staff and visitors' safety. CCTV can also deter and detect crime and provide evidence to the police for investigations where complaints have been made about unlawful or untoward incidents.

The Trust is Data Controller for all images captured on the CCTV systems it operates, and there is a specific policy for operation and management of CCTV systems (13.02 Closed Circuit Television (CCTV)) which is available on the Nottinghamshire Healthcare website. The policy includes information about how, when and where CCTV images are stored. It also contains information about when, how, and by whom recordings may be viewed and the circumstances under which copies of recordings might be provided.

CCTV images are generally not kept for longer than a 31-day period, although some recordings may be kept for longer if they are needed for an ongoing investigation.

Most Trust sites operate CCTV systems in public areas such as car parks and reception areas. Some locations also operate CCTV systems in restricted areas, for example within some ward areas. Clear signage will be displayed in all areas where CCTV is in operation; the signage will provide information about how you can access copies of your personal data processed within the recordings if you want to.

Further information

To learn more about how we use, manage and maintain confidentiality of your information, contact the Data Security and Data Protection Service: informationgovernance@nottshc.nhs.uk

Or visit the Nottinghamshire Healthcare website.

You can find out more about how patient information is used for health and social care research on the Health Research Authority website.

You can find out more about the work of the Trust's Research and Evidence Department on the Nottinghamshire Healthcare website.

You can find out more about the CRIS (powered by Akrivia Health) platform on the Nottinghamshire Healthcare website.

You can find out more about how and why patient information is used, the safeguards and how decisions are made on the Understanding Patient Data website.
