Privacy notice - children and young adults

Personal data means any information that can identify a person. The person is known as a data subject. Examples of personal data include your name, address, date of birth, next of kin and GP. Personal data can also include images of you, for example, photographs or video recordings made using Closed Circuit Television (CCTV) systems.

Special categories of personal data include:

• race;
• ethnic origin;
• politics;
• religion;
• trade union membership;
• genetic information (for example, DNA);
• biometrics (for example, fingerprints);
• health;
• sex life; or
• sexual orientation

Nottinghamshire Healthcare NHS Foundation Trust (the Trust) is a major provider of mental health, intellectual disability and specialist mental health services, and community physical health for both adults and children. We also provide forensic mental health services both in the community and in our low, medium, and high secure hospitals including Rampton Hospital. The Trust works in partnership with other healthcare providers like GPs and hospitals where people go to have operations.

The Trust is registered to collect and use personal data and special category personal data to help us provide care to our patients. For this responsibility, the Trust is known as a 'Data Controller'.

To help us to look after your personal data and support your rights, the Trust has appointed a Data Protection Officer (DPO).

The role of the DPO includes making sure that the Trust is looking after personal data properly and to provide advice on data protection. The DPO can be contacted via DPOEnquiries@nottshc.nhs.uk.

The European Union (EU) General Data Protection Regulation came into force on 25 May 2018 and was designed to bring laws for the use of information up to date throughout the European Union. The UK Government also introduced the Data Protection Act 2018.

Since leaving the EU, the UK Government has further updated our data protection laws through the UK General Data Protection Regulation (UK GDPR).

The UK GDPR:

• Introduced special protection of children's (defined to be anyone aged under 13) personal data.
• Says that unless very specific and limited circumstances apply, we need to ask you (seeking your consent) to use special category personal data (see Section 2 about this)
• Includes IP (computer) addresses, internet cookies, and DNA as personal data.
• Makes it easier and free for you to ask for copies of your personal data - if you are aged over 13 you may be able to make this request yourself without your parent/guardian's permission.
• Makes it easier for you say you don't want your personal data to be used for certain things.
• Allows you to ask for your personal data to be removed or corrected.

For more information please visit the Trust's website.

The Information Commissioner's Office is responsible for making sure organisations in the UK use personal data properly. The Trust is registered with the Information Commissioner's Office and the Trust's registration number is Z8086442.

You can find more about the Information Commissioner's Office on their website.

The Trust uses personal data for lots of reasons, including to help us to care for our patients. The reason for using personal data is called a 'purpose'. UK GDPR says that the Trust must have both a 'purpose' and a legal reason to use your personal data. A legal reason is called a 'lawful basis'. The UK GDPR also says that the Trust needs to make people aware of what the Trust does with personal data for example, we will securely store your personal data in your medical record and use it to provide you with care. What we do with personal data is called 'processing'.

The UK GDPR says that the Trust has to let people know what legal bases allow us to process personal data.

The lawful bases for processing of personal data is listed in Article 6 and 9 of the UK GDPR. It says that the Trust can use personal data to provide health care, protect someone's life, and to meet our legal obligations. We sometimes use personal data for other reasons such as making sure our computer systems are secure and are being used properly. This type of processing helps the Trust to meet our 'legitimate interests'.

Sometimes we keep records to help investigate what happened if something goes wrong for example, CCTV images of an incident when someone got hurt. We might also share the CCTV images with the police if we need to.

There are times when we will need to ask your permission to use your personal data. If you are over 13 years old, we can ask you. If you are under 13 years old, we will need to ask your parent/guardian for permission.

There will also be times when we have to share your personal data with other organisations, but we will not share your personal data with those organisations unless there are specific reasons, such as when your health and safety or the health or safety of someone else is at risk. If we can, we will ask for your permission (or the permission of your parent/guardian) before we share your personal data with another organisation. We will only share your personal data with other organisations without asking for your permission if we are allowed to by law.

The Trust keeps records about the health care and treatment you receive as one of our patients. This helps to ensure that you receive the best possible care from us.

It is important for us to have a complete picture of you as this will help our staff to deliver the right treatment and care plans in accordance with your needs.

The personal data we collect about you may also be used to:

• inform you (if you are over 13 years old) or your parent/guardian about your appointments,
• review the care we provide to make sure it is of the highest quality,
• support the funding of your care,
• prepare figures for the Department of Health and other regulatory bodies,
• help to train and educate our healthcare professionals,
• report and investigate complaints,
• report events to the appropriate authorities,
• review your suitability to take part in a research study or clinical trial.

• Name, address, date of birth, NHS Number and next of kin.
• Your GP.
• Contacts we have had with you such as referrals to our services, clinic visits, in patient stays.
• Details of diagnosis and treatment.
• Allergies and health conditions.
• Images such as photographs or CCTV images.

Some of the personal data that we hold about you will be information that you have given to us. We will also hold personal data about you from other sources for example, your GP or another organisation that is working with you or provided you with care in the past.

If we don't have enough personal data about you then we might not be able to provide you with the right type of care.

The Trust will hold your personal data as an electronic record on information systems or as a securely stored paper record. Only those people who are allowed to will access your personal data.

We make every effort to keep your personal data accurate and up to date, and we need you to let us know when there are changes to your personal data so that we can update our records.

We don't keep your personal data for any longer than we need to. The Department of Health gives us guidance about how long records must be kept. More information about this can be found in the NHS Records Management Code of Practice.

Your personal data is not routinely processed outside of Europe by the Trust for the purpose of your healthcare.

If you are worried about what personal data we have about you, please speak to any of the doctors, nurses and staff who look after you so they can answer your questions.

We may need to share personal data from your records with other organisations from which you are also receiving care. But, we will not disclose any personal data to other organisations your permission (or the permission of your parent/guardian if you are under 13 years old) unless there are special circumstances, such as when your health or safety or the health or safety of someone else is at risk, or where the law says that we have to.

The organisations that we might share your personal data with may include but are not restricted to:

• Other healthcare providers
• Social Services
• Police
• Courts
• Local authorities
• Education Services

The Trust also works in partnership with organisations that we will need to share personal data with. These organisations may include but are not restricted to:

• Family Action
• Rotherham North Notts (RNN Group)
• Women's Aid
• Homestart UK
• Early Years providers

The Trust participates in the Nottinghamshire Care Record. This is a secure digital system that allows the people who are caring for you to see relevant personal data about you that is held by other organisations. For example, our healthcare staff can see information about when you've been to the hospital or to see your GP. They can also see test results, medication and care plans. Having access to the information they need in one place at the right time helps our healthcare staff to provide you with the best care. Only staff who are properly trained and authorised will be able to access your records in the Nottinghamshire Care Record. Personal data in the Nottinghamshire Care Record is securely processed on behalf of the Trust and the other healthcare providers who share data by the Interweave Consortium. To make sure your personal data is kept safe, a legal agreement is in place that says how and when your personal data can be processed.

Right to be informed

The UK GDPR says that the Trust has a duty to provide you with information about how your personal and special category data is collected and used. This is provided within this document. If you have any additional questions, please contact DPOEnquiries@nottshc.nhs.uk or speak to any of the doctors, nurses and staff who look after you.

 

Right to rectification and erasure

The UK GDPR says that you have the right to request the correction of personal data about you that isn't accurate. You also have the right to request the erasure of your personal data. However, we may not be able to meet these rights in full because it might be necessary for us to continue to use your personal data for lawful reasons.

 

Right to object to, or restrict processing

You have the right in certain situations to ask us to stop using your personal data. You can also ask us not to send you information. However, we may not be able to meet these rights in full because it might be necessary for us to continue to use your personal data for lawful reasons.

 

Rights in relation to automated decision making and profiling.

We do not use your personal data to make automated decisions about you, or to undertake profiling.

 

Access to information/subject access

You can ask for a copy of the personal data that the Trust holds about you by emailing accesstoinformation@nottshc.nhs.uk. You can also telephone us to make a request. Copies of your personal data are generally available to you free of charge as long as we receive appropriate identification. Please speak to any of the doctors, nurses and staff who look after you if you would like to ask for a copy of the personal data we hold about you.

 

Data portability

The right to data portability allows people to have and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.

 

Raising a concern and complaints

If you are worried about anything to do with your care or treatment or about the way your personal data has been managed, please contact the Trust's Patient Advice and Liaison Service (PALS) in the first instance:

Tel: 0115 993 4542

 

Mental Health and Community Health Services:

Email: PALSandComplaints@nottshc.nhs.uk

 

Forensic Services:

Email: PALSandComplaintsFS@nottshc.nhs.uk 

Write to: PALS and Complaints, Highbury Hospital, Highbury Road, Nottingham NG6 9DR

Website: PALS and Complaints

You can also contact the Information Commissioner if you have a complaint about our processing of your personal data:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 if you would prefer not to call an '03' number, or +44 1625 545745 if calling from overseas)

Fax: 01625 524510

Research helps us to improve our services for everyone who uses them or is involved in them, and you might be asked if you would like to get involved in a research study or a service evaluation while you are receiving treatment from us or if you have received treatment in the past.

We collect important personal data about you when you use our services and record it to help to ensure you get the best possible care and treatment. This personal data can also be used and provided to other organisations for things other than your individual care, for instance to help with:

• Improving the quality and standards of care we provide
• Research into the development of new treatments
• Preventing illness and diseases
• Monitoring safety
• Planning services

Using personal data in these ways helps the NHS to provide better health and care for you, your family and future generations.

Most of the time, anonymised data is used for research, service evaluations, and clinical audits; anonymised data does not contain any information that could be used to identify you. Sometimes, we can't complete the research, service evaluation or clinical audit unless we use your personal data. But we will only use your personal data for research studies, service evaluations, or clinical audits when we are allowed to by law.

Most research studies and service evaluations that the Trust sponsors or takes part in are based on consent (agreement). This means that we have to ensure that you agree to allow us to use your personal data as part of the research study or service evaluation.

If you are invited to take part in a research study or service evaluation, the team that's running the project will provide you with information about how your personal data will be processed. This information will help you to decide whether you want to take part in the project or not, and if you consent (agree) for your personal data to be used.

You can change your decision about whether you want your personal data to be used in a research study or service evaluation at any time and the team that is running the project will provide you with information about this if you decide to take part.

If you decide that you don't want to take part in a research study or service evaluation, it won't affect the care that you receive from us.

Sometimes, depending on the type of research project, service evaluation, or clinical audit, you won't be contacted to ask for permission to use your personal data. This is because the project that will be using your personal data has been approved under Section 251 of the NHS Act 2006. The National Data Opt-Out Scheme allows you to choose if you want your personal data to be used in these types of research studies, service evaluations, and clinical audits.

If you are happy for your personal data to be used, then you don't need to do anything.

If you decide that you don't want your personal data to be used for research, service evaluations, or clinical audits without your consent, you can 'opt-out'. If you decide to opt-out then we will still use your personal data to support your care.

Trust has put systems and processes in place so we can be compliant with the National Data Opt-Out Scheme and can apply your choice about whether you want your personal data to be used for things other than your treatment without your consent.

You can find out more about the National Data Opt-Out Scheme and register your choice on the NHS website.

On this web page you will be able to:

• See what types of information we mean when we refer to 'confidential patient information'.
• Find examples of when confidential patient information is used for individual care.
• Find examples of when confidential patient information is used for another reason.
• Find out more about the benefits of sharing data.
• Understand more about the organisations who use your personal data.
• Find out how your data is protected.
• See the situations where your opt-out decision won't apply.

You can also look at, set and change your decision about whether you are happy for your personal data to be used for research, service evaluations, or clinical audits without your consent.

The Trust also uses the CRIS (powered by Akrivia Health) platform to help us deliver research studies, service evaluations, and clinical audits. The CRIS platform contains copies of the personal data in the Trust's electronic patient records. The CRIS platform is safe and secure and allows researchers and auditors to look at lots of pseudonymised personal data from our patients' medical records. This helps to identify trends and patterns which may lead to improvements in patient care. Pseudonymised personal data is personal data that has been changed so that the researcher or auditor can't identify you without having other information.

Researchers and auditors who use the CRIS platform won't be provided with any information that might identify you, like your name or address, unless you have already agreed to allow your personal data to be shared with the researcher or auditor, or unless the law says the Trust can share your personal data with them.

If you don't want your personal data to be available in the CRIS (powered by Akrivia Health) platform then you can 'opt-out' by visiting NHS website as mentioned above.

Please speak to the doctors, nurses and staff who look after you if you would like to know more about this or if you need help to tell us that you don't want your personal data to be used for research, service evaluations or clinical audits.

Closed Circuit Television (CCTV) systems are installed in Trust buildings and in Trust car parks. The images that are recorded using the CCTV systems can help keep people safe. CCTV images can also be used to prevent or detect crime, and the Trust sometimes shares CCTV recordings with the police to help them investigate complaints for example, if someone gets hurt.

The Trust is Data Controller for all images recorded using the CCTV systems it operates, and there is a specific policy that explains how we manage CCTV systems. You can find the policy on the Trust's website. The policy explains how we store CCTV recordings, who can access the recordings, and when copies of recordings might be shared with other organisations.

We don't usually keep CCTV images for longer than 31 days however, some recordings may be kept for longer if we need them for an ongoing investigation.

Most Trust sites have CCTV systems in areas that can be accessed by the public such as reception areas and car parks. CCTV systems are sometimes installed in wards too. Clear signs will be displayed in areas where CCTV is in operation, and those signs will also tell you how you can access copies of your personal data in the recordings if you want to.

To learn more about how we use, manage and maintain confidentiality of your personal data, please contact the Data Security and Data Protection Service:

Email: informationgovernance@nottshc.nhs.uk 

Tel: 0115 969 1300

Or visit the Trust's website: Your information including privacy notices and statement

You can find out more about how and why personal data is used in the NHS, the safeguards that are in place to protect the personal data and how decisions are made on the Understanding Patient Data website.

You can find out more about how personal data is used for health and social care research on the Health Research Authority website.

You can find out more about the Trust's Research and Evidence Team on the Trust's website.

You can find out more about the CRIS (powered by Akrivia Health) platform on the Trust's website.

Or you can speak to the doctors, nurses and staff who look after you so they can answer your questions.