Staff privacy notice
What is a privacy notice?
This is a statement made by the Rotherham, Doncaster and South Humber NHS Foundation Trust to our employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees, students, secondees and those carrying out work experience.
By issuing this privacy notice, we demonstrate our commitment to openness and accountability. It is sometimes also referred to as a privacy statement, fair processing statement or privacy policy.
This privacy notice is part of our commitment to ensure that we process your personal information or data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (2016) (GDPR) and the Data Protection Act (2018) (DPA).
During the course of its employment activities, Rotherham, Doncaster and South Humber NHS Foundation Trust collects, stores and processes personal information about staff.
We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
Contact the data controller
We are the data controller, and our registered address is:
Our information commissioner’s office (ICO) registration number is Z5863970.
We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to ensure the security of the personal data we are responsible for, whether this is computerised or in paper form.
At trust board level we have a senior information risk owner (SIRO) who is accountable for the management of all the trust’s information assets and a Caldicott guardian who is responsible for the management of patient data and patient confidentiality. We have a data protection officer (DPO) who ensures the trust is accountable and compliant with the GDPR and DPA.
Contact the data protection officer
What information do we collect about you?
In order to carry out our activities and obligations as an employer we handle data in relation to:
- name, address, phone, email, date of birth and next of kin or emergency contacts
- recruitment and employment checks (for example, professional membership, references, proof of identification and right to work in the UK, etc.)
- bank account and salary or wages, as well as pension, tax and national insurance details
- trade union membership
- personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
- medical information relevant to your employment, including physical health, mental health and absence history
- information relating to your health and safety at work, and any incidents or accidents
- professional registration and qualifications, education and training history
- information relating to employee relations (for example, disciplinary proceedings, grievances and complaints, tribunal claims, etc.)
- supervision and appraisal documentation
- sickness absence and annual leave details
- depending on the position you hold with us, we may also collect information in relation to any current or previous criminal offences
- vehicle information
This list is not exhaustive but is indicative of the types of information recorded.
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
Most of the information the trust collects about you is received directly from you, generally via application forms or where you have notified changes to your personal information either in writing or electronically, when you have made amendments via employee self service.
You can check and ensure that your information is kept up to date by viewing the information we hold on the HR system via your online access to employee self service.
However, we do receive some information about you from other sources, for example, when we undertake DBS or reference checks as part of the recruitment process; where you may apply for childcare vouchers; or where we receive information from courts, where a county court judgement may have been made.
Contact details provided, including mobile phone numbers, will be used to contact you by text or call in cases of work-related emergencies. All contact information will be held securely in line with Data Protection legislation.
Cookies
Our website utilises a standard technology called cookies to collect information about how our website is used and to record your preferences in order to give you the information you need during your visit. Information gathered through cookies allows us to monitor website traffic and to personalise the content of the site for you.
Web server log files
IP addresses are used by your computer, mobile device or smartphone, every time you are connected to the internet. Your IP address is a number that is used by computers on the network to identify your computer or mobile device. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you. Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about which other sites you have visited.
Why do we collect this information about you?
We will only process your personal data where the processing can be legally justified under UK law or where we have obtained your consent. These include circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligation which applies to us as your employer, such as:
- staff administration and management (including payroll and performance)
- pensions administration
- business management and planning
- accounting and auditing
- accounts and records
- crime prevention and prosecution of offenders
- education, training and development
- health administration and services
- sharing and matching of personal information for national fraud initiative
- mileage claims
- car parking permits
- CCTV images to identify as part of various security access systems
- monitoring investigations, disciplinary procedures and other staff processes
Closed-circuit television (CCTV)
We have CCTV systems on site for the purposes of public and staff safety and crime prevention and detection. Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. We operate CCTV and disclose in accordance with the codes of practice issued by the information commissioner.
CCTV images or other data held may be used in some circumstances where incidents require investigation by the data controller. Dependent upon the specific processing which is necessary, this information is processed under either:
- article 6(1)(f), as processing may be necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
- article 6(1)(e), public task, as processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
How do we use your personal information?
Your information will also be used to support you in your employment, and to enable us to meet our legal responsibilities as an employer. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
Most of the information the trust collects about you is received directly from you, generally via application forms or where you have notified changes to your personal information either in writing or electronically, when you have made amendments via employee self service. You can check and ensure that your information is kept up to date by viewing the information we hold on the HR system via your online access to employee self service.
However, we do receive some information about you from other sources, for example, when we undertake disclosure and barring service (DBS) or reference checks as part of the recruitment process; where you may apply for childcare vouchers; or where we receive information from courts, where a county court judgement may have been made.
Who do we share your personal information with?
There are a number of reasons why we share information. This can be due to:
- our obligations to comply with legislation
- our duty to comply with any court orders which may be imposed
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons. Sometimes we are required by law to disclose or report certain information, which may include details which identify you. This may include, but is not limited to:
- our recruitment system: NHS Jobs
- electronic staff record system (via IBM): ESR
- disclosure and barring service (via ESR): DBS
- our online training systems: OLM and Elearning for Health
- occupational health: PAM (see below)
- our e-Rostering system: Allocate
- our expenses system: Allocate
- our e-bank: Allocate
- our payroll company (ESR)
- HM revenue and customs (HMRC) or department for work and pensions (DWP) via ESR
- external request for reports (anonymised)
- professional registration boards (as appropriate) via ESR
- offsite storage facility: Restore
- banks, mortgages or tenancy references (if agreed by individual)
- law enforcement agencies, for example, the police (it may be necessary to share information without your consent, for example, when the health and safety of others is at risk)
- the cabinet office (participation in national fraud initiative)
- the home office: Home Office
- regulatory bodies, for example, the nursing and midwifery council or general medical council
Where mandatory disclosure is necessary only the minimum amount of information is released.
Do we use any data processors?
Yes, to enable effective staff administration this trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.
Recipients and third-party disclosures:
Contracts administration (NHS shared business services authority)
The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS business services authority for maintaining your employment records, held on the national NHS electronic staff record (ESR) system. ESR’s terms and conditions.
Trac jobs
Trac jobs has an interface to the electronic staff record system (ESR) which is a payroll and human resources system used by the trust. If you apply for any trust positions, the data you submit to Trac may be transferred to ESR for the purposes of:
- establishing the human resources and payroll record
- completing the recruitment process or parts of the process on ESR
- for reporting purposes such as equal opportunity monitoring
The first time you log into your account, you will need to agree and accept the terms and conditions before you can continue. The monitoring and safeguarding sections of the application form make it clear who within the Recruitment team has access to these sections of the form.
Occupational health
The trust’s occupational health provision is provided by a third party, the PAM group. If you are referred to the Occupational Health team you, as the staff member, will liaise directly with this provider and your consent will be obtained by the occupational health professional to enable them to share your information back to the organisation. Occupational health information online (OHIO).
Office 365
RDaSH has procured and made available the Microsoft 365 platform signed under the national discount agreement known as N365 for employees in the functioning of the trust’s activities. The N365 platform is a productivity suite of interconnected solutions comprising tools and systems that include:
- Microsoft Office, Outlook, Word, Excel, PowerPoint, OneNote, Access (which includes web-based cloud versions and locally installed applications now known as Apps for Enterprise)
- NHSmail, formal messages distributed by electronic means (email). NHSmail is the trust’s secure email service approved by the department of health and social care for sharing patient identifiable and sensitive information
- Microsoft Teams, a collaboration hub of multiple teams sites that combines voice and video conferencing with WhatsApp style chat, instant messaging and document storage with other integrated applications
Microsoft N365 collects personal information such as name, work address, geographical location, occupation, IP address and images. This data is stored or processed by Microsoft in the UK.
Palo Alto Global Protect virtual private network (VPN)
Global Protect is one of the trust’s VPN systems, allowing access to the corporate RDaSH network on internet connections away from the RDaSH LAN network. The VPN provides a means to access the RDaSH network; the system itself does not store any sensitive data.
The data collected is staff members’ IP addresses, in order to monitor activity on the VPN.
Govroam
Govroam is a national roaming service which provides ‘zero touch’, easy-to-use internet access to public sector staff across the UK at thousands of locations. Once configured, trust work devices will connect automatically at any participating site.
The Govroam hosting organisation (for example, NHS trust, Local Authority) will collect a user’s IP address, which will be stored on that organisation’s encrypted server and firewall for 60 days maximum.
Zoom
Zoom unifies cloud video conferencing, simple online meetings, and cross platform group chat into one easy-to-use platform and provides an alternative to face-to-face meetings and reduces travel time. Meetings can be recorded and stored.
Zoom will collect a user’s name, address and occupation.
More information can be found via Zoom’s privacy notice.
Eventbrite
Eventbrite is an event management and ticketing website. The service allows users to browse, create, and promote local events. It has been used by RDaSH to create time slots for COVID-19 vaccine sessions.
Eventbrite will collect a user’s name, occupation, email address and mobile number (optional).
More information can be found via Eventbrite’s privacy notice.
Survey Monkey
Survey Monkey is an online questionnaire platform which allows online questionnaires to be developed and shared with research participants via a link sent by email or text message. The platform allows a potential participant to read information about the research, complete pre-screening eligibility questions and then provide confirmation of consent to take part, and complete the questionnaire. To provide an alternative to face-to-face meetings with participants for research RDaSH provides research questionnaires online via Survey Monkey.
Survey Monkey will collect a user’s name, postcode, date of birth, emergency contact or carer’s details, gender, GP or consultant, geographical location, occupation, health information, race, ethnic origin, religion, sex life or sexual orientation.
Data will be deleted from Survey Monkey at the end of each study once data analysis has been completed. The data will then be archived as per regulatory and RDaSH requirements. A retention schedule is approved for each trial to set out how data will be stored and when it will be destroyed.
Tendable
The Tendable app is an established quality assurance tool, rolled out nationally to over 40 NHS trusts. It provides a user friendly audit system for quality inspections, which facilitates real time reporting and results.
Tendable will collect a user’s name, address, postcode, date of birth, gender, geographical location, occupation and IP address.
Records will be held in line with the health and social care records management code of practice. Once the app is no longer in use by the organisation all records will be deleted or transferred back.
Data is currently stored outside the UK, in their Dublin data centre.
QUIT programme
QUIT is a new smoking cessation support programme which is being implemented across several trusts in the South Yorkshire and Bassetlaw ICS, including RDaSH. The main service this programme will provide is smoking cessation and abstinence support for smoking in-patients and staff. The QUIT programme is aimed at addressing significant health inequalities that arise due to smoking.
QUIT will collect a user’s name, address, postcode, date of birth, emergency contact or carer’s details, NHS number, gender, GP or consultant, geographical location, occupation, health information.
Information will be retained in line with the Health and Social Care Code of Practice (2016).
Safehinge Primera
The Safehinge Primera integrated override lockset, electronic access control and door-alarm systems have been developed to provide a full solution for mental health wards incorporating anti-ligature and anti-barricade protection. The electronic passport door locking system allows patients to have independent access to their individual bedroom to improve privacy and dignity.
Safehinge Primera will collect a user’s name and occupation. Information will be accessed by RDaSH and by Safehinge Primera and Amadeo for maintenance purposes only.
Safehinge Primera will store information for as long as is necessary and for as long as the customer is in business with Safehinge Primera. Data is erased securely when it is no longer necessary in relation to the purpose for which it was collected.
Staff flu and COVID-19 vaccination data
RDaSH is required to complete the national submission of staff flu data to the national immunisation vaccination system (NIVS). This is a mandatory requirement for all providers. The implementation of this service will deliver a centralised data capture tool for clinical teams delivering the seasonal flu immunisation and is an essential component of NHS England’s response to the COVID-19 pandemic.
This system will also be used to track vaccination status of staff for the COVID-19 vaccine. This is required by NHS England and NHS Improvement who state that it will support flu planning and response activities at both a national and local level.
Data collected will be a user’s name, postcode, date of birth, gender, occupation, health information.
Data will be retained in line with NHS England business requirements and the NHS records management code of practice. More information can be found via NHS England’s privacy notice.
Medical e-Job planning
Online e-job planning system used by medics to streamline the review and sign off process.
Section 12 solutions app
Application used for section 12 approved doctors to indicate availability for work and their location in order for AMHPs to be able to access the data.
Prevention and detection of crime and fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal or statutory obligation, such as providing evidence following an incident or criminal investigation.
CCI credit management
The trust may supply information to the trust’s authorised debt collector, CCI credit management, in order to recover any monies owed to the trust by employees.
The data shared will be date of birth, national insurance number, former names, contact numbers, email addresses, next of kin and any other information required. The legal basis for sharing this information is article 6(1)(b), processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If the contract is breached then it becomes necessary in some cases to pursue monies for the performance or fulfilment of the contract.
Oxehealth service, digital care assistant
The Oxehealth system is the technology platform that is deployed into mental health wards to support clinicians. The Oxehealth service will be implemented across all RDaSH adult and older people’s mental health wards and PICU wards. It uses an optical sensor (camera and infrared illumination in a secure housing on the wall) to monitor a patient in a room 24 hours a day, 7 days a week.
With this system clinicians can take medical grade cardio-respiratory measurements remotely, access cardio-respiratory trends from the last 24 hours to understand if a resting patient’s physical health may be deteriorating, receive real-time alerts to high-risk activity, prompting a safety check, and view objective patient activity reports to support clinical decision-making.
Using this technology in clinical areas will support safe delivery of care and can enhance and improve processes and proactively manage and prevent incidents.
ISOSEC virtual smart card
The use of virtual smart cards for system authentication, currently supported by physical smart card authentication.
Deloitte connect
Online external and internal audits conducted on finances.
Integra Centros
Processing of payroll data to obtain accurate costing details to the relevant departments, and the collection of monies from individuals.
Courageous success
The courageous success programme allows individuals to provide feedback on their value preferences in both work and non-work situations so that they can operate with greater confidence as individuals and leaders. Feedback is provided from the answers in order to help develop leadership skills or styles.
VoiceAbility advocacy
RDaSH will provide information to VoiceAbility for the purpose of identifying newly admitted patients to enable them to offer their independent mental health advocacy services.
This agreement is only concerned with patients detained under or subject to the MHA.
Wagestream
Wagestream is a platform that a significant number of NHS trusts utilise as part of their financial wellbeing strategy for staff. Staff can access advice, charities to help with any financial issues as well as accessing their salaries for any unforeseen costs that they may incur that cannot wait until payday. Staff choose to sign up to Wagestream, and consent to their terms and conditions.
Further information can be found on Wagestream’s privacy policy.
Refill
The Refill app details all locations where you can go for a free drink refill. Staff can use this app.
Agiito train ticket and hotel booking platform
Agiito is a third party supplier for hotel and train ticket booking for staff.
Yorkshire and Humber shared care record
The Yorkshire and Humber shared care record (YHCR) system is developed by the health and social care partners to create a joint electronic care record for service users (patients and social care clients) within the Yorkshire and Humber region area.
For the provision of the processing of personal data within the system of systems for the YHCR. This project will allow partner organisations who have a legitimate relationship with an individual to provide direct care to them, to view the information held by other organisations that are also involved in individuals’ direct care in order to obtain a complete picture of the individuals’ requirements and improve clinical decisions.
SMI physical health check (PHC) outreach (primary care network (PCN))
Resource will be provided from MIND to support patients with a serious mental illness to access their annual physical health check appointment. The support will include working with the MH team in the primary care network and making contact with patients on the SMI register and providing support and explanation as to the need for the annual physical health check. The support includes an initial contact to explain the purpose and benefits of the PHC.
Peer support
As part of the national mental health transformation a contract has been awarded to the people focused group to provide a peer support service to people receiving care from Rotherham, Doncaster and South Humber NHS Foundation Trust secondary and primary mental health services. This is in line with national guidance to support the transformation of mental health services as set out in the community mental health framework for adults and older adults (2019).
Talking therapies eClinic
The Talking therapies eClinic will allow patients to make appointments and complete therapy with a psychological practitioner via an instant messaging service.
PAM occupational health system Interface with ESR
Bi-directional interface or connection between ESR and the RDaSH third party occupational health system Ohio (owned by PAM group). Vaccination and immunisation data will transfer into ESR via PAM and vice versa, so vaccination and immunisation data will transfer from ESR into Ohio. This data is required as part of the recruitment process across the NHS for the onboarding of staff. This information will be in addition to the basic employment details that are already shared via IAT Interface when staff move from one NHS organisation to another.
Live chat functionality on the Zone 5 to 19 website
Live chat to support children and young people to navigate the 5 to 19 website and access the service, through a pop-up text box with live chat functionality. This is primarily a live sign-posting service.
North Lincolnshire child and adolescent mental health services (CAMHS) neurodevelopmental service inclusion project
This is an evaluation of the neurodiversity cluster of North Lincolnshire CAMHS. The service diagnoses autism, ADHD and in some cases intellectual difficulties. This will be undertaken as part of the national strategy and based on key learning from The challenge of co-production discussion paper (Boyle and Harris, 2009).
Participants can tailor their engagement in this project by opting for one of a range of options including: focus groups, in person interviews, online video calls or online chat functions.
Oceans Blue (eRostering with Allocate)
To identify cost and efficiency opportunities in workforce planning, using trust e-rostering data. Oceans Blue will provide detailed analysis of their findings with a view to reducing cost and producing more effective rosters.
Individual placement scheme
South Yorkshire housing association is the provider of the building better opportunities and working win individual placement support services and is working in partnership with the four NHS mental health trusts in South Yorkshire, Bassetlaw and Derbyshire. In conjunction with their specialist benefits advice partner, Sheffield citizens advice service, they will deliver a single IPS service that aligns and improves employment support for people with severe mental illness.
Humber and North Yorkshire key worker service
The Humber and North Yorkshire key worker service has been developed as a response to the NHS England and NHS Improvement Long Term Plan (LTP) commitment that by 2024, children and young people with a learning disability, autism or both, with the most complex needs will have a ‘designated’ key worker.
6-month review provision by the stroke association
The stroke association provides an enhanced service for Doncaster residents where all patients are contacted directly for a 6-month review. Some will require a 6-month review, some will need rehabilitation and a 6-month review.
Minddistrict
IT system which allows registered patients to have access to evidence-based, self-help information. Patients are able to complete diaries and exercises and communicate via the IT platform with a therapist.
Acacium
Remote assessment service to provide clinical support services for the purpose of delivering attention deficit hyperactivity disorder (ADHD) and autistic spectrum disorder (ASD) assessments.
ER Tracker by Allocate
Casework management system by Allocate. The system will be used by the Employee Relations team to record casework activity.
Bookwhen
System to manage the bookings of health and wellbeing services to employees.
Learning from patient safety events (LFPSE)
The platform learning from patient safety events (LFPSE) has been created by NHS England. The system will bring an improved approach to learning from patient safety events, with improved analytics, but also the recording of good practice to allow for continuous quality and service improvement.
What is our lawful basis for processing your information under data protection legislation?
We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes following data protection and employment legislation. This lawful basis means that the individual’s right to ‘object’ does not apply.
All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act (2012); this duty is subject to both the common law duty of confidence and all current data protection legislation. The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing. As personal data is processed for purposes of the trust’s statutory functions we have considered our lawful basis for processing personal data and have deemed:
His majesty’s revenue and customs (HMRC), health and safety and other statutory or lawful requirements
Article 6(1)(b), processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Article 6(1)(c), processing is necessary for compliance with a legal obligation, for example, employment law.
Administrative purposes including employment personal information
Article 6(1)(f), processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest
Article 6(1)(f), processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Where the trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:
Safeguarding
Article 9(2)(g), processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Some article 9 conditions require a corresponding schedule 1 condition from the DPA (2018) for special category data. See Data Protection Act (2018) part 2, paragraph 18: Safeguarding of children and of individuals at risk (opens in a new window).
Commissioning and planning
Article 9(2)(h), processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
Research, regulatory and public health functions
Article 9(2)(j), processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Consent and withdrawal of consent
Where the above do not apply, any other processing will be reliant on your consent under article 6(1)(a). This will be based on explicit consent and, as a result, you will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices. Activities which are optional will be conducted with consent. You will have the option of withdrawing that consent at any time. Any enquiries should be made directly to the Information Governance team.
What are your legal rights?
We will ensure that your rights are respected (opens in a new window). You have:
The right to be informed
Individuals have the right to be informed of how their data will be used. This applies to both patient and staff data. More information on how your data is used can be found on our your information, your rights page.
The right of access
Individuals have the right to access their personal data, and this is commonly referred to as a subject access request. Individuals can make a subject access request verbally or in writing, and we have one month to respond to a request.
This is a free service, although there are specified examples where a fee may be applicable, such as, where the request is ‘manifestly unfounded’ or ‘excessive’; or if an individual requests further copies of their data following a request. We can charge a reasonable fee covering our admin costs. Information on how to make a request can be found on our your information, your rights page.
The right to rectification
Individuals have the right to have inaccurate personal data rectified or completed. More information on this can be found on our your information, your rights page.
The right to erasure
This is often referred to as the right to be forgotten and is not absolute. The right does not apply to special category data if processing is necessary for the provision of health or social care; or for the management of health or social care systems or services. More information on this can be found on our your information, your rights page.
The right to restrict processing
Individuals have the right to require organisations to restrict processing where:
- accuracy is contested by the individual
- processing is unlawful and the subject opposes erasure
- the organisation no longer needs the data, but the subject requires it to be kept for legal claims
- the individual has objected, pending verification of legitimate grounds
The right to data portability
Individuals have the right to receive personal data about them in a ‘commonly used and machine readable format’. This right is only available where the processing is based on consent and the processing is automated.
Please note that this is not the legal basis for the majority of our processing, therefore in regard to most of the data held by this trust, this right does not apply.
The right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific or historical research and statistics
Rights in relation to automated decision-making and profiling
Making a decision solely by automated means, without any human involvement, is known as automated individual decision-making. Any automated processing to evaluate certain things about an individual is known as profiling, although it can also be part of the same process.
We can only carry out solely automated decision-making that has legal (or similarly significant) effects on you, where the decision is either:
- necessary for the entry into or performance of a contract
- authorised by union or member state law applicable to the controller
- based on your explicit consent
And if so, we must ensure we give you information about the processing and introduce simple ways for you to request human intervention or challenge a decision. We must also carry out regular checks to make sure that our systems are working as intended.
How can you access your personal information?
You have a right to see the information we hold about you, whether on paper or in electronic form, except for information that:
- has been provided about you by someone else if they haven’t given permission for you to see it
- relates to criminal offences
- is being used to detect or prevent crime
- could cause physical or mental harm to you or someone else
Your request must be made in writing and we will request proof of identity before we can disclose personal information. You can find out more about accessing your information by visiting our your information, your rights page.
If you would like to request a copy of your records, please contact the Information Governance team.
Do we send your data to other countries?
Sometimes your data may be processed outside the UK. In most circumstances it will remain within the European economic area (EEA) and will have the same protection as if processed within this country. When this is outside the EEA we will identify the data protections in place prior to transfer.
How do we keep your information safe?
Under the General Data Protection Regulation and Data Protection Act, strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS confidentiality code of conduct (opens in a new window), all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
How long do we keep your information?
All records held by the NHS are subject to, and kept in line with the retention periods in, the Records Management Code of Practice for Health and Social Care Act (2021) (opens in a new window). The code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.
All records are appropriately reviewed once their retention period has been met, and the trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.
The trust has a records management policy.
Notification
The Data Protection Act (2018) requires organisations to notify the information commissioner and describe the purpose for which they process personal information. These details are publicly available on the information commissioner’s website (opens in a new window).
How do you make a complaint?
If you are not happy about how your data or request has been handled, please:
- speak to your health professional, for example a key worker, support worker, consultant, etc.
- should you have any further queries about the uses of your information, please email the trust’s data protection officer at rdash.dpo@nhs.net
- contact our Complaints team or patient advice and liaison service
- to get further advice or report a concern directly to the information commissioner’s office (ICO), the UK’s independent authority, you can visit the ICO website (opens in a new window) or call 0303 123 1113
What about information about the trust itself?
The Freedom of Information Act (2000) provides any person with the right to obtain information held by this trust, subject to a number of exemptions. If you would like to request information from us, please contact the Information Governance team:
Where can you find more information?
Further information can be found by visiting our your information, your rights page.
More information about our policies and procedures can be found by visiting our policies section.
Data protection impact assessments
Data protection law introduced a new obligation to do a data protection impact assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ interests. A DPIA is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
We publish a summary log of completed DPIAs. Any requests for the full DPIA can be sent to rdash.ig@nhs.net.
The data protection legislation supports your right to have your privacy respected and your data protected. It gives you easier access to the personal information the trust holds about you, if you wish to check or change it. It is designed to give you confidence that this information is accurate, up to date and well managed.
Information governance definitions
For more information about definitions of terms used in the notice please see information governance.
Page last reviewed: December 24, 2024
Next review due: December 24, 2025