About this notice and who it applies to
Data Protection law determines how organisations can use personal information.
In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.
We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew’s Healthcare will be processed unless the requirements for fair and lawful processing can be met.
This privacy notice applies to carers, families and friends of the people in our care.
This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.
Please also see our general Privacy Notice for further details.
In order to provide services as a healthcare provider, St Andrew’s may process your personal data including, but not limited to:
• Personal contact details such as name, address, phone number and email address
• Relationship to patient
• Preferred method of contact
• Details of any disabilities or needs that the Charity needs to be aware of
If you have a query or concern about any aspects of this privacy notice, or how your data is handled or shared please direct your concern to the Charity’s Data Protection Officer:
Data Protection Officer
St Andrew’s Healthcare
If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:
The Information Commissioner's Office
In certain circumstances, you may also have the right to:
• Object to the processing of personal data that is likely to cause, or is causing, damage or distress
• In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
• Require us to correct any mistakes in the data we hold on you
• Object at any time to processing of personal data concerning you for direct marketing.
If you believe you have any of these additional rights or you wish to exercise them, please let us know by contacting the Charity’s Data Protection Officer (details at the bottom of this privacy notice).
Data Protection law gives you the right to access the information which St Andrew’s Healthcare possesses about you. This includes supplementary information about the processing that this privacy notice is designed to address.
Requests for access to the personal data that the Charity processes about you can be made verbally or in writing to:
Health Records Team
St Andrew’s Healthcare
Telephone: 01604 616000
The Charity needs to validate that you are who you say you are. Therefore you may be asked to provide:
• Relevant information (for example full name, address, date of birth, staff number, etc.)
We may ask you for further information to help us locate what you are looking for.
We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt unless there is a reason for delay that is justifiable under UK Data Protection law.
If a subject access request is made and the request for access is thought to be unfounded or excessive, the Charity reserves the right to refuse to comply with the request in these circumstances.
We will only retain information for as long as necessary. Records are managed in line with the Charity’s Records Management Policy. This ensures that we regularly review records and securely destroy records at the appropriate time. There are times when we need to keep certain records for set legal time periods.
It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice
Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.
We take our duty to protect your personal information and confidentiality very seriously. The Charity is accredited to an international security standard, and we take all steps to ensure we have the right technical and organisational security control measures in place to protect your personal data from harm.
We have made some senior employees specifically responsible for data protection and confidentiality. For example, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of confidential patient information.
There is a Data Protection Officer who has specific responsibility for and knowledge of data protection compliance, covering all aspects of this privacy notice.
There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data, and we ensure that our staff regularly undertake data protection training.
We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.
To provide the person that we are providing services to with the best care possible, sometimes we will need to share information about you with others.
We will only share your personal information with third parties in the following circumstances:
• Where you have given your consent to the information being shared
• Where there are issues or concerns, like the health and safety of yourself or others
• Where there is a legal requirement or responsibility on us to share the information
Some examples of third parties we may need to share your information with, but not limited to, include:
• Central and local government agencies and departments
• General Practitioners (GPs)
• Healthcare and Safeguarding bodies
• Police, courts and prisons
Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary and with the appropriate security controls in place.
There are a number of reasons why St Andrew’s may need to process personal data about you, which include:
• To work in partnership with the Charity to bring about better outcomes for the person that you care for
• To help us inform decisions that we make about the health and wellbeing of the person you care for
• Reimbursement of funds for agreed transport in relation to attendance at events organised by the Charity, such as CPA meetings and carer participation at events
• To work effectively with other organisations who may be involved in the care and treatment of the person you care for
• To work in partnership with the Charity to review the care provided to the person that you care for
• For research and audit purposes
• For consultations on services, either internally or as part of external reviews with agencies such as NHS England
We seek to ensure that our information collection and processing is always proportionate and accurate. We will only process your personal data for the purpose it was collected for unless it is needed for another purpose and the reason is compatible with the original purpose that your data was collected for.
We will notify you of any material changes to information which we collect or the purpose for which we collect and process it, and explain the legal basis for doing so.
The Charity must have a lawful basis to process your personal data. Most commonly, personal data will be processed in the following circumstances:
• Where you have given consent
• To comply with laws and regulations
• When it is necessary to protect the vital interests of an individual (for example, in a medical emergency)
• Where it is necessary for the Charity’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests
• Where it is necessary for the Charity to perform a task in the public interest
If our services are commissioned or referred by third parties (for example, by General Practitioners (GPs), Clinical Commissioning Groups (CCGs) or local authorities), they will provide us with a variety of information about the people that we provide services to. This may include information about carers, families and friends.
The person who is using our services may also provide us with information about their carers, families and friends. As part of the Charity’s Carers, Family and Friends Strategy, we do endeavour to establish whether you would like key involvement with the person we are providing services to. We also understand that sometimes carers, families and friends do not want to be involved in the care of the people that we provide services to.
St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.
The details of the Charity’s notification are available on the ICOs Data Protection Public Register.
St Andrew’s registration number is Z5735699.