About this notice and who it applies to
Data Protection law determines how organisations can use personal information.
In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.
We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew’s Healthcare will be processed unless the requirements for fair and lawful processing can be met.
This privacy notice applies to patients and service users.
This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.
Please also see our general Privacy Notice for further details.
In order to provide services to you, St Andrew’s may collect and use your personal data including, for example:
If you have a query or concern about any aspects of this privacy notice, or how your data is handled, please contact the Charity’s Data Protection Officer:
Data Protection Officer
St Andrew’s Healthcare
If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:
The Information Commissioner's Office
In certain circumstances, you may also have the right to:
If you wish to exercise them, please let us know by contacting our Data Protection Officer (details at the bottom of this privacy notice).
Data protection law gives you the right to access the information that we hold about you. This includes supplementary information about the processing that this privacy notice is designed to address.
Requests for access to patient/service user records can be made verbally or in writing to:
Health Records Office
St Andrew’s Healthcare
Telephone: 01604 616000
We will need to check that you are who you say you are. Therefore you may be asked to provide:
We may ask you for further information to help us locate what you are looking for.
We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt, unless there is a reason for delay that is justifiable under the law.
If a subject access request is made and the request for access is thought to be unfounded or excessive, or if you ask for more than one copy of the information we may ask you pay a fee to cover the costs.
We will only keep information for as long as necessary. Records are managed in line with our Records Management Policy. This ensures that we regularly review records and securely destroy records at the right time. There are times when we need to keep some information for longer so we can comply with the law.
It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice.
Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.
We take our duty to protect your personal information and confidentiality very seriously. The Charity is accredited to an international security standard, and we take all steps to ensure we have the right technical and organisational security control measures in place to protect your personal data from harm.
We have made some senior employees specifically responsible for data protection and confidentiality. For example, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of confidential patient information.
There is a Data Protection Officer who has specific responsibility for and knowledge of data protection compliance, covering all aspects of this privacy notice.
There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data and we ensure that our staff regularly undertake data protection training.
We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.
To provide you with the best care possible, we may need to share your information with others. We will only share your information in the following circumstances:
Some examples of third parties we may need to share your information with, but not limited to:
Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary and with the appropriate security controls in place.
There are a number of direct care purposes why we may need to process your personal data, which include:
We may process your information without your knowledge or consent where this is permitted by law.
We will only process your personal data for reason it was collected for. An exception would be unless it is needed for another purpose and the reason is compatible with the original purpose for processing.
We will notify you of any material changes to information which we collect or the purpose for which we collect and process it, and explain the legal basis for doing that.
Additionally, we may use information we hold about you for the following indirect care purposes:
Nationally there are strict controls on how your information is used for these purposes. These decide whether your information has to be de-identified first and with whom we may share identifiable information with.
Much of the care we provide to patients is commissioned by our NHS partners and in May 2018 strict rules around how your data can and cannot be used were tightened. You can choose whether your confidential patient information is used for research and planning by the NHS. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.
To find out more or to make your choice visit www.nhs.uk/your-nhs-data-matters, or call 0300 303 5678.
We will only use your data where the law allows us to. Most commonly, we will process your personal data in the following circumstances:
If you come to us through your GP, local authority or another health or social care authority, they will provide us with a variety of information, including your name, contact details and medical history. This would include any significant episodes that we need to be aware of in order to assess your needs and deliver the right care and service to you.
We also conduct independent mental health reviews or medico legal reports for solicitors, the Crown Prosecution Service, the Police, Courts, Coroners, Magistrates and other healthcare providers etc. In order to provide this service, we will usually obtain information about you from these organisations, and use the information you have provided to us.
St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.
The details of the Charity’s notification are available on the ICO’s Data Protection Public Register.
St Andrew’s registration number is Z5735699.
Privacy Notice - NHS National Data Opt-Out
The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
All these uses help to provide better healthcare.
Confidential patient information about your health and care is only used like this where allowed by law.
We only do this when there is a clear legal basis to use this information. Currently, we ensure that anonymised data is used, wherever possible, so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. Otherwise, you have the right to opt out through the NHS National Data Opt-Out. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
Should a situation arise where we did need to use or share confidential patient information for one of these purposes, and we had a lawful right to do so, we would first consult the NHS National Data Opt-Out information in order to determine whether we could or could not include your confidential patient information.
To find out more or to register your choice to opt out, please visit the NHS website.
On this web page you will:
You can also find out more about how patient information is used on the NHS Health Research Authority website (which covers health and care research), and on the Understanding Patient Data website (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.