Patient Privacy Notice – How We Use, Share & Protect Your Personal Information
Coronavirus (Covid-19) Pandemic: how data about you is used
Please see our Covid-19 privacy notice for further information about how we may share personal data about you during the Covid-19 pandemic.
Northern Care Alliance NHS Group (Salford Royal NHS Foundation Trust and The Pennine Acute Hospitals NHS Trust) Privacy Notice
Name: Salford Royal NHS Foundation Trust and The Pennine Acute Hospitals NHS Trust
Address: Stott Lane, Salford, M6 8HD
Information Commissioner’s Office Registration Numbers:
Salford Royal NHS Foundation Trust - Z5006706
The Pennine Acute Hospitals NHS Trust - Z6519461
The purpose of this notice is to tell you what information we collect and hold about you, what we do with it, how we will look after it and who we may share it with. We also explain your rights in respect of your information and the choices you can make about the way your information is used and where you can opt out of your data being shared with other organisations.
This notice applies to all information we hold about you as an individual. Please note we have a separate privacy notice for members of staff available through the NCA intranet.
Please see our covid-19 privacy notice for further information about how we may share personal data about you during the covid-19 pandemic.
This privacy notice is not exhaustive. We are happy to provide any additional information or explanation needed, please email firstname.lastname@example.org.
Who we are and what we do
Salford Royal NHS Foundation Trust is an integrated provider of hospital, community, and primary care services, it also hosts the local adult social care team and children’s services.
Pennine Acute Hospitals NHS Trust provides a range of elective emergency, district general services, some specialist services and operates from three main hospital sites and community clinics. The three main Pennine hospital sites are:
- Fairfield General Hospital (Bury Care Organisation)
- The Royal Oldham Hospital (Oldham Care Organisation)
- Rochdale Infirmary (Rochdale Care Organisation)
North Manchester General Hospital is now managed by the Manchester University Foundation Trust. For more information please see The Pennine Acute Hospitals NHS Trust website and Manchester University NHS Foundation Trust website.
For more information about the Northern Care Alliance NHS Group please see https://www.pat.nhs.uk/about-us/northern-care-alliance.htm.
There are several services hosted within the Northern Care Alliance NHS Group, which include:
- Clinical Leaders Network
- East Lancashire Financial Services (ELFS)
- GM Clinical Support Services
- GM Mass Vaccination Centre
- GM Shared Services
- Neuro-Rehab Operational Delivery Network
- R&D North West
- Stroke Operational Delivery Network
- Local Care Organisations for Bury and Rochdale
The type of personal information we collect
We currently collect and process the following information:
- Personal details such as name, date of birth, ethnicity and religion, NHS number and next of kin
- Details of how to contact you such as address, telephone number, mobile number, and email address
- Contact we have with you for example hospital admissions, A&E visits, inpatient stays, outpatients/clinic appointments or home visits
- Details and records about your treatment and care including but not limited to:
- details and records of diagnosis, treatments, and care
- notes and reports by health and care professionals about your health, GP details etc.
- results from your visits, from scans, x-rays, pathology tests or any other test
- information about any allergies and health conditions
- Information about the people involved in your care such as your GP and Optician
- Details about people associated with you such as children in your care, contact details of partners, carers, relatives etc. This information may be given to us directly by you or by them
- Information sent about you to us from others involved in your care such as your GP, Optician, schools etc.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- To communicate with you about your healthcare, for example by letter, mobile, SMS or email
- Plan, manage, evaluate, and audit the services we provide
- Commission other organisations to support us in providing care and/or treatment
- Support and conduct research and development, including clinical trials
- Support applications for Individual Funding Requests (IFRs) for care and treatment which is not usually given by the NHS
- Reporting and investigating complaints and incidents
- Running patient satisfaction surveys
- To monitor how we spend public money
- To teach and train healthcare professionals
- Assess if you have eligible care needs and decide how best to meet them
- Calculate how much you can afford to pay towards your care service
- Keep track of spending on care services
- To identify and locate any vulnerable adults in a particular area who may require our support in the event of an emergency
- Reporting events to the appropriate authorities when we are required to do so by law.
- Provide appropriate care and treatment (statutory responsibility based on National Health Service and Community Care Act 1990, Health and Social Care (Community Health and Standards) Act 2003, NHS Act 2006, Health and Social Care Act 2012, Care Act 2014, Local Government Act 1974, Localism Act 2011, Children Act 1989, Children Act 2004)
We also receive personal information indirectly, from the following sources in the following scenarios:
- GP Practices in the form of patient referrals
- NHS England in the form of patient referrals
- Other NHS health and care providers in the form of patient referrals and for the continuity of care
- Independent health and care providers in the form of patient referrals and for the continuity of care
- Local authorities for the continuity of care
- NHS Digital to support the care and treatment of patients
We use de-personalised (anonymised) data to provide health care services including:
- Checking the quality and efficiency of the health services we provide
- Preparing performance reports
- Determining what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients
- National reporting of activity and outcomes.
- Reviewing the care being provided to make sure it is of the highest standard.
- Research and planning purposes.
We use de-identified (pseudonymised) information to:
- Assist with the payment of services you may use
- Prepare statistics on NHS performance to understand health needs and support service redesign, modernisation, and improvement
- Help us plan future services to ensure they continue to meet our local population needs
- Identify groups of patients who would benefit from some additional help from their care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.
If you would like further information regarding our data processing activities and third party suppliers, please contact us on email@example.com.
Purposes for which we use your information
Care and Administration Purposes
Most of the information held by the NCA is to support the care of patients, which can take place at various clinic/service locations, including the patient’s home. We normally receive information about new patients in the form of a referral from the patient’s GP or another hospital. To ensure that patients receive the best levels of care, we need to share information with professionals involved in supporting patients; this can also involve sharing information with professionals within other health or care organisations.
We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties not involved in your care without your explicit consent unless there are circumstances, such as when the health or safety of others is at risk or where current legislation permits or requires it.
The NCA is part of the Greater Manchester Care Record, which allows workers in health or social care, easy access to patient information that is critical to support decision-making about patient care and treatment.
We may need to share relevant personal information with other NHS organisations. We will also share information with other parts of the NHS and those contracted to provide services to the NHS to support your care needs. All information is shared in a confidential manner and via a secure method of transfer. Examples of where we would share personal data include:
- GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration
- Social workers or to other non-NHS staff involved in providing care
- Specialist organisations for the purposes of clinical auditing
- Those with parental responsibility for patients, including guardians
- Carers without parental responsibility (subject to explicit consent)
As part of our administration purposes, we process information about:
- Our patients
- Employees (see staff privacy notice)
- Complainants, enquirers
- Survey respondents
- Professional experts and consultants
- Individuals captured by CCTV images
Commissioning, Planning and Research Purposes
The services delivered by the NCA are commissioned by the NHS; any data flowing commissioning or planning purposes may involve NHS Digital, NHS England, or local Commissioners. Other examples of where we would share personal data include:
- Medical researchers for research purposes (subject to explicit consent unless the data is anonymous)
- NHS managers and the Department of Health for the purposes of planning, commissioning, managing, and auditing healthcare services
Data minimisation (including de-identification) is standard for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.
In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment. This is known as the “National Data Opt-Out” initiative. Further information can be found on the following website: https://www.nhs.uk/your-nhs-data-matters/
Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
Serious Incident Management
The NCA works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided. Bodies with statutory investigative powers, for example, include the Care Quality Commission, the General Medical Council (and other professional bodies), the National Audit Office, the Health Service Ombudsman.
Analysis – Risk Stratification
Risk stratification uses computer-based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions.
Personal data may also be shared with:
- National registries
- Non-statutory investigations, where necessary and appropriate - e.g. Members of Parliament
- Government departments other than the Department of Health and Social Care, where a compatible legal basis exists.
- Solicitors, to the police, to the Courts (including a Coroner's Court), and to tribunals and enquiries
The lawful basis for how we use your information
We will only process information relating to you if there is a lawful basis and it is necessary to do so. We may use one of the following lawful bases:
- To deliver our services as an NHS organisation, we use Article 6(1)e as this is “…necessary for the performance of a task carried out in the public interest or in the exercise of official authority.” For special personal data, we use Article 9(2)h, as this is “…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.”
- For research purposes in addition to Article 6(1)e (see above), we also rely on Article 9(2)j provisions around “…scientific or historical research purposes or statistical purposes.”
- Where we need to process your data for the day to day running of our Trust other than for the performance of our public task/duties, we may base this on our legitimate interest (Article 6(1)f).
- Where it is necessary to protect someone’s life, we may base processing on vital interests (Article 6(1)d and Article 9(2)c).
- Where we need to comply with the law, we may process data based on our legal obligation (Article 6(1)c).
- Where none of these are appropriate, then we will approach you for your consent (Article 6(1)a) or form a contract with you (Article 6(1)b).
Common Law Duty of Confidentiality
Information provided by patients to their doctors during a normal consultation is considered confidential. This means that there is an expectation that such information is only used for care purposes and will not be shared outside of those involved in that care.
When a patient is referred to hospital, it is implied that they agree/permit to certain information about their health being shared with the hospital.
If the hospital were to then look to share this information with organisations, for other purposes (research, medical reports, “secondary uses”, then limits provisions may enable this. The first provision is where the patient has given their explicit/written informed consent. Other provisions include:
- where disclosure is in the overriding public interest
- where there is a statutory basis or legal duty to disclose, e.g. by court order.
How we store your personal information
We primarily store data securely within the UK. However, if data is transferred outside of the UK, we will ensure that any transfer is in accordance with UK Data Protection legislation and any identified risk is mitigated.
We keep your data for as long as required in line with national NHS Records Management Code of Practice for Health and Social Care 2016.
Your data protection individual rights
Under data protection law, you have rights including:
Your right of access
You have the right to ask us for copies of your personal information. A copy of our access request police is available here.
Should you wish to make a Subject Access Request please click on the link below for each of the organisations forming the NCA:
Your right to rectification
You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to data portability
You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
If you make a request, we have one month to respond to you.
The NHS Constitution also details additional rights you have. You can also find out more about how patient information is used at the HRA website (which covers health and care research) and the understanding patient data website (which covers how and why patient information is used, the safeguards and how decisions are made).
The Freedom of Information Act (FOI) 2000 allows you to access information held by any public body. Using the Act you can request information from the NCA and you are entitled to be told whether the Trusts have it and, if so, to be supplied with the information, in accordance with certain conditions and subject to exemptions.
Should you wish to make a Freedom of Information Request please click on the link below:
How to contact us
If you have any concerns about our use of your personal information, you can contact us or make a complaint either by email or post as indicated below.
Patient Advice and Liaison Service (PALS)
The Northern Care Alliance Data Protection Officer
Salford Royal Foundation NHS Trust
You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk