What is a privacy notice?
This privacy notice explains how Devon Partnership NHS Trust (the trust) collects, uses, retains and discloses your personal information. It is part of our commitment to ensure that we process your personal information or data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (2016) (GDPR) and the Data Protection Act (2018) (DPA).
We are the data controller and our registered address is:
Wonford House
Dryden Road
Exeter
EX2 5AF
What information do we collect about you?
The healthcare professionals caring for you keep records about your health, treatment and care that you receive. This helps us to make sure you get the best treatment and management of your health care. The records may be written down or held on a computer.
We use digital solutions to record the care and treatment we provide to users of our services. The information you provide will be recorded in a system tailored to each service’s needs.
Records held will include both personal information and 'special category' information, which is how the law defines more sensitive information about your healthcare.
We are likely to hold:
How do we use your personal information to support your care?
We use your personal information, held on a single electronic care record, to help plan and guide your care. This helps to make sure:
Other ways in which we may use your information
Your information may also be used to help:
Your personal information would be made anonymous or be given a pseudonym (a false name) when used for purposes such as service improvement. However, we may not be able to protect your confidentiality if there is a legal reason to identify your information. In these cases we will only use or share the minimum information necessary.
Where appropriate, we will use digital solutions to allow our clinical staff to make decisions on how we support the people who use our services. One of these systems is a management and supervision tool (MaST). This helps our clinical services manage resources and identify individuals who need additional support. The solution does not involve decisions being made automatically about your care. It gives our clinical teams information to help them make informed decisions based on your profile.
Equality monitoring
Under the Equality Act 2010 there are nine protected characteristics that we will ask you about when you are sent an appointment letter. You do not have to answer all the questions and some may not be relevant to you. You can also answer with ‘prefer not to say’.
The reasons we ask you these questions and how they can help:
How we share your data with third parties
We may need to share relevant personal information with other NHS organisations, and non-NHS organisations providing health or social care services, to support your healthcare needs. For example, we may share information with NHS England, general practitioners (GPs), ambulance or transport services, private care homes or social care providers who have a relationship with you. We are required by law to share information with organisations such as the Care Quality Commission for inspection purposes.
Sometimes, the law or a court order may require us to share information. This includes exceptional circumstances where we may have to share information to the police or other authorities, for example:
Where there is a cause to do this, we will always do our best to inform you and share only the minimum information needed.
We collaborate with other organisations to support the health and safety of people who use our services and the public. We also support initiatives and studies to better understand healthcare demands in Devon. We only share information if required by law, or if the information is made anonymous. All agreements are subject to checks and appropriate approved by the trust.
We will hold your information in confidence and it will only be used for the purposes explained to you. Any information will be shared and held as securely as possible. As far as possible, we will make sure that any third party will hold your information in accordance with current legislation and protect your confidentiality.
When we share your information, we will always ensure there is a legal basis for doing so. These vary depending on the processing, but are covered under appropriate legislation such as the Data Protection Act (2018), UK General Data Protection Regulation (GDPR), the common law duty of confidentiality and other applicable laws. For example, we follow these rules when sharing information with your GP through SystmOne, our electronic patient record system. After sharing, the information is processed for the provision of healthcare under UK GDPR.
Please contact dpt.ig@nhs.net for more information on who we share your information with and how, if you would like to know your rights as a data subject, or if you oppose us from sharing your information.
You can read more information in relation to sharing flu and COVID-19 information on the NHS England website
Devon and Cornwall care record
It is important for clinical services to have access to the right information at the right time to provide safe health care to those who need it. The Devon and Cornwall care record brings together patient information from a number of health and social care providers. It allows staff to see health information held by GP practices, hospitals, care homes and other organisations. We ensure that the information is safe, secure and only accessed on a need to know basis.
Having access to this overall health and medical history improves the patient experience and limits the frustration of having to repeat yourself as you move through the system.
How we protect your personal data
We take all necessary measures to protect your information. Robust data security measures are in place for our services and new initiatives. We will continue to improve and maintain our security to protect your information and for staff to keep up with evolving information standards.
Everyone working for the NHS has a legal duty to keep sensitive information secure and confidential. This extends to any suppliers working with the trust. Before engaging with any supplier, they must demonstrate the same high standard of security expected for our organisation. We only process information in relation to our users within the UK.
We will also from time to time ask you to confirm the information about you is up-to-date.
The information we secure is generated from:
Our lawful basis for processing your information under data protection regulations
For healthcare purposes:
There will be times where it would be more appropriate for the organisation to rely on an alternative basis such as ‘consent’ including ‘implied consent’ as per the definition in the common law duty of confidentiality.
Data protection officer
A data protection officer is a senior person responsible for protecting the confidentiality of information we process. They will ensure compliance with privacy legislation at all times, support the application of data processing principles and uphold individual’s rights. These rights include:
You can contact the data protection officer at dpt.ig@nhs.net if you have any queries relating to information, and how to exercise your rights.
How long do we keep your personal data?
All our records are maintained and destroyed in accordance with the NHS retention schedule. The schedule sets out the appropriate length of time the type of record is retained for. We do not keep records for any longer than is necessary.
Once the retention period is met or we have decided the record is no longer required, it is confidentially shredded and destroyed.
National data opt-out service
The national data opt-out is a service that allows you to choose if you want your confidential patient information being used for research and planning purposes.
You can make your choice online or by phone, email or post. You will need to know your NHS number.
Is information transferred outside the UK?
All personal and health information we process is within the United Kingdom. We take information security seriously and always takes steps to ensure your information is safe.
How do I complain?
You can make a complaint to our Patient advice and liaison service
If you are then still unhappy with how we have used your data, you can complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
01625 545 745
+44 1625 545 745 (if calling from overseas)