Your personal information as a user of our services

What is a privacy notice?

This privacy notice explains how Devon Partnership NHS Trust (the trust) collects, uses, retains and discloses your personal information. It is part of our commitment to ensure that we process your personal information or data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (2016) (GDPR) and the Data Protection Act (2018) (DPA).

We are the data controller and our registered address is:

Wonford House
Dryden Road
Exeter
EX2 5AF

What information do we collect about you?

The healthcare professionals caring for you keep records about your health, treatment and care that you receive. This helps us to make sure you get the best treatment and management of your health care. The records may be written down or held on a computer.

We use digital solutions to record the care and treatment we provide to users of our services. The information you provide will be recorded in a system tailored to each service’s needs.

Records held will include both personal information and 'special category' information, which is how the law defines more sensitive information about your healthcare.

We are likely to hold:

• Your name, address, email address, date of birth, NHS number, next-of-kin contacts and details of your GP
• Your marital status, occupation, overseas status, place of birth, preferred name or former name
• Sensitive personal information we may hold includes:
• Contacts we have had with you, such as clinic visits and appointments
• Notes, correspondence and reports about your health, treatment and care
• Details of your medical conditions and diagnoses
• Results of any tests or investigations
• Details of care and treatment received and any future care you may need
• Relevant information from other health or social care professionals and people who care for you and know you well, such as relatives and carers.
• Other personal information, such as smoking status and any disabilities (including learning disabilities. your religion and ethnic origin)
• Whether or not you are, or have been, subject to any protection orders for example under the Mental Health Act or Court of Protection or are or have been the subject of any safeguarding procedures
• Information extracted from the National Care Record Service (NCRS) to support decisions about your care.

How do we use your personal information to support your care?

We use your personal information, held on a single electronic care record, to help plan and guide your care.  This helps to make sure:

• Your care team can work effectively and have accurate and up-to-date information that they need to assess, advise and improve the quality and type of care you are given.
• Appropriate information is available if you see another healthcare professional. For example, if you are referred to a specialist or another part of the NHS.
• We can investigate your concerns if you need to complain.
• We can remind you about appointments, send information about your care or contact you for another reason.
• We can support the funding of your care, for example with commissioning organisations.

Other ways in which we may use your information

Your information may also be used to help:

• Look after the health of the general public and support health research and development
• Review NHS accounts and services
• Investigate complaints, legal claims and other incidents and may also help to report any such events when we are required to do so by law
• Develop and improve services
• Prepare statistics on NHS performance, meeting the needs of the public, the Department of Health or other regulatory bodies
• Review the care we provide, making sure it is of the highest standard and quality
• Teach and train health professionals
• Review your suitability for research studies or clinical trials, so that we can tell you about opportunities you might be interested in
• Understanding the diverse needs of people accessing our services
• Work with other organisations such as universities, community safety units and research institutions.

Your personal information would be made anonymous or be given a pseudonym (a false name) when used for purposes such as service improvement. However, we may not be able to protect your confidentiality if there is a legal reason to identify your information. In these cases we will only use or share the minimum information necessary.

Where appropriate, we will use digital solutions to allow our clinical staff to make decisions on how we support the people who use our services. One of these systems is a management and supervision tool (MaST). This helps our clinical services manage resources and identify individuals who need additional support. The solution does not involve decisions being made automatically about your care. It gives our clinical teams information to help them make informed decisions based on your profile.

Equality monitoring

Under the Equality Act 2010 there are nine protected characteristics that we will ask you about when you are sent an appointment letter. You do not have to answer all the questions and some may not be relevant to you. You can also answer with ‘prefer not to say’.

 The reasons we ask you these questions and how they can help:

• Your answers help us to provide personally tailored care. This is easier when we have a more rounded understanding of someone’s background and life. 
• We want to understand the diverse needs of people accessing our services. Your answers enable us to analyse and identify any inequalities or barriers. We will then use this information in future planning to ensure we provide accessible and inclusive services to everyone in our community.

How we share your data with third parties

We may need to share relevant personal information with other NHS organisations, and non-NHS organisations providing health or social care services, to support your healthcare needs. For example, we may share information with NHS England, general practitioners (GPs), ambulance or transport services, private care homes or social care providers who have a relationship with you. We are required by law to share information with organisations such as the Care Quality Commission for inspection purposes.

Sometimes, the law or a court order may require us to share information. This includes exceptional circumstances where we may have to share information to the police or other authorities, for example:

• The purposes of prevention, investigation or detection of crime
• Where there is an overriding public interest
• To prevent abuse or serious harm to you or to others.

Where there is a cause to do this, we will always do our best to inform you and share only the minimum information needed.

We collaborate with other organisations to support the health and safety of people who use our services and the public. We also support initiatives and studies to better understand healthcare demands in Devon. We only share information if required by law, or if the information is made anonymous. All agreements are subject to checks and appropriate approved by the trust.

We will hold your information in confidence and it will only be used for the purposes explained to you. Any information will be shared and held as securely as possible.  As far as possible, we will make sure that any third party will hold your information in accordance with current legislation and protect your confidentiality.

When we share your information, we will always ensure there is a legal basis for doing so. These vary depending on the processing, but are covered under appropriate legislation such as the Data Protection Act (2018), UK General Data Protection Regulation (GDPR), the common law duty of confidentiality and other applicable laws. For example, we follow these rules when sharing information with your GP through SystmOne, our electronic patient record system. After sharing, the information is processed for the provision of healthcare under UK GDPR.

Please contact dpt.ig@nhs.net for more information on who we share your information with and how, if you would like to know your rights as a data subject, or if you oppose us from sharing your information.  

You can read more information in relation to sharing flu and COVID-19 information on the NHS England website

Devon and Cornwall care record

It is important for clinical services to have access to the right information at the right time to provide safe health care to those who need it. The Devon and Cornwall care record brings together patient information from a number of health and social care providers. It allows staff to see health information held by GP practices, hospitals, care homes and other organisations. We ensure that the information is safe, secure and only accessed on a need to know basis.

Having access to this overall health and medical history improves the patient experience and limits the frustration of having to repeat yourself as you move through the system.

How we protect your personal data

We take all necessary measures to protect your information. Robust data security measures are in place for our services and new initiatives. We will continue to improve and maintain our security to protect your information and for staff to keep up with evolving information standards.

Everyone working for the NHS has a legal duty to keep sensitive information secure and confidential. This extends to any suppliers working with the trust. Before engaging with any supplier, they must demonstrate the same high standard of security expected for our organisation. We only process information in relation to our users within the UK.

We will also from time to time ask you to confirm the information about you is up-to-date.

The information we secure is generated from:

• Visitors to our website
• People who receive health and/or social care from the trust
• People who make a subject access request
• People who raise a concern or make a complaint 
• People who want to receive general information and contact from us or make a freedom of information request
• Job applicants and our current and former employees
• People who email us or send a letter
• Charity and membership involvement

Our lawful basis for processing your information under data protection regulations

For healthcare purposes:

• article 6(1)(e), public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law
• article 9(2)(h), processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services’

There will be times where it would be more appropriate for the organisation to rely on an alternative basis such as ‘consent’ including ‘implied consent’ as per the definition in the common law duty of confidentiality.  

Data protection officer

A data protection officer is a senior person responsible for protecting the confidentiality of information we process. They will ensure compliance with privacy legislation at all times, support the application of data processing principles and uphold individual’s rights. These rights include:

• Your right of access - you have the right to ask us for copies of your personal information (known as a subject access request).
• Your right to rectification - you have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances
• Your right to restriction of processing - you have the right to ask us to restrict the processing of your personal information in certain circumstances
• Your right to object to processing - you have the right to object to the processing of your personal information in certain circumstances
• Your right to data portability - you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You can contact the data protection officer at dpt.ig@nhs.net if you have any queries relating to information, and how to exercise your rights.

How long do we keep your personal data?

All our records are maintained and destroyed in accordance with the NHS retention schedule. The schedule sets out the appropriate length of time the type of record is retained for. We do not keep records for any longer than is necessary.

Once the retention period is met or we have decided the record is no longer required, it is confidentially shredded and destroyed.

National data opt-out service

The national data opt-out is a service that allows you to choose if you want your confidential patient information being used for research and planning purposes.

You can make your choice online or by phone, email or post. You will need to know your NHS number.

Is information transferred outside the UK?

All personal and health information we process is within the United Kingdom. We take information security seriously and always takes steps to ensure your information is safe.

How do I complain?

You can make a complaint to our Patient advice and liaison service

If you are then still unhappy with how we have used your data, you can complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113
01625 545 745
+44 1625 545 745 (if calling from overseas)