Privacy notice

This privacy notice explains how Devon Partnership NHS Trust (the trust) collects, uses, retains and discloses your personal information. It is part of our commitment to ensure that we process your personal information or data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (2016) (GDPR) and the Data Protection Act (2018) (DPA).

We are the data controller and our registered address is:

Wonford House
Dryden Road
Exeter
EX2 5AF

What information do we collect about you?

The healthcare professionals caring for you will keep records about your health, treatment and care that you receive. This helps us to make sure you get the best treatment and management of your health care. The records may be written down or held on a computer.

We use digital solutions to record the care and treatment we provide to users of our services. The information you provide will be recorded in a system tailored to each service's needs.

Records held will include both personal information and 'special category' information, which is how the law defines more sensitive information about your healthcare.

We are likely to hold:

  • Your name, address, email address, date of birth, NHS number, next-of-kin contacts and details of your GP
  • Your marital status, occupation, overseas status, place of birth, preferred name or former name
  • Sensitive personal information we may hold includes:
  • Contacts we have had with you, such as clinic visits and appointments
  • Notes, correspondence and reports about your health, treatment and care
  • Details of your medical conditions and diagnoses
  • Results of any tests or investigations
  • Details of care and treatment received and any future care you may need
  • Relevant information from other health or social care professionals and people who care for you and know you well, such as relatives and carers.
  • Other personal information, such as smoking status and any disabilities (including learning disabilities. your religion and ethnic origin)
  • Whether or not you are, or have been, subject to any protection orders for example under the Mental Health Act or Court of Protection or are or have been the subject of any safeguarding procedures
  • Information extracted from the National Care Record Service (NCRS) to support decisions about your care.

How do we use your personal information to support your care?

We use your personal information, held on a single electronic care record, to help plan and guide your care.  This helps to make sure:

  • Your care team can work effectively and have accurate and up-to-date information that they need to assess, advise and improve the quality and type of care you are given.
  • Appropriate information is available if you see another healthcare professional. For example, if you are referred to a specialist or another part of the NHS.
  • We can investigate your concerns if you need to complain.
  • We can remind you about appointments, send information about your care or contact you for another reason.
  • We can support the funding of your care, for example with commissioning organisations.

Other ways in which we may use your information

Your information may also be used to help:

  • Look after the health of the general public and support health research and development
  • Review NHS accounts and services
  • Investigate complaints, legal claims and other incidents and may also help to report any such events when we are required to do so by law
  • Develop and improve services
  • Prepare statistics on NHS performance, meeting the needs of the public, the Department of Health or other regulatory bodies
  • Review the care we provide, making sure it is of the highest standard and quality
  • Teach and train health professionals
  • Review your suitability for research studies or clinical trials, so that we can tell you about opportunities you might be interested in
  • Understanding the diverse needs of people accessing our services
  • Work with other organisations such as universities, community safety units and research institutions.

Your personal information would be made anonymous or be given a pseudonym (a false name) when used for purposes such as service improvement. However, we may not be able to protect your confidentiality if there is a legal reason to identify your information. In these cases we will only use or share the minimum information necessary.

Where appropriate, we will use digital solutions to allow our clinical staff to make decisions on how we support the people who use our services. One of these systems is a management and supervision tool (MaST). This helps our clinical services manage resources and identify individuals who need additional support. The solution does not involve decisions being made automatically about your care. It gives our clinical teams information to help them make informed decisions based on your profile.

Equality monitoring

Under the Equality Act 2010 there are nine protected characteristics that we will ask you about when you are sent an appointment letter. You do not have to answer all the questions and some may not be relevant to you. You can also answer with 'prefer not to say'.

 The reasons we ask you these questions and how they can help:

  • Your answers help us to provide personally tailored care. This is easier when we have a more rounded understanding of someone's background and life. 
  • We want to understand the diverse needs of people accessing our services. Your answers enable us to analyse and identify any inequalities or barriers. We will then use this information in future planning to ensure we provide accessible and inclusive services to everyone in our community.

How we share your data with third parties

We may need to share relevant personal information with other NHS organisations, and non-NHS organisations providing health or social care services, to support your healthcare needs. For example, we may share information with NHS England, general practitioners (GPs), ambulance or transport services, private care homes or social care providers who have a relationship with you. We are required by law to share information with organisations such as the Care Quality Commission for inspection purposes.

Sometimes, the law or a court order may require us to share information. This includes exceptional circumstances where we may have to share information to the police or other authorities, for example:

  • The purposes of prevention, investigation or detection of crime
  • Where there is an overriding public interest
  • To prevent abuse or serious harm to you or to others.

Where there is a cause to do this, we will always do our best to inform you and share only the minimum information needed.

We collaborate with other organisations to support the health and safety of people who use our services and the public. We also support initiatives and studies to better understand healthcare demands in Devon. We only share information if required by law, or if the information is made anonymous. All agreements are subject to checks and appropriate approved by the trust.

We will hold your information in confidence and it will only be used for the purposes explained to you. Any information will be shared and held as securely as possible.  As far as possible, we will make sure that any third party will hold your information in accordance with current legislation and protect your confidentiality.

When we share your information, we will always ensure there is a legal basis for doing so. These vary depending on the processing, but are covered under appropriate legislation such as the Data Protection Act (2018), UK General Data Protection Regulation (GDPR), the common law duty of confidentiality and other applicable laws. For example, we follow these rules when sharing information with your GP through SystmOne, our electronic patient record system. After sharing, the information is processed for the provision of healthcare under UK GDPR.

Please contact dpt.ig@nhs.net for more information on who we share your information with and how, if you would like to know your rights as a data subject, or if you oppose us from sharing your information.  

You can read more information in relation to sharing flu and COVID-19 information on the NHS England website

Devon and Cornwall care record

It is important for clinical services to have access to the right information at the right time to provide safe health care to those who need it. The Devon and Cornwall care record brings together patient information from a number of health and social care providers. It allows staff to see health information held by GP practices, hospitals, care homes and other organisations. We ensure that the information is safe, secure and only accessed on a need to know basis.

Having access to this overall health and medical history improves the patient experience and limits the frustration of having to repeat yourself as you move through the system.

How we protect your personal data

We take all necessary measures to protect your information. Robust data security measures are in place for our services and new initiatives. We will continue to improve and maintain our security to protect your information and for staff to keep up with evolving information standards.

Everyone working for the NHS has a legal duty to keep sensitive information secure and confidential. This extends to any suppliers working with the trust. Before engaging with any supplier, they must demonstrate the same high standard of security expected for our organisation. We only process information in relation to our users within the UK.

We will also from time to time ask you to confirm the information about you is up-to-date.

The information we secure is generated from:

  • Visitors to our website
  • People who receive health and/or social care from the trust
  • People who make a subject access request
  • People who raise a concern or make a complaint 
  • People who want to receive general information and contact from us or make a freedom of information request
  • Job applicants and our current and former employees
  • People who email us or send a letter
  • Charity and membership involvement

Our lawful basis for processing your information

For healthcare purposes:

  • article 6(1)(e), public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law
  • article 9(2)(h), processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services'

There will be times when it would be more appropriate for the organisation to rely on an alternative basis such as 'consent' including 'implied consent' as per the definition in the common law duty of confidentiality.  

Data protection officer

A data protection officer is a senior person responsible for protecting the confidentiality of information we process. They will ensure compliance with privacy legislation at all times, support the application of data processing principles and uphold individual's rights. These rights include:

  • Your right of access - you have the right to ask us for copies of your personal information (known as a subject access request).
  • Your right to rectification - you have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your personal information in certain circumstances
  • Your right to object to processing - you have the right to object to the processing of your personal information in certain circumstances
  • Your right to data portability - you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You can contact the data protection officer at dpt.ig@nhs.net if you have any queries relating to information, and how to exercise your rights.

How long do we keep your personal data?

All our records are maintained and destroyed in accordance with the NHS retention schedule. The schedule sets out the appropriate length of time the type of record is retained for. We do not keep records for any longer than is necessary.

Once the retention period is met or we have decided the record is no longer required, it is confidentially shredded and destroyed.

Is information transferred outside the UK?

All personal and health information we process is within the United Kingdom. We take information security seriously and always takes steps to ensure your information is safe.

How do I complain?

You can make a complaint to our Patient advice and liaison service

If you are then still unhappy with how we have used your data, you can complain to the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113
01625 545 745
+44 1625 545 745 (if calling from overseas)

Privacy notice for the website

Under Data Protection legislation people have the right to be informed about the way in which we use, share and store their personal information.  The purpose of this privacy notice for the website is to tell you what we do with content and information on our website. 

Links to other sites

Links within this site to other websites are not covered by this privacy notice. 

Information collection from the website and use

We do not collect any personal information about you on our website.

The site uses 'cookies' which can be used to collect information about you.

You can find out more about cookies and their use at the Information Commissioner's Office, Wikipedia and AllAboutCookies. You can also see what cookies your browser has 'eaten'.

Feedback

You can send us your feedback, comment on policies, strategies or other issues relating to the Trust by getting in touch. If you send an email or contact us asking for information, we may need to contact other NHS departments or external organisations to find that information. If your question is technical, we may need to pass it to our IT Department.

Log files

Log files allow us to record visitors' use of the site. They enable us to make changes to the layout of the site and to the information in it, based on the way that visitors move around it.
Log files do not contain any personal information or information about which other sites you have visited. 

What happens when I move to another site?

The Trust's website contains links to other websites, which include those of NHS and government departments and of other organisations. This privacy policy applies only to our site, so you should always be aware when you are moving to another site and read the privacy statement of any site which collects personal information.

Privacy notice for staff

By issuing this privacy notice, we demonstrate our commitment to openness and accountability.

Why have we issued this privacy notice for our staff and volunteers?

By issuing this privacy notice, we demonstrate our commitment to openness and accountability.

We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:

  • Data Protection Act 2018
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • Re-Use of Public Sector Information Regs 2004
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • NHS Care Records Guarantee for England
  • Social Care Records Guarantee for England
  • International information Security Standards
  • Information Security Code of Practice
  • Records Management Code of Practice for Health & Social Care 2016
  • Accessible Information Standards
  • General Data Protection Regulations 2018

How do we collect your information?

Your information could be collected in a number of different ways.

This could be directly from you - in person, over the telephone or on a form you have completed, such as a job application, contractual documentation or timesheet.

Details might also come from an external source such as NHS Jobs, your professional body, current or previous employers, the Disclosure and Barring Service, or government bodies like HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration.

What information do we collect?

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin/emergency contacts
  • Recruitment and employment checks (i.e. professional membership, references, proof of identification and right to work in the UK, etc)
  • Bank account and salary/wages, as well as pension, tax and national insurance details
  • Trade union membership
  • Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
  • Medical information relevant to your employment, including physical health, vaccination, mental health and absence history
  • Information relating to your health and safety at work, and any incidents or accidents
  • Professional registration and qualifications, education and training history
  • Information relating to employee relations (i.e. disciplinary proceedings, grievances and complaints, tribunal claims, etc)

Depending on the position you hold with us, we may also collect information in relation to any current or previous criminal offences. Please refer to our Disclosure & Barring Service Procedure for more details, or contact our HR Department

Why do we collect your information and how is it used?

We will only process your personal data where the processing can be legally justified under UK law. Normally the lawful basis for processing your data will be legal obligation , "contractual purposes", or legitimate interests . These include circumstances where the processing is necessary for the performance of staffs' contracts with us or for compliance with any legal obligations which applies to us as your employer. In any other circumstances we will seek your consent before processing your data.

This includes, but is not limited to:

  • Staff administration (inc. payroll and pensions)
  • Education, training and development
  • Information and database administration
  • Business management and planning
  • Accounting and auditing
  • Criminal prosecution and prevention
  • Health administration and services
  • National fraud initiatives
  • Quality monitoring (such as staff surveys)
  • Used for modelling the future provision of health and social care services within Cornwall.

By signing your contract with the Trust, you acknowledge that you understand and are aware that the Trust will be holding and processing any information about you which you provide to us, or which we may acquire as a result of employment.

How do we keep your information safe and maintain confidentiality?

Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure.

Your information may be stored within electronic or paper records, or a combination of both.

All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.

Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

Every NHS organisation has  senior people responsible for the overall protection, security and confidentiality of information. Within our Trust the details are as follows:

  • Senior Information Risk Owner (SIRO) - Phill Mantay, Chief Executive Officer
  • Caldicott Guardian - Penny Rogers, Deputy Director, Safeguarding and Public Protection
  • Data Protection Officer - Sam Bentley, Information Governance Officer

If you have any queries or concerns you can contact the safer information team.

Do we share your information with anyone else?

To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others. Some of the reasons for this are included under 'Why do we collect your information and how it is used?'

Unless there is a valid reason required or permitted by law, or there are exceptional circumstances (such as a likely risk to the safety of you or others), we will not disclose any information to third parties which can be used to identify you without your consent.

We outsource a limited number of administration and IT support services to external organisations, including payroll and occupational health. These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.

Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud. Where mandatory disclosure is necessary only the minimum amount of information is released.

The Trust is subject to the Freedom of Information Act 2000 which requires information about the Trust to be published and to be provided on request. This may include some personally identifiable information.  This will usually be restricted to your name, role and work contact details.  The Trust will refuse requests for personal identifiable details beyond those stated above wherever possible, within the exemption provided by the Act and the Data Protection Act 2018, but this may not always be possible.  You will be kept informed of any such situation arising.

There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.

For occasions where consent is the lawful basis for processing you have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.

Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules.

How can you get access to the information that we hold about you?

Under the terms of the Data Protection Act 2018 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you. The Trust has established processes for dealing with such requests and if you wish to access your information you should contact the Safer Information team who will facilitate and support you through the process.

You can also request further information or an application form, by one of the following means:

Post:
Safer Information Team
Prentice House
Langdon Hospital
Exeter Road
Dawlish
EX7 ONR

01392 675678
dpt.ig@nhs.net 

How can you contact us with queries or concerns about this privacy notice?

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our safer information team

How long do we retain your records?

All our records are retained in accordance with the IGA Records Management Code of Practice for Health and Social Care 2016, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are appropriately reviewed once their retention period has been met, and the Trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.

How can you make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. Depending on the nature of your complaint, we would recommend contacting your line manager in the first instance.

Alternatively, you can contact our safer information team who will help you to identify the most appropriate procedure to follow based on the specifics of your complaint.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner's Office:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see their website for further advice.

Disclaimer

Devon Partnership NHS Trust (the Trust) makes every effort to keep the information on this website accurate. However, under this disclaimer, any visitor to this website assumes full responsibility for using the information within the site, and you understand and agree that neither the Trust, nor any of its employees, is responsible or liable for any claim, loss or damage resulting from its use.

Advice and mental health conditions/treatments

This website is provided for information only. It is not intended to replace a consultation with an appropriately qualified medical practitioner. We are unable to give a diagnosis, assessment or specific case advice from these pages. 

If you are in mental health crisis please call our on 111. Only dial 999 for something that is life threatening. For more information visit the NHS website or visit Urgent help.

Computer virus protection

We make every effort to check and test material on this website for computer viruses. However, it is recommended that you run an anti-virus program on all material downloaded from the Internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system which may occur whilst using material derived from this website.

Freedom of information

This website complies with The Freedom of Information (FOI) Act 2000 as applied to the NHS and includes details of our Publication Scheme.  This scheme is subject to our copyright policy.

Links from this website

We are not responsible for the content or reliability of external websites. Links should not be taken as an endorsement of any kind. We cannot guarantee that these links will work at all times and we have no control over the availability of linked pages. Please be aware that the Trust is not responsible for the privacy practices of other websites.

Links to this website

You do not have to ask permission to link to pages hosted on this website, the Trust encourages users to establish hypertext links to the site. However, we do not permit our pages to be loaded into frames, pages from this website must load into the user's entire window.  You must not use the NHS logo to link to our site without prior permission.

Copyright policy

Permitted use

The copyright policy covers all material on the Devon Partnership NHS Trust (the Trust) website unless otherwise stated.  All visitors to this website should be aware and agree to the Disclaimer listed opposite.

Different copyright restrictions may apply to individual documents on this website. Unless otherwise stated, the following copyright policy applies to documents found on this website.

All material on this website is copyright of the Trust.  Visitors to the Trust's website are granted permission to access all material. Where any of the Trust's copyright items on this website are being republished or copied to others, the source of the material must be identified and the copyright status acknowledged. The permission to reproduce copyright protected material does not extend to any material on this site which is identified as being the copyright of a third party. Authorisation to reproduce such material must be obtained from the Trust.

Publication scheme

Material available through the Trust's Publication Scheme is subject to the Trust's copyright unless otherwise indicated.  Some materials may be the copyright of the NHS, or other government departments or organizations. For HMSO guidance notes on a range of copyright issues, visit the HMSO website or contact:

HMSO Licensing Division,
St Clements House,
2-16 Colegate,
Norwich,
NR31BQ,
01603 621000
01603 723000

Social media guidelines

Devon Partnership NHS Trust social media

All Devon Partnership NHS Trust social media accounts are managed by the organisation's Communications Team. Our accounts can be found at:

Posts

We generally publish posts during normal office hours.

Posts will include:

  • News and events relevant to people and services in Devon, the South West and wider
  • General information about mental health, learning disability and neurodiversity
  • Awareness of national campaigns
  • Information about working for the Trust, including jobs and staff achievements
  • 'Retweets' or 'likes' of other posts from health and social care agencies, voluntary sector organisations and partners

Mentions of information from other organisations do not necessarily endorse the origin.

Following and tagging

We follow health and social care and voluntary sector organisations along with others. The Trust does not automatically follow people or organisations that follow the Trust - it follows those which are relevant and appropriate to its work. Following other people or organisations does not imply endorsement of any kind on the part of the Trust. We will tag relevant organisations in posts if appropriate.

Availability

The Trust monitors and updates its accounts most weekdays, between 9am and 5pm. No responsibility is accepted for lack of service outside of these hours.

@replies and direct messages

The sites are set up for communication of relevant news to the organisation's staff, stakeholders and the public. People are welcome to leave comments or ask questions via the platforms, and we will respond if we appropriate. Unsuitable comments will be reported.

Please note that we are unable to give medical advice via social media.

Media and press

If you are a member of the media and have a query or concern, please contact the Communications Team on dpn-tr.communications@nhs.net