Northern Care Alliance NHS Foundation Trust Privacy Notice

Name: Northern Care Alliance NHS Foundation Trust 

Address: Mayo Building, Salford Royal, Stott Lane, Salford, M6 8HD 

General phone number for Salford: 0161 789 7373 

General phone number for Bury, Oldham and Rochdale: 0161 624 0420 

Website: www.northerncarealliance.nhs.uk  

We are the controller for your information. A controller decides on why and how information is used and shared. 

Data Protection Officer contact details 

Our Data Protection Officer is Jym Bates and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at dataprotection.officer@nca.nhs.uk  

Our Caldicott Guardian is Dr Roger Prudham and is responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. You can contact them with queries or concerns relating to the use of your personal data at caldicott.guardian@nca.nhs.uk  

The personal information we collect is provided directly from you for one of the following reasons:   

• you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to run patient satisfaction surveys, to clinically audit our services, or to be used as evidence as part of an investigation into care 

• you have sought funding for continuing health care or personal health budget support 

• you have signed up to our newsletter/patient participation group 

• you have made a complaint 

We also receive personal information about you indirectly from others, in the following scenarios:  

• from other health and care organisations involved in your care so that we can provide you with care 

• from family members or carers to support your care 

• from other organisations involved in your care so that we can provide you with care such as schools and local authorities. 

Personal information 

We currently collect and use the following personal information: 

• personal identifiers (for example, name, date of birth and NHS number) 

• contact information (for example, postal address, email address and telephone number) 

• photographic information (for example, CCTV images) 

• family and carer information (for example, personal identifiers and contact information) 

More sensitive information  

We process the following more sensitive data (including special category data): 

• data concerning physical or mental health (for example, details about your appointments or diagnosis) 

• data revealing racial or ethnic origin 

• data concerning a person’s sex life 

• data concerning a person’s sexual orientation 

• data revealing religious or philosophical beliefs 

• data relating to criminal or suspected criminal offences 

We may share information with the following types of organisations: 

• other health and care providers involved in your care (such as NHS Trusts, GP practices, independent health providers, local authorities, care homes, external laboratories) 

• third party data processors (such as IT systems suppliers) 

• health and care planning services (such as Integrated Care Boards) 

• education providers (such as schools) 

In some circumstances we are legally obliged to share information. This includes: 

• when required by NHS England to develop national IT and data services  

• when registering births and deaths 

• when reporting some infectious diseases 

• when a court orders us to do so 

• where a public inquiry requires the information 

We will also share information if the public good outweighs your right to confidentiality. This could include: 

• where a serious crime has been committed  

• where there are serious risks to the public or staff 

• to protect children or vulnerable adults 

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons. For example, where we are required to create statistics for a public health initiative. 

Personal information 

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is: 

(b) We have a contractual obligation - between a person and a service, such as a service user and privately funded care home. 

(c) We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care. 

(e) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care. 

More sensitive data 

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category): 

(f) We need for a legal claim or the courts require it.  

(g) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care. 

(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care. 

(i) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care. 

Common law duty of confidentiality  

In our use of health and care information, we satisfy the common law duty of confidentiality because:  

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses) 

• we have a legal requirement to collect, share and use the data 

• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

We primarily store data securely within the UK. However, if data is transferred outside of the UK, we will ensure that any transfer is in accordance with UK Data Protection legislation and any identified risk is mitigated. 

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then review on a case by case basis and dispose of the information as recommended by the Records Management Code for example we will:  

• retain any records that fall under the scope of an existing public inquiry. 

• securely dispose of your information by shredding paper records or wiping hard drives to legal standards of destruction. 

• archive your information with the National Archives if it forms part of a historically significant service record. 

Under data protection law, you have rights including: 

Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).  

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.  

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.  

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.  

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances. 

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances. 

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. 

Please contact us using the below details if you wish to make a request. Further information can be found on our website. 

Tel: 0161 206 1130  / 0161 778 5938     Email:  SAR@nca.nhs.uk  

The NHS Constitution also details additional rights you have. You can also find out more about how patient information is used at the HRA website (which covers health and care research) and the understanding patient data website (which covers how and why patient information is used, the safeguards and how decisions are made). 

The Freedom of Information Act (FOI) 2000 allows you to access information held by any public body. Using the Act you can request information from the NCA and you are entitled to be told whether the Trusts have it and, if so, to be supplied with the information, in accordance with certain conditions and subject to exemptions. 

Should you wish to make a Freedom of Information Request please click here for our relevant web page. 

National data opt-out 

• we are applying the national data opt-out because we are using confidential patient information for planning or research purposes 

• in certain cases we are not applying the national data opt-out because although we are using confidential patient information for planning and research, an agreed exemption applies 

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with: 

• improving the quality and standards of care provided 

• research into the development of new treatments 

• preventing illness and diseases 

• monitoring safety 

• planning services 

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law. 

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed. 

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care. 

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. 

You can change your mind about your choice at any time. 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. 

If you have any concerns about our use of your personal information, you can make a complaint to us at: 

Patient Advice and Liaison Service (PALS)  

Email: Office.Complaints@nca.nhs.uk 

The Northern Care Alliance Caldicott Guardian, Dr Roger Prudham 

Email: Caldicott.Guardian@nca.nhs.uk 

The Northern Care Alliance Data Protection Officer 

Email: dataprotection.officer@nca.nhs.uk 

The Northern Care Alliance Senior Information Risk Owner is Lorna Allen 

Northern Care Alliance NHS Foundation Trust 

Mayo Building 

Salford Royal  

Stott Lane  

Salford  

M6 8HD 

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO. 

The ICO’s address is:      

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 

Helpline number: 0303 123 1113 

ICO website: https://www.ico.org.uk