Privacy Notice

How the Trust manages your information under the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) governs the processing of personal data held on computer systems and in all other formats. It restricts how we can use an individual’s data, and consists of six privacy principles that must be applied when processing such data. 

The Christie NHS Foundation Trust is one of Europe's leading cancer centres, treating over 44,000 patients a year. We provide a networked service that serves a population of 3.2 million across Greater Manchester & Cheshire, delivering care as close to the patient's home as possible. As a national specialist centre, around a quarter of our patients are referred to us from other parts of the country.

This notice explains how we use and share your information. Information may be collected on paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.  

The Christie NHS Foundation Trust is a registered Data Controller with the Information Commissioner’s Office (ICO) and our registration number is Z7091213.   

Principle one under the GDPR requires the Trust to ensure that all personal information held is processed lawfully, fairly and transparently. The sections below provide you with information about how we use and manage the information we hold about you, including how we share it within the NHS and with non-NHS organisations, and how we maintain confidentiality.

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the Law.   

For more information, see: http://www.christie.nhs.uk/about-us/about-the-christie/a-profile-of-the-christie/

Click here to read more about our partnerships and joint ventures: http://www.christie.nhs.uk/about-us/our-future/our-partnerships/  

Further detail about our directory of services can be accessed here: http://www.christie.nhs.uk/services/   

The Christie NHS Foundation Trust is part of the Greater Manchester Health and Social Care Partnership, which was formed to oversee the devolution of health and social care services across Greater Manchester under a Sustainable Transformation Partnership (STP). For further detail in relation to this, click here: http://www.gmhsc.org.uk/

Child friendly Privacy notices

How the NHS and Care Services Use Your Information (National Data Opt Out Programme (NDOP))

The Christie NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.   

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment. The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.    

You have a choice about whether you want your confidential patient information to be used in this way. To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes. If you are happy with this use of information you do not need to do anything. You can change your choice at any time.   

When further changes occur, we will revise the last updated date as documented in the Version Control Section of this document.  

Data Controller contact details

The Christie NHS Foundation Trust

Wilmslow Road

Manchester

M20 4BX

Tel No: 0161 446 3000

Data Protection Officer contact details

Data Protection Officer

The Christie NHS Foundation Trust

Wilmslow Road

Manchester

M20 4BX

Tel No: 0161 446 3043

Email: dpo@christie.nhs.uk

Purpose of the processing

The following is a broad description of the way this organisation / data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communication you have received from the Trust or to contact the Data Protection Officer.

Direct Care and Administration Purposes

Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from another NHS hospital. As such there is a need to share relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and/or care.

As part of our administration purposes, we process information about:

• Our patients

• Suppliers

• Employees

• Complainants, enquirers

• Survey respondents

• Professional experts and consultants

• Individuals captured by CCTV images

Commissioning, Planning and Research Purposes

Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or for local flows by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.

Safeguarding

Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Serious Incident Management

The Christie NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.

Analysis – Risk Stratification

Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

Lawful basis for processing

We will process personal identifiable information (article 6) and also special category of personal data (article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life). The lawful basis we use is:

The processing of personal data in the delivery of direct care and for providers’ administrative purposes (i.e. management of serious untoward incidents) in this organisation and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* (see below reference)

Lawful basis processing for commissioning and planning purposes (including risk stratification) is:

Article 6(1) (c) – for compliance with a legal obligation

For disclosure to NHS Digital is:

Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority.

As for direct care purposes the most appropriate Article 9 condition for commissioning purposes is:

Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Lawful basis for research is:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

The Article 9 condition for research is:

Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.

The use of information for research

Some research will require your direct involvement (especially if taking part in clinical trials) in which case the circumstances will be fully explained to you and your express consent will be required. If you do not consent, then you will not be included in the research and/or trial.

Sometimes, researchers need access to individual medical files. Before this can happen, the researchers must present their case before an ethics committee to check that their research is appropriate and worthwhile.

On rare occasions it is impractical to contact individuals for their consent, in which case the researchers must make their case before an ethics committee to show that there is enough benefit to the public at large to justify this.

  • Section 251

Disclosures may be permitted under section 251 of the NHS Act 2006. This allows the Secretary of State for Health to set aside the common law duty of confidentiality in special circumstances. This has to be to improve patient care or in the 'public interest', such as for important medical research.

Applications for approval to use Section 251 powers are considered by the Confidentiality Advisory Group (CAG) who will advise whether there is sufficient justification to access the requested confidential patient information. Examples of this, used in the short term until other measures can be put in place, are risk stratification and invoice validation.

The Trust operates secure disclosure / sharing of information practices all of which are recorded as a record of our processing activities (using the Information Sharing Gateway). Further information is available on request. 

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection legislation. Further information is available on request.

Direct Care 

When you are referred to our services and attend our hospital, clinics, or are seen at home, information about the care you receive is recorded in your health record held electronically and in your paper based patient case note file.  This information is required to make sure that we give you the best possible care and treatment. Information from your health record is used to ensure we provide the best possible care. We consider a “health record” to be information about providing health care which identifies the patient or service user whether they are an adult or a child. 

Your information may be used for any of the following purposes.

Safeguarding 

Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Serious incident management 

The Christie NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.

Analysis – Risk Stratification 

Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

How Your Records Are Used to Help the NHS 

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance. Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities and research institutions.

Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioner’s Anonymisation Code of Practice will be used and further guidance is available here.

For further information on what information held within the Trust is being passed to other organisations and for what purpose please see here.

Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in the Trust and at hospitals and treatment centres who contribute to your personal care for direct care purposes. This will include your GP.

Where necessary or required we may consider sharing information with any other categories of recipients as follows:

• Our patients

• Family, associates and representatives of the person whose personal data we are processing

• Staff

• Current, past or potential employers

• Healthcare social and welfare organisations

• Suppliers, service providers, legal representatives

• Auditors and audit bodies

• Educators and examining bodies

• Research organisations

• People making an enquiry or complaint

• Financial organisations

• Professional advisors and consultants

• Business associates

• Police forces

• Security organisations

• Central and local government

• Voluntary and charitable organisations

Rights to object (Article 21)

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Protection Officer. You should be aware that this is a right to raise an objection; it is not the same as having an absolute right to have your wishes granted in every circumstance.

Right to access (subject access) and correct (rectification) (Article 15 and Article 16)

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

If you wish to make a subject access request (accessing your information), requests need to be addressed to the Trust’s Legal Secretary and we will aim to respond to your request within one month from receipt of your request. If you require access to your health records you must make a written request to:

Legal Secretary

Central Administration Department

The Christie NHS Foundation Trust

Wilmslow Road

Withington

M20 4BX

The Trust can only provide access to information it holds. For example to see the records held by your GP you have to contact your GP practice directly.

The Access to Health Records Act 1990 also allows access, in certain circumstances, to information that we hold on deceased patients.

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For email requests, please send to the Freedom of Information Team here.

Further information about Freedom of Information Requests received by the Trust can be accessed here.

Automated Decision Making, including Profiling

As an organisation we currently do not undertake any automated decision making, including profiling activities.

Right to Complain

If you have a complaint about the Trust we will use your information to communicate with you and investigate any complaint. Please note that the complaint will not form part of your health care record. Please contact here:

Patient Advice & Liaison Service (PALS)

The Christie NHS Foundation Trust

Wilmslow Road

Withington

M20 4BX

Tel: 0161 446 8217 between the hours of 10am - 4pm. (Outside of these hours call 0161 446 3000 and ask staff to bleep the on-call manager)

Email: pals@christie.nhs.uk

Should you have any concerns about how your information is to be used having read this Privacy Notice or you wish to request the notice in another format please contact the Data Protection Officer.

If you are not happy with our response and have exhausted all the avenues, you have the right to complain to the Information Commissioner’s Office via this link or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are also National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Information Commissioner’s Office

Wycliffe House

Water Lane

WILMSLOW

Cheshire

SK9 5AF

Or email: casework@ico.org.uk

General data protection regulation statement

The Christie NHS Foundation Trust is a ‘Data Controller’ under the General Data Protection Regulation. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z7091213 and our registered entry can be found on the Information Commissioner’s website.

All of our staff receive annual data security awareness training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.

As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law. Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.

Version Control

Last Updated - This is Version 0.1 of The Christie NHS Foundation Trust GDPR Privacy Notice and was published on 21.05.18.

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent. In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;

• where disclosure is in the public interest; and

• where there is a legal duty to do so, for example a court order.