How the Trust manages your information under the UK General Data Protection Regulation (UK GDPR)
The Christie NHS Foundation Trust is the largest single site cancer centre in Europe treating more than 60,000 patients a year and the first UK centre to be accredited as a comprehensive cancer centre. Based in Manchester, we serve a population of 3.2 million people across Greater Manchester and Cheshire while more than a quarter of our patients are referred to us from across the UK.
There are several ways you can contact us. We are here to listen to your concerns and provide help and assistance: contact us at a time to suit you.
We process information for several different types of individuals:
Our cancer patients treated at our main Withington base and those treated at remote sites (The Christie at sites), those patients we treat at home and those International organisations we support with cancer treatments.
The Christie NHS Foundation Trust is one of many organisations working in the health and care system to deliver and improve care for patients and the wider public. To understand more about the wider use of patient data, including how and why patient information is used, the safeguards and how decisions are made, we recommend you look at the Understanding Patient Data website.
Information we collect about you could be collected on paper and/or electronically.
This includes:
Personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin
Contact we have with you e.g. hospital admissions, outpatient/ clinical appointments and home visits
Notes and reports by health and care professionals about your health
Details and records about our treatment and care
Results of X-rays, scans and tests
Relevant information about people that care for you and know you well
Basic details about accompanying people, such as children, partners, carers, relatives
Whenever you use a health or care service, such as attending an outpatient clinic or using Community services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. Sharing information can also help ensure that the correct information is with the correct clinician to deliver the best care possible for you.
Your information is used to:
Provide you with care and treatment, both now and in the future, ensuring that appropriate information is available to all those who treat you medically and care for you professionally
Ensure your care is safe and effective
Support you in managing your own care, and work with health and care professionals to ensure there is “no decision about you without you”
Support the trialling of new and innovative products and technologies as we strive to continually seek to deliver new and improved cancer treatments
Investigate any complaints or legal claims
As part of proactive auditing to ensure that all access into medical records is for legitimate purposes
Your information in anonymised format can also be used by us and provided to other organisations for purposes beyond your individual care, for instance to help with:
improving the quality and standards of care provided
look after the health of the general public
research into the development of new treatments, where approved by research bodies
preventing illness and diseases
monitoring safety
manage and plan services, this may include audits by external companies
help staff review the care they provide, such as clinical audit
train and educate staff
Processing your information may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law.
To find out how data from your health records can help with research and planning and how to choose if you want to share your data for research and planning, read further details about how your data matters. We will check the register each time data is processed to ensure your latest preferences are respected.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
The Christie NHS Foundation Trust, like almost all NHS organisations, participates in and supports health and social care research. We use personally-identifiable information to conduct research to improve health, care and services. During any research study that you have agreed to take part in, information about you is collected to conduct the study and for analyses. On some occasions information that has already been collected for your normal care is then re-used for research purposes.
Researchers use information to increase our understanding of diseases and to improve treatment. We also use it to develop innovative software or treatments. Before any research is conducted it usually needs approval from an independent ethics committee, who ensure any patient information is used ethically and appropriately.
If you participate in a specific research study, in most cases you are asked to sign a consent form. The consent form, and a participant information sheet, will describe how your data will be handled during the study. Your signed consent form and your personal details will be stored by the research team in a secure location along with the study information.
Occasionally some studies will use your routinely collected information for research without your consent. For researchers to use any patient information without consent, it must either be completely anonymous to anyone outside of your direct care team, or the researcher may need to apply for permission from the Confidentiality Advisory Group (CAG), an independent national body that advises on the use of patient information. This is in line with the UK’s research governance framework.
A list of studies which are approved to use routinely collected information without patient consent is available on the HRA website.
Additionally, routinely collected information in medical records can also be used to support medical research. At The Christie, routinely-collected information is anonymised and added to a secure research database called ukCAT. Our internal research teams use this anonymised data for approved research projects aimed at patient and societal benefit.
Patient information is kept for research in line with the UK Data Protection Act 2018 and the EU General Data Protection Regulations 2016 – Article 9 (h) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. Learn more on our About medical research page.
Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.
At The Christie we have internationally recognised skills in sponsoring, hosting and delivering clinical research studies and trials. We run over 650 studies and trials at any given time. Read more on our Studies and trials page.
At The Christie, we partner and collaborate with health, academic, scientific and industry organisations, which may require us to share your personal data. Details of these organisations can be found on our research collaborations page.
All research involving NHS patients requires approval from the hospital where the research is taking place. This approval is issued by the hospital’s research department, who ensure that all applicable approvals are in place before the research begins.
The Trust collects information about overseas patients to comply with our legal obligations, which is to ensure that the Trust receives payment for any services it may provide and also to undertake processing that will allow us to verify if you are entitled to free NHS care. Our obligations are explained in the Department of Health and Social Care Guidance on implementing the overseas visitor charging regulations.
Whilst the majority of our information is received from you when you come into contact with the Trust, we also receive information from other organisations or individuals, such as when you are referred for treatment or in response to questions relating to your eligibility for free NHS care. We also need enough information to be able to provide you with appropriate healthcare services.
What types of information do we use?
Personal Data – any information relating to an identified or identifiable individual; an identifiable person is one who can be identified directly, or indirectly.
Special Category data – any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union activities, physical or mental health, sexual life or genetic or biometric data.
The Trust may need to process your information in order to:
Establish your identity and your entitlement to free NHS Discount
Ensure the information we hold about you is valid and up to date
Record NHS debtors to the Department of Health and Social Care
Determine your immigration status using Home Office services
Prevent, detect and prosecute fraud and other crime
Provide translation and interpreter services to you
Deal with the safety, security, health and wellbeing of someone associated with you
Respond to an alert or warning where we are legally obliged to act on it
Where it is necessary for discharging our obligations in this area, your personal information may be sent to the Home Office. The information provided may be used and retained by the Home Office for its own purposes, which include enforcing immigration controls overseas, at the ports of entry and within the UK. The Home Office may also share this information with other law enforcement and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime and collection of fines and civil penalties.
The General Data Protection Regulations and the Data Protection Act 2018 allow us to process such data under the following conditions:
Where we process overseas patients’ personal or special category data, we will do so in order to comply with a legal obligation to which the Trust is subject.
There may be occasions when we will be obliged to process overseas patients’ information in order to comply with a court order, coroner’s instruction, to prevent or detect crime or to comply with the law. Where we do this, we will process overseas patients’ personal and/or special category data to comply with a legal obligation to which the Trust is subject.
If we process overseas patients’ information for other purposes that are not described above then we will seek their consent to do so before we process it.
There are many justified reasons The Christie processes personal information:
Direct Care and Administration Purposes
Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on a Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from another NHS hospital. As such there is a need to share relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and or care.
As part of our administration purposes, we process information about:
Our patients
Our patients, carers and next of kin
Suppliers
Employees
Complainants, enquirers
Survey respondents
Those who visit our website
Professional experts and consultants
Our proton beam therapy patients
Proton beam therapy (PBT) has been available abroad for eligible NHS patients since April 2008. In autumn 2018, the proton beam therapy centre at The Christie, providing high-energy proton beam therapy in the UK, was opened. PBT enables a dose of high-energy protons to be precisely targeted at a tumour, reducing the damage to surrounding healthy tissues and vital organs. As this is a specialist treatment, we have a dedicated Privacy Notice to outline to these patients variations in data usage.
Cancer education awareness
The Christie School of Oncology is a world class teaching centre, bringing together professional and pre-registration education, plus continuing professional development activities into one structure. This makes us uniquely able to support health care professionals at all stages of their career.
We deliver world class education to health care professionals at all stages of their career. The School is unique in that it offers education to all members of the healthcare team, throughout their career – from undergraduate education through to specialist training. Where your data is processed through the School, read our Christie education privacy policy for details of how your data is processed.
GatewayC
GatewayC is a dedicated arm of The Christie education provision providing accessible, innovative, and tailored information to support early cancer detection.
It offers free evidence-based materials and learning for GPs, nurses, AHPs, students, and anyone else with an interest in cancer. This service has its own learning platform and with that a dedicated Privacy Notice.
Commissioning, Planning and Research Purposes
Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or for local flows by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.
Safeguarding
Advice and guidance is provided to care providers to ensure that adults’ and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
Serious Incident Management
The Christie NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.
Analysis – Risk Stratification
Risk stratification entails applying computer-based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.
National Fraud Initiative
The Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds or where undertaking a public function in order to prevent and detect fraud. We participate in the Cabinet Office’s National Fraud Initiative – a data matching exercise to assist in the prevention and detection of fraud.
What recent new processing has been approved?
Before any new method of processing your information is undertaken, we complete a data risk assessment. This is to assess that the planned processing is lawful, transparent and in line with best security standards. This could be working with new partners or introducing new systems to support delivery of your care. Details of those recent approved initiatives are detailed on our data protection impact assessments page.
All health and social care providers, including The Christie NHS Foundation Trust, have a statutory duty under section 251B of the Health and Social Care Act 2012 to share patient information for their direct care. This duty is subject to both the common law duty of confidence (See 'Common Law Duty of Confidentiality' below) and applicable data protection legislation, namely the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulations (UK GDPR).
Personal Data
Personal data is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The processing of personal data is covered by Article 6 of the GDPR.
We will process personal identifiable information (Article 6) and also special category of personal data (Article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life). The lawful basis under Article 6 is dependent on the legitimate use we have to process different types of data.
Consent (Article 6(1)(a))
Lawful Basis for Processing
Article 6(1)(a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.
Purpose of Processing
The Trust processes personal data on the basis of consent for services including, but not limited to; medical studies, managing Governance and Members data, research and development. Where consent is the lawful basis for processing your personal data, the processing will be for the purposes of indirect care only. Pertinently it must be stated that the withholding of your consent will not impact on the direct care provided by the Trust.
Your Rights
You have the following rights regarding your personal data which is processed under the lawful basis of your consent:
The right to be informed
The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
The right to object: You have the right to object to the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.
If you would like to engage any of the aforementioned rights, please contact: the-christie.dpo@nhs.net
Contract (Article 6(1)(b))
Lawful Basis for Processing
Article 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Purpose of Processing
The Trust processes personal data on the basis of contractual obligations for services including, but not limited to; background checks, payments, procurement, staff employment and all other processes related to entering and performing contractual obligations. Pertinently it must be stated that where some or all of the personal data requested is withheld, the Trust may be unable to enter into and perform a contract as per its contractual obligations.
Your Rights
You have the following rights regarding your personal data which is processed under the lawful basis of contractual obligations:
The right to be informed
The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
The right to object: You have the right to object to the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.
If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net
Legal Obligation (Article 6(1)(c))
Lawful Basis for Processing
Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
Purpose of Processing
The Trust processes personal data on the basis of legal obligations for services including, but not limited to; legal proceedings, obtaining legal advice, assessment of potential fraud and establishing, exercising or defending legal rights.
Health and Social Care Act 2008 – to carry out clinical audits and to take other quality improvement measures.
Your Rights
You have the following rights regarding your personal data which is processed under the lawful basis of legal obligations:
The right to be informed
The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.
If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net
Vital Interests (Article 6(1)(d))
Lawful Basis for Processing
Article 6(1)(d) ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’.
Purpose of Processing
The Trust processes personal data on the basis of vital interests only when it is deemed necessary to protect life. This basis for processing will only be utilised in situations of life and death, such as emergency health care, whereby you are unable to give consent yourself.
Your Rights
You have the following rights regarding your personal data which is processed under the lawful basis of your vital interests:
The right to be informed
The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.
If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net
Public Task (Article 6(1)(e))
Lawful Basis for Processing
Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
The Article 9 condition for direct care is:
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...' to carry out clinical audits and to take other quality improvement measures.
The Article 9 condition for research is:
Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.
Article 9 (2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’.
Purpose of Processing
The Trust processes personal data on the basis of public task for services including, but not limited to; direct healthcare provision, issue of SMS/Email to data subjects, establishment of sub processors for delivery of elements of direct care, safeguarding, management of serious untoward incidents, National clinical audits, research and statistical analysis and reporting.
Your Rights
You have the following rights regarding your personal data which is processed under the lawful basis of public task:
The right to be informed
The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
The right to object: You have the right to object to the processing of your personal information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.
If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net
We may share information with the following types of organisations:
Your data will be shared with health and care professionals and support staff in the Trust and at hospitals, hospice and treatment centres who contribute to your personal care for your direct care purposes. This will include your GP. Where you wish to receive copies of letters we send to your GP, you should notify the reception or clinic staff who can arrange for this on your behalf.
Where necessary or required we may consider sharing information with any other categories of recipients as follows:
Our patients
Family, associates and representatives of the person whose personal data we are processing
Staff
Current, past or potential employers
Healthcare social and welfare organisations
Suppliers, service providers, legal representatives
Auditors and audit bodies
Educators and examining bodies
Research organisations
People making an enquiry or complaint
Financial organisations
Professional advisors and consultants
Business associates
Police forces
Security organisations
Central and local government
Voluntary and charitable organisations.
Information sharing with other NHS organisations
Your health records are shared with other NHS organisations that provide a service on behalf of The Christie or are involved directly with your health care. In addition, The Christie provides a computerised facility to allow secure access to the NHS staff who care for you in the Manchester and Cheshire regions. This facility allows clinicians (such as your GP, A&E staff, hospital nurses and doctors) to view details of your cancer record to help inform their decisions about you and your care.
The Christie also has access to your health records from other NHS organisations which can be used to help Christie staff make the best decisions about your care. For example, the
If you do not want your Christie record to be made available to other NHS organisations, please write to our Data Protection Office and we will remove this facility.
If you do not want Christie staff to access your health records from other specific NHS organisations, please write to our Data Protection office and we will remove this facility.
Sharing with those we work closely with
Read more about our partnerships and joint ventures. See our directory of services to see what we offer.
Greater Manchester Health and Social Care Partnership
The Christie NHS Foundation Trust is part of the Greater Manchester Health and Social Care Partnership, which was formed to oversee the devolution of health and social care services across Greater Manchester under a Sustainable Transformation Partnership (STPs). For further detail in relation to this, see the GMHSC website.
The Christie Pathology Partnership
The Christie Pathology Partnership (CPP) is a joint venture between SYNLAB and The Christie NHS Foundation Trust in Manchester. SYNLAB in the UK is a trusted expert in clinical laboratory services. Commencing in 2014, the Partnership will run for 10 years and operates out of the existing Christie pathology laboratories, where around 70 staff have transferred from the NHS to the CPP.
Christie private partnership
The Christie Private Care LLP is a joint venture limited liability partnership between The Christie NHS Foundation Trust and HCA (HCA International Limited). The partnership means that a share of the profit from The Christie Private Care is invested back into the NHS for the development of care and future service enhancement, therefore benefiting all patients.
The Christie Private Care board is made up of 3 Christie executive directors and 3 HCA directors. HCA International has operational responsibility for the day to day running of these services.
The Christie Pharmacy Company is a wholly owned subsidiary company of The Christie NHS Foundation Trust (as such this Privacy Notice covers all processing undertaken). The company was formed in December 2017 to provide a high-quality pharmacy service to both inpatients and outpatients of the Trust.
Our services include:
dispensing and supplying medication to inpatients in wards and clinics
supporting The Christie at Home service to ensure patients can receive certain treatments from the comfort of their own home
providing bespoke medication for The Christie at Salford, The Christie at Oldham and other sites
advising patients who want to self-medicate
wholesale supplying medicines and devices to all wards on the Withington site
Manchester Cancer Research Centre
The Manchester Cancer Research Centre (MCRC) is a unique partnership founded in 2006 by The University of Manchester, Cancer Research UK and The Christie NHS Foundation Trust. Since its creation, the MCRC partnership has expanded to encompass cancer research activities across Manchester, driving a consistent, compatible and integrated cancer research strategy with the ultimate aim of creating a future free from the burden of cancer.
Information sharing with other non-NHS organisations
For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services, hospice or private healthcare organisations. We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the Trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if:
We will also share information if the public good outweighs your right to confidentiality. This could include:
it is in the public interest – for example, there is a risk of death or serious harm
there is a legal need to share it – for example, to protect a child under the Children Act 1989
there is a legitimate enquiry from the police for information related to a serious crime
In some circumstances we are legally obliged to share information. This includes:
when required by NHS England to develop national IT and data services
when registering births and deaths
when reporting some infectious diseases
when a court orders us to do so
where a public inquiry requires the information
We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons.
Where processing is likely to result in a high risk to individuals' privacy interests, the Trust will conduct a Data Protection Impact Assessment (DPIA). The aim of a DPIA is to identify and minimise the data protection risks of a project and your confidentiality. Read more about Data Protection Impact Assessments. A copy of the Trust’s DPIAs can be requested from the Data Protection Officer – see contact details below.
Completing a Data Protection Impact Assessment ensures that where we process your data through a 3rd party, such as a supplier of an IT system, the full security checks and data protection assurances are carried out.
It may sometimes be necessary to transfer personal information overseas. Any transfers made will be in full compliance with all aspects of the data protection legislation.
Under the Data Protection legislation, individuals have a right to access information that is held about them by an organisation. If you wish to make a subject access request (accessing your information), requests need to be addressed to the Trust’s Health Records Department and we will aim to respond to your request within one month from receipt of your request. If you require access to your health records you must make a written request. The process for this can be found on our health records page.
Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code. For example we will:
securely dispose of your information through secure confidential waste contracts or by wiping hard drives to legal standards of WEEE destruction.
archive your information: a historically significant service’s record may be archived with the local Archive Service, which is run by the Local Authority.
take another action, through use of new cloud hosted solutions which meet NHS prescriptive standards.
If you have any concerns about our use of your personal information or you wish to request a copy of this Privacy Notice in another format please contact the Data Protection Officer by email at the-christie.dpo@nhs.net.
Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO (Information Commissioner’s Office) – the UK regulatory body which monitors Data Protection compliance.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The Christie NHS Foundation Trust is a ‘Data Controller’ under the UK General Data Protection Regulation. This means we are legally responsible for ensuring that all personal data that we hold and use is held and used in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity.
As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure.
We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.
As a public authority, we are required to have a Data Protection Officer
The role of the Data Protection Officer is:
to inform and advise the Trust Board and employees about their obligations to comply with the UK General Data Protection Regulation and other data protection laws;
to monitor compliance with the UK General Data Protection Regulation and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
to act as the first point of contact for the Information Commissioner’s Office and for individuals whose data is processed.
Our Data Protection Officer is Louise Westcott. She can be contacted:
Via post: The Christie NHS Foundation Trust, Wilmslow Road, Manchester, M20 4BX
Via phone: Tel No 0161 446 3000
We are required to maintain the security of information we process
Information is an asset and like other important business assets it has value to an organisation and needs to be suitably protected. Information security and incident prevention protects information from a wide range of threats to ensure business continuity.
There are 3 essential standards crucial to Information Security which are:
Confidentiality - ensuring that information is accessible to those authorised to have access
Integrity - safeguarding and completeness of information and processing methods
Availability - ensuring that authorised users have access to information and associated assets when required
In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. The Christie has systems, processes and tooling to ensure all personal data we process complies with these 3 principles. This is measured externally through NHS England; details can be found on the Data Security and Protection Toolkit website.
All of our staff receive annual data security awareness training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality and may face disciplinary procedures if they do not do so.
Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
In our use of health and care information, we satisfy the common law duty of confidentiality because:
you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
we have a legal requirement to collect, share and use the data
for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.
Last Updated - This is Version 0.3 of The Christie NHS Foundation Trust UK GDPR Privacy Notice and was published on 21 November 2023.
These details are also available in a Child Friendly format: