COVID-19 Privacy Notice Update
COVID-19 Data Sharing and interim processes - Updated 23 December 2020
This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. This supplements the Trust's main Privacy Notice.
Throughout the COVID-19 pandemic across the Trust our services will be working under alternative agile conditions. This is to safeguard our service users and staff against the virus.
During this period of emergency we may contact you by alternative methods to ensure that our staff can continue to provide a service to you. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. Alternative contact methods include:
- Text message
- Video conferencing; please be aware that by accepting the invitation and entering the consultation you are consenting to this.
- Telephone calls
If you have any concerns with how staff are contacting you, please raise this with the staff members.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.
There are new data sharing requirements that the Trust must comply with to support the national public health review of COVID-19. Information will be shared linked to COVID-19 for the following purposes:
- To ensure that services remain available and accessible
- To monitor trends in the virus
- To understand areas of risk of contracting the virus
- To monitor and manage the response to COVID-19
- To monitor the effectiveness of capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- To support research and planning in relation to Covid-19.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.
All information shared linked to COVID-19 is in line with the Data Protection Act 2018/GDPR as well as Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
Please be mindful that if you do require access to your records or want to enforce any other rights under Data Protection, there may be a delay in providing you with a full response to these requests, as staff are focusing efforts on frontline services to assist with the demand faced by services due to COVID-19.
The NHS Test and Trace service:
- ensures that anyone who develops symptoms of coronavirus (COVID-19) can quickly be tested to find out if they have the virus, and also includes targeted asymptomatic testing of NHS and social care staff and care home residents
- helps trace close recent contacts of anyone who tests positive for coronavirus and, if necessary, notifies them that they must self-isolate at home to help stop the spread of the virus.
NHS Test and Trace is a key part of the country’s ongoing COVID-19 response and is run by Department for Health and Social Care (DHSC). It includes dedicated contact-tracing staff working at national level under the supervision of Public Health England (PHE) and local public health experts who manage more complex cases.
Maintaining records of staff, customers and visitors (and sharing these with NHS Test and Trace where requested) can help to identify people who may have been exposed to the virus.
The Trust is collecting information about visitors and staff to support the NHS Track and Trace process. Where an individual develops symptoms of COVID-19 and identifies that they have been within Trust locations we may need to share information of other individuals that the person may have been in contact with.
Due to this, the Trust will collect information in relation to visitors:
- contact telephone number
- email address
- time of arrival
- time of departure
Staff who visit sites that are not their usual working base or location will also be required to sign the visitors log and provide the following information:
- Job title
- Time of arrival
- Time of departure
This information will be collected on site at the point of entry within each Trust location. It will be secured daily and held for 21 days; following which the information will be destroyed.
In relation to staff information, if it is confirmed that you contracted COVID-19 from a work-related exposure, the Trust is obliged to report this to the Health and Safety Executive.
The Trust's legal basis for sharing the data with DHSC, and for DHSC’s processing of your personal data is:
- GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
- GDPR Article 9(2)(h): the processing is necessary for the management of health or social care systems and services
- GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health
- DPA 2018 – Schedule 1, Part 1, s.3: Public Health
- DPA 2018 – Schedule 1, Part 1, (2)(2)(f): Health or social care purposes
If you have any queries around the Trust's use and sharing of data in relation to the Test and Trace service, please contact the Trust's Data Protection Officer.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
NHS England has commissioned NHS Arden and GEM CSU (which is part of NHS England) to implement a National Immunisation Vaccination Service (NIVS). The implementation of this service will deliver a centralised data capture tool for clinical teams delivering the seasonal flu immunisation and is an essential component of NHS England’s response to the COVID-19 pandemic. The Trust will be sharing data for inclusion within the National Immunisation Vaccination System (NIVS) which will be populated with:
- Demographic information from the Electronic Staff Record of current NHS staff to be offered a vaccination. NHS Digital will receive a flow of ESR Data from BSA, trace the data to append the NHS Number. This data set will be forwarded to AGEM as a data feed into a secure database where it will be accessible by the application for pre-populating and validating vaccination events.
- A record of the vaccination decisions undertaken.
- Recorded vaccination decisions and relevant clinical data
Data will be disseminated to NHS Digital as Data Processors on behalf of NHSE.
Data will be shared under the provisions of the COPI notice, issued by the Secretary of State for Health and Social Care, where we are legally required (not just ‘requested’) to provide confidential patient information about staff to support the flu and COVID-19 vaccination programme. The COPI notice specifically states that confidential patient information can be shared in order to support:
“understanding …. about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care”
and can be relied upon for a number of reasons including:
- It is critical that any potential flu epidemic is managed when the NHS is already dealing with the coronavirus pandemic.
- It is important to monitor take-up of the flu vaccine by staff and the potential impact on staff absences.
- Ensuring there is an appropriate interval between administering the flu and COVID-19 vaccinations.
Your COVID Recovery® Programme is a new digital platform designed to support a person’s recovery at home in the short and immediate-term post COVID-19. It has been developed by experts representing a wide range of professional bodies and societies alongside people like you who have experienced COVID. It is planned to be rolled out alongside the programme of long COVID clinics, in which the Physical Health Psychology team will be involved.
It will support you to restore your physical and emotional well-being.
The website will have an ‘ask the healthcare professional’ facility to allow you direct access to local staff who should be able to answer your questions related to your recovery.
The website and information collected via the website are managed by the University Hospitals of Leicester NHS Trust. Further information about the security and use of your information through the Your COVID Recovery® Programme is available via the Your COVID Recovery Website.
How do I get access to ‘Your COVID Recovery’?
- A health care professional will need to refer you to a centre that will assess your needs and support you through this programme.
- Ask your primary care team or hospital team to find out if the programme is offered in your area.
The Trust's Data Protection Officer (DPO) is:
Katie Sparrow, Head of Information Governance and Data Protection
Tel: 0121 612 8017
The Data Protection Officer operates independently on how to deal with data protection matters putting patient rights at the heart of their decision making process. The Data Protection Officer will be the first point of call for individuals, such as patients, whose data is being processed, but will also be the person for staff to turn to relating to any data protection queries.
Any request for access to health records should be forwarded on to:
Information Governance Team
Greets Green Road
Telephone: 0121 612 8037
Information for Healthcare Purposes
Your doctor and the team of Health Professionals caring for you keep records about your health and any care or treatment you receive from the NHS. These records help to ensure that you receive the best possible care.
They will need to keep records, which may be written or held on computer, about your health and the care and treatment that you are receiving from them.
Information about our Foundation Trust Members
Being a Foundation Trust means we have a statutory duty to ensure that our membership is representative of the organisation and the areas it serves. We are also accountable to our members to ensure we are developing services that meet local needs. This means all our members are free to have their say on the way our services are shaped and delivered.
For full details on the data we collect and hold in relation to our Foundation Trust Members please see our Membership Privacy Notice.
Information for Employment Purposes (Staff information)
We need to obtain information about you without which we would be unable to employ you. Your information enables us to meet various administrative and legal obligations for example ensuring you have a right to work within the UK, paying you and for tax purposes.
Information about why we collect specific information will be provided to you via the Trust's recruitment process. The information required will depend on the job role you have applied for and your previous NHS employment.
For full details on the data we collect and hold in relation to employment with the Trust please refer to our Staff Members Privacy Notice.
The records that we keep about you will include:
- Personal details about you, such as name, address, date of birth, next of kin and telephone numbers.
- Sensitive details about you such as ethnicity, gender, what you are doing at the moment and what problems, if any, you may have.
- Any contact that we have had with you previously
- Notes and reports about your health and any treatment you have and may receive.
- Results of investigations and tests.
- Relevant information from people who care for you and know you well such as other health professionals and relatives.
It is essential that we have your correct details to ensure the appropriate care and treatment is provided to you. If your details change, please inform us as soon as possible.
We will collect your information from a variety of sources, however most of the information which we hold will be directly from you. We will collect information in different ways such as:
- Face to face:
Most of the information we hold about you will be collected from you at the time you engage with the service. Any data provided will be used for the reasons listed in this notice and only relevant data will be requested and recorded.
- Telephone calls:
The information you disclose over a telephone call may be recorded by the Trust either to support your care or as a record of the conversation. Ordinarily we will inform you if we record or monitor any telephone calls you make to the Trust. This is to increase your security, for our record keeping of the phone call and for training and quality purposes.
- Email:
If you email us we may keep a record of your contact and your email address for our record keeping.
- Other organisations:
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care.
- Referrals - We may receive referrals or a transfer of your notes to specific specialties as a result of your care being transferred to our organisation. This can be from another Trust, your GP or any health or social care provider initiating a referral.
- Direct access - The Trust and its staff may, on a need to know basis, have access to specific clinical systems from other organisations, such as the summary care record and other Trust clinical systems, in order to access information about you that is relevant to your care delivery. All systems are auditable and access is on a need to know basis.
Our staff will use this information to enable them to assess your health and to decide what care and treatment you will need. To maintain the accuracy of this information it will be regularly updated and kept securely.
Your information can also be used for statistical purposes; in these cases we take strict confidentiality measures to ensure that the information is anonymous so individual patients cannot be identified.
Patient records can also be used within audit and for teaching purposes; in these cases we use anonymous information when possible.
In working together for your benefit we may need to share some information with others involved in your care.
If you are involved in a research project or your information is used for non-medical purposes, you will be asked for consent before your information is used.
We will only ever use or pass on information about you to others involved in your care where we have consent to do so. However, there may be occasions where we have a statutory obligation to do so by law.
Yes the Trust does share information. We may need to share some information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
You may be receiving care from other people as well as the NHS (e.g. Social Services). In this case we may need to share information about you with them so we can all work together for your benefit. We will only ever pass on this information about you if:
- They have a genuine need for it
- There is a danger of harm to a child or vulnerable adult
- To aid the prevention and detection of serious crime
- There is a court order
- We have your consent
We will not disclose your information to a third party without your consent unless there are exceptional circumstances, such as when the health and safety of others is at risk or if the law requires us to.
We may share information about you with the following organisations in order to support the delivery of your care:
- Department of Health and other NHS bodies
- Clinical Commissioning Groups (CCGs)
- Other providers involved in your care - such as NHS hospitals
- General Practitioners (GPs)
- West Midlands Ambulance Service
- Other Mental health Services Providers
- Social Services
We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with:
- Education services
- Local authorities
- Voluntary sector providers
- Private sector
We may also share your information with others that need to use records about you to carry out the following:
- Check the quality of treatment or advice we have given you
- Protect the health of the general public
- Manage the health service
- Help investigate any concerns or complaints you or your family have about your healthcare
This will be done with protocols or agreements in place to govern the sharing of data to ensure it is adequate and relevant to the purpose listed above.
Some information we have to share is used for statistical, research or audit purposes, and in these instances we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.
Anyone who receives information from us also has a legal duty to keep it confidential and secure.
If you do not wish personal data that we hold about you to be used in the way that is described in this notice, please discuss the matter with us. You have the right to object in certain circumstances, such as where you have given consent to the processing or have entered into a contract, but this may affect our ability to provide you with care or advice. Further details about your rights are available within this privacy notice.
The Trust follows destruction and retention periods as set out in the Health and Social Care Record Management Code of Practice.
The Trust’s Record Management Policies and Procedures in relation to retention and destruction of information have been produced in line with the Code of Practice and are available via our Publication Scheme.
1. TO BE INFORMED
Individuals should know what information is collected, how it is used, how long it is held for and who it is shared with. This is available within the Trust's Privacy Notices (such as this one). In addition, staff involved in your care will be able to provide further details in relation to the use of your data. Where we need to share information, the staff involved in your care will discuss this with you and will be able to provide clarity in relation to what information will be shared and why.
2. SUBJECT ACCESS
This allows you, or an individual acting on your behalf, to view or have copies of the information which we hold about you. The Data Protection Act 2018 provides a right of access to your information; however the Trust is entitled to withhold information considered to be detrimental to the physical or mental health of the patient or other person, or if the information contains information given by a third party.
3. TO RECTIFICATION
Right to have information corrected if inaccurate.
You can ask for corrections to be made to your records and you are entitled to a copy of the correction, or, if the record is not corrected, the record holder’s note of the request and any discussion.
4. TO ERASURE
Known as ‘Right to be forgotten’.
You can ask for your information to be deleted/erased; however, there are limitations to this. For example, where the information we hold about you is for the provision of health, not all information can be erased.
5. RESTRICT PROCESSING
To limit what organisations can do with your information, including who to share it with.
You have the right to limit the way in which we can use your data; this includes who we share data with. Please note that there are limitations to this as we need to ensure that we can meet your Health and Care needs.
6. DATA PORTABILITY
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Please note that there are limitations in relation to this right across the NHS.
7. TO OBJECT
To stop an organisation processing your data.
This includes stopping data sharing. Please be aware that objecting to data usage and/or sharing (including restricting the sharing of data) may make the provision of care or treatment you receive more difficult or unavailable, and we will fully inform you of this. You can also change your mind at any time about your decisions.
8. RIGHTS RELATING TO AUTOMATED DECISION MAKING AND PROFILING
There are provisions on:
- automated individual decision-making: making a decision solely by automated means without any human involvement.
- profiling: automated processing of personal data to evaluate certain things about an individual.
Please be aware that the Trust does not utilise automated decision making and profiling.
If you would like to enforce any of your rights you can discuss this with your clinical team or contact the Information Governance Team (details below). In addition to the above you also have the right to raise any complaints or concerns in relation to the use of your information with the Information Commissioner, who is the UK's supervisory body that oversees the Data Protection Act 2018 and GDPR 2016.
Everyone working for the NHS has a legal duty to keep information about you confidential and secure under the General Data Protection Regulation 2016 / Data Protection Act 2018 and the Caldicott principles. We use the minimum amount of information required to inform the people who need to know to provide you care.
Anyone who receives information from us is also under a legal duty to do the same and our staff all have a confidentiality clause within their contract. Breaking these rules can result in staff members being dismissed.
Yes; the below table provides the Trust's lawful basis for the types of processing that we undertake:
| Type of processing | GDPR Article 6 Condition for personal data | GDPR Article 9 Condition for special categories (sensitive data) | Statutory basis or other relevant conditions |
| --- | --- | --- | --- |
| Lawful basis for direct care and administrative purposes | 6(1)(e) the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. | 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’ | NHS Trusts: National Health Service and Community Care Act 1990 |
| Lawful basis for commissioning and planning purposes | Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data and can require specified organisations to provide it, | 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’ | Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance. |
| Lawful basis for research | 6(1)(f) ‘…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’ | 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject …’ | A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support. |
| Lawful basis for regulatory and public health functions | 6(1)(c) ‘…necessary for compliance with a legal obligation…’ | 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’ | Health Protection (Notification) Regulations 2010; Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008 |
| Lawful basis for safeguarding | 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ | 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’ | Children Acts 1989 and 2004, and the Care Act 2014 |
| Lawful basis for employment purposes | 6(1)(b) ‘For the performance of a contract to which the ‘individual’ is a party’ | 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’ | Safeguarding Vulnerable Groups Act 2006 as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data |
The Better Care fund is a transformation incentive which is designed to bring about the integration of health and social care services, launched nationwide in April 2015.
Working together on this programme are the City of Wolverhampton Council, Wolverhampton Clinical Commissioning Group, The Royal Wolverhampton NHS Trust, Black Country Healthcare NHS Foundation Trust and GPs, alongside groups and forums with whom we have engaged, and continue to do so.
Data is being used and shared between the above mentioned organisations to assist in the review and redesign of services, as well as directly improving the care you receive. The programme is focusing on the following priorities:
- Reducing emergency admissions to hospital
- Reducing the number of delayed transfers of care from hospital
- Improving the effectiveness of re-ablement
- Reducing the number of people permanently placed in nursing and residential care
- Improving the experience of people using service
- Improving the number of people in Wolverhampton with a diagnosis of dementia.
For more information about this initiative, please see the Better Care Wolverhampton webpages on the Wolverhampton.gov website.
If you do not wish your information to be shared, please email WOLCCG.firstname.lastname@example.org
Black Country Healthcare NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the gov.uk website.
MERIT is one of 50 pilots across the country that are exploring new models of care which will act as the blueprints for the NHS moving forward and the inspiration to the rest of the health and care system.
MERIT comprises our Trust along with Birmingham and Solihull Mental Health NHS Foundation Trust and Coventry and Warwickshire Partnership NHS Trust.
This unique mental health alliance will focus on three priority areas: Every day working in acute services, crisis care and the reduction of risk and recovery culture.
Some of the specific transformations we want to see are:
- Crisis care – exploring ways to map bed management and improving access and the patient experience
- Recovery – helping people to gain and stay in employment, working better with local communities, and developing a way to track quality of life
- Every day services (previously known as Seven Day Working) – exploring the benefits of weekend services, and charting comparisons with best practice in similar organisations
- Equality and diversity – developing a bespoke equality impact assessment to support other work streams and exploring ways to gather improved equality data
- Information technology – scoping options for a shared patient record
- Quality governance – developing a mock inspection tool to develop a consistent standard, which will also support CQC inspections
- Research and innovation – supplying evidence to support work stream priorities
- Workforce – developing baselines for statutory training and wider workforce planning
The Trust is continuing to work with Dudley CCG, Dudley Group of Hospitals NHS Trust, Dudley and Walsall Mental Health Partnership NHS Trust, Dudley Council and Dudley Voluntary Services as part of the aim to develop a new Integrated Community Provider Trust which will integrate GP-led providers across health and social care.
Further information in relation to this is available via the Dudley CCG website.