Privacy notice

NCIC NHS Foundation Trust

Trust HQ
Pillars Building
Cumberland Infirmary
Infirmary Street
Carlisle
CA2 7HY

Call us on 01228 608398 or 01228 608399

Head of Information Governance and Data Protection Officer
NCIC NHS Foundation Trust
Maglona House
Unit 68
Kingstown Broadway
Carlisle
CA3 0HA

Call us on 01228 603961

Email us at information.governance@ncic.nhs.uk or DPO@ncic.nhs.uk

Your health and care records

When you use our services, we keep information about you and the care you receive, in a health and care record.

We do this so the people looking after you can make the best decisions about your care. You can request access your health records at any time. Find out how to access your health records.

We are bound by a legal duty of confidence to protect your personal data and make sure it’s handled securely. Only people involved in your care can access your records.
 

The information in your records can include things like:

• name, age and address
• health conditions
• treatments and medicines
• allergies and past reactions to medications
• tests, scans and x-ray results
• hospital admission and discharge information
• contacts we’ve had with you e.g. clinic visits or therapy appointments
• notes and reports about treatment or care we’ve provided
   

Your information might also be used to help us:

• improve the quality and standards of the care we provide
• research the development of new treatments
• prevent illness and diseases
• monitor safety
• plan services
• Friends and Family survey

Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so you cannot be identified.
 

Information we collect on this website

While using this website, you might be asked to submit personal information about yourself (e.g. your name and email address) to use or receive services like our contact form or newsletter.

By entering your details you are giving us your permission to provide you with the services you select. Any information you provide to the Trust will only be used by us, our agents and service providers and will not be disclosed unless we are obliged or permitted to by law.

If you contact us by email or post, we may keep a record of that correspondence.

We may also ask you to complete surveys that we use for research purposes. If you volunteer to complete a questionnaire, you’ll be transferred to a third party site within the UK. The information you provide will be used to inform decisions on the future delivery of services. It will not be possible to identify you from the answers you give.

If you post or send offensive, inappropriate or objectionable content or engage in any disruptive behaviour on this site, we may use your information to stop such behaviour.

We’ll hold your personal information on our systems for as long as you use the service you requested. We’ll remove your information once the purpose for collecting it has been met or when you unsubscribe from our services.
 

Security

This site has security measures in place to protect the loss and alteration of information under our control. However, no internet-based site can be 100% secure and so we cannot be held responsible for unauthorised or unintended access that is beyond our control.
 

Use of cookies

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device (e.g. your computer or mobile phone). These include small files known as cookies. They cannot be used to identify you personally. You can find out about the cookies we use here.

You have a choice about how you want your confidential patient information to be used. If you're happy for us to use your information, you do not need to do anything.

If you choose to opt out, your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, visit nhs.uk/your-nhs-data-matters. Here you can:

• find out what is meant by confidential patient information
• find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• find out more about the benefits of sharing data
• understand more about who uses your data
• find out how your data is protected
• access the system to view, set or change your opt-out setting
• find a contact telephone number to find out more or opt-out by phone
• find out in which situations the opt-out does not apply

You can find out more about how patient information is used at:

hra.nhs.uk/information-about-patients

understandingpatientdata.org.uk/what-you-need-know 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies, or used for marketing purposes. Data would only be used in this way with your specific agreement.      

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out, and apply your choice to any confidential patient information they use or share, for purposes beyond your individual care. Our Trust is currently compliant with the national data opt-out policy.

We are required to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing, or administering public funds, or where undertaking a public function in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing sets of data such as the payroll records of a body against other records held by the same or another body to see how far they match. The data is usually personal information.

Data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.  

We are a mandatory participant in the Cabinet Office’s National Fraud Initiative; a data matching exercise to assist in the prevention and detection of fraud. We're required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed here on the gov.uk website.

For more information about how we process staff information, please refer to our privacy notice for staff (PDF). 

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the UK GDPR (General Data Protection Regulation). 

Data matching by the Cabinet Office is subject to a code of data matching practice, also available on the www.gov.uk website. The Cabinet Office has published its National Fraud Initiative privacy notice, which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the General Data Protection Regulation (UK GDPR).   

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. 

We want you to know that we take privacy very seriously. Please be assured that we will always manage your data securely and responsibly. For more information on data matching at this organisation, please contact the Counter Fraud team on 0191 441 5936 or email counterfraud@audit-one.co.uk.

When further changes occur, we will revise the last updated date as documented in the version control section of this page. 

This is a broad description of the way we process personal information. To understand how your own information is processed, you may need to refer to any communications you've received from us, or you can contact our Data Protection Officer.
 

Direct care and administration purposes

Direct care means the care delivered to you as a patient, either in your home or on Trust premises e.g. a hospital or clinic. Direct care usually results from a referral from your GP or self-referral into one of our services. 

When you're referred to us, we'll share your relevant information with other healthcare workers such as specialists, doctors, nurses, therapists and technicians etc. The information we share allows our healthcare workers to give you the most appropriate advice, investigations, treatment, therapies and care.    

As part of our administration purposes, we process information about:

• patients
• suppliers
• employees
• complainants, enquirers
• survey respondents (e.g. Friends and Family test )
• professional experts and consultants
• individuals captured by CCTV images
   

Commissioning, planning and research purposes

Most national and local flows of personal data in support of commissioning and planning are established as collections by NHS Digital. Where the collection or provision of data is a legal requirement, we need to oblige.  

Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.
 

Safeguarding

Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. 
 

Serious incident management

We work with provider and commissioning organisations to ensure effective governance and to learn from serious incidents. The Francis Report (February 2013) emphasised that providers had a responsibility to ensure the quality of health services provided.
 

Analysis – risk stratification

Risk stratification is a process of applying computer based algorithms, or calculations to identify patients who are most at risk from certain medical conditions, and who would benefit from clinical care to help prevent or better treat their condition.

To identify these patients individually from the patient community would be a time consuming process. If we did not identify these individuals quickly it would increase the time we'd take to improve their care.  
 

Trust membership

As a Foundation Trust, NCIC has a statutory requirement to process membership data in its official authority as a public body. Membership data has to be processed in order to maintain a membership, run annual elections and make sure the membership is representative of the communities we serve.

The purpose of our membership application form is to gather the personal data required to sign up and become a member of North Cumbria Integrated Care NHS Foundation Trust.

These details may then be used to communicate with members about general membership matters. Special category data is also collected for certain constituency groups to ensure we have a membership that is representative of the community we serve.

We also collect demographic data based on member's postcodes to enable us to report the makeup of our membership to NHS Improvement when required.
 

Members of Parliament

NCIC handles queries from MPs in relation to Information Commissioner Guidance. When carrying out constituency work, MPs have a responsibility to make sure any personal identifiable information they receive about their constituents is fair, lawful and handled in a transparent manner (i.e. obtained with your consent).   

We'll advise you if an MP has contacted us on your behalf and give you the opportunity to tell us whether or not you agree to your personal identifiable information being shared.

North Cumbria Integrated Care Sub Contractors

Under separate contractual arrangements the Trust sub contract some of its services to other providers to ensure an efficient service.  Examples include, for the supply of Mental Health Administration and Responsible Clinician function, supported by the NHS England sub-contracting services to allow patients to be seen more quickly.

System testing

The National Data Guardian has acknowledged that there is a need for further guidance about how hospitals and other organisations should develop and test new technologies where that work might require the use of identifiable patient data at some stages.

Where this is required the Trust will carry out a data protection impact assessment along with supplier accreditation checks.

Test data will not be retained for longer than is required to fulfil legal, regulatory or business requirements.  Where test data is retained after testing is complete and still constitutes personal data, it may be provided as part of the response to a subject access request and this must be considered when establishing retention schedules. 

Artificial Intelligence (AI)

Artificial Intelligence is a range of algorithm-based technologies that solve complex tasks by carrying out functions that previously required human thinking. Decisions made using AI are either fully automated, or with a ‘human in the loop’.

NCIC is starting to use AI with some of the Trusts daily admin tasks to allow more focus on clinical care.  Where this is required the Trust will carry out a data protection impact assessment for each process.

We process personal identifiable information (article 6) and also special category of personal data (article 9) including: 

• racial and ethnic origin
• offences and alleged offences
• criminal proceedings, outcomes and sentences
• physical or mental health details
• religious or similar beliefs
• sexual life   

The legal basis for processing your personal data is the delivery of direct care and for administrative purposes. This is supported under Article 6 and 9 conditions of the General Data Protection Reglulation.  

Article 6(1)(e) "necessary for the performance of a task carried out in the public interest or in the exercise of official authority"

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services"

We recognise your rights established under UK case law collectively known as the Common Law Duty of Confidentiality.

The legal basis for processing your personal data for commissioning and planning purposes (including risk stratification) is for compliance with a legal obligation - Article 6(1)(c). 

The legal basis for processing your personal data for disclosure to NHS Digital is for the performance of a task carried out in the public interest or in the exercise of official authority - Article 6(1)(e). 

The legal basis for processing your personal data for direct care purposes is medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems - Article 9(2)(h). 

The legal basis for processing your personal data for research is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority - Article 6(1)(e). And for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects - Article 9(2)(j). 

The legal basis for processing your personal data for foundation trust membership is that it is necessary for compliance with a legal obligation - Article 6(1)(e). And necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

It is also carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent - Article 9(2)(d). 

And necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards - Article 9(2)(g). 

The legal basis for processing your personal data for Members of Parliament, where article 9(3) is satisfied by the elected representatives order, we will process in line with the below principles:

Article 6(1)(e) "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We operate secure disclosure / sharing of information practices, all of which are maintained as a record of our processing activities using the Information Sharing Gateway. Further information is available on request.  

It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA).  

Any transfers will be made in full compliance with all aspects of the data protection legislation. Further information is available on request.

If you’re receiving care from other healthcare professionals or organisations like social services, we may need to share information about you so we can all work together for your benefit.

We only ever use or pass on information about you if there’s a genuine need for it. When we pass on any information, we make sure it’s kept confidential and secure.

Where necessary or required we may consider sharing information with any other types of recipients such as:

• your family, associates and representatives 
• current, past or potential employers
• healthcare social and welfare organisations
• suppliers, service providers, legal representatives
• auditors and audit bodies
• educators and examining bodies
• research organisations
• people making an enquiry or complaint
• financial organisations
• professional advisors and consultants
• business associates
• police forces
• security organisations
• central and local government
• voluntary and charitable organisations

We will not disclose your information to 3rd parties without your permission unless there are exceptional circumstances, e.g. when the health or safety of others is at risk, or where the law requires information to be passed on.

North Cumbria Integrated Care NHS Foundation Trust is a partner in the Great North Care Record (GNCR) which facilitates the sharing of your electronic health record with other hospitals, GPs and local authority for direct care.

Access to the different electronic health record systems is managed through a secure third party, Cerner who control view access of any records held by the different organisations. All access is authorised and audited.

For further information about the Great North Care Record contact them directly:

Telephone: 0344 811 9587

Email: gncarerecord@nhs.net

As an organisation we currently do not undertake any automated decision making, including profiling activities

Your data will be retained in line with the law and national guidance.

https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/

or speak to the Data Protection Officer

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact our Data Protection Officer by emailing DPO@ncic.nhs.uk.

You should be aware that this is a right to raise an objection. That is not the same as having an absolute right to have your wishes granted in every circumstance.

You have the right to ask us for copies of your personal information. You also have the right to ask us to rectify information you think is inaccurate or incomplete. There is no right to have accurate medical records deleted except when ordered by a court of law.  

How to access your health records

Freedom of information (FOI) requests

The Freedom of Information Act (2000) gives you the right to request information held by the Trust.

How to make an FOI request

If you want to make a complaint about the Trust, we'll use your personal information to communicate with you and investigate your compliant. Please note that the complaint will not form part of your healthcare record. 

How to make a complaint

If having read this privacy notice, you have any concerns about how your information is being used, or if you'd like to request this notice be sent to you in a different format, please contact the Data Protection Officer.

If you're not happy with our response and have exhausted all other avenues, you have the right to complain to the Information Commissioner’s Office. You can contact them online or call their helpline on 03031 231113 (local rate) or 01625 545745 (national rate). You can also email casework@ico.org.uk. 

There are national offices for Scotland, Northern Ireland and Wales (visit their website for details). 

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

We continually review and update this privacy notice to reflect any changes to our services and comply with changes to the law.

As we evolve as an integrated care organisation, there may be some significant changes to how we work and the services we deliver. Some examples of how our organisation has changed recently include: 

Building integrated care for happier, healthier communities

The NHS is changing to meet the needs of our community and the increased demands for our services. In January 2019 the NHS published its long term plan which sets out how the NHS will meet the challenges it faces.

We need to join up how we coordinate and deliver health and care to better support people who are now living longer with a number of long term conditions, such as diabetes, heart disease and dementia.  

In north Cumbria, health and care providers and commissioners are working in partnership with the third sector and the community to develop an integrated care system. This means that instead of only working within our individual organisations, we are working together to improve outcomes for our local population.
 

Our 6 aims over the next 5 years are:

▶ Support people to live well

We'll make sure everyone can access information and support that will help them stay well at all points in their life.

▶ Access the right care closer to home

We'll create health services around local communities and reduce duplication so we can spend money in the right places.

▶ Make Cumbria a great place to work

We'll provide career opportunities for local people and attract others to come and work in Cumbria. We'll listen to our staff and provide opportunities for them to have a rewarding career. 

▶ Raise standards of care

We'll keep you safe and help you recover well.

▶ Work in partnership with other organisations

By merging our acute and community trusts we'll help our teams work together.

▶ Rebalance investment to support out of hospital care and prevention

We'll reduce duplication so more resource is focussed on caring for you.

DPIAs (also known as Privacy Impact Assessments or PIAs) are a tool that help organisations comply with data protection laws. DPIAs allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which can sometimes occur.

View our DPIA summaries