Service user, visitors and others
Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust ‘the Trust’ (ICO registration number Z9416280), is a body established under statute with functions to provide goods and services for the purposes of the health service in England.
In order to fulfil these functions, the Trust needs to collect and process certain information about you (‘personal data’). This makes the Trust a ‘data controller’ for the information that the Trust collects and processes about you, and makes you the ‘data subject’.
Maintaining the right of confidentiality to all service users is an important commitment for the Trust. The Trust also aims to be open and transparent about how it is handling the public’s personal data and restore their sense of control over their personal data. This Fair Processing Notice (this 'Notice') sets out details of the information that we may collect from you and how we may use that information.
In this Notice we use “we” or “us” or “our” or “the Trust” to refer to the Trust. Please take your time to read this Notice carefully. If you have any questions about this Notice, you can contact us using the 'contacting us' details below.
The personal information we collect depends on your relationship with us. For example, we collect different information for patients and visitors.
For service users, we will hold sensitive or 'special categories of data'. This could be information about your physical and mental health. If you are a visitor, it is unlikely we would hold this level of information.
We keep records on paper, electronic record systems and some medical devices.
If you provide personal information about someone else, you should inform them of this Notice. We will process information in line with this Notice.
The lists below show the types of personal information we are likely to collect and how we use it.
Service users
Personal information
- General information
- Name
- Address
- Contact details
- Date of birth
- Gender
- Next of kin
- Information on appointments
- Identification information
- NHS number
- National Insurance number
- Passport number
- Driving licence number
- Information on your ability to pay for services, if relevant
- Information on any complaint you may make against the Trust or its staff
- Information you provide about your patient experience with us
Sensitive personal information/ special categories of personal data
- Details of your current or former health condition. This includes information about medication, lifestyle and other information that may be relevant. For example:
- Employment history
- Family conditions
- Race and ethnicity
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Information related to criminal convictions. This includes offences and alleged offences, any court sentence or unspent criminal conviction.
- In limited circumstances, we may process other sensitive personal information. This may include details of your political opinions or trade union membership.
- Images of you that are captured, for example, by CCTV.
Others (e.g. carers, family and friends of service users, visitors, contractors, suppliers)
The data we collect will depend on your involvement with the Trust.
Personal information
- General information you provide
- Name
- Address
- Contact details
- Date of birth
- Gender
- Next of kin
- Information about your visits
- Identification information
- NHS number
- National Insurance number
- Passport number
- Driving licence number
- Information on a complaint you may make against the Trust or its staff
- Information you provide about your experience with us
- Images of you that are captured, for example, by CCTV cameras on Trust premises. Images and video from body worn cameras and patient monitoring systems.
Sensitive personal information/ special categories of personal data
- Details of your current or former health condition. This includes information about medication, lifestyle and other information that may be relevant. For example:
- Employment history
- Family conditions
- Race and ethnicity
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Information related to criminal convictions. This includes offences and alleged offences, any court sentence or unspent criminal conviction.
- In limited circumstances, we may process other sensitive personal information where relevant. This may include details of your political opinions or trade union membership.
We collect personal information from many different sources including:
- From you. For example, when you access healthcare services or submit a query to us.
- Telephone calls. Some may be recorded for training and monitoring.
- Images and video from CCTV cameras on Trust sites.
- Images and video from body worn cameras and patient monitoring systems.
- From other healthcare organisations. This could include your GP, other NHS organisations or private healthcare.
- From shared care records such as the Great North Care Record (GNCR).
- Government agencies such as police and councils.
- Public sources such as internet search engines, news articles and social media.
We may use your information for a number of different purposes. We must have a “legal ground” to use your personal information.
Information we process may be sensitive personal information or special categories of personal data. We must have specific, additional "legal ground" to process this.
Generally, we will rely on the following "legal grounds", as appropriate:
- We have a legal or regulatory obligation to use the personal information. For example, our regulators ask us to hold certain records.
- We need to use your personal data to protect your vital interests or those of a third party. This may be to ensure your safety or the safety of others.
- We need to use your information to carry out a task in the public interest or in the exercise of our official authority. For example, to provide healthcare services.
- We need to use your personal information for a medical diagnosis, providing care or managing systems. For example, to provide healthcare services and treatment to you.
- We need to use personal information to establish, exercise or defend our legal rights. This might happen if we're faced with legal proceedings or want to bring legal proceedings ourselves.
- In very limited circumstances, we will rely on your consent to use your personal data. For example, how you would like to receive communications from the Trust. Without it, we may be unable to provide you with appropriate healthcare. We will explain why we need your consent.
Find further details of our "legal grounds" for each processing purpose below:
Providing healthcare and related services
Legal grounds:
- The use is necessary for compliance with a legal obligation for the Trust.
- We need to use the information to protect your vital interests or the vital interests of a third party.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us consent.
Additional legal grounds for sensitive personal information/special categories of personal data:
- We need to use information to protect your vital interest or the vital interests of a third party. Or you or the third party are physically or legally incapable of giving consent.
- We need to use the information for reasons of substantial public interest.
- The use is for the purposes of medicine, medical diagnosis, the provision of care and treatment, or management of services.
- Processing is necessary for reasons of public interest. This could be to ensure standards of quality and safety of healthcare.
- You have given explicit consent.
Great North Care Record
The Trust takes part in the Great North Care Record (GNCR). This allows different organisations across the region to share information.
As a partner of GNCR, we need to request and share your information with other relevant parties who are part of your care.
Full details are available on the GNCR website.
If you have any objection, contact the GNCR helpline on 0344 811 9587. To log and process your objection, we need to collect basic demographic information. In some circumstances, we may have to use your information to comply with our other legal duties.
111 Select Option 2 (Mental Health)
People in the region can contact urgent mental health services by calling NHS 111 and selecting mental health option 2.
We provide this service in the following areas:
- Gateshead
- Newcastle
- North Cumbria
- North Tyneside
- Northumberland
- Sunderland
- South Tyneside
This provides accessible and timely support to anyone experiencing mental health crisis. It is available 24 hours a day, 7 days a week.
Any member of the public can dial 111 and select the mental health option. You can call for yourself or on behalf of someone else with their consent.
A mental health professional will answer and screen your call. They will ask for your details including phone numbers, name, address and GP. They will ask a series of questions to establish the appropriate support you need. We will use these details to create a new Trust Health Record for you or update an existing one.
Calls to services provided by CNTW or other services we commission will remain confidential.
Calls are audio recorded for training and monitoring purposes. In line with national standards, we keep recordings for six years. Details of the call are also added to your Trust Electronic Health Record.
We will inform third parties such as emergency services and local authorities if:
- A caller expresses immediate intent to commit a serious criminal act
- A caller expresses immediate intent to endanger themselves or others
- A child or adult is at risk
Legal grounds:
- Processing is necessary to carry out a task in the public interest or in the exercise of official authority.
- Processing is necessary to protect the vital interests of the data subject or another person.
Additional legal grounds for sensitive personal information / special categories of personal data:
- Processing is necessary to protect the vital interests of the data subject or another natural person where they are incapable of giving consent.
- Processing is necessary for the purposes of medicine and assessing the working capacity of the employee. Also for medical diagnosis, providing treatment or the management of health or social care systems and services.
Administration and management of healthcare services. For example, maintaining records, managing IT systems and receiving professional advice.
Legal grounds:
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us your consent.
Additional legal grounds for sensitive personal information/special categories of personal data:
- The use is necessary for the purposes of medicine, medical diagnosis, providing health or social care or treatment, or the management of health or social care systems and services.
- You have given explicit consent.
- The use is necessary for us to establish, exercise or defend our legal rights.
Service improvement, evaluation and audit. To improve healthcare services and protect and improve public health.
Legal grounds:
- The use is necessary for compliance with a legal obligation.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us your consent.
Additional legal grounds for sensitive personal information / special categories of personal data:
- We need to use the information for reasons of substantial public interest.
- The use is necessary for the purposes of medicine, medical diagnosis, providing health or social care or treatment, or the management of health or social care systems and services.
- The use is necessary for reasons of public interest in the area of public health. For example, to ensure standards of quality and safety in healthcare.
- You have given explicit consent.
Communicating with you and resolving any queries or complaints that you might have. Communicating with any other person that you ask us to update about your care.
Legal grounds:
- The use is necessary for compliance with a legal obligation.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us your consent.
Additional legal grounds for sensitive personal information / special categories of personal data:
- The use is necessary for the purposes of medicine, medical diagnosis, providing health or social care or treatment, or the management of health or social care systems and services.
- The use is necessary for us to establish, exercise or defend our legal rights.
- You have given explicit consent.
Complying with our legal and regulatory requirements
Legal grounds:
- The use is necessary for compliance with a legal obligation.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us your consent.
Additional legal grounds for sensitive personal information/special categories of personal data:
- The use is necessary for us to establish, exercise or defend our legal rights.
- We need to use the information for reasons of substantial public interest.
- You have given explicit consent.
Clinical research and development
We actively promote research to improve quality of services for the future. This means you have the opportunity to take part in research studies. If you'd like to get involved in research, please ask the team providing your treatment. If we use your patient information for research, we remove your name and any data that could identify you. If we need information that would identify you, we ask for your permission first. A member of Trust staff might also contact you about research you might be interested in. If you prefer us not to check your records for eligibility for research, please let us know. This will not affect your care or treatment in any way.
You don't have to take part in research if you don't want to. No identifiable information is ever shared for research without your consent.
Legal grounds:
- The use is necessary for compliance with a legal obligation.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
- You have given us your consent.
Additional legal grounds for sensitive personal information:
- The use is necessary for the purposes of medicine, medical diagnosis, providing health or social care or treatment, or the management of health or social care systems and services.
- We need to use the information for reasons of substantial public interest.
- The use is necessary for public interest in public health. For example, ensuring high standards of quality and safety of healthcare.
- The use is necessary for public interest or scientific research purposes. This must be subject to appropriate safeguards.
- You have given explicit consent.
Safeguarding purposes, for example, to ensure the health and safety of an individual
Legal grounds:
- The use is necessary for compliance with a legal obligation to which the Trust is subject.
- We need to use the information to protect your vital interests or the vital interests of a third party.
- The use is necessary to carry out a task in the public interest or in the exercise of official authority. For example, to provide you or someone else with healthcare services.
Additional legal grounds for sensitive personal information:
- We need to use the information to protect your vital interests, or the vital interests of a third party, and you or the third party are physically or legally incapable of giving consent.
- The use is necessary for the purposes of medicine, medical diagnosis, providing health or social care or treatment, or the management of health or social care systems and services.
- We need to use the information for reasons of substantial public interest.
Preventing and investigating fraud or the prevention and detection of crime. This might include sharing your personal information with third parties. For example, the police or fraud protection agencies like NHS Counter Fraud Authority.
Legal grounds:
- The use is necessary to carry out a task in the public interest or in the exercise of official authority vested in the Trust.
- Necessary for the purposes of legitimate interests.
- You have given us your consent.
Additional legal grounds for sensitive personal information:
- We need to use the information for reasons of substantial public interest.
- You have given explicit consent.
We may share your personal information with others. We engage with third parties who may process your data. We will keep your information confidential and only share it with those listed below. We will only share it for the purposes explained in the above section.
NHS Organisations
We may share your personal information with other NHS organisations, including:
- Other NHS trusts or care providers with whom you have had contact. For example, GPs, NHS ambulance services, Acute Trusts
- Integrated Care Board (ICB)
- NHS England
- NHS primary care agencies
- NHS Counter Fraud Authority
Non-NHS Organisations
We may share your information with non-NHS organisations, such as:
- Other organisations you are receiving healthcare services from
- Our regulators. The Care Quality Commission and Monitor
- Our subsidiary company, NTW Solutions
In 2017, we set up NTW Solutions Limited, a wholly owned subsidiary company. It provides a range of services including Workforce, IT, Estates, Facilities and Catering. NTW Solutions Limited will have access to personal data of Trust employees and service users. The data shared will be in connection with the services provided to the Trust.
- Third-party contractors/ data processors
- The Department of Health
- Schools and education services
- Local authorities and social services
- Fraud detection agencies and others who operate and maintain fraud detection registers
- Trust professional advisors such as accountants and solicitors
- AuditOne
- Voluntary and private sector providers such as Turning Point, Everyturn and Insight Healthcare
- CRIS Network
What marketing or fundraising activities do we carry out?
Your personal information will only be used for the above purposes. It will never be used for marketing or insurance purposes.
What automated decision-making ('profiling') do we carry out in relation to your personal information?
An automated decision is a decision made by computer without any human input. We do not currently carry out 'profiling' of your personal information.
You have a choice about how you want your confidential patient information to be used. You can opt out from the use of your data for research or planning purposes. If you’re happy for us to use your information for these purposes, you do not need to do anything.
If you choose to opt out, we will still use your information to support your care. To find out more or to register your choice to opt out, visit Your NHS Data Matters.
Here you can find:
- What confidential patient information means
- Examples of where confidential patient information is used for individual care
- Examples of when the information is used for purposes beyond individual care
- The benefits of sharing data
- Understand more about who uses your data
- Find out how your data is protected
- Access the system to view, set or change your opt-out setting
- Contact telephone number to find out more or opt-out by phone
- Find out in which situations the opt-out does not apply
Data used or shared for purposes beyond individual care does not include sharing with insurance companies or using for marketing purposes. Data is only used in this way if you have specifically agreed.
We are currently compliant with the national data opt-out policy.
We will only keep your personal information for as long as necessary. The exact time will depend on your relationship with us and the information we hold.
The Trust follows the Records Management Code of Practice.
A hard copy is available on request. This explains where times may vary for different types of health record, such as:
- Children
- People taking part in a clinical trial
- People receiving treatment for a mental disorder in line with the Mental Health Act 1983
- People serving in the Armed Forces
- People serving a prison sentence
If you need more information, contact us using the details below.
We don't currently store or process information outside the UK. This includes third parties acting on our behalf. If this changes, we will ensure your personal information is protected.
Under data protection law, you have certain rights in relation to the personal information we hold about you. This includes the right to know what information we hold about you and how we use it.
You may exercise these rights at any time by contacting us at:
Disclosures Department
St Nicholas Hospital
Jubilee Road
Gosforth
NE3 3XT
Phone: 0191 246 6896
You will need to provide something to help us identify you. For example, a driving licence, passport or utility bill.
You should have access to your information within a month of receipt of a valid request. There will not usually be a charge for handling a request to exercise your rights.
If we do not comply with your request to exercise your rights, we will usually tell you why.
There are some special rules about how these rights apply to health information.
If you make a large number of requests or it's not reasonable for us to comply, we do not have to respond. Or we can charge for responding.
Your rights include:
The right to access information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
We will usually provide your information in writing, unless otherwise requested. If you have made the request electronically, where possible, we will give you the information in the same way.
In some cases, we may not be able to fully comply with your request. For example, if your request involves another person's personal data. Or if disclosure would cause you or a third party serious harm.
You are entitled to the following under data protection law:
- We must usually confirm if we have personal information about you. If we do hold personal information about you, we usually need to explain:
- The purposes for which we use your personal information.
- The type of personal information we hold about you.
- Who your personal information has been or will be shared with. This may include organisations based outside the UK.
- If your personal information leaves the UK, how we protect it.
- Where possible, the length of time we expect to hold your personal information. If that is not possible, how we determine how long we hold your information.
- If the personal data we hold about you was not provided by you, details of the source of the information.
- If we make decisions about you only by computer. If so, details of how we make those decisions and the impact they may have on you.
- Your right to ask us to amend or delete your personal information.
- Your right to ask us to restrict how we use your personal information or to object to its use.
- Your right to complain to the Information Commissioner’s Office.
We also need to provide you with a copy of your personal data.
The right to rectification
We take steps to ensure the information we hold about you is accurate and complete. If you do not believe this is the case, you can ask us to update or amend it.
There are some exceptions to this right. For example, if it's necessary to carry out a task in the public interest or to exercise the Trust's authority. In some circumstances, we may rectify your information by adding what you consider to be incorrect.
The right to erasure (otherwise known as the 'right to be forgotten')
In some circumstances, we must delete your personal information if you ask us to. We do not have to grant all requests to delete personal information. For example, if we need to keep your information in case you make a legal claim against us. Or we may need to keep the information to provide you with effective healthcare services.
The right to restrict processing
You also have the right to restrict processing in certain circumstances. For example, if you think your personal information is inaccurate or you think we no longer need to use it. If you exercise this right, we will stop any further processing. But we may continue to store your personal data.
There are exceptions to this right. For example, if we can show legitimate grounds to continue and if processing is needed to exercise or defend legal claims. This could be for the protection of the rights of another natural or legal person or reasons of public interest.
The right to notification
We have a duty to notify you of specific activities. We also have a duty to inform any third parties if you exercise any of your rights if it is relevant to them.
The right to object to marketing
You can ask us to stop sending you marketing messages at any time, and we must comply with your request. We do not currently send marketing messages.
The right to object to processing
In some circumstances, you have the right to object to our use of your personal information. If you object, we must stop using it in that way. Sometimes we can still continue to use your personal information. For example, if we need to defend a legal claim brought against us.
The right not to be subject to automated decisions (i.e. decisions made about you by computer alone)
You have a right to not be subject to automated decisions that have a legal or other significant effect on you. These are decisions made about you by computer alone.
We do not currently make automated decisions.
The right to withdraw consent
In very limited circumstances, we need your consent to use your personal information. Section three explains where we may rely on your consent in this way.
Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting us using the details below. We will explain the consequences of the withdrawal of consent to you.
The right to complain to the Information Commissioner's Office (ICO)
You can complain to the ICO if you are unhappy with the way we've dealt with a request to exercise any of these rights. You can also make a complaint if you think we have not complied with our legal obligations.
Find more information on the ICO website.
Making a complaint will not affect any other legal rights or remedies that you have.
We may need to update this Notice. For example, if we alter the purposes for legal bases or wish to transfer your information outside the UK.
For further information, you can refer to your clinical team.
You can also contact the Data Protection Officer for the Trust.
Angela Faill
Head of Information Governance and Medico Legal
St Nicholas Hospital
Jubilee Road
Gosforth
NE3 3XT
Email: DPO
We are required to protect the public funds we administer. We may share information with other bodies responsible for auditing or administering public funds. Or we may share information to prevent and detect fraud.
The Cabinet Office carries out data matching exercises. Data matching compares sets of data, such as payroll records, to see how far they match. The data is usually personal information. The data identifies potentially fraudulent claims and payments. A match may show inconsistencies which require further investigation. An investigation will show if it is fraud, error or another explanation.
We are a mandatory participant in the Cabinet Office's National Fraud Initiative. This is a data matching exercise which assists in preventing and detecting fraud. We have to provide sets of data to the Minister for the Cabinet Office for matching each exercise. More details are available on the Government website.
The legal basis for processing personal data in a data matching exercise is statutory authority. This is under the powers in Part 6 of the Local Audit and Accountability Act 2014. This doesn't require the consent of the individuals concerned under GDPR (General Data Protection Regulation). Data matching by the Cabinet Office is subject to a code of data matching practice.
The Cabinet Office's National Fraud Initiative privacy notice sets out how it uses your personal data and your rights.
The notice is made under Article 14 of the GDPR.
The legal basis for processing your personal data is that processing is necessary for a task carried out in the public interest. Or a task carried out in the exercise of official authority vested in the data controller.
We take privacy very seriously. Please be assured we will always manage your data securely and responsibly.
For further information on data matching, please contact the Counter Fraud team.
Call: 0191 441 5936
Email: counterfraud