Your Patient Information - Privacy Notice

Salisbury NHS Foundation Trust collects information about you when you are referred by your GP for treatment and during your clinical consultation. We also collect information when you voluntarily complete customer surveys, provide feedback and speak to a member of our team.

As a healthcare provider we need to hold information about our patients to help ensure that they receive proper, necessary and effective treatment. We firmly believe that information should be held securely and should only be available on a ‘need to know’ basis. The information includes:

your full name, date of birth and address, phone number, email address
your next of kin contact details
medical test results, symptoms and diagnoses
details of contact we have had with you, such as referrals
details of the services you have received
patient experience feedback and treatment outcome information you provide
notes and reports about your health and any treatment you have received or need, including clinic and operational visits and medicines administered

We want to make sure we give you the best care we can. To help us do that we need keep some information about you. Below is guidance to information collected, held and used by us when you are a Patient.

The information we keep about you:

Your name, address, and date of birth.
When you’ve been to the hospital or doctors for care or treatment.
Names of your family or doctors and nurses who look after you.

We are responsible for:

Making sure the information we have about the care we give you is correct.
Keeping your information safe.
Making sure you can read and understand the information.
Show you the information we have about you if you ask.

We will not share any information about you, unless:

You ask us to
We ask you if we can and you say “yes”.
We need someone else to help care for you.
Someone is in danger, for example to stop someone from being badly hurt.

How we use your information

The people who care for you use your information to:

Help you or your doctors to make decisions about your health.
Make sure your care is safe.
Work well with others to give you the right treatment.

They may also need to use information about you to:

Protect the health of someone else.
Make sure we are giving everyone the best care.
Carry out surveys about how well we are looking after you.
Help look into any concerns or complaints.

Our partner organisations

We may need to share your information with our partners. If we need to, we will ask you if we can and will only share it if you say “yes”.

These organisations include:

Other NHS organisations, such as other hospitals or your doctor’s surgery.
Ambulance services.
Social services.
National healthcare bodies such as NHS England.
Hospital inspectors, known as the Care Quality Commission.
Commissioners, who pay us for providing healthcare services. These are known as ICBs.
Education Services.
Police.

Sharing your information for your care

If other organisations are caring for you, or about to start caring for you, we may need to share your health information with them. We will only do this when this will help you.

Sharing could be to social services or private healthcare organisations.

Where we can, we will try to ask you if it is ok to do this.

There may be times when we need to share this information without asking. This may be because we are not able to ask you or because it needs to be done quickly to help you.

We have trained people who can help you decide how to share your information and only when it is in your best interests.

Your Rights

You can tell us when you do not want your information shared. This could be with your parents, carers or others. If you tell us not to share your information, we will make sure we don’t wherever we can. We will only share your information if the law tells us we have to.

You can ask for a copy of your information on paper or electronically (email). You should ask for your information in writing (email or letter) and include your full name, address, birthday, and the number known as the NHS number.

As well as asking for copies of your information, you can also ask:

Certain people to stop using your information at certain times, this may affect your healthcare or delay treatment.
To stop your information being used for research. If you choose to opt out, ask the Data Protection Officer to help you.
To make sure that the information we hold about you is correct.
How long your information will be kept before it is destroyed.
For details on how we use your information or make a complaint to the Information Commissioner's Office (ICO).

Access Your Record

To access your record, you or a parent/guardian can contact:

Medical Records Manager

Medical Records Department

Salisbury District Hospital
Odstock Road
Odstock
Near Salisbury
Wiltshire
SP2 8BJ

If you think any of your information is not correct or you do not want us to share your information, make sure you let us know.

The Data Protection Officer is available by post at the address above, or by email: sft.information.governance@nhs.net or by telephone: 01722 336262.

You can get the above information in other languages and formats. If you would like a copy, please call 01722 429044 or email sft.pals@nhs.net.

If we hold information about you as a patient you have the right to:

1. Be informed:

Individuals, which include patients and staff, have the right to be informed about the collection and use of their personal data.

2. Right of access

You have the right to find out what information we hold about you as a member of staff or as a patient. This is called a right of access. You exercise this right by asking us for a copy of the information we hold about you.

We are required to supply this information to you within 30 calendar days from the date the Trust received the request.

We are required to supply this information to you within 30 calendar days from the date the Trust received the request. However, the Trust may extend this period if the request is deemed to be excessive or complex. In this instance, the Trust will write to inform you of the extension and revised response date.

How to make a request for copies or access to your information:

Department	Email
Medical Records (This will automatically include x-rays and MRI scans, test results)	shc-tr.Medicalrecords@nhs.net
X-Ray’s and MRI Scans Only	shc-tr.PACSOFFICE@nhs.net
Legal documents and reports	sft.legalservices@nhs.net
Complaints, concerns, and requests for assistance from the Data Protection Officer	sft.information.governance@nhs.net 01722 336262 x 5716 & 5942
Current and Former Employees	sft.peopleops@nhs.net
Occupational Health Services & Counselling	sft.occupationalhealth@nhs.net

3. The right to get your data corrected

You have the right to have any inaccurate personal information about you corrected within 30 calendar days month.

You can make this request verbally and in writing.

In certain circumstances the Trust can refuse the request for rectification. The Trust will inform you of the decision and explain why.

4. Your right to get your personal information deleted

You have the right to ask the Trust to delete any personal information we hold about you in certain circumstances. This is known as the ‘right to be forgotten’.

This right is not absolute and can only apply in certain circumstances.

You don’t have to ask a specific person within the hospital. We do recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your concerns, providing evidence and stating your desired solution.

In certain circumstances the Trust can decline the request for deletion. The Trust will inform you of the decision and explain why.

5. Right to limit how we use your information

You can limit the way the hospital uses your personal data if you are concerned about the accuracy of the data or how it is being used.
In certain circumstances you can make a request for the hospital to limit the use of your personal information. This could include:

Temporarily removing information from a system
Making it unavailable to users, or
Temporarily removing it from a website, if it has been published.

The Trust may refuse a request to limit the use of your information if we believe that your request is unfounded or excessive. We won’t do this without letting you know and if your request is ‘manifestly unfounded’. We may ask for a reasonable fee to cover administration costs.

Where the law demands The Trust will be unable to prevent your data being shared. If this is the case, we will inform you of the legislation which permits this.

6. Right to data portability

You have a right to get your personal information from the hospital in an accessible format, paper, electronic or CSV file.

You can also ask the hospital to transfer your electronic information to another healthcare provider if it is technically feasible.

How long will you need to wait for my data to be transferred?

The hospital has one month to respond to your request. We may need extra time to consider your request and this may take up to two months, but we will let you know.

If an external clinician requires your healthcare information, a synopsis or copy of the record will be released to the responsible clinician to support your ongoing care.

7. Right to object

You have the right to object to the use of your information in some circumstances.

Your request can be verbal or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

At a national level, you can restrict the use of your healthcare data. Please refer to the National Data Guardian Opt-Out information on the Trust website.

8. Rights relating to decisions made about you by a computerised system.

Automated decisions

This is called automated decision making and profiling for example, completing an online aptitude test using a pre-programmed algorithm and or criteria when applying for a job vacancy with the hospital.

You can ask for information to understand the reasons behind the automated decisions. The request can be made verbally or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

Profiling

Profiling means information about you is used to analyse or predict things like:

The risks associated with a medical condition
Computerised analysis of MRI scans to improve a patient’s diagnosis and recovery
performance at work
Your personal financial status
Your health, personal preferences, and interests.

You can object to the collection of profiling information if it includes direct marketing.

It will take the hospital a month to respond to your request, but in certain circumstances, we may need more time which can take up to an extra two months. We will let you know within the 30 days if it might take longer.

Exercising you rights by objecting to your data being shared, processed by automated means, or are requesting your data to be erased, restricted, corrected

If you are exercising your rights under the Data Protection Legislation by asking for your data to be restricted, erased, corrected or updated, or you are objecting to our processing of your data, to automated decision-making or would like a human to review any automated decision-making to which you are subject, these requests will be handled by the Trust Data Protection Officer directly and a response issued within one month. Please write to the contact details given to you when we collected the data, or to the contact details.

Raising a concern

You have a right to be confident that the hospital handles your personal information responsibly and securely.

If you would like to speak to someone, about any concerns you may have please call the Information Governance Office 01722 336262 or the Trust’s Data Protection Officer.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

As a healthcare provider we access your healthcare information to provide direct care in accordance with Articles 6 and 9 of the EU General Data Protection Regulations and Data Protection Act 2018.

The information we hold about you helps us to:

provide a good basis for all health decisions made by you and your healthcare professional
make sure your care is safe and effective
work effectively with others providing you with care

We may also use your information to:

analyse how visitors use our website to improve services;
assess the quality of care we give you
protect the health of the general public
monitor NHS spending
manage health services
help investigate any concerns or complaints you or your family have about your healthcare
report infectious diseases
help with accounts and auditing
secure clinical funding from your GP and the Clinical Commissioning Group
report fraudulent claims for NHS treatment

Specialist Cancer Drug Funding:

The Specialist Cancer Drug Funding procedures require Salisbury NHS Foundation Trust to submit patient information to NHS England and NHS Improvement (NHS E & I) on the prior approval system (currently Blueteq) to obtain funding for specialist drugs.

These procedures have been designed to:

provide patients with faster access to the most promising new cancer treatments
drive stronger value for money for taxpayers in drugs expenditure
offer those pharmaceutical companies that are willing to price their products responsibly, a new fast-track route to NHS funding for the best and most promising drugs via an accelerated NICE appraisal process, and a new CDF managed access scheme.

Who is this information shared with?

Requests for specialist cancer drugs are shared with Public Health England (PHE). This information is collected, used and shared for the purposes of public health with the aim of

making the public healthier and reducing differences between the health of different groups by promoting healthier lifestyles, advising government and supporting action by local government, the NHS and the public
protecting the nation from public health hazards
preparing for, and responding to, public health emergencies
improving the health of the whole population by sharing our information and expertise, and identifying and preparing for future public health challenges
supporting local authorities and the NHS to plan and provide health and social care services such as immunisation and screening programmes, and to develop the public health system and its specialist workforce
researching, collecting and analysing data to improve our understanding of public health challenges, and come up with answers to public health problems.

For more information about Public Health England and the specialist cancer drug funding please visit:

https://www.england.nhs.uk/cancer/cdf/

Opting out of your information being shared with Public Health England

PHE supports patients to opt out from the cancer registration process should they wish. To support this, PHE provides all cancer centres with patient information leaflets on cancer registration. These leaflets should be made readily available to patients. If you would like to request copies of the leaflet, please email NDRengagement@phe.gov.uk or you can find more information, and access the leaflet from the National Disease Registration Service webpage

Opting out of your information being shared with Public Health England

PHE supports patients to opt out from the cancer registration process should they wish. To support this, PHE provides all cancer centres with patient information leaflets on cancer registration. These leaflets should be made readily available to patients. If you would like to request copies of the leaflet, please email NDRengagement@phe.gov.uk or you can find more information, and access the leaflet from the National Disease Registration Service webpage https://www.ndrs.nhs.uk/

The Trust uses approved specialist companies which are accredited to provide any diagnostic tests or services you might need; for example, genetic testing and specialist tests.

We work closely with many organisations in order to provide you with the best possible care. This means that with your consent, and when it is beneficial to your health or in your vital interests, your information will be shared with organisations including:

your GP practice
other hospitals and community organisations providing care services
Clinical commissioning groups responsible for the management of your local NHS budget
specialist companies providing diagnostic and testing services you might need; for example, blood test, X-ray, and ultrasound scans.
Those with parental responsibility for patients, including guardians
Carers without parental responsibility (subject to explicit consent)
Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
Bodies with statutory investigative powers - e.g. the Care Quality Commission, the General Medical Council, the Audit Commission, the Health Service Ombudsman
National generic registries - e.g. the UK Association of Cancer Registries
Organisations processing data on our behalf for the purposes of your care and managing your appointments

Also, where necessary and appropriate, to:

Non-statutory investigators - e.g. Members of Parliament
Government departments other than the Department of Health
Solicitors, the police, the Courts (including a Coroner's Court), and tribunals and enquiries
The media (normally the minimum necessary disclosure subject to explicit consent)Those with parental responsibility for patients, including guardians

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

When there is a Court Order
When there is a statutory power to share patient data
When the patient has given his/her explicit consent to the sharing
When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

Health professionals should share information in the best interests of their patients. This means that where necessary we will also share your health information with other health care providers/professionals involved in your care.

NHS Digital is developing a new system to support the national data opt-out which will give you more control over how your identifiable health and care information is used. The system will offers you and the public the opportunity to make an informed choice about whether you wish your personally identifiable data to be used just for your individual care and treatment or also used for research and planning purposes.

What information does the national data opt-out apply to..?

How do you opt out?

By contacting NHS Choices website or telephone contact center: https://www.nhs.uk/pages/home.aspx

Need more information?

Visit the National Data Opt-out web pages: https://digital.nhs.uk/national-data-opt-out

You can also use the opt-out postal service or phone the helpline to access more information: NHS Digital Contact Centre Tel: 0300 303 5678

GDPR Compliance Statement

Salisbury NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public).
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

As an early adopter of the National Data Guardian Opt Out Programme, the Trust implemented a series of internal policies and procedures in 2019 to ensure patients who have opted out of their data being used for secondary purposes is respected.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation 'is / is not currently' compliant with the national data opt-out policy.

The Trust collects stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.

The processing of employee personal information is necessary for the purpose of employment and social security and social protection law.

The Trust is not required to seek your explicit consent to process your personal information for employment purposes, taxation, fraud, internal and external investigations, and statutory or regulatory reporting purposes requiring identification.

How we use your employee information?

Your personal information is processed for the purposes of:
Staff administration and management (including payroll and performance)
Pensions administration

Business management and planning

Advertising, marketing and public relations
Accounting and auditing accounts and records
Education
Identify fraud
Health and wellbeing
Health administration and services
Information and databank administration
Journalism and media
Licensing and registration
Occupational health management
Property management

Employee information and publicity

Your personal information will not be used for internal and external publications without your explicit written consent.

Sharing of employee information

The Trust will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) and Care Information Services (smartcard) Systems.

There are a number of circumstances where we must or can share information about you to comply or manage with:
Disciplinary/ investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC;

Legislative and/or statutory requirements;
A Court Orders which may have been imposed on us;
NHS Counter Fraud requirements;
Request for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature.

Employee Monitoring

The Trust’s Informatics Department is committed to maintaining the privacy, dignity and confidentiality of service users at all times. We adhere to the principles of data protection legislation, Department of Health and NHS Digital policies, procedures and codes of practice.

The Informatics Department uses your personal information to create and manage IT user accounts, monitor system access and performance.

System generated audit trails are also used to improve internal processes, identify account and system issues, and establish if inappropriate access and/or use of IT equipment/resources have occurred.

Audit trails may also be released to patients requesting details of employees who have accessed their medical record.

Registration Authority Smartcards

If you hold or register for a NHS Registration Authority (RA) Smartcard your personal information including your driving license and passport numbers will be recorded along with a photographic image within the NHS Digital’s Care Identity Service (CIS) System.

All users issued with a Smartcard have the ability to update certain aspects of their record on the CIS database as well as change their pin code and, when necessary, renew their own Smartcard certificates. (Certificates last two years and can be self-renewed within 90 days leading to the expiry date – after this time please contact your local Registration Authority).

All Informatics staff adhere to a strict code of ethics in relation to the confidentiality of all personal and sensitive data.

All personal and sensitive information is treated as sensitive (‘special category’) personal data, in respect of data protection legislation and can be shared by the recipient only, with the individual’s consent and with others who have a legitimate need to know.

Your information may be released without your knowledge or consent in exceptional circumstances dictated in the professional codes of ethical behaviour and statute law i.e. the prevention and detection of a serious crime, fraud, malpractice allegation, court order or the vital interests of yourself or another (life or death).

NHS Mail

The Trust utilises the NHS Mail email system as our main communication system. As a member of staff you are accepting you will work within the NHSmail acceptable use policy v3 September 2018. This occurs when you register for the service. This is your promise to all NHSmail users and the public and patients we serve, that you will be mindful of the importance of the information that they share over NHSmail.

NHS Mail Data Retention and Information Management Policy

Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies. The NHSmail Data Retention and Information Management Policy this defines the scope of data held and details the recovery of data. The process to request this is available in the NHSmail Access to Data Policy on the NHSmail portal help pages.

Our responsibilities for data protection are explained in the Transparency Information document located within the General Data Protection Regulation section of the NHSmail portal help pages.

Sharing of employee information

Limited personal information about you may also be shared with third party organisations in order to permit access to externally located/hosted systems i.e. Lorenzo, and TPP SystmOne (GP system).

Secondary Purposes

The Informatics department will use your personal information to create anonymised, pseudonymised and statistical compliance reports.

External IT Monitoring

NHS Digital now provides national monitoring of all internet activity through NHS devices to local organisations such as hospitals and GP surgeries. This means that all internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital will be able to identify the affected device and user in real time so that alerts can be provided nationally and locally in order to minimise the threat to the NHS, staff and patients.

The SFT process will be that whenever an alert is received Informatics will immediately retrieve the device and commence erasing any data and rebuilding the device, please be aware that any information stored locally on the machine will be removed with immediate effect.

Appropriate action will be taken over any inappropriate or malicious breaches detected in line with the Trust policies and procedures.

NHS COVID-19 Digital Staff Passport Privacy Notice

Version 1 (Salisbury NHS Foundation Trust-adapted) 26/01/2021

Introduction

During the current COVID-19 health emergency, various plans and projects are being implemented to help the NHS meet the unprecedented challenges and provide the best possible care to our patients. One of those challenges is ensuring that our clinical staff members are able to work where they are needed most and where their skills can be best utilised, and to reduce the administrative delays in making this happen. To enable this,staff who volunteer to participate in the scheme will be provided with a digital passport – the COVID-19 Digital Staff Passport – which summarises their clinical attributes, is verified by their current employer, and will allow them to begin working in another NHS location as quickly as possible.

What is a COVID-19 Digital Staff Passport?

If you choose to participate in in the scheme, your COVID-19 Digital Staff Passport will primarily be digital in nature – although a paper version can be produced – and it will contain personal information about you. Your current employer will create the digital passport by collating information about you from their existing records, and uploading it to the COVID-19 Digital Staff Passport system. You will have full control over how your digital passport is used – as it will be accessed via a digital wallet on your smartphone (or held by you in paper form), and you choose when you wish to share it. We highly recommend that you protect your personal device with a password or biometric scan to ensure the security of your information. When you arrive at your ‘new’ NHS location, your ‘new’ employer will ask to see your digital passport and conduct a verification check with your current employer. This will reduce the need for lengthy employment checks or checks with professional regulators, to enable you to start work as soon as possible.

What data will be processed?

Only staff data which is held by your current organisation will be processed via your COVID-19 Digital Staff Passport. The information collated will be the minimum necessary to populate your digital passport and will all be relevant for creating your staff profile at your next organisation. This will include:

Basic personal details about you – name, date of birth, National Insurance number; An ID photo of you;
Basic details relating to your work status – DBS information, right to work information (residency/visa); Your professional registration details (GMC/NMC/GDC/HPC);
Clinical training and qualification details, any other specific clinical skills, and any restrictions on your practice;
Basic details relating to your current employment – employing organisation, job role, staff group, department, start date (and fixed term end date, if appropriate), pay band, work email address, smartcard number; and,
Limited healthcare information specifically relating to your employment – specifically Occupational Health clearance.

What is the purpose of processing my data?

The information processed via your COVID-19 Digital Staff Passport is all information which is currently processed by your existing employer to meet employment requirements, and is needed by your ‘new’ employer for those same purposes. The lawful basis for processing this information by each organisation for your employment purposes is as per the following GDPR articles:

6(1)c – Legal obligation, 6(1)e – Public task;
9(2)b – Employment, social security and social protection, 9(2)h – Health or social care, 9(2)i – Public health

However, user participation in the COVID-19 Digital Staff Passport scheme is entirely voluntary, and as such, the lawful basis for processing information using the Passport system can be found in the following GDPR articles:

6(1)a – Consent;
9(2)a – Consent

Further information regarding the lawful basis for processing can be found on the Information Commissioner’s Office (ICO) website.

Who will control my data?

Your current employer is the Data Controller of the existing records which they hold about you relating to your employment, and will be the Data Controller of the information which is uploaded to the digital passport system to create your COVID-19 Digital Staff Passport. As such, your current employer is the Data Controller of your COVID-19 Digital Staff Passport, and will handle any Information Rights requests relating to the passport, and will be able to give you privacy information relating to staff records. If you wish to contact the Data Protection Officer, please email: sft.information.governance@nhs.net.

The COVID-19 Digital Staff Passport system is hosted by Blackpool Teaching Hospitals NHS Foundation Trust (BTH). Your data will be stored by BTH in the Microsoft Azure cloud. The subscription for the cloud is owned by BTH, making BTH a Data Processor for your data. However, all data stored in the Microsoft Azure cloud is encrypted, and at no point will BTH staff have access to your data. Further information about BTH can be found here: https://www.bfwh.nhs.uk/, and specifically in relation to information security can be found here:

https://www.bfwh.nhs.uk/our-services/information-governance/information-security/

/information-security/. If you wish to contact the Data Protection Officer of BTH, please email: bfwh.dataprotection.officer@nhs.net.

Your ‘new’ employer will become the Data Controller of any records which they create using your COVID-19 Digital Staff Passport to meet their employment requirements. For your ‘new’ employer – the location of privacy information and the contact details for the DPO are dependent on the ‘new’ organisation which you join, but will be available on the relevant organisation’s website.

Further information regarding Data Controllers and Processors can be found on the ICO website.

Will any third parties have access to my data?

Your data will be stored by BTH in the Microsoft Azure cloud but BTH staff will not have access to your personal data.

Evernym and Truu provide components of the technical solution but will not have access to your personal data and will not act as Data Processors.

Sitekit provide secondary technical support for the digital passport system. Sitekit will not routinely have access to your personal data, but there may be occasions where personal data is shared with Sitekit staff during the course of providing technical support. Any personal data obtained in this way by Sitekit will only be used to enable technical support, and will not be used for any other purpose or retained by Sitekit in any way. Sitekit are an approved NHS subcontractor who have been subject to stringent Data Protection Impact Assessments and meet Data Security and Protection standards. For more information about Sitekit, please see here.

Your data will be sent electronically from the Trust ESR system to the Staff Passport system, in order to streamline and safeguard this process we will be required to use a component provided to us by Cloud Gateway. This processing activity is fully encrypted and at no point will they have access to any personal information.

How long will you keep my data?

COVID-19 Digital Staff Passports will only be valid for the duration of the current COVID-19 health emergency. Once this emergency has ended and there is no longer a need for the scheme, all digital passports will be revoked by the creating organisation.

What are my Information Rights?

As a data subject, you are entitled to the following:

The right to access – You have the right to request from the Data Controller copies of your personal data.
The right to rectification – You have the right to request that the Data Controller corrects any information you believe is inaccurate. You also have the right to request the Data Controller to complete the information you believe is incomplete.
The right to erasure – You have the right to request erasure of your personal data, under certain conditions.
The right to restrict processing – You have the right to request restrictions on the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that the Data Controller transfers the data that it has collected to another organisation, or directly to you, under certain conditions.

If you make a request, the Data Controller has one month to respond to you.

Further information regarding your Information Rights can be found on the ICO website.

How do I make an Information Rights request?

Your current employer is the Data Controller of the information which is uploaded to the digital passport system to create your COVID-19 Digital Staff Passport. You should contact your current employer with any Information Rights requests relating to your digital passport – including to rectify details, or to revoke the digital passport. To submit an Information Rights request contact [this placeholder will be updated after registration].

Your ‘new’ employer will become the Data Controller of any records which they create using your COVID-19 Digital Staff Passport to meet their employment requirements. Contact details for submitting an Information Rights request are dependent on the ‘new’ organisation which you join, but will be available on the relevant organisation’s website. Please note, your current employer is required to notify your ‘new’ employer of any changes to the content of the data held in your passport (rectification or erasure), or any changes to your status – especially if this relates to fitness to practice.

Can I object to or complain about the use of my data?

As a data subject, you have the right to object to or complain about how your data is used. If you have reason to believe your data is being processed illegally or inappropriately, then you can contact the Data Protection Officer of the relevant Data Controller organisation. If you are not satisfied with the way the relevant Data Controller has handled your concerns, you can contact the ICO – further details can be found on the ICO website.

NHS COVID-19 Digital Staff Passport Privacy Notice for [this placeholder will be updated after registration]

Version 3, 28th September 2020

Introduction

During the current COVID-19 health emergency, various plans and projects are being implemented to help the NHS meet the unprecedented challenges and provide the best possible care to our patients. One of those challenges is ensuring that our clinical staff members are able to work where they are needed most and where their skills can be best utilised, and to reduce the administrative delays in making this happen. To enable this, staff who volunteer to participate in the scheme will be provided with a digital passport – the COVID-19 Digital Staff Passport – which summarises their clinical attributes, is verified by their current employer, and will allow them to begin working in another NHS location as quickly as possible.

What is a COVID-19 Digital Staff Passport?

If you choose to participate in in the scheme, your COVID-19 Digital Staff Passport will primarily be digital in nature – although a paper version can be produced – and it will contain personal information about you. Your current employer will create the digital passport by collating information about you from their existing records, and uploading it to the COVID-19 Digital Staff Passport system. You will have full control over how your digital passport is used – as it will be accessed via a digital wallet on your smartphone (or held by you in paper form), and you choose when you wish to share it. We highly recommend that you protect your personal device with a password or biometric scan to ensure the security of your information. When you arrive at your ‘new’ NHS location, your ‘new’ employer will ask to see your digital passport and conduct a verification check with your current employer. This will reduce the need for lengthy employment checks or checks with professional regulators, to enable you to start work as soon as possible.

What data will be processed?

Only staff data which is held by your current organisation will be processed via your COVID-19 Digital Staff Passport. The information collated will be the minimum necessary to populate your digital passport and will all be relevant for creating your staff profile at your next organisation. This will include:

Basic personal details about you – name, date of birth, National Insurance number; An ID photo of you;
Basic details relating to your work status – DBS information, right to work information (residency/visa); Your professional registration details (GMC/NMC/GDC/HPC);
Clinical training and qualification details, any other specific clinical skills, and any restrictions on your practice;
Basic details relating to your current employment – employing organisation, job role, staff group, department, start date (and fixed term end date, if appropriate), pay band, work email address, smartcard number; and,
Limited healthcare information specifically relating to your employment – specifically Occupational Health clearance.

What is the purpose of processing my data?

The information processed via your COVID-19 Digital Staff Passport is all information which is currently processed by your existing employer to meet employment requirements, and is needed by your ‘new’ employer for those same purposes. The lawful basis for processing this information by each organisation for your employment purposes is as per the following GDPR articles:

6(1)c – Legal obligation, 6(1)e – Public task;
9(2)b – Employment, social security and social protection, 9(2)h – Health or social care, 9(2)i – Public health

However, user participation in the COVID-19 Digital Staff Passport scheme is entirely voluntary, and as such, the lawful basis for processing information using the Passport system can be found in the following GDPR articles:

6(1)a – Consent;
9(2)a – Consent

Further information regarding the lawful basis for processing can be found on the Information Commissioner’s Office (ICO) website.

Who will control my data?

Your current employer is the Data Controller of the existing records which they hold about you relating to your employment, and will be the Data Controller of the information which is uploaded to the digital passport system to create your COVID-19 Digital Staff Passport. As such, your current employer is the Data Controller of your COVID-19 Digital Staff Passport, and will handle any Information Rights requests relating to the passport, and will be able to give you privacy information relating to staff records. If you wish to contact the Data Protection Officer, please email: sft.information.governance@nhs.net.

The COVID-19 Digital Staff Passport system is hosted by Blackpool Teaching Hospitals NHS Foundation Trust (BTH). Your data will be stored by BTH in the Microsoft Azure cloud. The subscription for the cloud is owned by BTH, making BTH a Data Processor for your data. However, all data stored in the Microsoft Azure cloud is encrypted, and at no point will BTH staff have access to your data. Further information about BTH can be found here, and specifically in relation to information security can be found here. If you wish to contact the Data Protection Officer of BTH, please email: bfwh.dataprotection.officer@nhs.net.

Your ‘new’ employer will become the Data Controller of any records which they create using your COVID-19 Digital Staff Passport to meet their employment requirements. For your ‘new’ employer – the location of privacy information and the contact details for the DPO are dependent on the ‘new’ organisation which you join, but will be available on the relevant organisation’s website.

Further information regarding Data Controllers and Processors can be found on the ICO website.

Will any third parties have access to my data?

Your data will be stored by BTH in the Microsoft Azure cloud but BTH staff will not have access to your personal data.

Evernym and Truu provide components of the technical solution but will not have access to your personal data and will not act as Data Processors.

Sitekit provide secondary technical support for the digital passport system. Sitekit will not routinely have access to your personal data, but there may be occasions where personal data is shared with Sitekit staff during the course of providing technical support. Any personal data obtained in this way by Sitekit will only be used to enable technical support, and will not be used for any other purpose or retained by Sitekit in any way. Sitekit are an approved NHS subcontractor who have been subject to stringent Data Protection Impact Assessments and meet Data Security and Protection standards. For more information about Sitekit, please see here.

Your data will be sent electronically from the Trust ESR system to the Staff Passport system, in order to streamline and safeguard this process we will be required to use a component provided to us by Cloud Gateway. This processing activity is fully encrypted and at no point will they have access to any personal information.

How long will you keep my data?

COVID-19 Digital Staff Passports will only be valid for the duration of the current COVID-19 health emergency. Once this emergency has ended and there is no longer a need for the scheme, all digital passports will be revoked by the creating organisation.

What are my Information Rights?

As a data subject, you are entitled to the following:

The right to access – You have the right to request from the Data Controller copies of your personal data.
The right to rectification – You have the right to request that the Data Controller corrects any information you believe is inaccurate. You also have the right to request the Data Controller to complete the information you believe is incomplete.
The right to erasure – You have the right to request erasure of your personal data, under certain conditions.
The right to restrict processing – You have the right to request restrictions on the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that the Data Controller transfers the data that it has collected to another organisation, or directly to you, under certain conditions.

If you make a request, the Data Controller has one month to respond to you.

Further information regarding your Information Rights can be found on the ICO website.

How do I make an Information Rights request?

Your current employer is the Data Controller of the information which is uploaded to the digital passport system to create your COVID-19 Digital Staff Passport. You should contact your current employer with any Information Rights requests relating to your digital passport – including to rectify details, or to revoke the digital passport. To submit an Information Rights request contact [this placeholder will be updated after registration].

Your ‘new’ employer will become the Data Controller of any records which they create using your COVID-19 Digital Staff Passport to meet their employment requirements. Contact details for submitting an Information Rights request are dependent on the ‘new’ organisation which you join, but will be available on the relevant organisation’s website. Please note, your current employer is required to notify your ‘new’ employer of any changes to the content of the data held in your passport (rectification or erasure), or any changes to your status – especially if this relates to fitness to practice.

Can I object to or complain about the use of my data?

As a data subject, you have the right to object to or complain about how your data is used. If you have reason to believe your data is being processed illegally or inappropriately, then you can contact the Data Protection Officer of the relevant Data Controller organisation. If you are not satisfied with the way the relevant Data Controller has handled your concerns, you can contact the ICO – further details can be found on the ICO website.

Salisbury NHS Foundation Trust has entered into a contract with Quantum Health Solutions (QHS) Limited to provide a Covid 19 vaccination booking system, Covid Track.

This privacy notice confirms that Salisbury and or your organisation has agreed to use QHS is processing your vaccination booking.

This privacy notice explains what personal data QHS collects from NHS staff or third party organisations who participate (“you”,”your”) in the NHS led Covid-19 vaccination appointment booking programme. The contract identifies the Trust is a data controller when processing its own employees data and retains legally responsible for complying with your rights under UK GDPR the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA2018).

If you are a Trust employee who wishes to ask for copies of information held about you please contact the Trusts Data Protection Officer via email sft.Information.Governace@nhs.net.

EXTERNAL EMPLOYEES

If you work for an external organisation or company, other than the Trust your employer remain responsible for providing you with copies of your information. The Trust processes your data as a data processor and therefore, is not responsible for supplying copies of your personal data held in Covid Track directly to you.

WHAT PERSONAL INFORMATION IS PROCESS BY COVID TRACK?

To fulfil obligations to your employer’s (NHS healthcare organisation), we process the following personal information:

Name (first name & last name)
Date of Birth
Gender
Work email address
Job title
Healthcare organisation number / Directorate/Division
Ward and department number
Electronic Staff Record (ESR) number (if appropriate)
Home post code
Appointment time / date
Login details / password
Mobile phone number (if you require text message reminders (SMS))

NATIONAL REPORTING

Under the Coronavirus Act 2020, all organisations are required by law to provide limited information to NHS and Public Health England about the number of staff who have been vaccinated, when the vaccine was administered and when the second vaccination must be given. This information is completely anonymised and will include details of your ethnicity and vaccination status only.

PURPOSES AND BASES FOR USING YOUR PERSONAL DATA

When providing services to you, your personal information will be processed by QHS on behalf of the Trust for the following purposes:

Fulfilment of a contractual obligation between the Trust, your employer and QHS to use Covid Track.
Providing you with continued information and support during the Covid 19 vaccination programme when using Covid Track.
Internal administration and management of your Covid 19 booking
Supplying anonymised reports informing NHS England of the number of people who have received their first and second Covid 19 Vaccination.

International Transfers

The Trust and QHS will not transfer your personal data outside of the UK.

Your rights:

The UK GDPR and DPA 2018, provides you with certain rights. The table below confirms in column 1 which rights apply who to contact to apply your rights:

Your Rights	Rights Which Apply
Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it. This service is free of charge and can take up to 30 days.	Yes
Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.	Yes
Request personal data provided by you to be transferred in machine-readable format (“data portability”).	No
Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing	Yes
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).	No
Object to the processing of your personal data in certain circumstances. This right may apply where the processing of your personal data is based on the legitimate	No

WHO DO YOU CONTACT TO OBTAIN INFORMATION ABOUT YOU?

Please contact your employer to ask for copies of information held about you first. They will then request copies of your information from QHS and release it to you.

HOW LONG WILL YOUR INFORMATION RETAINED?

Your information will be retained in the system in compliance with the retention schedules within the NHS Code of Practice: Records Management or the contract ends.

YOUR RIGHT OF ACCESS: NON TRUST EMPLOYEES

You can contact your employer to make a complaint. The Trust Data Protection Officer will support your organisation to ensure data held in Covid Track is supplied to you in a timely manner.

HOW TO COMPLAIN

If you wish to raise a concern about how your personal information is being used, stored or shared. Please contact:

Information Governance Department

Salisbury NHS Foundation Trust

Salisbury District Hospital

Odstock Road

Odstock Near Salisbury

Wiltshire

SP2 8BJ

01722 336262 Ext 5716 & 5731

Email: sft.Information.Governance@nhs.net

Information Commissioners Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate)

Fax: 01625 524 510

The BSW CCG have entered into a contract with Quantum Health Solutions (QHS) Limited to provide a staff Flu and Covid 19 vaccination booking system, Flu Track/Covid Track on behalf of the NHS Trusts and NHS providers within the Bath, Swindon and Wiltshire region.

This privacy notice confirms that Salisbury NHS Foundation Trust (the Trust) has agreed to use QHS for processing your flu and COVID booster vaccination bookings.

This privacy notice explains what personal data QHS collects from NHS staff or third party organisations who participate (“you”,”your”) in the NHS led Flu and Covid-19 booster vaccinations appointment booking programme. The Trust is a Data Controller when processing its own employee’s data and retains legally responsibility for complying with your rights under UK GDPR the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA2018).

If you are a Trust employee who wishes to ask for copies of information held about you please contact the Information Governance Department by emailing sft.Information.Governace@nhs.net

ADDITIONAL EMPLOYMENT WITH OTHER NHS TRUSTS AND NHS PROVIDERS

If in addition to working at the Trust you also have employment with other NHS Trusts or NHS providers within the Bath and North east Somerset, Swindon and Wiltshire region (i.e. RUH, GWH, WHC and Virgin care) information on your vaccination status and appointments will then be shared with them. This is to avoid unnecessary duplication of appointments and effort as well as providing accuracy of reporting. In such circumstances each employing organisation will be Data Controller of your data and be legally responsible for complying with your rights under UK GDPR the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA2018).

WHAT PERSONAL INFORMATION IS PROCESSED BY FLU TRACK/COVID TRACK?

To fulfil obligations to your employer’s (NHS healthcare organisation), we process the following personal information:

Name (first name & last name)
Date of Birth
Gender
NHS Number
Work email address
Job title
Healthcare organisation number
Electronic Staff Record (ESR) number
Appointment time / date
Login details / password
Mobile phone number (if you require text message reminders (SMS)
Whether you have any allergies (not detailed)
Flu and COVID vaccination status

NATIONAL REPORTING

All NHS Trusts and other NHS providers and organisations are required to provide limited information to NHS and Public Health England about the Flu and COVID vaccination status for their staff. The data provided is completely anonymised and will include details of overall vaccination rates and information such as ethnicity and vaccination status for groups of staff.

PURPOSES AND BASES FOR USING YOUR PERSONAL DATA

When providing services to you, your personal information will be processed by QHS on behalf of the Trust for the following purposes:

Fulfilment of a contractual obligation of QHS to the Trust as your employer to use Flu Track/Covid Track.
Providing you with continued information and support during the Flu and Covid 19 booster vaccination programme when using Flu Track/Covid Track.
Internal administration and management of your Flu and Covid 19 booster vaccination bookings
Supplying anonymised reports informing NHS England of the number of people who have received their Flu and Covid 19 booster vaccinations.

International Transfers

The Trust and QHS will not transfer your personal data outside of the UK.

Your rights:

The UK GDPR and DPA 2018, provides you with certain rights. The table below confirms in column 1 which rights apply who to contact to apply your rights:

Your Rights	Rights Which Apply
Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it. This service is free of charge and can take up to 30 days.	Yes
Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.	Yes
Request personal data provided by you to be transferred in machine-readable format (“data portability”).	No
Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing	Yes
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).	No
Object to the processing of your personal data in certain circumstances. This right may apply where the processing of your personal data is based on the legitimate	No

WHO DO YOU CONTACT TO OBTAIN INFORMATION ABOUT YOU?

Please contact the Trust’s Occupational Team to ask for copies of information held about you in the first instance. They will then request copies of your information from QHS and release it to you. If you have additional employment with other NHS organisations, and have booked your vaccination appointments through their own arrangements, you should contact them direct.

HOW LONG WILL YOUR INFORMATION RETAINED?

Your information will be retained in the system in compliance with the retention schedules within the NHS Code of Practice: Records Management or the contract ends.

HOW TO COMPLAIN

If you wish to raise a concern about how your personal information is being used, stored or shared. Please contact:

Information Governance Department

Salisbury NHS Foundation Trust

Salisbury District Hospital

Odstock Road

Odstock Near Salisbury

Wiltshire

SP2 8BJ

Tel: 01722 336262 Ext 5716 & 5942

Email: sft.Information.Governance@nhs.net

Information Commissioners Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate)

Fax: 01625 524 510

Salisbury NHS Foundation Trust takes seriously its obligations to protect the rights and freedoms of patients, staff, volunteers, trainees, and contractors. The Trust is committed to building privacy by design and default into our systems and services, to minimise any risks to data subjects that might arise through our processing activities.

However, we recognise that there may be circumstances in which members of the public or staff raise concerns or complaints about the way the Trust is processing their personal data. This procedure gives a framework for managing data protection complaints consistently and transparently, to ensure fair and equitable outcomes for complainants. It will also clarify the relationship between this procedure and other complaints and grievance procedures at the Trust, and related data protection procedures, such as our Data Breach Reporting Procedure and our Data Subject Access Request appeal process.

If Trust staff, or members of the public wish to refer or make a complaint, raise a query about the procedure, or otherwise need to get in touch, please contact the IG Team using the email address sft.information.governance@nhs.net or call 01722 336262 Ext 5716 & 5731.

Confidentiality

Any complaint or concern you raise will be treated in confidence. We will only share your identity or the details of your complaint with a third party with your consent, or if it is necessary to do so to fully investigate your complaint.

Records relating to your complaint will be held securely in restricted areas of the Trust’s IT network or system. The records relating to your complaint will be retained in line with our data retention policies (for ten years from the end of the calendar year in which the final action on your complaint takes place at the time of writing).

It may be necessary during the investigation to reveal to you the identities and personal data of staff or other third parties involved in responding to the complaint. This information will be provided to you only as required, and you must always respect the confidentiality of third parties.

Grievance and representation

Any complaint or allegation cannot be made anonymously.

A third party may submit the complaint on your behalf with your written and signed authorisation, subject to approval by the Data Protection Officer or their delegate.

Internal concerns and complaints procedure

The Data Protection Officer or their delegate will write an initial letter to you, usually within 5 working days, to acknowledge receipt of your complaint. The letter will inform you:

a) Whether your complaint is eligible for consideration under this procedure. If it is not considered eligible, you will be told why.
b) The terms of your complaint, and the breaches of the Data Protection Legislation to be investigated, so that the complainant can understand the scope of the investigation.
c) The expected deadline for completion of the investigation

The Data Protection Officer or their delegate will aim to conclude the formal investigation and provide you with an outcome within 20 working days of sending you the initial letter.

At the end of the review the Data Protection Officer will provide you with an response summarise the complaint and examination process, this may including further evidence gathered from yourself, colleagues or any other relevant third party, and an assessment of the extent to which specific concerns raised in the complaint contravene the Trusts Data Protection policies and procedures and Data Protection Legislation, to help you better understand the outcome of the review. The outcome section of the report will tell you whether your complaint is:

a) Fully upheld
b) Partially upheld
c) Not upheld

The response will set out any recommendations proposed by the Trust. The Data Protection Officer may recommend the case is referred for further consideration under the relevant internal disciplinary procedure. This might include, for example, cases where the investigation identifies a serious breach of the Trust’s Data Protection policies and procedures by an individual subject to said policies and procedures, or an infringement of Data Protection or Computer Misuse legislation.

The response marks the final stage of the Trusts Data Protection Complaints procedure. The Trust will aim to put in place any recommendations within one calendar month of the date of the report, where possible.

If the review finds that a person has processed your personal data and infringe sections 170-173 of the Data Protection Act (2018), the matter may be referred to the Police if the Trust believes that one or more of the criminal offences listed below has been breached:

a) Unlawfully obtaining, disclosing or retaining personal data:
b) Re-identifying de-identified personal data
c) Altering, defacing, blocking, erasing, destroying, or concealing personal data to prevent disclosure to a data subject

Right to representation

You have the right to be accompanied at any meeting arranged under this procedure to investigate your complaint. You may choose to be accompanied by a friend, and staff by a work colleague or a trade union representative. This procedure does not permit any party to have legal representation at meetings. The identity of your representative should be made known to other parties to the meeting prior to the date of the meeting.

If you need us to make any reasonable adjustments under the Equality Act (2010) in connection with meetings or other proceedings under this procedure, please inform the Data Protection Officer in advance.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Your Right to an External Review

If you reject the outcome of the formal investigation, you can make a complaint to the Information Commissioner’s Office (ICO) using their online reporting tool here https://ico.org.uk/make-a-complaint/your-personal-information-concerns/ or by calling 0303 123 1113.

Whilst you have the right to make a complaint to the ICO without seeking a remedy through this procedure, we recommend that you follow this procedure in the first instance to advance the resolution of your complaint.

If the Police investigate a Trust employee about an offence listed in section 5.3 above, the Trust will consider whether internal disciplinary procedures should continue or be paused until the outcome of the police investigation is known.

Your Patient Information - Privacy Notice

Person Centred & Safe

Professional

Responsive

Friendly

Progressive

Your Patient Information - Privacy Notice

The Trust

Legal & Privacy

Sustainability

Join us on social media

Information & Resources

Person Centred & Safe

Professional

Responsive

Friendly

Progressive