An important aspect of complying with data protection legislation is the requirement to process data fairly and lawfully.
In order for the processing to be fair, the Charity must provide data subjects with information about how their personal data will be used. The most common way to do this is through a privacy notice.
A privacy notice (also known as a ‘privacy statement’ or ‘fair processing notice’) is a term used to describe all the privacy information provided when you make contact with us or use one of our services. It also gives you information about what to do if you have a query or concern.
About this notice and who it applies to
Data Protection law determines how organisations can use personal information.
In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.
We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew's Healthcare will be processed unless the requirements for fair and lawful processing can be met.
This privacy notice applies to patients and service users.
This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.
What personal information we may collect
In order to provide services to you, St Andrew’s may collect and use your personal data including, for example:
• Personal details such as name, date of birth, home address, NHS number and the name of your General Practitioner (GP)
• Details of your mental condition, including any medications you are taking and the side effects
• Medical records whilst at St Andrew’s and any previous placements
• Contacts such as nearest relative, main carer, next of kin, external health professionals and your Solicitor
• Bank details if you wish to have a St Andrew’s finance account
• Criminal offence details (if applicable)
• Education and learning records
• Information about your personal interests
• Relevant information relating to risks, behaviour, special needs and allergies, and useful interventions to ensure safe and productive delivery of our service
How the Charity obtains your personal data
If you come to us through your GP, local authority or another health or social care authority, they will provide us with a variety of information, including your name, contact details and medical history. This would include any significant episodes that we need to be aware of in order to assess your needs and deliver the right care and service to you.
We also conduct independent mental health reviews or medico-legal reports for solicitors, the Crown Prosecution Service, the Police, Courts, Coroners, Magistrates, other healthcare providers, etc. In order to provide this service, we will usually obtain information about you from these organisations, and use the information you have provided to us.
Lawful basis for processing your personal data
We will only use your data where the law allows us to. Most commonly, we will process your personal data in the following circumstances:
• Where you have given consent
• Where it is necessary so that we can provide healthcare for you
• To comply with the law (for example, the Mental Health Act 1983)
• To help detect or prevent crime
• When it is necessary to protect the vital interests of an individual (for example, in a medical emergency)
• Where it is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides those legitimate interests)
Why we need to process your personal data
There are a number of reasons why we need to process your personal data, which include:
• To help inform decisions that we make about your care
• To ensure that your treatment is safe and effective
• To work effectively with other organisations who may be involved in your care
• To ensure our services can meet your needs (now and later)
• For research and audit purposes
• To prepare statistics on our performance
• To provide education, training and development opportunities
We will only process your personal data for the reason it was collected, unless it is needed for another purpose and that reason is compatible with the original purpose for processing.
We will notify you of any material changes to information which we collect or the purpose for which we collect and process it, and explain the legal basis for doing that.
We may process your information without your knowledge or consent where this is permitted by law.
Sharing your information
To provide you with the best care possible, we may need to share your information with others. We will only share your information in the following circumstances:
• Where you have given your consent to the information being shared
• Where there are issues or concerns, like the health and safety of yourself or others
• Where there is a legal requirement or responsibility on us to share the information
Examples of third parties we may need to share your information with include, but are not limited to:
• Central and local government agencies and departments
• General Practitioners (GPs)
• Healthcare and Safeguarding bodies
• Police, courts and prisons
Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary and with the appropriate security controls in place.
Security of your information
We take our duty to protect your personal information and confidentiality very seriously. The Charity is accredited to an international security standard, and we take all steps to ensure we have the right technical and organisational security control measures in place to protect your personal data from harm.
We have made some senior employees specifically responsible for data protection and confidentiality. For example, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of confidential patient information.
There is a Data Protection Officer who has specific responsibility for and knowledge of data protection compliance, covering all aspects of this privacy notice.
There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data, and we ensure that our staff regularly undertake data protection training.
We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.
Keeping your personal information up to date
It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice.
Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.
Retention and disposal of personal information
We will only keep information for as long as necessary. Records are managed in line with our Records Management Policy. This ensures that we regularly review records and securely destroy records at the right time. There are times when we need to keep some information for longer so we can comply with the law.
Access to personal information
Data protection law gives you the right to access the information that we hold about you. This includes supplementary information about the processing that this privacy notice is designed to address.
Requests for access to patient/service user records can be made verbally or in writing to:
Health Records Office
St Andrew’s Healthcare
Email: [email protected]
Telephone: 01604 616000
We will need to check that you are who you say you are. Therefore you may be asked to provide:
• Relevant information (for example full name, address, date of birth, staff number, etc.)
We may ask you for further information to help us locate what you are looking for.
We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt, unless there is a reason for delay that is justifiable under the law.
If a subject access request is made and the request for access is thought to be unfounded or excessive, or if you ask for more than one copy of the information, we may ask you to pay a fee to cover the costs.
In certain circumstances, you may also have the right to:
• Object to the processing of personal data that is likely to cause, or is causing, damage or distress
• Have inaccurate personal data rectified, blocked, erased or destroyed
• Object at any time to processing of personal data concerning you for direct marketing
If you wish to exercise any of these rights, please let us know by contacting our Data Protection Officer (details at the bottom of this privacy notice).
Raising a query or concern
If you have a query or concern about any aspects of this privacy notice, or how your data is handled, please contact the Charity’s Data Protection Officer:
Data Protection Officer
St Andrew’s Healthcare
Email: [email protected]
If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:
The Information Commissioner's Office
Data Protection Notification with the Information Commissioner's Office
St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.
The details of the Charity’s notification are available on the ICO’s Data Protection Public Register.
St Andrew’s registration number is Z5735699.