Service user Privacy Notice
How your personal information is used by Cambridgeshire and Peterborough NHS Foundation Trust
A Privacy Notice (also known as a Fair Processing Notice) is a statement from an organisation that describes how they collect, use, retain and share any personal information held about an individual or individuals. Issuing a Privacy Notice is part of our commitment to ensure that we are processing your personal information fairly, lawfully, and keeping you informed throughout.
CPFT will be taking part in the My Care Record programme which is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it's needed for your care. The privacy notice for the programme can be found here.
Who we are
We are a health and social care organisation dedicated to providing high quality care with compassion. We deliver NHS services across Cambridgeshire with teams providing services in inpatient, community, and primary care settings, such as physical, mental health and specialist services. Our services include:
- Adult mental health
- Forensic and specialist mental health
- Older people’s mental health
- Children’s mental health
- Children’s community
- Older people and adult community
- Specialist learning disability.
- Primary care and liaison psychiatry
- Substance misuse
- Social care
- Research and development
We support a population of just under a million people and employ more than 4,500 staff working in more than 50 locations.
Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z6521629.
Our lawful basis for processing information about you
The lawful basis for using your information is a ‘public task’ because it is necessary for the Trust to use your information in order to provide you with direct health care. We do not rely on consent to process your information.
Patient ‘personal data’ is processed under Article 6 (1)(e) which states that ‘processing is necessary for the performance of a task carried out in the public interest or in the exercises of official authority vested in the controller’.
Patient ‘sensitive data’ is processed under Article 9 (2)(h) which states that ‘processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or member State Law’.
For further information on this legislation please visit: https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation
In some circumstances we may rely on other lawful basis, where it is necessary for us to comply with legal and regulatory obligations to which we are subject.
How, why and what information we collect about you
We ask for and hold, personal confidential information about you which will be used to support the delivery of appropriate care and treatment. This supports the provision of high-quality care.
Basic details will include: Your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts and your GP details.
We may also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.
We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.
In addition to the above, we may hold the following sensitive (known as Special Category) personal information about you:
- Notes and reports about your health, treatment and care, which include:
- your medical condition
- results of investigations, such as x-rays and laboratory tests
- future care you may need.
- personal information from people who care for and know you, such as relatives and health or social care professionals.
- other personal information such as smoking status and any learning disabilities
- Your religion
- Ethnic origin
- Whether or not you are subject to any protection orders regarding your health, wellbeing, and human rights (safeguarding status).
It is important for us to have as complete a picture as possible, as this information assists our staff to provide improved care and deliver appropriate treatment and care plans which meet your needs.
Information is collected in several ways, via your healthcare professional, referral details from your GP, from other healthcare professionals and officers in the local authority, social services departments and emergency services or directly given by you or your authorised representative or parents, relatives or carers.
It is essential that your details are accurate and up to date to avoid any mistakes. You should always check that your details are current and inform us of any changes as soon as possible.
How we use information about you
Your information is used to manage and deliver healthcare to you, to ensure that:
- The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
- Staff have the information they need to be able to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another healthcare professional or are referred to a specialist or another part of the NHS, social care, or health provider.
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence.
- Review the care we provide to ensure it is of the highest standard and quality, e.g., through audit or service improvement.
- Support the funding of your care, e.g., with commissioning organisations.
- prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies.
- Help to train and educate healthcare professionals.
- Report and investigate complaints, claims and untoward incidents.
- Report events to the appropriate authorities when we are required to do so by law.
- Review your suitability for research study or clinical trial.
- Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital to further improve our services to patients.
- Monitor how we spend public money.
Where possible, we will always look to anonymise/pseudonymise your personal information to protect patient confidentiality, unless there is a legal basis that permits us to use it, in which case we will only use/share the minimum information necessary.
Who we share information with and why
We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies. We will also share information with other parts of the NHS and those contracted to provide services to the NHS to support your healthcare needs.
We may also be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive information from your health records. Generally, we would only do this to assist the requesting organisation to carry out their statutory duties (such as usages of healthcare services, public health, or national audits)
In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Act 2018 and UK General Data Protection Regulation.
For your benefit, we may also need to share some of your information with authorised non-NHS authorities and other organisations involved in your care. This might include organisations such as local councils, social services, education services, the police, voluntary and private sector providers, and private healthcare companies. Where necessary we also have data sharing agreements in place with our partner organisations which will state the specific ways in which the shared data can be used.
Staff should discuss with you what information they are sharing, why and with whom.
When we are required to do so, we will ensure that we seek your consent before sharing your personal information with other people. We will not pass your personal information to your friends, relatives or carers without your explicit consent. If you are unable to consent for any reason, we will only share information where it is clearly in your best interests to do so or it is required by law.
The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA). Because of this it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made CPFT will make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the GDPR.
We may also share information about you and your care with other NHS organisations responsible for the organisation and funding of health and social care, for example Clinical Commissioning Groups (CCGs) and their Commissioning Support Units (CSUs). If we must share information about you, we will remove your personal details when possible.
There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud), the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm. (For some of these purposes it also applies to patients who are discharged from the Trust).
Unless there are exceptional circumstances, under the common law duty of confidentiality (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confidentiality_-_NHS_Code_of_Practice.pdf) we will not disclose any information to third parties which can be used to identify you without your consent.
We may provide information to non-NHS partner organisations that act as ‘data processors’ and with whom we have binding confidentiality agreements to carry out an agreed service for the Trust. In these circumstances we will have a robust agreement with them for this purpose.
Processing beyond individual care
The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This may only take place when there is a clear legal basis to use this information. All these used helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Improving health care and services through planning
To help us monitor our performance, evaluate, and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share is anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally with in our Trust.
NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.
Most of the time, NHS digital use anonymised data for planning. So, your confidential patient information isn't always needed.
Improving health care and services through research
The Trust actively promotes research to provide better health and care for you, your family and future generations. Researchers can improve how physical and, mental health can be treated and prevented.
As a data controller Cambridgeshire and Peterborough NHS Foundation Trust rely upon
Article 6(1)(e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’
Article 9(2)(j) ‘…scientific or historical research purposes’
as our lawful basis for processing your information under the General Data Protection Regulation. This means we do not rely upon your consent for our Researchers to access information we have collected about you.
However, we do rely upon your consent for you to actively take part in a research study.
We would never publish the outcome of our research studies in a way that would personally identify you.
Whilst actively taking part in a research study you would have the right to withdraw your consent at any point, but you would not have the right to erasure of the information already collected as part of the research study.
Opting out of processing beyond your individual care
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this webpage you will:
- See what is meant be confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data.
- Understand more about who uses the data.
- Find out how your data is protected.
- Be able to access the system to view, set or change your opt-out settings
- Find the contact telephone number if you want to know any more or to set/ change your opt-out by phone.
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
Cambridgeshire and Peterborough NHS Foundation Trust is compliant with the National Data Opt out Programme.
Data Protection Impact Assessments
Under GDPR regulations we are required to carry out a Data Protection Impact Assessment (DPIA) when undertaking new projects which involve the processing of personal data. Completing a DPIA helps us to identify any data risks at an early stage and to take steps to minimise these risks as part of the project development process.
Data Protection Impact Assessments have been completed for the following health and social care projects and software applications that involve the processing of patient data .
- MyCopd Software – Self management app for patients with a diagnosis of COPD
- WoundWorks Software- Wound assessment software
- PASCOM Software- Podiatry activity monitoring database
- CADCAM Software- Digital scanning software for foot orthoses (insoles)
- S12 Solutions software- Digital app for facilitating setting-up Mental Health Act (1983) assessments.
- Medtronic Care Link pro software.- Diabetes pump and sensor software
- Qb Test- Software for objective measurement of ADHD Symptoms
- CamCOPS- Data collection tool for cognitive and psychiatric assessments
- FNP Turas- Data base for collection of demographic and health information of mothers enrolled in the Family Nurse Partnership Programme
- CPIP- Cerebral Palsy Integrated pathway collection and assessment of data for children with a diagnosis of cerebral palsy to detect early risk of hip displacement.
- Peterborough Exemplar- A project involving the joining-up of mental health care provided in primary care, secondary care, local authority social support and community-based assets people with mental health illness and physical health problems.
- Silver Cloud- A Digital mental health platform providing online Cognitive Behavioural Therapy (iCBT)
- Your Covid Recovery- a web-based programme to support people who have had the diagnosis of Covid-19 virus
- ChatHealth- NHS approved text messaging service for 11- 19 year olds
- BFP LumaNova- A digital therapeutic mental health platform for children
- Healios – A CBT-E interventions programme
- Secret Agent Society- Digital Mental health platform for children
- Assemble- Volunteer Management Platform
- Reveal BWC- Body Worn Cameras
- MedBrief- Platform for managing data for the purpose of litigation
For further details of any of these DPIA’s please contact the Information Governance Team at email@example.com
How we store and secure information
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process your information in accordance with the Data Protection Act 2018 and UK General Data Protection Regulation
In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain full and accurate records of the care we provide to you.
- keep records about you confidential and secure.
- provide information in a format that is accessible to you.
The Data Protection Act 2018 gives you certain rights, including the right to:
- Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our ‘Access to Health Records Policy’.
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is also explained in our ‘Access to Health Records Procedure’.
- Refuse/withdraw consent to the sharing of your health information: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health information ‘for the management of healthcare systems and services’.
Your consent will only be required if we intend to share your health information beyond these purposes, as explained above (e.g. active participation in research). Any consent form you will be asked to sign will give you the option to withdraw consent to share any information. The consent form will also warn you about the possible consequences of such withdrawal. Should you also refuse to the sharing of information the possible consequences will also be explained to you.
In instances where the legal basis for sharing identifiable information without consent relies on authorisation under Section 251 of the NHS Act 2006, such as for important medical research then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.
In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
- Request your personal information to be transferred to other providers on certain occasions.
- Object to the use of your personal information
You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.
Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.
SMS text messaging
When attending the Trust for an appointment or procedure patients may be asked to confirm their contact number / mobile telephone number. Where applicable this will be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Should you not wish to receive automated texts then please inform the relevant department involved).
Surveillance Cameras (CCTV)
We employ surveillance cameras (CCTV) on and around our sites to:
- protect staff, patients, visitors, and Trust property.
- apprehend and prosecute offenders and provide evidence to take criminal or civil court action.
- provide a deterrent effect and reduce unlawful activity.
- help provide a safer environment for our staff.
- assist in traffic management and car parking schemes.
- monitor operational and safety related incidents.
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance.
- assist with the verification of claims.
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by the General Data Protection Regulation (GDPR) 2018 and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the GDPR.
How to contact the Data Protection Officer
Please contact the Data Protection Officer at:
Information Governance Team
Edith Cavell HealthCare Campus
Or via e-mail at firstname.lastname@example.org
How to contact the Information Commissioners Office (ICO)
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. https://ico.org.uk/. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the ICO at:
Information Commissioner's Office
T 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
F 01625 524 510