Privacy notice and cookies

Introduction

This document is to inform you as an individual how the Trust and our Services will collect and use information about you. This is a legal requirement under UK GDPR and Data Protection legislation and is here to help you be aware of your rights.

Personal information about any living, identifiable individual is protected in law. Some information we hold about you is more sensitive; this is called ‘Special Category Data’. The Trust considers information we hold about you to be confidential and this includes:

  • Name, address, date of birth
  • NHS Number, hospital number
  • Contact information i.e. telephone number, mobile phone, email address
  • Next of Kin details and contact information
  • Special Category Data including:
    • Contacts we have had with you such as clinic visits
    • Details of diagnosis and treatment
    • Allergies and physical, sexual or mental health conditions
    • Racial or Ethnic Origin
    • Sexual orientation
    • Religious or other beliefs of a similar nature
    • Offences, criminal proceedings, outcomes and sentences.
    • Family, lifestyle and social circumstances
    • Education and training details
    • Employment details
    • Financial details

We also hold a duty of confidentiality under common law to the deceased. If you wish to view or obtain a copy of records for someone who has died, you can make a request under the Access to Health Records Act 1990.

We keep records about the health care and treatment you receive as one of our patients or service users. This ensures that you receive the best possible care from us with accurate and up to date information readily available.

The legal basis on which we hold and use this information is broadly covered under UK GDPR:

  • Article 6(1)(e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ and
  • Article 9(2)(h) ‘Processing is necessary for Health and Social Care purposes’ and ‘Processing is necessary for the purposes of preventative or occupational medicine’.

In addition, we may process personal data for the purpose of, or in connection with legal proceedings, obtaining legal advice or defending legal rights. We will rely on the following UK GDPR legislation:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

This information will be collected directly from you and others involved in your care, or may be information others have provided as it is necessary for their own care, such as contact details for Next of Kin.

We may use personal data for the following purposes:

  • To prepare statistics on NHS performance
  • To audit NHS Services
  • To monitor how we spend public money
  • To plan and manage the health service
  • To teach and train healthcare professionals and NHS employees
  • To conduct health research and development

We also keep records relating to staff for the purpose of recruitment and leavers processes, pay, disciplinary matters, superannuation, work management, volunteers, contractors or other personnel matters. This is to ensure that employment at the Trust is managed to a high standard and that staff are provided with the information and training required to carry out their role.

Below are listed the Acts of Parliament which affect our ‘public task’ under the Constitution of the NHS:

  • Access to Health Records Act 1990
  • Care Act 2014
  • Children’s Act 2004
  • Coronavirus Act 2020
  • Coroners Act 2009
  • Crime and Disorder Act 1998
  • Data Protection Act 2018
  • Employment Relations Act 1999
  • Employment Rights Act 1996
  • Equality Act 2010
  • Health & Safety at Work Act 1974
  • Health & Social Care Act 2008/2012/15/18
  • Health Act 2009
  • Health and Care Act 2022
  • Human Rights Act 1998
  • Inquiries Act 2005
  • Mental Capacity Act 2005
  • Mental Health Act 1983
  • NHS Act 2006
  • Public Bodies (Admission to meetings) Act 1960
  • Public Services (Social Value) Act 2012
  • Rehabilitation of Offenders Act 1974
  • Trade Union & Labour Relations Act 1992
  • UK GDPR

All of the personal data that we collect and use is handled in accordance with UK GDPR core principles:

  • Data is processed lawfully, fairly and transparently
  • Purpose limitation: data is processed for a specified purpose
  • Data minimisation: only necessary data is processed
  • Accuracy: data is kept accurate and up to date
  • Storage limitation: data will not be kept longer than necessary
  • Integrity and confidentiality (security): data is kept securely
  • Accountability: The Trust must comply with the above and take responsibility for the data we hold

Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself as a patient or service user. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving healthcare or where there is a legal requirement for us to do so:

  • Clinical Commissioning Groups / Integrated Care Boards
  • Health authorities
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Other NHS common services agencies such as primary care agencies
  • Social services
  • Education services
  • Local authorities
  • Police
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers

Services in our Trust will hold paper and electronic information in accordance with the Trust Retention Schedule, which is aligned with national guidance. This sets out the appropriate length of time to hold each type of record and we endeavour to not keep your records for longer than necessary.

The Trust uses Confidential Waste Management and secure destruction of information to ensure that all records are destroyed correctly once their retention period has been met, and the Trust has made the decision that the records are no longer required.

On occasion we may be required to keep information beyond our retention schedule to comply with investigations and inquiries.

Our services are committed to securing your personal information from unauthorised access, use or disclosure. A combination of physical and electronic controls will help protect your personal information, creating a secure environment that allows for the provision of best quality care and preventing misuse of that data.

All our staff must complete and keep up to date with appropriate data security training within their employment. Each service monitors compliance with the policies and procedures in the Trust, and a high standard of behaviour is expected from all employees when handling confidential information.

Please refer to our Data Protection How to access information page.

If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, please contact the Trust’s Patient Advice and Liaison Service (PALS).

Furthermore, you have a right to complain to the Information Commissioner if you are dissatisfied with the way the Trust has handled or shared your personal information:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)
Website: https://ico.org.uk

We will occasionally update this document to reflect how our services use your information and feedback we receive. We therefore encourage you to periodically review this web page in case of any changes.

To learn more about how we use, manage and maintain confidentiality of your information, please speak to the health professionals dealing with your care.

The NHS is committed to respecting the privacy of individuals using this website. Torbay and South Devon NHS Foundation Trust does not collect personally-identifiable information about users of this site.

We do analyse server log files, which contain details such as IP address, pages viewed, times of access, and the type of web browser used. None of this information is linked to individuals or shared with third parties.

Cookies used on this website

Our site uses cookies to improve functionality, provide embedded content, and help us understand how the site is used. When you first visit, you can manage your preferences using the cookie banner or via the cookie icon in the lower-left corner of your browser window.

There are two main types of cookies you may encounter:

  • First-party cookies – created by this website and controlled by us.
  • Third-party cookies – set by external services we embed or integrate, such as Google, Vimeo, YouTube, or the Browsealoud accessibility toolbar.

First-party cookies

A to Z list filter: We use a cookie to remember the last letter you selected in the A to Z services list. This ensures the page reloads with the same filter when you return. This is a functional cookie.

Silktide Cookie Control: We use a cookie to store your cookie consent choices (which categories you allow or reject). This is essential for the site to function correctly.

Functional / Accessibility cookies

Browsealoud (ReachDeck) toolbar: Our website uses the Browsealoud plugin, which reads text aloud. Cookies may store your preferences and settings for this tool. To find out more, visit Texthelp.

Google services cookies

Google Analytics: We use Google Analytics to collect statistics about site usage. These cookies do not contain personal information and are only used to improve the website experience.

Google Maps: Some pages include interactive maps. Cookies may store preferences for these maps or other Google services.

To find out more, visit Google’s Privacy Policy.

Third-party embedded content

Vimeo videos: We embed videos from our Vimeo channel. When you play a video, Vimeo may set cookies to enable playback and collect information about how the video is used. These cookies help Vimeo provide video functionality and analytics. More information: Vimeo Cookie Policy.

YouTube videos: We embed videos from our YouTube channel using privacy-enhanced mode. Cookies may be set once you play a video, but YouTube will not store personally-identifiable information. More information: YouTube Embedded Video Information.

How to control and delete cookies

You can manage your cookie preferences at any time via the cookie icon in the lower-left corner of your browser window. This opens the Silktide Cookie Control panel, where you can:

  • Accept all cookies
  • Reject non-essential cookies
  • Manage individual cookie categories (Functional, Google services, YouTube, Vimeo)

If you prefer, you can also restrict or block cookies through your browser settings. Each browser is different, so check the ‘Help’ menu of your particular browser or your mobile device manual for guidance.

Comprehensive information about cookies, including how to delete them, is available at:

Please note: restricting cookies may prevent some parts of the site from functioning correctly.

Cookies we use on our website

| Cookie name | Type | Provider | Purpose | Duration |
|---|---|---|---|---|
| CookieControl | Essential | Silktide | Stores the user’s cookie consent preferences (which categories are accepted/rejected). | 3 months |
| _ga | Analytics | Google Analytics | Registers a unique ID to generate statistical data on how the visitor uses the site. | 2 years |
| _gid | Analytics | Google Analytics | Registers a unique ID to generate daily statistical data on how the visitor uses the site. | 24 hours |
| _gat / _dc_gtm_UA-* | Analytics | Google Analytics | Throttles request rate to limit data collection on high traffic sites. | 1 minute |
| _vuid | Functional / Third-party | Vimeo | Collects analytics data about how the Vimeo video is used by the visitor. | 2 years |
| player | Functional / Third-party | Vimeo | Saves visitor’s preferences for embedded Vimeo videos. | 1 year |
| YSC | Functional / Third-party | YouTube | Registers a unique ID to keep statistics of what videos from YouTube the user has seen. | Session |
| VISITOR_INFO1_LIVE | Functional / Third-party | YouTube | Estimates the user’s bandwidth on pages with integrated YouTube videos. | 6 months |
| CONSENT | Functional / Third-party | YouTube/Google | Stores the user’s consent state for YouTube/Google services. | 2 years |
| NID | Functional / Third-party | Google Maps | Stores user preferences and other information, such as preferred zoom level and language, when viewing embedded maps. | 6 months |
| SID, HSID | Functional / Third-party | Google Maps | Security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data. | 2 years |
| BA_* (various) | Functional / Accessibility | ReachDeck (Browsealoud) | Stores user preferences such as voice, highlighting, or toolbar settings for accessibility. | Persistent (varies, often 1 year) |
| listNavFilter(_page-slug) | Functional | Our website | Remembers the last letter selected when using the A to Z filters for a list so the page(s) loads with the same filter next time. | 30 days |

Torbay and South Devon NHS Foundation Trust reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

If any data processing falls within scope of the National Data Opt-Out, we use MESH to check if any of our service users have opted out of their data being used for this purpose. This will not impact on the personal care you receive and the data we collect for that purpose.

For more information, visit: The NHS Website – Your NHS data matters.

Torbay and South Devon NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is a mandatory participant of the Cabinet Office’s National Fraud Initiative (NFI) which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.

This notice sets out how the Cabinet Office uses your personal data, and your rights. It is made under Article 14 of the UK General Data Protection Regulation (GDPR).

The Cabinet Office process information that you provide when seeking payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data.

They process information you provide when seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on data matching at Torbay and South Devon NHS Foundation Trust, contact Gareth Cottrell, Local Counter Fraud Specialist.

Service name: High Intensity Users
Address and contact telephone number: British Red Cross, 83 Caxton Business Park, Tower Road North, Warmley, BS30 8XP 07860 401986
Email and public website: https://www.redcross.org.uk
Data Protection Office: dataprotection@redcross.org.uk

What type of personal information we collect

Torbay and South Devon NHS Foundation Trust are working with British Red Cross to support “high intensity users” of our Emergency Department. This initiative is supported by NHS Devon ICB to ensure patients are receiving the most appropriate support.

If you are in the top 150 patients who have accessed the Emergency Department in the last 3 months, your data may be shared with British Red Cross to ensure you are getting appropriate support. The information shared may include:

  • NHS Number
  • Name
  • Date of birth
  • Age
  • Address
  • Telephone number
  • GP practice
  • ICB/NHS code
  • Arrival mode
  • Warning flag information
  • Presenting complaint from last 3 months ED attendances (chief/coded complaint and free text complaint)
  • A&E attendance in the last 12 months (admission number)
  • A&E attendance in the last 3 months (admission number)
  • Non-elective admissions in the last 12 months (admission reference)
  • Non-elective admissions in the last 3 months (admission reference)
  • Ambulance conveys in the last 12 months
  • Ambulance conveys in the last 3 months
  • Date of each A&E attendance in last 3 months

If you are contacted by the British Red Cross, you will be asked to formally consent to any support they may offer.

How we get this information and why we have it

Torbay and South Devon NHS Foundation Trust process your personal information provided by you during your healthcare and treatment.

We use this information to allow the British Red Cross to provide assertive outreach to patients who attend the Emergency Department on a regular basis with a high number of attendances. This information is provided by way of a quarterly report issued from the Trust’s Business Intelligence (BI) Team.

We rely on the following legal bases to process this information

  • UK GDPR Article 6.1.e ‘Public Task’ – Processing is necessary for the performance of official authority vested in the controller
  • UK GDPR Article 9.2.h ‘Direct healthcare’ – Processing is necessary for health or social care purposes

How we are storing your information

Torbay and South Devon NHS Foundation Trust store all information in secure systems and share information with British Red Cross via secure methods.

Your information is securely stored by British Red Cross prior to contacting patients to ask if they would like additional support. British Red Cross will store no more than six months’ worth of data provided directly by Torbay and South Devon NHS Foundation Trust.

The British Red Cross team will then gain explicit consent to store any further personal data.

Your data rights under data protection law

  • A right of access (copies), a right to rectification (if you believe data is inaccurate), a right to erasure (under certain circumstances), a right to restrict processing (in certain circumstances), a right to object to processing (in certain circumstances) and a right to portability (transfer information to another organisation – in certain circumstances)
  • To make a request you should contact dataprotection@redcross.org.uk or visit the British Red Cross public website.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at vikkiamiss@redcross.org.uk or dataprotection@redcross.org.uk

You can also complain to the ICO if you are unhappy with how we have used your data.

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Torbay Council has commissioned Torbay and South Devon NHS Foundation Trust to provide Adult Social Care services on the Council’s behalf. This means that Torbay Council and Torbay and South Devon NHS Foundation Trust are jointly responsible for making sure anyone with an illness or a disability who needs help and support receives the care they need, when they need it.

We also hold joint responsibility for managing and processing the data required in relation to the delivery of safe adult social care services to people within Torbay.

This privacy notice explains how we will manage your personal information collected and processed for the purposes of delivering adult social care services.

What information will we be processing?

To deliver adult social care services, we need to process personal information about you, including names, addresses, contact details, dates of birth, gender status, education and/or employment details, financial information and information about your lifestyle and relationships.

We also need to hold some special category data including physical and mental health details, ethnic origin and religious and/or philosophical beliefs and your sexual orientation. We may also process data of any criminal offences committed by yourself (including alleged offences), proceedings, outcomes and sentences.

We may request and process personal information provided by other organisations including, but not limited to, other social care and safeguarding services, education providers, healthcare providers and the Police.

We are the “data controller” in relation to your personal information. This means we make decisions about how your data is collected, processed and shared.

Why will we be processing it?

We need to process information about you so that your needs can be assessed and supported through the planning, delivery, monitoring or evaluation of care. It will be held to ensure that you are provided with appropriate care and that your safeguarding needs are met.

What is our lawful basis?

Our lawful basis for processing your personal data is that it is a task carried out in the public interest, outlined in the UK General Data Protection Regulation as:

Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

We also process your personal data to comply with various legal obligations; this is carried out under the lawful basis of legal obligation, outlined in the UK General Data Protection Regulation as:

Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

These laws (in alphabetical order) being:

  • Access to Health Records Act
  • Care Act
  • Care Standards Act
  • Children and Families Act
  • Data Protection Act (UK General Data Protection Regulation)
  • Data (Use and Access) Act
  • Equality Act
  • Health & Social Care Act
  • Health Act
  • Mental Capacity Act
  • Mental Health Act
  • National Health Service (NHS) Act
  • Safeguarding Vulnerable Groups Act

We also process your special category data under the following lawful basis:

Article 9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.

Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

Do we share your information?

Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving care or where there is a legal requirement for us to do so:

  • Integrated Care Boards
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Other NHS common services
  • Local Authorities (for example Social Services and Education services)
  • Police and Courts
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers

How long do we keep your information?

We keep adult social care records for a minimum of 8 years after death of the service user or longer in the case of:

  • Safeguarding concerns or investigations
  • Where the individual lacks mental capacity
  • Ongoing legal proceedings or complaints
  • Coroner’s inquests or other formal reviews

How do I obtain a copy of my personal data?

Please refer to our Data Protection How to access information page.

Contact

Torbay and South Devon NHS Foundation Trust
Jamie Whaling, Associate Director of Legal Services and Acting Data Protection Officer
Email: Data Access & Disclosure Office

Torbay Council
Jo Beer, Data Protection Officer
Email: infocompliance@torbay.gov.uk
