Privacy notice and cookies
This document is to inform you as an individual how the Trust and our Services will collect and use information about you. This is a legal requirement under UK GDPR and Data Protection legislation and is here to help you be aware of your rights.
Personal information about any living, identifiable individual is protected in law. Some information we hold about you is more important and this is called ‘Special Category Data’. The Trust considers information we hold about you to be confidential and this includes:
- Name, address, date of birth
- NHS Number, hospital number
- Contact information i.e. telephone number, mobile phone, e-mail address
- Next of Kin details and contact information
- Special Category Data including:
- Contacts we have had with you such as clinic visits
- Details of diagnosis and treatment
- Allergies and physical or mental health conditions
- Racial or Ethnic Origin
- Sexual orientation
- Religious or other beliefs of a similar nature
- Offences, criminal proceedings, outcomes and sentences.
- Family, lifestyle and social circumstances
- Education and training details
- Employment details
- Financial details
We keep records about the health care and treatment you receive as one of our patients or service users, as this helps to ensure that you receive the best possible care from us and that full information is readily available if you see another doctor, or are referred to a specialist elsewhere. The legal basis on which we hold and use this information is broadly covered under UK GDPR Article 6(1)(e), ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, and UK GDPR Article 9(2)(h), ‘processing is necessary for Health and Social Care purposes’ and ‘Processing is necessary for the purposes of preventative or occupational medicine’.
In addition, we may process personal data for the purpose of, or in connection with legal proceedings, obtaining legal advice or defending legal rights. We will rely on the following UK GDPR legislation:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
- Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
This information will be collected directly from you and others involved in your care, or may be information others have provided as it is necessary for their own care, such as contact details for Next of Kin.
We may use personal data for the following purposes:
- To prepare statistics on NHS performance
- To audit NHS Services
- To monitor how we spend public money
- To plan and manage the health service
- To teach and train healthcare professionals and NHS employees
- To conduct health research and development
We also keep records relating to staff for the purpose of recruitment and leavers processes, pay, disciplinary matters, superannuation, work management, volunteers, contractors or other personnel matters. This is to ensure that employment at the Trust is managed to a high standard and that staff are provided with the information and training required to carry out their role.
Below are listed the Acts of Parliament which affect our ‘public task’ under the Constitution of the NHS:
- Health & Social Care Act 2008/2012/15/18
- Crime and Disorder Act 1998
- Children’s Act 2004
- NHS Act 2006
- Equality Act 2010
- Health Act 2009
- Care Act 2014
- Public Bodies (Admission to meetings) Act 1960
- Human Rights Act 1998
- Mental Health Act
- Mental Capacity Act 2005
- Data Protection Act 2018
- UK GDPR
- Employment Rights Act 1996
- Employment Relations Act
- Trade Union & Labour Relations Act 1992
- Health & Safety at Work Act 1974
- Rehabilitation of Offenders Act 1974
- Access to Health Records Act 1990
- Coronavirus Act 2020
- Coroners Act 2009
- Public Services (Social Value) Act 2012
- Health and Care Act 2022
All of the personal data that we collect and use is handled in accordance with UK GDPR core principles:
- Data is processed lawfully, fairly and transparently
- Purpose limitation: data is processed for a specified purpose
- Data minimisation: only necessary data is processed
- Accuracy: data is kept accurate and up to date
- Storage limitation: data will not be kept longer than necessary
- Integrity and confidentiality (security): data is kept securely
- Accountability: The Trust must comply with the above
Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, even anonymising data where possible.
Some sharing of information is necessary for delivering care to yourself as a patient or service user and ensuring that this is done so in a safe way. We often share personal information with the following organisations for the purposes of delivering or improving healthcare or where there is a legal requirement for us to do so:
- Clinical Commissioning Groups
- Health authorities
- Other NHS Trusts
- General Practitioners (GPs)
- Ambulance services
- Other NHS common services agencies such as primary care agencies
- Social services
- Education services
- Local authorities
- Department for Work & Pensions
- Voluntary sector providers and private sector providers
Services in our Trust will hold paper and electronic information in accordance with the Trust Retention Schedule, which is aligned with national guidance. This sets out the appropriate length of time to hold each type of record and we endeavour not to keep your records for longer than necessary.
The Trust uses Confidential Waste Management and secure destruction of information to ensure that all records are destroyed correctly once their retention period has been met, and the Trust has made the decision that the records are no longer required.
On occasion we may be required to keep information beyond our retention schedule to comply with criminal investigations, and local and national inquiries.
Our services are committed to securing your personal information from unauthorised access, use or disclosure. A combination of physical and electronic controls will help protect your personal information, creating a secure environment that allows for the provision of best quality care and preventing misuse of that data.
All our staff must complete and keep up-to-date with appropriate data security training within their employment. Each service monitors compliance with the policies and procedures in the Trust, and a high standard of behaviour is expected from all employees when handling confidential information.
If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, please contact the Trust’s Patient Advice and Liaison Service (PALS).
Furthermore, you have a right to complain to the Information Commissioner if you are dissatisfied with the way the Trust has handled or shared your personal information:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)
We will occasionally update this document to reflect how our services use your information and feedback we receive. We therefore encourage you to periodically review this web page in case of any changes.
To learn more about how we use, manage and maintain confidentiality of your information, please speak to the health professionals dealing with your care.
There are two types of cookie you may encounter:
First party cookies: these are our own cookies, controlled by us and used to provide information about usage of our site.
Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site. For example, Facebook or Twitter have their own cookies, which are controlled by them.
First party cookies
Third party cookies
Browsealoud: Our website uses the Browsealoud plugin which allows text on the page to be read aloud. Cookies may be set to store information and preferences when using the plugin. To find out more please visit Texthelp.
Google: We use Google Analytics to collect statistics about site usage such as when the visitor last visited the site. The cookie contains no personal information and is used only for web analytics. This information is used by us to help to improve the experience for you on our website.
SiteImprove: The SiteImprove nmstat cookie contains a randomly generated ID used to recognise your browser when you read a page. It collects statistics about site usage such as when the visitor last visited the site. The cookie contains no personal information and is used only for web analytics. This information is used by us to help to improve the experience for you on our website. To find out more please visit SiteImprove.
YouTube: We embed videos from our YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.
How to control and delete cookies
If you wish to restrict or block the cookies which are set by the Torbay and South Devon NHS Foundation Trust website, or indeed any other website, you can do this through your browser settings. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.
The websites www.aboutcookies.org.uk or www.allaboutcookies.org contain comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.
Please be aware that restricting cookies may cause the Torbay and South Devon NHS Foundation Trust website to work incorrectly.
Torbay and South Devon NHS Foundation Trust reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.
If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose. This will not impact on the personal care you receive and the data we collect for that purpose.
For more information, visit: The NHS Website – Your NHS data matters.
Torbay and South Devon NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
The Trust is a mandatory participant of the Cabinet Office’s National Fraud Initiative (NFI) which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.
This notice link sets out how the Cabinet Office use your personal data, and your rights. It is made under Article 14 of the UK General Data Protection Regulation (GDPR).
The Cabinet Office process information that you provide when seeking payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data.
They process information you provide when seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data.
Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
For further information on data matching at Torbay and South Devon NHS Foundation Trust contact Gareth Cottrell, Local Counter Fraud Specialist.
Emma Davies, Data Protection Officer
Tel: 01803 654868
Email: Data Access & Disclosure Office