Patient and service user privacy notice

A ‘privacy notice’ describes how we use and share the personal information we hold about our patients, service users, visitors, carers, the public, and staff.

This privacy notice is issued by the Torbay and South Devon NHS Foundation Trust as a healthcare provider and covers the information we hold about our patients and other individuals that may use our services.

A privacy notice is a legal requirement under Data Protection legislation and is here to help you be aware of your rights, our duties and how we protect your privacy by keeping your information confidential and secure. Under this legislation, Torbay and South Devon NHS Foundation Trust is the data controller of this information, unless otherwise specified.

A privacy notice is sometimes referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy.

As part of the new electronic patient record (EPR) system, staff employed by Royal Devon University Healthcare NHS Foundation Trust and University Hospitals Plymouth NHS Trust may have access to this system and some of your records. Please refer to the Devon Shared EPR Privacy Notice for further information.

For current data processing, please refer to the specific privacy notices below.

If you have any questions about how your data is used, or require this information in another format, please email our Information Governance team or call 01803 654868.

We deliver a wide range of emergency, specialist, and general medical services through Torbay and South Devon. Alongside our acute hospital (Torbay), we provide integrated health and social care services across a variety of settings including community inpatient hospitals, outpatient clinics, and within people’s own homes.

Torbay and South Devon NHS Foundation Trust is registered with the Information Commissioner’s Office to process personal and special category information under UK Data Protection legislation.

What personal information do we collect and how do we obtain it?

Personal information identifies a living individual. Personal information is anything that can be attributed to you personally, including your name, weight, height, date of birth, health conditions, and treatments you receive. If you can be identified from it, it is your personal information.

We collect personal details such as your name, address, date of birth, NHS number, contact information, ethnicity, religion, family and social circumstances, health conditions, treatments, allergies, and safeguarding status.

This information will be collected directly from you and others involved in your care such as your GP, or another healthcare provider, or may be information others have provided in relation to your own care.

We receive information, such as temporary and correspondence addresses, from your GP. Should these details be out of date, this may result in information being sent to the wrong address. If we hold this information and it is no longer relevant, please also inform your GP service.

Why we collect information about you and what we do with it?

Torbay and South Devon NHS Foundation Trust collects personal and confidential information to support your healthcare and treatment. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.

Your records help staff provide the right care, ensure accurate and up-to-date information, and improve the quality of care you receive.

The personal information we collect about you may also be used to:

  • Remind you about appointments and send relevant correspondence
  • Review and improve care quality (e.g. audits, service improvement)
  • Monitor spending and support funding for your care
  • Plan and manage health services, prepare NHS statistics, and meet regulatory requirements
  • Investigate complaints, claims, and incidents
  • Report events to authorities when required
  • Assess suitability for research or clinical trials, and conduct health research
  • Contact you for patient satisfaction surveys to improve services

Where possible, we will always look to anonymise or pseudonymise your personal information to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use and share the minimum information necessary.

Data may be shared for approved research projects, usually in anonymous form. If not possible, your permission or special approval is required. You can opt out of having your data used for research. For more information, please refer to the National Data Opt Out.

What is our lawful basis for processing?

All the personal information that we collect and use is handled in accordance with the UK General Data Protection Regulation (UK GDPR) principles. These state that personal data processing must be:

  1. Lawful and fair
  2. Specified, explicit and legitimate
  3. Adequate, relevant, and not excessive
  4. Accurate and kept up to date
  5. Kept for no longer than is necessary
  6. In a secure manner

Torbay and South Devon NHS Foundation Trust is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. We have statutory powers which underpin the legal bases that apply for the purposes of the UK GDPR. The legal bases for most of our processing are:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority,
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject

Where we process special category data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special categories of personal data for purposes related to the commissioning and provision of health services, the legal basis for most of our processing is:

  • Article 9(2)(h) – the provision of health or social care or treatment or the management of health or social care systems and services.
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Where we process special category data for research purposes our legal basis is:

  • Article 9(2)(j) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

In addition, we may also process personal data for the purpose of, or in connection with legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising, or defending legal rights. Where we process personal data for these purposes, the legal bases for doing so are:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise, or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

Please note consent is not the legal basis for processing information that concerns your direct patient care. Most of your data processed in relation to your care is under Article 6(1)(e) as our task as an NHS Trust, as described above.

This means we use your personal information to provide you with your direct patient care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection, and if we are able to comply with your wishes, we will explain how this could impact on our ability to provide you with that care.

Who we share personal information with and why?

Your personal information is shared with the team providing your care and treatment.

The Trust may share relevant personal information with other NHS organisations (such as NHS England, UK Health Security Agency, other NHS trusts, GPs, ambulance services, and Integrated Care Systems), local authorities and contracted service providers to support your healthcare needs.

Information may be shared with bodies responsible for auditing or administering public funds to prevent and detect fraud, and with authorities such as the Care Quality Commission, the police, or HMRC when required by law, court order, or in the public interest (e.g., to prevent abuse, fraud or serious harm).

We may share information in cases where public safety is at risk (such as infectious disease outbreaks); only the minimum necessary information is disclosed.

The Trust may be reviewed by independent auditors, which could involve access to randomly selected patient information to ensure legal compliance.

These practices ensure that information sharing is limited to what is necessary, lawful, and in line with public interest and regulatory requirements. Personal information you provide to the Trust in confidence will only be used for the purposes explained, unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Caldicott Guardian ensures that the sharing is appropriate.

How we keep your personal information safe and secure

Our staff members are trained to handle your information correctly to protect your confidentiality and keep your information secure. Everyone working in the NHS has a duty of confidentiality under the NHS Code of Practice when handling your personal information.

All new systems undergo appropriate governance reviews to ensure they meet the Trust cyber security standards.

Use of email – Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

How long we keep your records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS: Records Management Code of Practice.

The retention of records is dependent on various factors such as type of service, continuity of care, litigation, last hospital attendance, etc. Typically, adult care records are retained for eight years, maternity records for 25 years and cancer records for 30 years. All records are destroyed confidentially once their retention period has been met and the Trust has made the decision that the records are no longer required.

How do I obtain a copy of my personal data?

Please refer to our Data Protection How to access information page.

Torbay Council has commissioned Torbay and South Devon NHS Foundation Trust to provide Adult Social Care services on the Council’s behalf. This means that Torbay Council and Torbay and South Devon NHS Foundation Trust are jointly responsible for making sure anyone with an illness or a disability who needs help and support receives the care they need, when they need it.

We also hold joint responsibility for managing and processing the data required in relation to the delivery of safe adult social care services to people within Torbay.

This privacy notice explains how we will manage your personal information collected and processed for the purposes of delivering adult social care services.

What information will we be processing?

To deliver adult social care services, we need to process personal information about you, including names, addresses, contact details, dates of birth, gender status, education and/or employment details, financial information and information about your lifestyle and relationships.

We also need to hold some special category data including physical and mental health details, ethnic origin and religious and/or philosophical beliefs and your sexual orientation. We may also process data of any criminal offences committed by yourself (including alleged offences), proceedings, outcomes and sentences.

We may request and process personal information provided by other organisations including, but not limited to, other social care and safeguarding services, education providers, healthcare providers and the Police.

We are the “data controller” in relation to your personal information. This means we make decisions about how your data is collected, processed and shared.

Why will we be processing it?

We need to process information about you so that your needs can be assessed and supported through the planning, delivery, monitoring or evaluation of care. It will be held to ensure that you are provided with appropriate care and that your safeguarding needs are met.

What is our lawful basis?

Our lawful basis for processing your personal data is that it is a task carried out in the public interest outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

We also process your personal data to comply with various legal obligations. This is carried out under the lawful basis of legal obligation outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

These laws (in alphabetical order) being:

  • Access to Health Records Act
  • Care Act
  • Care Standards Act
  • Children and Families Act
  • Data Protection Act (UK General Data Protection Regulation)
  • Data (Use and Access) Act
  • Equality Act
  • Health & Social Care Act
  • Health Act
  • Mental Capacity Act
  • Mental Health Act
  • National Health Service (NHS) Act
  • Safeguarding Vulnerable Groups Act

We also process your special category data under the following lawful bases:

  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

Do we share your information?

Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving care or where there is a legal requirement for us to do so:

  • Integrated Care Boards
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Other NHS common services
  • Local Authorities (for example Social Services and Education services)
  • Police and Courts
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers

How long do we keep your information?

We keep adult social care records for a minimum of 8 years after discharge of the service user or longer in the case of:

  • Safeguarding concerns or investigations
  • Where the individual lacks mental capacity
  • Ongoing legal proceedings or complaints
  • Coroner’s inquests or other formal reviews

How do I obtain a copy of my personal data?

Please refer to our Data Protection How to access information page.

Contact

Torbay and South Devon NHS Foundation Trust
Jamie Whaling, Associate Director of Legal Services and Acting Data Protection Officer
Email: Data Access & Disclosure Office

Torbay Council
Jo Beer, Data Protection Officer
Email: infocompliance@torbay.gov.uk

Service name: High Intensity Users
Address and contact telephone number: British Red Cross, 83 Caxton Business Park, Tower Road North, Warmley, BS30 8XP; 07860 401986
Email and public website: https://www.redcross.org.uk
Data Protection Office: dataprotection@redcross.org.uk

What type of personal information we collect

Torbay and South Devon NHS Foundation Trust are working with British Red Cross to support “high intensity users” of our Emergency Department. This initiative is supported by NHS Devon ICB to ensure patients are receiving the most appropriate support.

If you are in the top 150 patients who have accessed the Emergency Department in the last 3 months, your data may be shared with British Red Cross to ensure you are getting appropriate support. The information shared may include:

  • NHS Number
  • Name
  • Date of birth
  • Age
  • Address
  • Telephone number
  • GP practice
  • ICB/NHS code
  • Arrival mode
  • Warning flag information
  • Presenting complaint from last 3 months ED attendances (chief/coded complaint and free text complaint)
  • A&E attendance in the last 12 months (admission number)
  • A&E attendance in the last 3 months (admission number)
  • Non-elective admissions in the last 12 months (admission reference)
  • Non-elective admissions in the last 3 months (admission reference)
  • Ambulance conveys in the last 12 months
  • Ambulance conveys in the last 3 months
  • Date of each A&E attendance in last 3 months

If you are contacted by the British Red Cross, you will be asked to formally consent to any support they may offer.

How we get this information and why we have it

Torbay and South Devon NHS Foundation Trust process your personal information provided by you during your healthcare and treatment.

We use this information to allow the British Red Cross to provide assertive outreach to patients who attend the Emergency Department on a regular basis with a high number of attendances. This information is provided by way of a quarterly report issued from the Trust’s Business Intelligence (BI) Team.

We rely on the following legal bases to process this information

  • UK GDPR Article 6.1.e ‘Public Task’ – Processing is necessary for the performance of official authority vested in the controller
  • UK GDPR Article 9.2.h ‘Direct healthcare’ – Processing is necessary for health or social care purposes

How we are storing your information

Torbay and South Devon NHS Foundation Trust store all information in secure systems and share information with British Red Cross via secure methods.

Your information is securely stored by British Red Cross prior to contacting patients to ask if they would like additional support. British Red Cross will store no more than six months’ worth of data provided directly by Torbay and South Devon NHS Foundation Trust.

The British Red Cross team will then gain explicit consent to store any further personal data.

Your data rights under data protection law

  • A right of access (copies), a right to rectification (if you believe data is inaccurate), a right to erasure (under certain circumstances), a right to restrict processing (in certain circumstances), a right to object to processing (in certain circumstances) and a right to portability (transfer information to another organisation – in certain circumstances)
  • To make a request you should contact dataprotection@redcross.org.uk or visit the British Red Cross public website.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at vikkiamiss@redcross.org.uk or dataprotection@redcross.org.uk

You can also complain to the ICO if you are unhappy with how we have used your data.

Torbay Council and NHS Devon ICB have commissioned Torbay and South Devon NHS Foundation Trust to provide Carers Services for people within the Torbay Council area.

For patients living within Devon, please refer to Devon Carers Service.

Torbay Carers provide information, assessment and support for carers who:

  • care for someone living in the Torbay Council area, or
  • live in the Torbay Council area

Why we collect information about you?

Under the provisions of the Care Act 2014, Torbay Council has opted to delegate its obligations to provide support to carers and has contracted Torbay and South Devon NHS Foundation Trust to do this work. We also provide information, assessment and support services under the Health and Social Care Act 2022, and the Children & Families Act 2014.

When you contact us for information, advice or support relating to your caring role, Torbay Carers will collect and hold personal information, and processing will be undertaken because of this legal obligation.

We also hold personal information that is needed for us to provide you with advice and support in your caring role; this is known as a legitimate interest.

Failure to provide us with the necessary personal information may result in us being unable to provide you with the service or result in a delay in the provision.

We may also record calls and other communications for monitoring and training purposes as part of the work we do.

When do we collect this information?

We collect information about you when you register with us, request a Carers Assessment or engage with carers support services.

The level of personal and sensitive information collected will vary depending on the carers services requested.

Who do we share information with?

The Health and Care Act 2022 identifies that more people are now living with multiple long-term conditions and need support from several different services at the same time. Services therefore need to work together more effectively to provide joined up, coordinated care that meets individuals’ needs in a flexible, person-centred way.

This aligns with the requirements of the Care Act 2014 for Local Authorities to make sure that people who live in their areas receive services that prevent their care needs from becoming more serious, or delay the impact of their needs.

The information we will share will depend on your circumstances and the support you need.

Any Carers Assessment (also known as a Health and Wellbeing Check) completed with you that is undertaken on behalf of Torbay Council and all information relating to this assessment will be securely stored.

If you request that we refer you to, or share your information with a 3rd party organisation, we will only undertake this with your permission or where there is an overriding legal obligation to do so.

When do we share information without your permission?

We will make all efforts to discuss our concerns with you and advise you when we are sharing your information and with whom. However, there are occasions where we have a legal obligation to share your information without your consent. This could include where there is an identified risk to yourself or other people.

How long do we hold your information?

We will hold your personal information on our systems for as long as you are registered for our services. This will extend past the point when you tell us that you are no longer a carer or no longer require our services, for up to 8 years in order to meet the commissioner’s requirements as legislated by the Care Act 2014 and case law. We review our retention periods for personal information on a regular basis in line with legislation and best practice.

Contact

Torbay and South Devon NHS Foundation Trust
Jamie Whaling, Associate Director of Legal Services and Acting Data Protection Officer
Email: Data Access & Disclosure Office

NHS Devon ICB has commissioned Torbay and South Devon NHS Foundation Trust to provide Continuing Healthcare Services (CHC) on the ICB’s behalf. NHS Continuing Healthcare means a package of ongoing care that is arranged and funded solely by the National Health Service (NHS) specifically for the relatively small number of individuals (with high levels of need) who are found to have a ‘primary health need’. Such care is provided to an individual aged 18 or over to meet health and associated social care needs that have arisen because of disability, accident or illness.

This privacy notice explains how we will manage your personal information collected and processed for the purposes of delivering CHC services.

What information will we be processing?

To deliver CHC services, we need to process personal information about you, including names, addresses, contact details, dates of birth, gender status, education and/or employment details, financial information and information about your lifestyle and relationships.

We also need to hold some special category data including physical and mental health details, ethnic origin and religious and/or philosophical beliefs and your sexual orientation. We may also process data of any criminal offences committed by yourself (including alleged offences), proceedings, outcomes and sentences.

We may request and process personal information provided by other organisations including, but not limited to, other social care and safeguarding services, education providers, healthcare providers and the Police.

We are the “data controller” in relation to your personal information. This means we make decisions about how your data is collected, processed and shared.

What is our lawful basis?

Our lawful basis for processing your personal data is that it is a task carried out in the public interest outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

We also process your personal data to comply with various legal obligations. This is carried out under the lawful basis of legal obligation outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

We also process your special category data under the following lawful bases:

  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

Do we share your information?

Our services share data with a range of organisations, and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving care or where there is a legal requirement for us to do so:

  • Integrated Care Boards
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Local Authorities (for example Social Services and Education services)
  • Department for Work and Pensions
  • Voluntary sector providers and private sector providers such as Care Homes or Nursing Homes

How long do we keep your information?

We keep CHC records for a minimum of 8 years after funding has ceased. The retention will depend on the type of care funding was provided for. There may be circumstances where we keep records for longer; these include:

  • Safeguarding concerns or investigations
  • Where the individual lacks mental capacity
  • Ongoing legal proceedings or complaints
  • Coroner’s inquests or other formal reviews

How do I obtain a copy of my personal data?

Please refer to our Data Protection How to access information page.

Contact

Torbay and South Devon NHS Foundation Trust
Jamie Whaling, Associate Director of Legal Services and Acting Data Protection Officer
Email: Data Access & Disclosure Office

A ‘privacy notice’ describes how we use and share the personal information we hold about our patients, service users, visitors, carers, the public and staff.

This privacy notice is issued by the following three NHS Trusts following our joint venture to provide a Devon-wide EPR:

| Organisation name | ICO registration | Data Protection Officer |
| --- | --- | --- |
| Royal Devon University Healthcare NHS Foundation Trust (RDUH) | ZB322774 | rduh.dpo@nhs.net |
| Torbay and South Devon NHS Foundation Trust (TSDFT) | ZA143471 | tsdft.dataprotection@nhs.net |
| University Hospitals Plymouth NHS Trust (UHP) | Z7296644 | informationgovernancepht@nhs.net |

From January 2026, your records will start to move to the new electronic patient record (EPR) system and staff with access to this system may begin to have access to your records. This is to make sure your records are accurate and ready for the go-live dates: April 2026 for Torbay and South Devon (TSDFT) and July 2026 for University Hospitals Plymouth (UHP).

The Trusts have entered into a data sharing and processing agreement which sets out the legal framework for this sharing. This privacy notice will explain how we handle your information in our shared environments and how we will ensure your rights are respected.

This privacy notice only covers the data we jointly hold about you in our EPR and shared systems and we would advise all readers of this notice to also familiarise themselves with the Trust privacy notices below:

Key points

The Devon EPR is a secure digital system that stores your health information. It helps doctors and nurses across Devon provide better care by sharing important details about your health, treatments, and appointments. Only staff who need your information to care for you are allowed to access your record.

Your health record is stored in one secure system for all three NHS Trusts in Devon. Doctors, nurses, and support staff who need your information to care for you can see your record. Sometimes, partner organisations (like other NHS Trusts, GP surgeries, or care providers) may also need access to your record to help with your care. There are different ways these organisations can access your record for direct care purposes. All sharing is covered by strict agreements to make sure your data is handled safely and only by people who need it. Caldicott Guardians (senior staff responsible for protecting patient information) must approve all data sharing agreements.

The main reason your health information is shared is to help provide you with care. The law says NHS organisations must share data when it helps with your treatment and is in your best interests, unless you object or the service is anonymous. Even though sharing is required, the Trusts still must follow data protection laws and keep your information confidential. Because health information is sensitive, there are extra rules to protect it. The Trusts can share your data when it’s needed to provide or manage healthcare services, as allowed by law.

You can raise concerns about how your data is accessed, shared or managed either with your care team or with our Information Governance Teams (details on each Trust’s privacy notice).

Only staff who need your information to do their job are allowed to look at your health record. Staff must follow these rules, which are part of both their contract and workplace policies. Access is only allowed when necessary. If someone looks at your record without a valid reason, it’s considered unlawful. The Trusts monitor access to health records. If someone is found to have accessed or used information unlawfully, action will be taken according to policy.

You have the right to say you don’t want your records shared between the three NHS Trusts for patient care, and we will respect this where possible. If you object, a clinical professional or Caldicott Guardian will talk with you about any risks of limiting sharing. You’ll be asked to acknowledge these risks, and your objection will be recorded. Some cross-Trust staff may still need access for technical or legal reasons, but only a small group.

Please note this objection is separate from the National Data Opt Out (NDOO), which does not apply to sharing for direct patient care.

If we use any innovative technologies, including AI, we will always assess the risks.

What is the Devon Electronic Patient Record (EPR)?

An EPR is a collection of patient health information in a digital format, that can be shared across different health care settings. It will include a range of data, including medical history and treatment, medication and allergies, immunisation status, laboratory test results, radiology images, vital signs and personal statistics like age and weight. It will also be the place where we book appointments, request tests and prescribe medicines and write clinical notes.

The Devon EPR allows for the three Trusts to work in partnership to provide a single acute care record.

With secure, immediate access to live patient records across Devon, the EPR will give clinical staff more time to deliver higher quality and safer care. For you, this will mean you don’t have to remember your medical history or repeat the same information, making your care journey more joined-up.

Who your health record is shared with

To ensure a safe clinical journey, the Trusts store your health information in one secure record. Your data is available (subject to certain restrictions listed below) to any healthcare professional and relevant support and administration staff employed by, or working in support of, any of the three Trusts.

We may also provide access either directly or indirectly to partner organisations to ensure safe transfer of your care. Where we provide this access, appropriate data sharing agreements are put into place so colleagues can understand their roles and responsibilities in both accessing and handling your data and to document the technical and organisational controls.

Data sharing can take place through multiple forms when supporting direct patient care:

  • Direct Access – If an organisation needs to add to (in addition to viewing) your healthcare record, they may be provided direct access to the EPR and will adhere to Devon EPR Policies. These will usually be third party organisations who are performing a task on behalf of one or more of the Trusts, such as Liaison Psychiatry.
  • EpicCare Link – If an organisation needs to view your record, they may be provided access via a portal called EpicCare Link. They may also have limited capability to upload information relevant to your care. The organisation will sign up to a data sharing agreement and is individually assessed prior to approval. This usually applies to our local GP surgeries; however, other organisations, such as other NHS Trusts, hospices and other care organisations, may also sign up to this access.
  • Care Everywhere – Our EPR can communicate with other organisations that use the same system supplier (Epic). We automatically share top level information with these organisations in the UK. We may also extend this functionality to other organisations who use different EPRs where technologically possible. We can also share information with international organisations; however, this will only be done under one of two circumstances:
    • You (or a legally authorised third party) have provided explicit consent
    • There is a deemed vital interest or public health concern, and it is not possible, or appropriate, to gain your consent.
  • Other forms of information sharing – Where the Trusts share information with each other, or third parties, we will ensure all appropriate arrangements are in place. Should we rely on your consent as our lawful basis for sharing, we will ensure this is appropriately documented. You will be provided with the appropriate privacy notice where such sharing occurs; please see above links to the Trusts’ own privacy notices which will cover any further sharing.

We ensure all agreements are approved by the Trust’s Caldicott Guardians before access is provided.

What is our lawful basis for sharing your information in these ways?

All our data sharing, as outlined in this privacy notice, is for supporting direct patient care and therefore we consider it necessary to perform a ‘public task’ (Article 6(1)(e) of the GDPR) placed on us.

The Health & Social Care (Safety & Quality) Act 2015 places a duty on organisations providing healthcare services to share data where it supports the provision of care to an individual, and is in their best interests, unless the individual objects or it relates to an anonymous access service.

This duty does not remove the need to comply with data protection legislation or common law confidentiality requirements (please see section below).

As we process health information, which is considered ‘special category’ and warrants additional protection, we rely on Article 9(2)(h). This allows us to share this data where we need it to comply with our legal obligations to provide or manage healthcare services.

How to gain access to your information

We would first advise patients to sign up to MY CARE, our patient portal.

MY CARE gives patients and approved proxies quick access to view key parts of a medical record and interact with the Trusts to support care and treatment. MY CARE can be used to update certain personal information, manage appointments via scheduling tools, interact with the Trusts via messaging and complete questionnaires and other care management tools. For full details on MY CARE, please review the Terms and Conditions.

If you require further information, not currently provided in MY CARE, you may contact the Trusts and make a request for this information. These requests are handled by each Trust individually so you will need to contact each organisation separately. Please see the above links to each Trust’s privacy notice.

How to engage your other rights under data protection law

All rights requests will be handled by the individual Trusts; please see each Trust’s privacy notice to understand how they manage these requests.

How we secure your record

To ensure a safe clinical journey, there are only certain sections of your health record that are restricted by technical controls to staff who may need to access your record across Devon.

We also apply additional restrictions to who can access parts of your record in line with our policies, such as where you may receive a service that would only ever need to be viewable between the care teams/department involved.

Does that mean anyone can access your record who has permission to access the EPR?

The Trusts have clear policies in place to prohibit staff unlawfully accessing health information. Staff are subject to these rules both in policy and in contract.

Staff are only authorised to access a patient’s record where it is necessary to perform their role; where this is found not to be the case, this may be considered a breach of the Data Protection Act 2018 and the Computer Misuse Act.

We employ regular audits and monitoring techniques, and if any staff are found to have unlawfully accessed health information, action will be taken in accordance with our policies.

If criminal activity is identified, the Trusts will report this to the relevant regulatory/law enforcement organisations, as well as professional bodies as appropriate.

What if you have a concern that someone has unlawfully accessed your record or that of someone you care for?

The Trusts take all concerns seriously. You can raise these directly with either your care team, or with our Information Governance Teams (details on each Trust’s privacy notice).

You may also contact the Data Protection Officer (DPO) at the Trust responsible for your care.

Is it possible to object to this sharing?

Yes, this is your health information.

If you wish for your information to not be shared between organisations for patient care purposes, we will always try to respect this.

You can object to the following:

  • Having the data shared between the three Trusts where it relates to sharing for patient care.
  • Having your data shared through Care Everywhere (other trusts with EPRs that we can directly communicate with)
  • Having your data shared through EpicCare Link (GPs etc.)

We will ask a clinical professional, who may be a member of your care team, or one of our Caldicott Guardians to discuss your concerns and outline any risks that limiting the sharing may mean. You will be asked to acknowledge any risk, and the Trust will record your objection to this sharing.

If your objection is upheld, we can apply certain privacy controls between the Trusts for those who would otherwise access your information for patient care purposes.

Under our joint agreements, the Trusts share several back-end services to support the EPR. If you request that we do not share your record between the Trusts, and this request is upheld, a smaller group of cross-Trust staff may still need to access your record to ensure security and functionality, and to ensure the Trusts can meet other lawful requirements under which we operate a shared service.

Any objection to your record being shared will only limit access for staff who would access it for direct patient care purposes.

Please note, any objection is separate to the National Data Opt Out (NDOO) programme, which is a national policy. The National Data Opt Out (NDOO) does not apply to direct patient care sharing of health data.

Data security and international transfers

The Trusts store your data securely on UK servers.

The Trusts’ EPR system supplier is Epic Healthcare, who are based in Wisconsin, USA. On occasion, when troubleshooting issues, we may need to transfer limited patient information securely to our system supplier’s servers in Verona. All appropriate contracts and safeguards are in place to ensure these transfers are completed legally and that your rights will be respected as they would be in the UK. Where data is transferred, it is only retained for a short period to resolve the issue.

Innovative technologies and AI

Having an integrated EPR across Devon will allow the Trusts to be innovative in our use of technologies (including AI) to support your care; we will always consider the use of these technologies in line with national guidance and best practice. We will always assess any impacts these technologies may have on our patients’ fundamental rights. Primarily, our use of these technologies will always be to support your patient care delivered by the three Trusts; should there be any secondary purposes or use cases, we will ensure transparency with our patients and put all relevant safeguards in place.

Raising a concern with the ICO

Whilst the Trusts will always endeavour to address your concerns with you directly, you have a right to complain to the Information Commissioner if you are dissatisfied with the way the Trust has handled or shared your personal information:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)
Website: Information Commissioner’s Office

Torbay Council has commissioned Torbay and South Devon NHS Foundation Trust to provide Drug and Alcohol Services. When we do so we are regulated under the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information for the purposes of those laws.

As part of its response to this duty, Torbay Council commissions the Trust to provide specialist drug and alcohol treatment services on behalf of the Office for Health Improvement and Disparities (OHID). These services offer harm reduction advice, assessments and recovery plans.

Information collected by us

To deliver adult social care services, we need to process personal information about you including names, addresses, contact details, dates of birth, gender status, education and/or employment details, financial information and information about your lifestyle and relationships.

We also need to hold some special category data including physical and mental health details, ethnic origin and religious and/or philosophical beliefs and your sexual orientation. We may also process data of any criminal offences committed by yourself (including alleged offences), proceedings, outcomes and sentences.

In addition, criminal offence or conviction information (for example, allegations, investigations, proceedings, unproven allegations, criminal activity) may also need to be disclosed and shared with services involved in your treatment, care and support. This will only be shared in very narrow circumstances and would be on a strictly ‘need to know’ basis, for example, to ensure your and others’ safety.

We are the “data controller” in relation to your personal information. This means we make decisions about how your data is collected, processed and shared.

Office for Health Improvement and Disparities (OHID)

If the service user agrees, some partially identifiable information is shared with Torbay Council and OHID via the National Drug Treatment Monitoring System (NDTMS). Your data may be shared with other organisations and combined with other datasets for further analyses such as system and service planning, and research. Data will be de-identified wherever possible before it is shared elsewhere, to protect confidentiality.

The Trust and OHID never publish any NDTMS information that could be used to identify individual people. The data collected is specified by the OHID guidance on Alcohol and Drug misuse treatment core dataset collection, which can be viewed on the National Government website.

How OHID use your personal information

On behalf of OHID we use the personal data and other information collected to:

  • monitor how effective drug and alcohol treatment services are
  • plan and develop services that best meet local needs
  • produce statistics and support research about drug and alcohol use and treatment.

What is our lawful basis?

Our lawful basis for processing your personal data is that it is a task carried out in the public interest, outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

We also process your personal data to comply with various legal obligations; this is carried out under the lawful basis of legal obligation, outlined in the UK General Data Protection Regulation as:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

We also process your special category data under the following lawful basis:

  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

Do we share your information?

Our services share data with a range of organisations, and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself. Sharing will be completed adhering to national security standards and best practice. We share personal information with the following organisations for the purposes of delivering or improving care or where there is a legal requirement for us to do so:

  • Integrated Care Boards
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Local Authorities (for example Social Services and Education services)
  • Police and Courts
  • Prison and Probation Services

How long do we keep your information?

We keep your Drug and Alcohol records for a minimum of 8 years after discharge from services, unless your treatment was Court Ordered or as part of a mental health inpatient discharge. We may also retain records for longer in the case of:

  • Safeguarding concerns or investigations
  • Where the individual lacks mental capacity
  • Ongoing legal proceedings or complaints
  • Coroner’s inquests or other formal reviews

How do I obtain a copy of my personal data?

Please refer to our Data Protection How to access information page.

Contact

Torbay and South Devon NHS Foundation Trust
Jamie Whaling, Associate Director of Legal Services and Acting Data Protection Officer
Email: Data Access & Disclosure Office

Torbay and South Devon NHS Foundation Trust reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

If any data processing falls within scope of the National Data Opt-Out, we use MESH to check if any of our service users have opted out of their data being used for this purpose. This will not impact on the personal care you receive and the data we collect for that purpose.

For more information, visit: The NHS Website – Your NHS data matters.