How the Trust manages your information
Cumbria Partnership NHS Foundation Trust (CPFT) is responsible for providing over 60 expert health services across Cumbria, supporting people in our communities to live happier, healthier and hopeful lives. Our services are currently organised into four care groups:
- Community – providing care in patients’ homes or in community settings such as health centres and community hospitals
- Specialist – our specialist services are led by exerts in areas, including dentistry, sexual health, and diabetes. This growing group of services deliver smaller, specialist services into the communities of Cumbria.
- Mental Health – supporting people with mental health problems to recover and live as independently as possible
- Children and Families – we promote a healthy start to life and provide healthcare services that are responsive to the changing needs of young people and their families
For more information see our directory of services https://www.cumbriapartnership.nhs.uk/a-z
This notice explains how we use and share your information. Information may be collected on paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.
Cumbria Partnership NHS Foundation Trust is a registered Data Controller. Information Commissioner Office (ICO) registration no Z8703662.
Cumbria Partnership NHS Foundation Trust (CPFT) and North Cumbria University Hospitals (NCUH) are working together to integrate support services (for example Estates and Facilities, Information Management and Technology, and Human Resources). By integrating support services we aim to build on the collaborative working already happening across many of our support services. Sharing resources, talents and capabilities will lead to improved quality, greater opportunities, reduced duplication and lead to greater efficiencies. Together our services can sustainably meet the demands and expectations of our customers. The integrated support services will be provided by CPFT and NCUH in West, North and East Cumbria.
In order to facilitate this integration, both Trusts will need to share information appropriately and proportionality, which will include patient, staff and corporate information. Information flows are recorded in our Information Sharing Gateway and are risk assessed to ensure that the sharing is lawful and proportionate for the purpose identified.
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the Law. There may also be significant changes within the Cumbrian health economy as Integrated Care Communities (ICCs) and the Sustainability and Transformation Plan (STP) is further developed and implemented.
Integrated Care Communities (ICCs)
An integrated care community works together to improve the overall health and wellbeing of the community. West, North & East Cumbria has been divided into eight ICCs based on groups of GP practices and their patients. By understanding the challenges that each area faces it is hoped that the community can work together with health and care organisations to improve the health and wellbeing of local people. The Information Governance team, through the CCG’s commissioning, provides services across all eight ICCs.
Sustainable Transformation Partnerships (STPs)
The West, North and East Cumbria STP covers Carlisle, Allerdale, Copeland and Eden – a population of around 330,000. Partnerships between the providers and the commissioners of health and social care with the community aim to integrate services to deliver a better experience for patients, staff and communities. The Information Governance team provides services across the STP. STPs are outlined in the five year forward view for the NHS. Our West, North and East Cumbria STP aims to:
- Prevent illness and empower people to support their own health and wellbeing
- Strengthen and invest in local primary care, social care and community care
- Deliver sustainable hospital services and develop improved physical and mental health services closer to home and in hospital when needed.
How the NHS and Care Services Use Your Information (National Data Opt Out Programme (NDOP)
Cumbria Partnership NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment. The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent. You have a choice about whether you want your confidential patient information to be used in this way. To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice. If you do choose to opt out you can still consent to your data being used for specific purposes. If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Cabinet Office: National Fraud Initiative (NFI)
Cumbria Partnership NHS Foundation Trust is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing sets of data such as the payroll records of a body against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We are a mandatory participant in the Cabinet Office’s National Fraud Initiative; a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed here on the www.gov.uk website. For further information on how the Trust uses your information, please refer to the Trust’s Fair Processing Notice and the Privacy Notice for Staff.
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the GDPR (General Data Protection Regulation). Data matching by the Cabinet Office is subject to a code of data matching practice, also available on the www.gov.uk website. The Cabinet Office has published its Data Privacy notice, which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the General Data Protection Regulation (GDPR).
The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
We want you to know that we take privacy very seriously. Please be assured that we will always manage your data securely and responsibly. For further information on data matching at this organisation, please contact the Counter Fraud team on 0191 441 5936 or email firstname.lastname@example.org.
When further changes occur, we will revise the last updated date as documented in the Version Control Section of this document
Data Controller contact details
Cumbria Partnership NHS Foundation Trust
Tel No 01228 608398 / 01228 608399
Data Protection Officer contact details
Head of Information Governance / Data Protection Officer
Unit 68 Kingstown Broadway, Carlisle, CA3 0HA
Tel no 01228 60 3961
Purpose of the processing
The following is a broad description of the way this organisations / data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communication you have received from the Trust or to contact the Data Protection Officer.
Direct Care and Administration Purposes
Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on a Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from a GP or self-referral into one of our services. As such there is a need to share with relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and or care.
As part of our administration purposes, we process information about:
- Our patients
- Complainants, enquirers
- Survey respondents
- Professional experts and consultants
- Individuals captured by CCTV images
Commissioning, Planning and Research Purposes
Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or for local flows by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.
Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
Serious Incident Management
Cumbria Partnership NHS Foundation Trust work with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.
Analysis – Risk Stratification
Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.
Foundation Trust Membership
As a Foundation Trust, Cumbria Partnership NHS Foundation Trust has a statutory requirement to process membership data in its official authority as a public body. Membership data has to be processed in order to maintain a membership, run annual elections and ensure the membership is representative of the communities we serve.
The purpose of our membership application form is to gather the personal data required in order to sign up and become members of the organisation, Cumbria Partnership NHS Foundation Trust. These details may then be used to communicate with you about general membership matters. Special category data is also collected for certain constituency groups to ensure we have a membership that is representative of the community we serve. We also collect demographic data based on your postcode to enable the organisation to report the makeup of its membership to NHS Improvement, the Regulator (https://improvement.nhs.uk) as and when required.
Lawful basis for processing
We will process personal identifiable information (article 6) and also special category of personal data (article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life. The Lawful basis we use
The processing of personal data in the delivery of direct care and for providers’ administrative purposes (i.e. management of serious untoward incidents) in this organisation and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* (see below reference)
Lawful basis processing for commissioning and planning purposes (including risk stratification) is
Article 6(1) (c) – for compliance with a legal obligation
For disclosure to NHS Digital is:
Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority.
As for direct care purposes the most appropriate Article 9 condition for commissioning purposes is:
Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
Lawful basis for research is
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
The Article 9 condition for research is:
Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects
Lawful Basis for FT membership is supported under the following Article 6 and 9 conditions of the GDPR :
Article 6(1)(c) – …necessary for compliance with a legal obligation.
Article 6(1)(e) – …necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9(2)(d) – …carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
9(2)(g) – …necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.
The Trust operates secure disclosure / sharing of information practices all of which are recorded as a record of our processing activities (using the Information Sharing Gateway). Further information is available on request.
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection legislation. Further information is available on request.
Recipient or categories of recipients of the processed data
The data will be shared with health and care professionals and support staff in the Trust and at hospitals, diagnostic and treatment centres who contribute to your personal care for direct care purposes. This will include your GP.
The Trust engages partners in the North and East to conduct audits on clinical processes. This enables the Trust to continue to develop their quality of care for patients.
Where necessary or required we may consider sharing information with any other categories of recipients:
- Our patients
- Family, associates and representatives of the person whose personal data we are processing
- Current, past or potential employers
- Healthcare social and welfare organisations
- Suppliers, service providers, legal representatives,
- Auditors and audit bodies
- Educators and examining bodies
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional advisors and consultants
- Business associates
- Police forces
- Security organisations
- Central and local government
- Voluntary and charitable organisations.
Rights to object (Article 21)
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
Right to access (subject access) and correct (rectification) (Article 15 and Article 16)
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
If you wish to make a subject access request (accessing your information). Requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request. See how to get in touch from here. Please note that Subject Access Requests are for those who wish to obtain information held about them personally and not general information around the Trust. The address is:
Information Rights Team
Maglona House – Unit 68 – Kingstown Broadway, Carlisle, CA3 0HA
Email – Accesstorecords@cumbria.nhs.uk
Freedom of Information Requests (FOI)
The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For email requests, please send to the Freedom of Information Team here.
Freedom of Information Act Requests
c/o Information Rights Team
Maglona House – Unit 68 – Kingstown Broadway, Carlisle, CA3 0HA
You can also email your request to email@example.com
Automated Decision Making, including Profiling
As an organisation we currently do not undertake any automated decision making, including profiling activities
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the Data Protection Officer
Right to Complain
If you have a complaint about the Trust we will use your information to communicate with you and investigate any compliant. Please note that the complaint will not form part of your health care record. Please contact here:
Patient Experience Team
The Coppice, Carleton Clinic Estate, Carlisle, CA1 3SX
Should you have any concerns about how your information is to be used having read this Fair Processing / Privacy Notice or you wish to request the notice in another format please contact the Data Protection Officer.
If you are not happy with our response and have exhausted all the avenues you have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
Or email: firstname.lastname@example.org
General data protection regulation statement
Cumbria Partnership NHS Foundation Trust is a ‘Data Controller’ under the General Data Protection Regulations. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z8703662 and our registered entry can be found on the Information Commissioner’s website.
All of our staff receive annual information governance training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.
As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.
We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law. Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.
Last Updated - This is Version 1.0 of the Cumbria Partnership NHS Foundation Trust Fair Processing Notice and was published on 09.10.2018
Common Law Duty of Confidentiality
Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent. In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.