Fair Processing Notices

Northumberland, Tyne and Wear NHS Foundation Trust (the Trust) is a body established under statute with functions to provide goods and services for the purposes of the health service in England. In order to fulfil these functions, the Trust needs to collect and process certain information about you (‘personal data’). This makes the Trust a ‘data controller’ for the information that the Trust collects and processes about you, and makes you the ‘data subject’. Maintaining the right of confidentiality to individuals is an important commitment for the Trust. The Trust also aims to be open and transparent about how it is handling the public’s personal data and restore their sense of control over their personal data. This Fair Processing Notice (this “Notice”) sets out details of the information that we may collect from you and how we may use that information. In this Notice we use “we” or “us” or “our” or “the Trust” to refer to the Trust. Please take your time to read this Notice carefully. If you have any questions about this Notice, you can contact us using the details in section eight ‘Contacting us’.

What personal information do we process? 

The personal information that we collect will depend on your relationship with us.  For example, we will collect different personal information depending on whether you are a patient or a visitor to the Trust. For example, where you are a service user accessing healthcare services, the Trust will hold sensitive or ‘special categories of data’, such as information about your physical and mental health. If you are a visitor, it is unlikely the Trust would hold this level of information.  Records are kept on paper, on electronic record systems and on some medical devices used by the Trust.

If you provide personal information to us about other individuals you should inform the individual about the contents of this Notice.  We will process such information in accordance with this Notice.

We have set out detailed information below about the types of personal information we are likely to collect and use about you in different circumstances.

Service users

Personal information

  • General information you provide such as your name, address, contact details, date of birth, gender and next of kin, information relating to appointments
  • Identification information, such as NHS number, national insurance number, passport number or driving license number
  • Information regarding your ability to pay for services, if relevant
  • Information relevant to any complaint you may make against the Trust or its staff
  • Information you provide regarding your patient experience with us

Sensitive personal information / special categories of personal data

  • Details of your current or former health condition, including information about medication, lifestyle and other information that may be relevant to your health e.g. employment history, family conditions; race; ethnicity; sex life or sexual orientation, religious or philosophical beliefs
  • Information relating to criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction)
  • Genetic or biometric data
  • In limited circumstances, we may process other sensitive personal information including details of your political opinions; and trade union membership, for example, where it is relevant to your health or social history
  • Images of you that are captured, for example, by CCTV or x-ray

Others (e.g. carers, family and friends of service users, visitors, contractors, suppliers)

Personal information

  • General information you provide such as your name, address, contact details, date of birth, gender and next of kin, information relating to your visits to the Trust
  • Identification information, such as NHS number, national insurance number, passport number or driving license number
  • Information relevant to any complaint you may make against the Trust or its staff
  • Information you provide regarding your experience with us
  • Images of you that are captured, for example, by CCTV or x-ray

Sensitive personal information/special categories of personal data

  • Details of your current or former health condition, including information about medication, lifestyle and other information that may be relevant to your health or the health of a patient e.g. employment history, family conditions; race; ethnicity; sex life or sexual orientation, religious or philosophical beliefs
  • Information relating to criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction)
  • Genetic or biometric data
  • In limited circumstances, we may process other sensitive personal information including details of your political opinions; and trade union membership, for example, where it is relevant to your health or social history or that of a patient

How do we collect information about you?

We collect personal information from a number of different sources, including:

  • directly from you. For example, when you access healthcare services, submit a query to us including by email or post;
  • images and video from CCTV cameras on Trust premises;
  • from other healthcare organisations, such as your GP, an NHS body or a private healthcare, for example in order to access your medical records
  • government agencies such as the police and councils
  • publically available sources such as internet search engines, news articles and social media sites such as twitter.

Why do we collect information about you?

We may use your information for a number of different purposes.  For each purpose we must have a “legal ground” to use your personal information in such a way.

When the information that we process is classed as sensitive personal information/ special categories of personal data, we must have a specific, additional “legal ground” to process such information.

Generally we will rely on the following “legal grounds”, as appropriate:

  • We have a legal or regulatory obligation to use such personal information. For example, where our regulators require us to hold certain records of our dealings with you.
  • We need to use your personal data in order to protect your vital interests or a third party. For example, in order to ensure your safety or the safety of others.
  • We need to use your personal information for the performance of a task carried out in the public interest or in the exercise or our official authority. For example, in order to provide healthcare services.
  • We need to use your personal information for purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. For example, in order to provide healthcare services and treatment to you.
  • We need to use such personal information to establish, exercise or defend our legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves.
  • You have consented to the use of your personal data (e.g. in relation to how you would like to receive communications from the Trust). Without it, we may be unable to provide you with appropriate healthcare. We will always explain why your consent is necessary.

You will find further details of our “legal grounds” for each of our processing purposes set out below.

Providing healthcare and related services

Legal grounds:

  • the use is necessary for compliance with a legal obligation to which the Trust is subject
  • we need to use the information to protect your vital interests or the vital interests of a third party
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you or another with healthcare services
  • You have given us your consent.

Additional legal grounds for sensitive personal information/special categories of personal data:

  • we need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent
  • we need to use the information for reasons of substantial public interest
  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care
  • You have given explicit consent.

Administration and management of healthcare services (such as maintaining records, receiving professional advice)

Legal grounds:

  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you or another with healthcare services
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you with healthcare services
  • You have given us your consent.

Additional legal grounds for sensitive personal information/special categories of personal data:

  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • You have given explicit consent
  • The use is necessary in order for us to establish, exercise or defend our legal rights.

Service improvement, evaluation and audit (in order to improve the healthcare services that the Trust and others provide, and to protect and improve the health of the public)

Legal grounds:

  • the use is necessary for compliance with a legal obligation
  • we need to use the information to protect your vital interests or the vital interests of a third party
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you or another with healthcare services
  • You have given us your consent.

Additional legal grounds for sensitive personal information/special categories of personal data:

  • we need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent
  • we need to use the information for reasons of substantial public interest
  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • the use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care
  • You have given explicit consent.

Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care.

Legal grounds:

  • the use is necessary for compliance with a legal obligation
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you or another with healthcare services
  • you have given us your consent.

Additional legal grounds for sensitive personal information/special categories of personal data:

  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • you have given explicit consent.

Complying with our legal and regulatory requirements

Legal grounds:

  • the use is necessary for compliance with a legal obligation
  • you have given us your consent.

Additional legal grounds for sensitive personal information/special categories of personal data:

  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • you have given explicit consent.

Clinical research and development

Legal grounds:

  • the use is necessary for compliance with a legal obligation
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you with healthcare services
  • you have given us your consent.

Additional legal grounds for sensitive personal information:

  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • we need to use the information for reasons of substantial public interest
  • the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • the use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care
  • the use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards
  • You have given explicit consent

Safeguarding purposes (for example, in order to ensure the health and safety of an individual)

Legal grounds:

  • the use is necessary for compliance with a legal obligation to which the Trust is subject
  • we need to use the information to protect your vital interests or the vital interests of a third party
  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide you with healthcare services

Additional legal grounds for sensitive personal information:

  • we need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent
  • Necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual
  • we need to use the information for reasons of substantial public interest

Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, for example, NHS Counter Fraud Authority or Audit One

Legal grounds:

  • the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust
  • necessary for the purposes of legitimate interests
  • you have given us your consent

Additional legal grounds for sensitive personal information:

  • we need to use the information for reasons of substantial public interest
  • You have given explicit consent

Who do we share your information with?

From time to time, we may share your personal information with others. We will keep your personal information confidential and only share it with those listed below for the purposes explained in the previous section.

If you would like further information regarding the disclosure of your personal information, please contact us using the details set out in section eight.

NHS organisations

We may share your personal information with other NHS organisations, including:

  • other NHS trusts or care providers with whom you have had contact with, such as general practitioners (GPs), NHS ambulance services
  • Clinical Commissioning Groups
  • NHS England
  • NHS primary care agencies
  • NHS Counter Fraud Authority

Non-NHS organisations

We may share your information with other non-NHS organisations, such as:

  • organisations from which you are also receiving healthcare services
  • our regulators, e.g. the Care Quality Commission and Monitor
  • The Department of Health
  • Schools and education services;
  • Local authorities and social services;
  • Police;
  • fraud detection agencies and other third parties who operate and maintain fraud detection registers; and
  • Voluntary and private sector providers such as Turning Point and Insight Healthcare.

What marketing or fundraising activities do we carry out?

Your personal information will only be used for the above purposes. It will never be used for marketing or insurance purposes.

What automated decision-making (‘profiling’) do we carry out in relation to your personal information?

An automated decision is a decision made by computer without any human input. The Trust do not currently carry out automated decision-making (‘profiling’) in respect of your personal information.

How long do we keep your personal information?

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Notice and to comply with our legal and regulatory obligations.

The exact time period will depend on your relationship with us and the type of personal information we hold. For example, information about your health will be retained longer than information relating to a query received from a member of the public.

The Trust follows the Records management: NHS code of practice  A hard copy is available on request. This provides further information regarding the periods for which your personal information will be stored and explains where the requirements may vary for some types of health record, such as those relating to:

  • Children;
  • People taking part in a clinical trial;
  • People receiving treatment for a mental disorder within the meaning of the Mental Health Act 1983;
  • People serving in the armed forces;
  • People serving a prison sentence.

If you require any further information about the periods for which your personal information is stored, please contact us using the details below.

International data transfers

The Trust (and third parties acting on its behalf) does not currently store or process information that we collect about you in countries outside the European Economic Area (“EEA”).  However, if this changes the Trust will take the required steps to ensure that your personal information is protected.

Your rights

Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used.

You may exercise these rights at any time by contacting us using the details below in order to obtain an application form. This application form is also available on the Trust Internet. Please note that you will need to provide something to help us identify you, such as a copy of your driving license or passport and something with your name and address on such as a utility bill.

You should normally have access to your information within one month of receipt of a valid request for access to information and there will not usually be a charge for handling a request to exercise your rights.

If we do not comply with your request to exercise your rights we will usually tell you why.

There are some special rules about how these rights apply to health information.

If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond.  Alternatively, we can charge for responding.

Your rights include:

The right to access information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in writing, unless otherwise requested.  If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you, or disclosure would cause you or a third party serious harm.

You are entitled to the following under data protection law:

  • We must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
    • The purposes for which we use your personal information
    • The types of personal information we hold about you
    • Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
    • If your personal information leaves the EU, how we make sure that it is protected
    • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
    • If the personal data we hold about you was not provided by you, details of the source of the information
    • Whether we make any decisions about you solely by computer and if so details of how those decision are made and the impact they may have on you
    • Your right to ask us to amend or delete your personal information
    • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
    • Your right to complain to the Information Commissioner’s Office

We also need to provide you with a copy of your personal data.

The right to rectification

We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it. There are some exceptions to this right which can be applied by the Trust, for example where it is necessary for the performance of a task carried out in the public interest or in the exercise of the Trust’s official authority i.e. it needs to keep the information in order to provide effective healthcare services. In some circumstances the Trust may rectify you information, by adding a supplementary statement to your records.

The right to erasure (otherwise known as the “right to be forgotten”)

In some circumstances, we must delete your personal information if you ask us to. We do not have to comply with all requests to delete personal information.  For example, we do not have to comply if we need to retain your personal information in case you make a legal claim against us, or we need to retain the information for the performance or a public interest task (i.e. in order to provide you with effective healthcare services).

The right to restrict processing

You also have the right to restrict processing in certain circumstances, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information. If you exercise this right then the Trust will stop any further processing, but may continue to store your personal data. There are exceptions to this right which can be applied by the Trust, for example where the Trust can demonstrate compelling and overriding legitimate grounds to continue, where the processing is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

The right to data portability

In certain circumstances, you have the right to ask that we transfer personal information that you have provided to us to another third party of your choice. The information must be transferred in an electronic format.

The right to object to marketing

You can ask us to stop sending you marketing messages at any time and we must comply with your request. However, the Trust does not currently send marketing messages.

The right to object to processing

In some circumstances you have the right to object to our use of your personal information and we must stop using it in that way.  Even these cases, we sometimes can continue to use your personal information, for example if this is necessary to defend a legal claim brought against us.

The right not to be subject to automated decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

However, the Trust does not currently make automated decisions.

The right to withdraw consent

In some cases we need your consent in order for our use of your personal information to comply with data protection legislation.

We have explained in section three where we may rely on your consent in this way.  Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting us using the details below. We will explain the consequences of the withdrawal of consent to you.

The right to complain to the Information Commissioner’s Office

You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

You can ask us to stop sending you marketing messages at any time and we must comply with your request. However, the Trust does not currently send marketing messages.

Changes to this notice

The Trust will notify you of any changes to the information contained in this Notice if it affects you in any way, for example if the Trust alters the purposes for or legal bases under which it processes your personal data or wishes to transfer your information to new recipients or outside of the United Kingdom.

Contacting us

Further information

  • For further information about how the Trust uses your personal information, you can refer to your clinical team or the Trust’s website: https://www.ntw.nhs.uk
  • You can also contact the Data Protection Officer for the Trust.

Data Protection Officer: Angela Faill, Head of Information Governance and Medico Legal
St Nicholas Hospital
Jubilee Road

Gosforth NE3 3XT
Phone: 0191 246 6896
Email: DPO@ntw.nhs.uk

  • If you have any concerns about the way the Trust is using or sharing your information, you can speak to your clinical team or the Data Protection Officer in the first instance.

Service User Fair Processing Notices

Notice for service users (184kB)

Fair processing notice

Employee Fair Processing Notices

Notice for NTW employees (173kB)

Fair processing notice

Notice for NTW Solutions employees (476kB)

Fair processing notice

Cabinet Office: National Fraud Initiative (NFI)

Northumberland, Tyne and Wear NHS Foundation Trust is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.Data matching involves comparing sets of data such as the payroll records of a body against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.

We are a mandatory participant in the Cabinet Office’s National Fraud Initiative; a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed here on the www.gov.uk website. For further information on how the Trust uses your information, please refer to the Trust’s Fair Processing Notice.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the GDPR (General Data Protection Regulation). Data matching by the Cabinet Office is subject to a code of data matching practice, also available on the www.gov.uk website.

The Cabinet Office has published its Data Privacy notice, which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the General Data Protection Regulation (GDPR).

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

We want you to know that we take privacy very seriously. Please be assured that we will always manage your data securely and responsibly.
For further information on data matching at this organisation, please contact the Counter Fraud team on 0191 441 5936 or email counterfraud@audit-one.co.uk.