Your information – privacy notice

University Hospitals Sussex NHS Foundation Trust Privacy Notice (for Patients)

University Hospitals Sussex NHS Foundation Trust collects information about you when you are referred by your GP for treatment and during your clinical consultation. We also collect information when you voluntarily complete customer surveys, provide feedback and speak to a member of our team.

As a healthcare provider we need to hold information about our patients to help ensure that they receive proper, necessary and effective treatment. We firmly believe that information should be held securely and should only be available on a ‘need to know’ basis. The information includes:

• your full name, date of birth and address, phone number, email address
• your next of kin contact details
• medical test results, symptoms and diagnoses
• details of contact we have had with you, such as referrals
• details of the services you have received
• patient experience feedback and treatment outcome information you provide
• notes and reports about your health and any treatment you have received or need, including clinic and operational visits and medicines administered

Our duties

We have a duty to:

• maintain a full accurate record of the care we give you
• keep records about you confidential, secure, accurate and accessible
• follow UK law and dispose of your information confidentially when it is no longer needed
• give you copies of your healthcare information in an easy to understand format (in a large type if you are partially sighted) and a list of medical abbreviations we use.

Your rights

If we hold information about you as a patient, you have the right to:

1. Be informed:

Individuals, which include patients and staff, have the right to be informed about the collection and use of their personal data.

The information we have to provide includes:

• Who we are (known as the ‘data controller’)
• The contact details of our Data Protection Officer
• What personal data we hold, e.g. your name, address, DOB (unless we have collected it from you directly)
• What we are doing with your personal data (the purpose)
• What legal reason we have to use your data in this way
• If our legal reason is your consent (most of the time it won’t be) that you have the right to withdraw your consent at any time
• Which other organisations we will share your personal data with
• How long we will keep your personal data for (or how we work out the length of time)
• Where we got your data from (unless we collected it from you directly)
• Whether we will need to send your data outside of Europe and how we will make sure it is safe and legal if we do
• That you have the right to complain about how we are using your personal data to the Information Commissioner’s Office (ICO)
• Whether we will use any computer processes with your data which make decisions about you (known as ‘automated decision making’) and if so, how those computer decisions work (known as ‘the logic’) and what consequences there will be for you.
• If we are collecting the data from you directly, whether you have to provide it as part of a contract or law

2. Right of access

You have the right to find out what information we hold about you as a member of staff or as a patient. This is called a right of access. You exercise this right by asking us for a copy of the information we hold about you.

We are required to supply this information to you within 30 calendar days from the date the Trust received the request. However, the Trust may extend this period if the request is deemed to be excessive or complex. In this instance, the Trust will write to inform you of the extension and revised response date.

If you would like online access to your appointments, test results or letters please register for the My Health and Care Record you can add, access, and share your health information with healthcare professionals, family and carers – anytime, anywhere.

You will soon be able to access your My health information through the NHS App.

Please read the My healthcare privacy information: PKB Manual – Legal (patientsknowbest.com)

How to make a request for copies or access to your information not held in my health and care record.

3. The right to rectification of inaccurate personal data

You have the right to have any inaccurate personal information about you corrected and we must respond to the request without delay and at the latest within one calendar month, from the first day after the request was received.

You can make this request verbally and in writing.

In certain circumstances the Trust can refuse the request for rectification. The Trust will inform you of the decision and explain why.

4. Your right to get your personal information deleted

You have the right to ask the Trust to delete any personal information we hold about you.  This is known as the ‘right to be forgotten’.

This right is not absolute and can only apply in certain circumstances.

You don’t have to ask a specific person within the hospital. We do recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your concerns, providing evidence and stating your desired solution.

In certain circumstances the Trust can decline the request for deletion. The Trust will inform you of the decision and explain why.

5. Right to limit how we use your information

You can limit the way the hospital uses your personal data if you are concerned about the accuracy of the data or how it is being used.

In certain circumstances you can make a request for the hospital to limit the use of your personal information. This could include:

• Temporarily removing information from a system
• Making it unavailable to users, or
• Temporarily removing it from a website, if it has been published.

The Trust may refuse a request to limit the use of your information if we believe that your request is unfounded or excessive. We won’t do this without letting you know and if your request is ‘manifestly unfounded’. We may ask for a reasonable fee to cover administration costs.

Where the law demands The Trust will be unable to prevent your data being shared. If this is the case, we will inform you of the legislation which permits this.

6. Right to data portability

You have a right to get your personal information from the hospital in an accessible format, paper, electronic or CSV file.

You can also ask the hospital to transfer your electronic information to another healthcare provider if it is technically feasible.

The hospital has one month to respond to your request. We may need extra time to consider your request and this may take up to two months, but we will let you know.

If an external clinician requires your healthcare information, a synopsis or copy of the record will be released to the responsible clinician to support your ongoing care.

7. Right to object

You have the right to object to the use of your information in some circumstances.

Your request can be verbal or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

At a national level, you can restrict the use of your healthcare data. Please refer to the National Data Guardian Opt-Out information on the Trust website.

7.1 Right to object to your healthcare data being uploaded to the My healthcare Application (App) or Portal.

If you wish to object to your healthcare data being uploaded to the My healthcare App, please email the Trust’s Data Protection Officer: uhsussex.informationgovernance@nhs.net.

8. Rights relating to decisions made about you by a computerised system.

Automated decisions

This is called automated decision making and profiling for example, completing an online aptitude test using a pre-programmed algorithm and or criteria when applying for a job vacancy with the hospital.

You can ask for information to understand the reasons behind the automated decisions. The request can be made verbally or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

Profiling

Profiling means information about you is used to analyse or predict things like:

• The risks associated with a medical condition
• Computerised analysis of MRI scans to improve a patient’s diagnosis and recovery
• performance at work
• Your personal financial status
• Your health, personal preferences, and interests.

You can object to the collection of profiling information if it includes direct marketing.

It will take the hospital a month to respond to your request, but in certain circumstances, we may need more time which can take up to an extra two months. We will let you know within the 30 days if it might take longer.

If you are exercising your rights under the Data Protection Legislation by asking for your data to be restricted, erased, corrected or updated, or you are objecting to our processing of your data, to automated decision-making or would like a human to review any automated decision-making to which you are subject, these requests will be handled by the Trust Data Protection Officer directly and a response issued within one month. Please write to the contact details given to you when we collected the data, or to the contact details.

Raising a concern

You have a right to be confident that the hospital handles your personal information responsibly and securely.

If you would like to speak to someone, about any concerns you may have please contact the Information Governance Office or the Trust’s Data Protection Officer or 07900736922.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Legal basis for sharing of information

As a healthcare provider we access your healthcare information to provide direct care in accordance with Articles 6 and 9 of the UK General Data Protection Regulations and Data Protection Act 2018.

The information we hold about you helps us to:

• provide a good basis for all health decisions made by you and your healthcare professional
• make sure your care is safe and effective
• work effectively with others providing you with care

We may also use your information to:

• analyse how visitors use our website to improve services;
• assess the quality of care we give you
• protect the health of the general public
• monitor NHS spending
• manage health services
• help investigate any concerns or complaints you or your family have about your healthcare
• report infectious diseases
• help with accounts and auditing
• secure clinical funding from your GP and the Clinical Commissioning Group
• report fraudulent claims for NHS treatment

Specialist Cancer Drug Funding:

The Specialist Cancer Drug Funding procedures require University Hospitals Sussex NHS Foundation Trust to submit patient information to NHS England on the prior approval system (currently Blueteq) to obtain funding for specialist drugs.

These procedures have been designed to:

• provide patients with faster access to the most promising new cancer treatments
• drive stronger value for money for taxpayers in drugs expenditure
• offer those pharmaceutical companies that are willing to price their products responsibly, a new fast-track route to NHS funding for the best and most promising drugs via an accelerated NICE appraisal process, and a new CDF managed access scheme.

Who is this information shared with?

Requests for specialist cancer drugs are shared with NHS England. This information is collected, used and shared for the purposes of public health with the aim of

• making the public healthier and reducing differences between the health of different groups by promoting healthier lifestyles, advising government and supporting action by local government, the NHS and the public
• protecting the nation from public health hazards
• preparing for, and responding to, public health emergencies
• improving the health of the whole population by sharing our information and expertise, and identifying and preparing for future public health challenges
• supporting local authorities and the NHS to plan and provide health and social care services such as immunisation and screening programmes, and to develop the public health system and its specialist workforce
• researching, collecting and analysing data to improve our understanding of public health challenges, and come up with answers to public health problems.

For more information about NHS England and the specialist cancer drug funding please visit the NHS England website.

Opting out of your information being shared with Public Health England

NHS England supports patients to opt out from the cancer registration process should they wish. To support this, NHS England provides all cancer centres with patient information leaflets on cancer registration. These leaflets should be made readily available to patients. If you would like to request copies of the leaflet, please email NDRSenquiries@nhs.net or you can find more information, and access the leaflet from the National Disease Registration Service webpage.

Who may we share your information with?

The Trust uses approved specialist companies which are accredited to provide any diagnostic tests or services you might need; for example, genetic testing and specialist tests.

We work closely with many organisations in order to provide you with the best possible care. This means that with your consent, and when it is beneficial to your health or in your vital interests, your information will be shared with organisations including:

• your GP practice
• other hospitals and community organisations providing care services
• Clinical commissioning groups responsible for the management of your local NHS budget
• specialist companies providing diagnostic and testing services you might need; for example, blood test, X-ray, and ultrasound scans.
• Those with parental responsibility for patients, including guardians
• Carers without parental responsibility (subject to explicit consent)
• Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
• NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
• Bodies with statutory investigative powers – e.g. the Care Quality Commission, the General Medical Council, the Audit Commission, the Health Service Ombudsman
• National generic registries – e.g. the UK Association of Cancer Registries
• Organisations processing data on our behalf for the purposes of your care and managing your appointments

Also, where necessary and appropriate, to:

• Non-statutory investigators – e.g. Members of Parliament
• Government departments other than the Department of Health
• Solicitors, the police, the Courts (including a Coroner’s Court), and tribunals and enquiries
• The media (normally the minimum necessary disclosure subject to explicit consent)
• Those with parental responsibility for patients, including guardians

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

• When there is a Court Order
• When there is a statutory power to share patient data
• When the patient has given his/her explicit consent to the sharing
• When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

Health professionals should share information in the best interests of their patients. This means that where necessary we will also share your health information with other health care providers/professionals involved in your care.

How and why is your information shared?

Here at University Hospitals Sussex NHS Foundation Trust we take your privacy seriously and will only use your personal information when caring for you and to give you any products and services you have asked for.

The Trust will not disclose any information about you other than in exceptional circumstances where we are required to do so by law.

You can also get further information on:

• agreements we have with other organisations for sharing information
• circumstances where we can pass on personal data without consent for example to prevent and detect crime and to produce anonymised and pseudonymised statistical information to improve NHS services
• our instructions to staff on how to collect, use and delete personal data
• how we check that the information we hold is accurate and up to date

If you are a patient seeking routine treatment and you live outside of the NHS England boarders, the Trust is required to contact your local GP practice and Local Health Board (LHB) or the National Specialised Services team responsible for your area to obtain authorisation prior to commencing your treatment. If you are planning to move outside the NHS England borders, please can you confirm your new address and GP Practice with the Trust as soon as possible to ensure a continuation of care. On occasion it may be necessary for the Trust to contact you directly about your provision of care as we will be working on your behalf to ensure that the continuity of care is not adversely affected.

Working in partnership with your GP

As a trusted Healthcare partner the University Hospitals Sussex NHS Foundation Trust clinical staff have been granted read only access to a limited view of your GP electronic patient record when supporting your care.

In conjunction with your GP practice we will ensure access to your GP electronic record is strictly controlled and monitored. If you wish to prevent the hospital from accessing your GP electronic record, please contact your GP practice who can arrange.

Integrated Care Record (ICR)

Health and care organisations across Sussex are working to improve the care our population receives through a wide reaching programme of digital transformation designed to use digital technology to provide better care for local people and use our resources in a more effective and efficient way.

Part of this digital transformation programme is focusing on the development of Integrated Care Records (ICRs). 

An ICR enables the different health and care organisations involved in an individual’s care to access relevant information about them without the need to access multiple IT systems. 

For more information, please see the  Sussex Health & Care; My Health and Care Record.

How long do we keep your personal information for?

The NHS has a comprehensive set of guidelines, which govern the length of time that we may keep your records for, which are called the NHS Retention Schedules. University Hospitals Sussex NHS Foundation Trust will comply with the NHS Retention Schedules. There may be occasions where the Trust will be obliged to vary from the NHS Retention Schedules, for examples, in response to a Court Order or other equivalent legal requirement. Information about the NHS Retention Schedules may be found via the NHS Digital Website.

Do I have a choice about who accesses my medical records?

The Trust uses a secure electronic patient record system which enables GPs to refer you here. You can decide whether we can give limited access to the information held within your GP record.

Our system is also used by other GP practices, child health services, community services, hospitals, out-of-hours services, palliative care services and many more. This means your information can be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including medication and allergies. We will seek your consent before sharing your medical information.

Sharing out: This controls whether your information stored by us can be shared with your GP

Sharing in: This controls whether information in your medical record held by your GP can be viewed by staff on a need to know basis

Accessing information

If you would like to receive a copy of your medical records, report a concern or inaccuracy within your record or would like to restrict who your medical data is shared with, please speak to your clinician or contact any of the people listed below. They will be happy to help:

If you would like advice or report a concern directly to the data protection and privacy and electronic regulator, you can use the contact details below:

The national data opt-out

NHS Digital is developing a new system to support the national data opt-out which will give you more control over how your identifiable health and care information is used. The system will offers you and the public the opportunity to make an informed choice about whether you wish your personally identifiable data to be used just for your individual care and treatment or also used for research and planning purposes.

What information does the national data opt-out apply to?

How do you opt out?

By contacting NHS Choices website or telephone contact centre.

Need more information?

Visit the National Data Opt-out web pages.

You can also use the opt-out postal service or phone the helpline to access more information:
NHS Digital Contact Centre Tel: 0300 303 5678

GDPR Compliance Statement

University Hospitals Sussex NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public).

University Hospitals Sussex NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public).

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at health research authority
(which covers health and care research); and the understanding patient data website
(which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

As an early adopter of the National Data Guardian Opt Out Programme, the Trust implemented a series of internal policies and procedures in 2019 to ensure patients who have opted out of their data being used for secondary purposes is respected.

Health and care organisations had until 31 July 2022 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.

Overseas Patients and Patients Not Ordinarily Resident in the UK

Please refer to our additional privacy notice. 

Overseas patient information may be used to?

• Establish your identity and your entitlement to free NHS treatment
• Ensure that the information we hold about you is valid and up to date
• Record outstanding NHS debts and provide this to the Department of Health & Social Care
• Determine your immigration status using Home Office services
• Prevent, detect and prosecute fraud and other crime
• Provide translation and interpretation services

We may need to share overseas patient information with external organisations, such as:

• NHS managers and the Department of Health for the purposes of planning, commissioning,
• managing and auditing healthcare services.
• Organisations with statutory investigative powers such as the Care Quality Commission, the
• General Medical Council, the Audit Commission, or the Health Service Ombudsman.
• Department of Health & Social Care, Home Office, and registered charities.
• Solicitors, the police, the courts (including a Coroner’s court), debt recovery agencies, clinical.
• commissioning groups and to tribunals and enquiries.
• Government agencies or public bodies within your home country.
• Companies that provide translation services and with whom we have a contract.
• Medical insurers for the purposes of administration of a claim for payment of medical expenses

The Trust does not routinely transfer information outside the European Union but may do so if there is a need to make contact with a government agency in your home country, or possibly your medical insurer. Some organisations we share with, such as debt recovery agencies may transfer information outside the European Union as if there is a need to do so. Where this is the case, we will ensure that the security and protections that are put in place are of equivalent standard to those standards that we would use with the European Union when processing.

Security and CCTV

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust’s security services, including the use of CCTV, are managed internally.

The Trust remains the data controller of this data and any disclosures to third parties such as the Police, will only be done with the permission of the Trust.

For safety and security reasons, the Trust security personnel also wear body-worn video cameras while on duty.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the public.

Your employee information – privacy notice

The Trust collects stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.

The processing of employee personal information is necessary for the purpose of employment and social security and social protection law.

The Trust is not required to seek your explicit consent to process your personal information for employment purposes, taxation, fraud, internal and external investigations, and statutory or regulatory reporting purposes requiring identification.

How we use your employee information?

• Your personal information is processed for the purposes of:
• Staff administration and management (including payroll and performance)
• Pensions administration

Business management and planning

• Advertising, marketing and public relations
• Accounting and auditing accounts and records
• Education
• Identify fraud
• Health and wellbeing
• Health administration and services
• Information and databank administration
• Journalism and media
• Licensing and registration
• Occupational health management
• Property management

Employee information and publicity

Your personal information will not be used for internal and external publications without your explicit written consent.

Sharing of employee information

The Trust will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) and Care Information Services (smartcard) Systems.

• There are a number of circumstances where we must or can share information about you to comply or manage with:Disciplinary / investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC;
• Legislative and/or statutory requirements;
• A Court Orders which may have been imposed on us;
• NHS Counter Fraud requirements;
• Request for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature.

Employee Monitoring

The Trust’s Informatics Department is committed to maintaining the privacy, dignity and confidentiality of service users at all times. We adhere to the principles of data protection legislation, Department of Health and NHS Digital policies, procedures and codes of practice.

The Informatics Department uses your personal information to create and manage IT user accounts, monitor system access and performance.

System generated audit trails are also used to improve internal processes, identify account and system issues, and establish if inappropriate access and/or use of IT equipment/resources have occurred.

Audit trails may also be released to patients requesting details of employees who have accessed their medical record.

Registration Authority Smartcards

If you hold or register for a NHS Registration Authority (RA) Smartcard your personal information including your driving license and passport numbers will be recorded along with a photographic image within the NHS Digital’s Care Identity Service (CIS) System.

All users issued with a Smartcard have the ability to update certain aspects of their record on the CIS database as well as change their pin code and, when necessary, renew their own Smartcard certificates. (Certificates last two years and can be self-renewed within 90 days leading to the expiry date – after this time please contact your local Registration Authority).

All Informatics staff adhere to a strict code of ethics in relation to the confidentiality of all personal and sensitive data.

All personal and sensitive information is treated as sensitive (‘special category’) personal data, in respect of data protection legislation and can be shared by the recipient only, with the individual’s consent and with others who have a legitimate need to know.

Your information may be released without your knowledge or consent in exceptional circumstances dictated in the professional codes of ethical behaviour and statute law i.e. the prevention and detection of a serious crime, fraud, malpractice allegation, court order or the vital interests of yourself or another (life or death).

NHS Mail

The Trust utilises the NHS Mail email system as our main communication system. As a member of staff you are accepting you will work within the NHSmail acceptable use policy v3 September 2018. This occurs when you register for the service. This is your promise to all NHSmail users and the public and patients we serve, that you will be mindful of the importance of the information that they share over NHSmail.

NHS Mail Data Retention and Information Management Policy

Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies. The NHSmail Data Retention and Information Management Policy this defines the scope of data held and details the recovery of data. The process to request this is available in the NHSmail Access to Data Policy on the NHSmail portal help pages.

Our responsibilities for data protection are explained in the Transparency Information document located within the General Data Protection Regulation section of the NHSmail portal help pages.

Sharing of employee information

Limited personal information about you may also be shared with third party organisations in order to permit access to externally located/hosted systems.

Secondary Purposes

The Informatics department will use your personal information to create anonymised, pseudonymised and statistical compliance reports.

External IT Monitoring

NHS Digital now provides national monitoring of all internet activity through NHS devices to local organisations such as hospitals and GP surgeries. This means that all internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital will be able to identify the affected device and user in real time so that alerts can be provided nationally and locally in order to minimise the threat to the NHS, staff and patients.

The SFT process will be that whenever an alert is received Informatics will immediately retrieve the device and commence erasing any data and rebuilding the device, please be aware that any information stored locally on the machine will be removed with immediate effect.

Appropriate action will be taken over any inappropriate or malicious breaches detected in line with the Trust policies and procedures.

Performance

University Hospitals Sussex NHS Foundation Trust is registered with the Information Commissioner’s Office which is the regulator for data protection and privacy and electronic communications. Our registration number is: Z1745658

The Trust is registered with the Department of Health (DOH) and our security and confidentiality compliance is assessed annually by the completion of the Data Security and Protection Toolkit (DPST). A full copy of our data protection registration details can be accessed via the link: Register of Data Controllers

This is an online system which allows organisations’ information security, data protection, and confidentiality processes and procedures to be assessed against national standards required by NHS Digital and the Care Quality Commission. To access details of the Trusts compliance please visit NHS England.

Keeping information

We follow UK law and will only keep your personal information for as long as necessary.

Updating the privacy notice

We will review and update this notice regularly in line with guidance issued by the privacy regulator, the Department of Health and NHS Digital.

Data protection concerns and complaints

University Hospitals Sussex NHS Foundation Trust takes seriously its obligations to protect the rights and freedoms of patients, staff, volunteers, trainees, and contractors. The Trust is committed to building privacy by design and default into our systems and services, to minimise any risks to data subjects that might arise through our processing activities.

However, we recognise that there may be circumstances in which members of the public or staff raise concerns or complaints about the way the Trust is processing their personal data. This procedure gives a framework for managing data protection complaints consistently and transparently, to ensure fair and equitable outcomes for complainants. It will also clarify the relationship between this procedure and other complaints and grievance procedures at the Trust, and related data protection procedures, such as our Data Breach Reporting Procedure and our Data Subject Access Request appeal process.

If Trust staff, or members of the public wish to refer or make a complaint, raise a query about the procedure, or otherwise need to get in touch, please contact the IG Team via email.

Confidentiality

Any complaint or concern you raise will be treated in confidence. We will only share your identity or the details of your complaint with a third party with your consent, or if it is necessary to do so to fully investigate your complaint.

Records relating to your complaint will be held securely in restricted areas of the Trust’s IT network or system. The records relating to your complaint will be retained in line with our data retention policies (for ten years from the end of the calendar year in which the final action on your complaint takes place at the time of writing).

It may be necessary during the investigation to reveal to you the identities and personal data of staff or other third parties involved in responding to the complaint. This information will be provided to you only as required, and you must always respect the confidentiality of third parties.

Grievance and representation

Any complaint or allegation cannot be made anonymously.

A third party may submit the complaint on your behalf with your written and signed authorisation, subject to approval by the Data Protection Officer or their delegate.

Internal concerns and complaints procedure

The Data Protection Officer or their delegate will write an initial letter to you, usually within 5 working days, to acknowledge receipt of your complaint. The letter will inform you:

1. Whether your complaint is eligible for consideration under this procedure. If it is not considered eligible, you will be told why.
2. The terms of your complaint, and the breaches of the Data Protection Legislation to be investigated, so that the complainant can understand the scope of the investigation.
3. The expected deadline for completion of the investigation

The Data Protection Officer or their delegate will aim to conclude the formal investigation and provide you with an outcome within 20 working days of sending you the initial letter.

At the end of the review the Data Protection Officer will provide you with an response summarise the complaint and examination process, this may including further evidence gathered from yourself, colleagues or any other relevant third party, and an assessment of the extent to which specific concerns raised in the complaint contravene the Trusts Data Protection policies and procedures and Data Protection Legislation, to help you better understand the outcome of the review. The outcome section of the report will tell you whether your complaint is:

1. Fully upheld
2. Partially upheld
3. Not upheld

The response will set out any recommendations proposed by the Trust. The Data Protection Officer may recommend the case is referred for further consideration under the relevant internal disciplinary procedure. This might include, for example, cases where the investigation identifies a serious breach of the Trust’s Data Protection policies and procedures by an individual subject to said policies and procedures, or an infringement of Data Protection or Computer Misuse legislation.

The response marks the final stage of the Trusts Data Protection Complaints procedure. The Trust will aim to put in place any recommendations within one calendar month of the date of the report, where possible.

If the review finds that a person has processed your personal data and infringe sections 170-173 of the Data Protection Act (2018), the matter may be referred to the Police if the Trust believes that one or more of the criminal offences listed below has been breached:

1. a) Unlawfully obtaining, disclosing or retaining personal data:
2. b) Re-identifying de-identified personal data
3. c) Altering, defacing, blocking, erasing, destroying, or concealing personal data to prevent disclosure to a data subject

Right to representation

You have the right to be accompanied at any meeting arranged under this procedure to investigate your complaint. You may choose to be accompanied by a friend, and staff by a work colleague or a trade union representative. This procedure does not permit any party to have legal representation at meetings. The identity of your representative should be made known to other parties to the meeting prior to the date of the meeting.

If you need us to make any reasonable adjustments under the Equality Act (2010) in connection with meetings or other proceedings under this procedure, please inform the Data Protection Officer in advance.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Your Right to an External Review

If you reject the outcome of the formal investigation, you can make a complaint to the Information Commissioner’s Office (ICO) using their online reporting tool or by calling 0303 123 1113.

Whilst you have the right to make a complaint to the ICO without seeking a remedy through this procedure, we recommend that you follow this procedure in the first instance to advance the resolution of your complaint.

If the Police investigate a Trust employee about an offence listed in section 5.3 above, the Trust will consider whether internal disciplinary procedures should continue or be paused until the outcome of the police investigation is known.