Privacy Notice Your Information, What You Need to Know North West Ambulance Service NHS Trust (NWAS) covers an area of over 5,400 square miles with a population of over 7.5 million people, Has three emergency control centres and two patient transport control centres and two North West NHS 111 Contact Centres and Is, along with Urgent Care and OOH partners, the largest provider of the NHS 111 nationally - in terms of calls received and area covered. The Trust employs over 6,000 staff who operate from sites across the region and provide services for patients in a combination of rural and urban communities, in coastal resorts, affluent areas and in some of the most deprived inner city areas in the country. We also provide services to a significant transient population of tourists, students and commuters. The services we provide can be categorised: Paramedic Emergency Services Urgent Care Services Patient Transport Service Managing Major Incidents Managing Clinical Conditions NWAS is a registered “Data Controller”. Information Commissioner Office (ICO) registration no Z9603234. This notice explains how we use and share your information. Information may be collected on paper, or online form, telephone, email, CCTV or by a member of our staff, or one of our partners. We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the Law. When such changes occur, we will revise the “last updated” date as documented in the Version Control Section. How We Keep Your Information Confidential and Safe Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised, with consent given by the patient, unless there are other circumstances covered by the Law. There are other conditions (other than consent) that as an organisation we can use and these are listed under the General Data Protection Regulation Article 6(1)) for personal data (i.e. your name / address) and Article 9 (1)) for sensitive personal data (i.e. race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic data and biometric data where processed to uniquely identify a person. Further details are available here. Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you how your information will be used, and allow you to decide if and how your information can be shared. Access to identifiable information is strictly controlled and it is only used when it is absolutely necessary to use identifiable information. The Trust will as a general rule of thumb will pseudonymise or anonymise data that is required for non-direct health care purposes. Pseudonymisation is a process that removes the NHS number and any other identifiable information such as name, date of birth or postcode, and replaces it with an artificial identifier, or pseudonym. Data which is pseudonymised is effectively anonymous to the people who receive and hold it but allows the association of multiple events with one patient, allowing us to better understand the experience of patients accessing health services. In the circumstances where we are required to hold or receive personal information we will only do this if: The information is necessary for the direct healthcare of patients We have received explicit consent from individuals to be able to use their information for a specific purpose (i.e. employment of staff). There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation, dealing with employee details for example national insurance and PAYE) We have permission to do so from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care. NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information. Why We Collect Information about You In carrying out some of services we may collect information about you which helps us respond to your queries. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health. How We Use the Information that We Collect Information from your health record is used to ensure you provide the best possible care. We consider a “record” to be information about providing health which identifies the patient or service user whether they are an adult or a child. What We Use Your Information For Information relating to the purposes below will be retained in line with the Records Management Code of Practice for Health and Social Care 2016. For more information please follow this link. Direct Care When you use our services information about the care you receive is recorded in your health record. This information is required to make sure that we give you the best possible care and treatment. Safeguarding Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. Serious Incident Management NWAS work with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided. Sharing Information In order for NWAS to fulfil its functions, information is shared between various organisations which include: Acute hospitals, General practices, Clinical Commissioning Groups, community services, mental health, nursing homes, and many others. Information Sharing With Other NHS Agencies and Non-NHS Organisations We may share your information for health purposes and for your benefit with other organisations such as other NHS Trusts, General Practitioners, other partner organisations who could be providing specialist services on our behalf. Information may also need to be shared with other non-NHS organisations, from which you are receiving care. Where information sharing is required with these third parties, we will always have a relevant Information Sharing Agreement in place and will not disclose any health information without an appropriate lawful principle. Our guiding principle is that we are holding your records in strictest confidence. We are required by Law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional and where appropriate ratified by the Caldicott Guardian / Data Protection Officer. We may be asked to share basic information about you, such as your name and address or sensitive information (i.e. health information). This would normally be to assist them to carry out their statutory duties. How Your Records Are Used to Help the NHS Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance. Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions. Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. Your Right to Withdraw Consent for Us to Share Your Personal Information (Opt-Out) At any time you have the right to refuse/withdraw consent, in full or in part, to information sharing. The possible consequences will be fully explained to you to allow you to make an informed decision. You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. These commitments are set out in the NHS Constitution. If you do not want your personal information to be shared and used for purposes other than your care and treatment, then you should contact the GP Practice you are registered with and ask for further information about how to register your objections. This should not affect the care and treatment you receive. See section on Patient Control of Information for further details Patient control of information You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. There are two choices available to you: You can object to information about you leaving a GP Practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with other organisation for any non-direct care purpose. This is referred to as a ‘type 1′ objection; or You can object to information about you leaving NHS Digital in identifiable form, which means confidential information about you will not be sent to anyone outside NHS Digital. This is referred to as a ‘type 2′ objection. Information from other places where you receive care, such as hospitals and community services is collected nationally by NHS Digital. If you do not want information that identifies you to be shared outside your GP practice, please speak to a member of staff at your GP practice to ask how to “opt-out”. The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or a public health emergency. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care you can register a type 2 opt-out with your GP practice. Patients are only able to register the opt-out at their GP practice. For further information and support relating to type 2 opt-outs please contact NHS Digital contact centre at email@example.com referencing ‘Type 2 opt-outs — Data requests’ in the subject line; alternatively, call NHS Digital on (0300) 303 5678; or visit their website here In both cases, it is still necessary for NHS Digital to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see “Patient Objections Management” on NHS Digital website for further information. If you have questions about this, please speak to staff at your GP practice, check NHS Digital frequently asked questions, or call their dedicated patient information line on 0300 456 3531. Withholding information about you Information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld. Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information. Correcting inaccurate information We have a duty to ensure your information is accurate and up to date to ensure that we have the correct contact and treatment details about you. If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. Further Information If you would like to know more about how we use your information, or if (for any reason) you do not wish to have your information used in any of the ways described above, please contact: North West Ambulance Service NHS Trust (Data Protection Officer) Ladybridge Hall Headquarters Chorley New Road Bolton BL1 5DD Tel: 01204 498400 Email: firstname.lastname@example.org For independent advice about data protection, privacy and data-sharing issues, you can contact: The Information Commissioner Wycliffe House Water Lane Wilmslow, Cheshire SK9 5AF Phone: 08456 30 60 60 or 01625 54 57 45 Website: www.ico.org.uk Data Protection Statement NWAS is a ‘Data Controller’ under the Data Protection Act 1998 (to be replaced by General Data Protection Regulations in May 2018). This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also tell the Information Commissioner about all of our data processing activity. Our registration number is Z9603234 and our registered entry can be found on the Information Commissioner’s website. All of our staff receive annual information governance training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to contractors who provide transport services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached. We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law. Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements. Accessing Your Information Held by NWAS You have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to: Legal Department North West Ambulance Service NHS Trust Ladybridge Hall Headquarters Chorley New Road Bolton BL1 5DD Email: email@example.com Freedom of Information Requests (FOI) The Freedom of Information Act (2000) gives every Individual the right to request information held by Government Agencies. Private Companies are not subject to this Act. Please note that a Freedom of Information Request is not a Subject Access Request. For more information please refer to the Freedom of Information section of the Trust website here Complaints If you have a complaint about NWAS, we will use your information to communicate with you and investigate any complaint if it’s the responsibility of the Trust. Should you have any concerns about how your information is to be used having read this Privacy Notice or if you do not wish your information to be shared by NWAS then please email the Data Protection Officer at firstname.lastname@example.org If you are not happy with our responses and have exhausted all the avenues in the NWAS process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address: Wycliffe House Water Lane WILMSLOW Cheshire SK9 5AF You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. They are also available via email: email@example.com Version Control Last Updated - This is Version 1.0 of the NWAS Privacy Notice and was published on 24th May 2018. This version will be reviewed by May 2019.