We have a duty to protect your personal information and confidentiality and we take our responsibilities very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data, whether it is in electronic or paper format.
Everyone working for NWAS must comply with data protection legislation and the Common Law Duty of Confidentiality. Information provided to us will be used in confidence and only for the purposes explained to you and to which you consented, unless there are other circumstances covered by the law.
All staff are required to undertake annual data security and protection training and be aware of their information governance.
At board level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of information across the trust and any associated risks and incidents. The SIRO for the trust is our Executive Director of Quality, Innovation and Improvement.
The NHS also has an additional set of guidelines, known as the Caldicott Principles, which apply to the use of patient information. All NHS organisations are required to appoint a Caldicott Guardian to ensure patient information is handled in accordance with legal and NHS regulations. We have appointed our Medical Director as Caldicott Guardian in acknowledgement of how seriously we take the protection of your right to confidentiality. Our Medical Director is also a senior member of our trust board who understands the requirements for protecting the confidentiality of patient information as well as enabling appropriate information sharing.
We also have the necessary controls in place with external organisations that process data on our behalf, to ensure that the organisation complies with the UK data protection legislation and the GDPR.
The trust will not transfer your personal data outside the UK unless there are arrangements in place to ensure an adequate level of protection for the rights and freedoms of data subjects.
Data protection laws give you rights in respect of the personal information that we hold about you. These are:
• To be informed why, where, and how we use your information;
• To ask for access to your information;
• To ask for your information to be corrected if it is inaccurate or incomplete;
• To ask for your information to be deleted or removed where there is no need for us to continue processing it;
• To ask us to restrict the use of your information;
• To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information;
• To object to how your information is used;
• To challenge any decisions made without human intervention (automated decision making).
The Freedom of Information Act (2000) gives every individual the right to request information held by government agencies. Private companies are not subject to this Act. Please note that a Freedom of Information Request is not a Subject Access Request.
For more information please refer to the Freedom of Information section of the trust website.
The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health and data protection laws. It is appropriate to do so for health and social care treatment of patients and the management of health or social care systems and services.
Some of your information will also be shared with NHS Digital to improve NHS 111 and 999 services; the information received through their intelligence data tool consists of outcome data which is not identifiable.
If we need to use your personal information for any reason beyond those stated above, we will discuss this with you. You have the right to ask us not to use your information in this way.
However, there are exceptions to this, which are listed below:
• The public interest is thought to be of greater importance, for example:
– If a serious crime has been committed;
– If there are risks to the public or our staff;
– To protect vulnerable children or adults.
• We have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms, and court orders;
• We need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (CAG) (appointed by the NHS Health Research Authority).