How we handle your information
Due to the challenges we are facing because of the Coronavirus (COVID-19) outbreak, you may experience delays when making Freedom of Information (FOI) or Right of Access/Subject Access Requests (SARs).
Postal applications are not being monitored at this time so please email your FOI requests to: Freedom.Information@Candi.nhs.uk For SARs – please include two forms of identification with your completed SAR request form. Please complete the relevant form to request your information then send it to: Information.Request@candi.nhs.uk
Our Supplementary Privacy Note on COVID describes how we may use your information to protect you and others during the Covid-19 outbreak.
We apologise for this inconvenience and appreciate your understanding at this time.
- Trust Privacy Notice - for patients
What is a Fair Processing Notice?
Welcome to Camden and Islington NHS Foundation Trust’s (C&I) Privacy Notice. C&I respects your privacy and is committed to protecting your personal data.
This privacy notice will tell you about how we look after your personal data, your privacy rights and how the law protects you. The General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose personal data they hold and use.
A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice. A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data is used and disclosed, how long it is kept and the controller’s legal basis for processing.Fair processing notice for staff
- What is our duty as a trust?
Confidentiality affects everyone: Camden and Islington NHS Foundation Trust collects,stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data we are responsible for, whether digital or on paper.
At Trust Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who is responsible for overseeing the Trust’s data protection strategy and its implementation to ensure compliance with GDPR requirements. They can be contacted via Information.Request@candi.nhs.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) , the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance: Information.Request@candi.nhs.uk
- Why do we collect information about you?
- Doctors, nurses and other healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer, and may include:
- Basic details about you such as name, address, date of birth, next of kin, etc
- Contact we have had with you such as appointments or clinic visits
- Mental Health documentation
- Notes and reports about your health, treatment and care
- Relevant information from people who care for you and know you well such as health professionals and relatives
- It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible. We need to collect information about you to provide you with health and care services. This is in accordance with the statutory obligations under the NHS Act 2006 and Health and Social Care Act 2012. The information that we collect is used for medical purposes that include:
- The Data Protection Act 2018
- General Data Protection Regulation
- The Human Rights Act 1998
- Freedom of Information Act 2000
- Computer Misuse Act 1998
- Audit Commission Act 1998
- Regulation of Investigatory Powers Act 2000
- Access to Health Records Act 1990
- For the purposes of the Data Protection Act, the Trust is the "Data Controller" (the holder, user and processor) of staff information.
- What types of personal data do we process?
- C&I have a legal duty to keep complete, accurate and up-to-date information about your health. This is so that you can receive the best possible care, both now and in the future.This information is known as your ‘health record’ and is stored securely on managed systems.We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Category Data type Identity Data Your name, date of birth, NHS number, gender Contact details Your address, telephone number, email address (if provided), Emergency contacts Support contact details Names, contact details of carers, relevant close relatives, next of kin, representatives Physical, social or mental health situation or conditionYour medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving, GP contact details, bank details (for patient affairs) Protected characteristics/ Special Categories of personal dataYour ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the people being cared for Recruitment data (for C&I staff only, fixed term, agency)Recruitment Data includes items of personal information such as your name, date of birth, address, qualifications, references and potentially special categories of data such as occupation health data (if provided) and disclosure and barring service self-declaration form details OthersInformation relating to health and safetyOffences (including alleged offences), criminal proceedings, outcomes and sentencesComplaints, accidents, and incident details
- What is the purpose of processing data?
Under the Data Protection Act 2018, the Trust processes your data for the performance of a task carried out in the public interest and in exercising our official authority. This means that it is necessary for us to process your data for those purposes.
Additionally, other alternative conditions may be applicable where the above justification is not available for example, in the event of a life or death situation such as to prevent harm being caused by a patient or service user.
Other than where there is a legal requirement to share your information we will not publish any information that identifies you or routinely disclose any information about you without your express consent. At any time you have the right to refuse or withdraw your consent to information sharing.
We have set out a description of all the ways we use your personal data, and the legal bases we rely on to do so. You can download this here.
- Obligatory Situations where we share your Information
In certain circumstances the Foundation Trust is legally and morally obliged to share your information. In many of these circumstances your consent is not required for this sharing to take place and we may not be obliged or able to report that the sharing has taken place. The following list includes, but is not limited to, such circumstances:
Courts (civil and criminal)
If a court serves the Foundation Trust a court order we are obliged to provide the requested information. It is the responsibility of the court to contact you to inform you of their actions.
Department of Health
The Department of Health requires us to submit information for performance and financial monitoring purposes.
Police and law enforcement
Police and other law enforcement agencies can require us to submit information they require to fulfil their investigation. Most only have powers to request information when investigating criminal matters. We would in most cases be unable to inform you that your information has been shared until after the investigation had been completed.
Professional bodies, such as the British Medical Association or the Nursing and Midwifery Council have obligations to ensure their licensed members adhere to their codes of practice. Under some circumstances they can request information to assist in malpractice or misconduct investigations.
National Government department
Some National Government departments have powers to request information to assist in their investigations (e.g. The Home Office).
National Disease Registries or Research Projects
The Trust may by law be obliged to report some communicable diseases if a service user is infected (e.g. Influenza, Tuberculosis). We may also be required to submit information to national research registries (e.g. Heart Disease, Cancer) under the Data Protection Act 1998.
We are required by law to report suspicion of, or documented cases of, abuse, neglect or circumstances of risk. Similarly we are obliged to support the investigations of Social Services, particularly in regards to children and the elderly, which may require us to release information. In this circumstance however the
Foundation Trust is obliged to release only the information it considers necessary and would rarely release an entire set of care records.
Other external sharing
Depending on the care services that you are engaged with the Trust may have other legitimate needs to share your information. These local needs are not captured here and if you are concerned or curious we would encourage you to speak to your care team about their information sharing requirements.
- How we use your information for research
Care teams within C&I are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is used with a lawful basis such as consent.
Researchers will make efforts to take out any information that could identify you where possible, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit consent.
We work with healthcare partners, researchers and technical experts to develop computer systems, such as C&I Research Database. This includes encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research. For more information on such local research systems and initiatives, please visit the C&I Research Database site.
In more exceptional cases, researchers may seek special support from the Secretary of State under the health service (control of patient information) regulations (also known as ‘section 251 support’). This can allow researchers to use your personal data without your permission, only when it is not practical to seek permission. They must also have reassured an independent committee who have reviewed the purpose and data security arrangements. You can find more information on trials where researchers have used this special support known as ‘section 251’ support.
- National opt outs
The national data opt out allows patients to opt out of their confidential information being used for research and planning. You can read more about it on the NHS.uk website
Patients can find out more and set their opt-out choice at nhs.uk/your-nhs-data-matters.
- How do we protect your information
Confidentiality and data security
All our staff have written into their contracts statements requiring them to keep personal information provided by users of the service in the strictest confidence. If you suspect a member of our staff has been indiscrete with your personal information (such as sharing it with non-health related organisations, selling it companies, or harassing you at home or work) please do not hesitate to provide the Foundation Trust a written complaint or contact Chief Executive's Office. The Chief Executive can be contacted at:
Chief Executive's Office
Camden and Islington NHS Foundation Trust
Fourth floor, East Wing
St. Pancras Hospital
4 St. Pancras Way
Fax: 020 3317 3230
Jinjer Kandola MBE
Camden and Islington NHS Foundation Trust
St. Pancras Hospital
4 St. Pancras Way
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have legal basis on need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
All our staff have written into their contracts statements requiring them to keep personal information provided by users of the service in the strictest confidence. If you suspect a member of our staff has been indiscreet with your personal information (such as sharing it with non-health related organisations, selling it companies, or harassing you at home or work) please do not hesitate to provide the Trust with a written complaint .
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
All staff are required to undertake annual information governance (Data Security and Protection) training and are provided with an information governance awareness at induction to understand their responsibilities and agree to adhere to them. The staff are aware of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.
We endeavour to keep your personal information safe and secure at all times. Trust premises have controlled public access during work hours and are securely locked otherwise. Most Trust premises are covered by CCTV as well as being protected by security services and alarms.
Restricted access records storage
Major Trust sites have restricted access records storage. At each site there will be a limited number of people who have access to the storage room and who control the release of records. This makes the records stored here unavailable except when requested under official protocols.
- Data retention - How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.
To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have been considered.
All records held by C&I will be kept for the duration specified by national guidance from the Department of Health & Social Care found in the Records management: NHS code of practice for health and social care 2016, supplemented by C&I Records Management policy and Retention schedule.
In some circumstances you can ask us to delete your data: see ‘Request erasure’ below for further information.
- Service Specific Privacy Notices
These notices provide you with details of our privacy practices in connection with a number of systems we use and what we do to maintain your right to privacy.
You can download the privacy notices below.
- Privacy Notice - Attend Anywhere
- Privacy Notice - CCTV
- Privacy Notice Service specific - MS teams
- Privacy Notice - Granicus
- Privacy Notice - electronic Prescribing & Medicines Administration (ePMA) project
- Privacy Notice - Lookahead
- RIO Privacy Notice Service specific
- Privacy Notice - London Care record
- Privacy Notice - Islington People’s Rights
- Privacy Notice - C&I Decant Programme