☰ Menu
  • Accessibility
  • Contact us

What is the purpose of processing data?

Under the Data Protection Act 2018, the Trust processes your data for the performance of a task carried out in the public interest and in exercising our official authority. This means that it is necessary for us to process your data for those purposes.
 
Additionally, other alternative conditions may be applicable where the above justification is not available for example, in the event of a life or death situation such as to prevent harm being caused by a patient or service user.
 
Other than where there is a legal requirement to share your information we will not publish any information that identifies you or routinely disclose any information about you without your express consent. At any time you have the right to refuse or withdraw your consent to information sharing.
 
We have set out below a description of all the ways we use your personal data, and the legal bases we rely on to do so. 
 

Purpose/activity

Type of data

Lawful basis for processing including basis of legitimate interest

Direct Care

a) Identity (b) Contact (c) Special Categories

All Health and Adult Social Care providers are subject to the statutory duty under Section 251B of the Health and Social Care Act 2012 to share personal data about patient for their direct care.

 

GDPR Article 6(1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

 

GDRP Article (2) (h) Processing is necessary for the purposes of preventative or occupational medicine for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or management of heath or social cares systems and services on the basis of Union or Member State law or a contract with a health professional

To respond to a request under the Freedom of Information Act, enquiries, complaints

(a) Identity (b) Contact

GDPR Article 6(1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

Comply with a legal or regulatory obligation

To respond to a request under Data Protection Act or the General Data Protection Regulation

a) Identity (b) Contact (c) Special Categories such as health information

GDPR Article 6(1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

 

Safeguarding

a) Identity (b) Contact (c) Special Categories such as health information

Local Authorities have a duty to make enquiries where an adult is experiencing or is at risk of abuse or neglect and had a duty to collaborate with partners generally and in specific cases.

 

GDPR Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

 

GDPR Article 9 (2) (b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State Law.

 

To investigate and respond to a complaint (including whistle-blowing)

(a) Identity (b) Contact (c) Special Categories

GDPR Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

 

GDPR Article 9 (2) (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes

 

Commissioning and Planning Purposes

 

 

(a) Identity (b) Contact (c) Special Categories

Your information is sent to the commissioners of our services, the Primary Care Trusts who, on behalf of your GP, pay us for providing our services. We are also paid for services provided by London Borough of Islington and London Borough of Camden to provide some Social Care services. We are also required to report to the Healthcare Commission and the Department of Health on our activities and performance. These uses of your information would almost never involve a person looking at your records. Most submissions of your data outside of the Foundation Trust are done by computer and sent securely. Only very rarely would someone need to check into the submissions we make to focus on a specific person, and even then it is unlikely that the information would easily identify you as an individual.

C&I also undergoes external audit by the Audit Commission or other professional bodies given the legal authority to carry out audits. These audits may involve reviewing information in patient records to ensure accuracy, completeness and the competency of the staff that served you. It would rarely be the case that the auditors would ever be interested in knowing about you directly, and only in extreme cases of misconduct or incompetence in the Foundation Trust would they be interested in tracing you as an individual. 

C&I cannot prevent your information from being provided to the above when it is seeking payment for its services. By engaging in care provided by the C&I you will have consented for your information to be used in these ways.

Most national and local flows of personal data in support of commissioning are established by NHS digital either centrally or for local flows by the Data Services for Commissioners Regional Officers (DSCRO). These flows do not operate on the basis of consent for confidentiality or data protection purposes

Article 6 (1) (c) Processing is necessary for compliance with a legal obligation.

 

Article 6 (1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

Article 9 (2) (h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

 

 

Research

(a) Identity (b) Contact (c) Special Categories

For research purposes, the common law duty of confidentiality must still be met through consent. This requirement has not changed under the GDPR. Consent is still needed for people outside the care team to access and use service user personal data for research, unless you have Section 251B of the Health and Social Care Act 2012 support or the data is annoymised  (no longer identifiable) such C&I Research Database. This includes encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research.

 

 

Article 6 (1) (e)Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

Article 9 (2) (j) Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).

 

Employment Purpose (staff and volunteers)

(a) Identity (b) Contact (c) Special Categories

For employment purposes the below lawful reasons for lawful processing will apply this includes special categories of data such as health data for employment purposes.

 

(1) (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

9 (2) (b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.

 

 

Personal data processed in relation to the Disclosure and Barring Service (DBS checks) falls under the GDPR (Article 10) and the provision of Safeguarding Vulnerable Groups Act 2006.

Surveys

(a) Identity (b) Contact (c) Special Categories

In some cases, the Trust may commission a survey for a specific reason, such as monitoring improvement in care; this may be commissioned with explicit consent of those taking part or on another legal basis, eg. The Community Mental Health survey hosted by the CQC, or mental health inpatient surveys. The Trust may contract third party organisations to work on survey development and analysis on its behalf.  In such circumstances, participants will be notified in advance of their data being gathered.

 

GDPR Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

 

GDPR Article 9 (2) (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes

 

 

Leave feedback

CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.