Fair Processing and Privacy Notice

Privacy Notice  

Mid and South Essex NHS Foundation Trust takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018 and UK Data Protection Act.

How will we meet the Principles of the GDPR and UK Data Protection Act?

We will process your personal information fairly and lawfully by:

  1. Only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;
    • We do not rely on consent to use your information as a ‘legal basis for processing’. We rely on specific provisions under Articles 6 and 9 of the General Data Protection Regulation, such as:
    • ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’, and
    • ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
    • This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.
  2. Only collecting and using your information to provide you with your care and treatment and will not use it for anything else that is not considered by law to be for this purpose;
  3. Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;
  4. Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can;
  5. Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;
  6. Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

What information do we collect from you?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you receive. This may include:

  • Basic details such as name, address, date of birth, phone number, mobile number, email address - where you have provided it to enable us to communicate with you by email. 
  • Your next of kin and contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of your tests and diagnosis
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as home visits or outpatient appointments
  • Information on medicines, side effects and allergies
  • Patient experience feedback and treatment outcome information you provide.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

  • have all the information necessary for assessing your needs and for making decisions with you about your care
  • have details of our contact with you, such as referrals and appointments, and see the services you have received
  • assess the quality of care we give you
  • properly investigate if you and your family have a concern or a complaint about your healthcare
  • The Trust operates a text appointment reminder service and you have the option to opt out either by speaking to a member of staff, or opting out when you receive an appointment reminder text.
  • To provide feedback on your experience to the Trust, you will be contacted by an NHS approved company commissioned by the Trust.  If you are an outpatient they will contact you by text or interactive voicemail. If you are an inpatient the ward staff will give you a questionnaire which will be either in paper format or electronic using one of the Trust’s tablets. You can opt out from this process either for a particular hospital attendance or permanently by informing a member of Trust staff who will advise the Information Department to remove your consent.

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • Move to another area
  • Need to use another service
  • See a different healthcare professional.

Who might we share your information with?

Health and Social Care Professionals

Your information will be shared with the team who are caring for you and are providing treatment to you.

However, the NHS and other agencies, including social services and private healthcare organisations, work together, so we may need to share information about you with other professionals and services involved in your care. We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved. We will only share your information in this way if we have your consent and it is considered necessary.

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

  • NHS Trusts / Foundation Trusts
  • GPs
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Integrated Care Board and Integrated Care System Providers
  • Social Care Services
  • NHS England (NHSE)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent. Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm
  • If there is concern that you are putting another person at risk of serious harm
  • If there is concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a Court
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

The information from your patient record will only be used for purposes that benefit your care - we would never share it for marketing or insurance purposes.

NHS Patient Survey Programme (NPSP)

NPSP is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP.

We carry out regular patient surveys to support care improvement which are facilitated by the Trust and there are times where we may share your contact information with an NHS approved contractor for this purpose.

NHS England

NHSE assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

My Care Record

Mid and South Essex Foundation NHS Trust is part of My Care Record, an approach to improving care by joining up health and care information. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care. Please see https://mycarerecord.org.uk/ for more information.

Improving Health, Care and Services through Planning

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.

We carry out a programme of clinical audits.  Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our Trust and with external audit centres.

Improving Health, Care and Services through Research

The Trust actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented.

If we use your patient information for research, we remove your name and all other personal data which would identify you.  If we need the information in a form that would personally identify you, we would ask for your permission first.

How do we keep your information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.

This Trust is registered with the Information Commissioner’s Office; registration number Z1972899.

All of the Information Systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS England and other Government standards.

All employees and our partner organisations are legally bound to respect your confidentiality, and all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

How long do we keep your information?

All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

How can I access the information you hold about me?

You have a right to see the information we hold about you, whether on paper or electronic, except for information that:

  • Has been provided about you by someone else if they haven’t given permission for you to see it
  • Relates to criminal offences
  • Is being used to detect or prevent crime
  • Could cause physical or mental harm to you or someone else

Your request must be made in writing via the following methods:

We will request proof of identity before we can disclose personal information.

If you wish to obtain a copy of a health record please refer to https://www.mse.nhs.uk/access-to-health-records

The Freedom of Information Act 2000 requires all public authorities to publish certain information about their activities, and entitles members of the public to request information from public authorities. Freedom of Information (FOI) only applies to non-personal information.

All enquiries relating to Freedom of Information requests should be directed to https://www.mse.nhs.uk/freedom-of-information.

Complaints and Patient Experience Team 

The team are available to assist you with your comments, concerns and complaints. The team act independently of clinical teams to ensure your concerns are investigated and responded to in an effective and timely manner. Please refer to https://www.mse.nhs.uk/pals

To obtain further advice or to report a concern directly to the UK’s independent authority, you can do this by contacting:

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

Alternatively you can call 0303 123 1113 or visit https://ico.org.uk/concerns/handling.

Other Useful Contact Details:

The Data Controller 

Mid and South Essex NHS Foundation Trust
Prittlewell Chase
Westcliff-on-Sea
Essex,
SS0 0RY

Call 01702 385333.

Data Protection Officer, Matt Barker

Mid and South Essex NHS Foundation Trust 
Nethermayne, Basildon 
Essex
SS16 5NL

Call 01268 524900 or email mse.informationgovernance@nhs.net.

Child friendly privacy notice

Your Information

Why do we need your information?

We need to keep some information about you to make sure we can give you the best care possible.

What information do we keep about you?

  • Your name, address and date of birth.
  • When you have been to the hospital or doctors for care or treatment.
  • Names of your family or doctors and nurses who look after you.

What are our responsibilities?

  • To make sure the information we have about you is correct.
  • To keep your information safe.
  • To make sure you can read and understand the information.
  • To show you the information we have about you, if you ask to see it.

We will not share any information about you, unless:

  • You ask us to.
  • We ask you if we can and you say “yes”.
  • Someone is in danger, for example to stop someone from becoming ill or being badly hurt.

What do we do with your information?

We may use your information to:

  • Help you or your doctors to make decisions about your health.
  • Make sure your care is safe.
  • Work well with others to give you the right treatment.

We may also need to use your information to:

  • Protect the health of others.
  • Make sure we are giving everyone the best care.
  • Carry out surveys about how well we are looking after you.
  • Help look into any concerns or complaints.

Who might we share your information with?

Other organisations involved in your care and safety, for example:

  • Other hospitals
  • Your GP
  • Ambulance services
  • Social services
  • Hospital inspectors, known as the Care Quality Commission (or CCG)
  • Commissioners, who pay the hospital to provide a service
  • Education Services
  • The Police

Where we can, we will try to ask you if it is okay to do this but there may be times when we need to share this information without asking you first. This may be because we are not able to ask you or because it needs to be done quickly to help you.

What are your rights?

You can tell us when you do not want your information shared. This could be with your parents, carers or others.

If you tell us not to share your information, we will make sure we don’t wherever we can.

We will only share your information if the law tells us we have to.

You can ask for a copy of your information on paper or electronically (email). You should ask for your information in writing (email or letter) and include your full name, address, birthday and the number known as the NHS number.  

What can you ask us for?

As well as asking for copies of your information, you can also ask:

  • Certain people to stop using your information at certain times; this may affect your healthcare or delay treatment.
  • To stop us using your information for research. If you choose to opt out, ask the hospital’s Data Protection Officer to help you.
  • To make sure that the information we hold about you is correct.
  • How long your information will be kept before it is destroyed.
  • Details about how we use your information

If you want to find out more about your information, how we use it and your rights, please contact the Data Protection Officer Matt Barker by telephone: 01268 524900 or email mse.informationgovernance@nhs.net

The Cabinet Office National Fraud Initiative

This Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified.

Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR); however, the Cabinet Office sets out how your data will be used and your rights on its website: https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text

For further information on data matching at this Trust please contact the Local Counter Fraud Specialist, Mark Kidd by email Mark.kidd@nhs.net or by phone 07528 970251.

Ethnicity

Why do we collect information about ethnicity?

We want everyone, no matter what their ethnic category, religion or culture, to be able to use our services easily. Getting an accurate picture of a patient’s ethnicity can help us understand their diagnosis and care needs, particularly if they are at risk of developing certain health conditions that may be connected with their background.

We want to immediately tackle health inequalities in our local area. A person’s health is influenced by the social and economic conditions in which they are born, grow, work, live and age. Health inequalities are known to exist across some of the protected characteristics such as age, sex and ethnicity. Understanding the protected characteristics of our patients, including ethnicity, will help us identify and predict clinical need in the populations we care for. Therefore, knowing a patient’s ethnic category allows us to tailor care and reduce inequalities with respect to access to health services and outcomes.

We also need to comply with the Equality Act 2010, which holds public bodies such as NHS trusts accountable for:

  • eliminating unlawful discrimination, harassment and victimisation and other conduct prohibited by the Act.
  • advancing equality of opportunity between people who share a protected characteristic and those who do not.
  • fostering good relations between people who share a protected characteristic and those who do not.

How is ‘ethnicity’ defined?

Ethnicity recognises differences between people mostly on the basis of language and shared culture. Though many variations exist, NHS Digital has mandated that health records are to use a set of 16 ethnicities as used in the 2001 English census. Therefore, it is a subjective classification, and the patient is free to choose whichever category they self-identify with.

What if I do not want to share my ethnicity?

It is your decision whether you want to reveal your ethnicity. Our staff will explain why we’re collecting this information and how it helps us deliver fair access to and improve the delivery of healthcare for all. If after this explanation, you still prefer not to let us know your ethnicity, a value of “Not stated” will be recorded on the electronic system.

Why are there only 16 ethnic categories to choose from?

In February 2001, a Data Set Coding Notice was issued to NHS organisations which stated that “All clients/patients/staff are to be classified under one or other of the 16 categories above. This is to be the national standard”. There has not been an update on ethnicity coding since. For this reason, we’re recording ethnicity using the existing 16 categories.

The categories are comparable with the 2001 Census data. NHS Digital is considering changing the categories to reflect the 2021 Census, but this has not yet been confirmed. You can see national codes based on Census 2001 here - https://datadictionary.nhs.uk/data_elements/ethnic_category.html?hl=ethnic%2Ccategory

What if none of the categories describe my ethnic origin?

If you feel that none of the options describe your ethnic category, please select the option “Other Ethnic Groups – Any other Ethnic Group”.

What happens to the information once it is collected?

Your ethnic category information is recorded electronically in the same way as all your other demographic details. The information provided is treated as part of the confidential health record and is not shared with any other person or organisation. The NHS has strict standards regarding data protection and your information will be carefully safeguarded. The information regarding ethnic origin will be released only in the form of total numbers and no individual can be identified from the statistics.

Who should I contact if I have any questions?

Please speak to a member of staff if you have any questions.

Last published

Telephone and video consultations

We may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation, and any risks explained to you before the consultation begins. The Trust follows the guidance provided by NHS: https://www.nhsx.nhs.uk/information-governance/guidance/using-video-conferencing-and-consultation-tools/

Use of artificial intelligence (AI) assisted medical diagnosis

We may use AI technology to support our clinicians in identifying potential health issues found during your treatment/consultation. The AI technology is used to review the images/data to identify potential findings and assist the clinician in decision making, and in no way will replace the final verdict of the clinician’s diagnosis. We will also abide by the code of practice in relation to the use of digital and data-driven health technologies; please refer to ‘A guide to good practice for digital and data-driven health technologies’ on GOV.UK (www.gov.uk).

If you have received medical imaging such as an MRI, then you have the right to express your point of view and discuss the decisions made with your clinician.

Patients Know Best (PKB) Portal

Essex Partnership University Trust (EPUT) and Mid and South Essex NHS Foundation Trust (MSEFT) are working together to launch the new patient portal in partnership with our third-party data processor, PKB.

Please see Patients Know Best (PKB) (mse.nhs.uk) for more information.


Privacy notice - GP Connect

We use a computer system called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.

GP Connect is not used for any purpose other than direct care.

Authorised clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, and Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP Connect.

The NHS 111 service (and other services determined locally e.g. other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Legal basis for sharing this data:

In order for your Personal Data to be shared or processed, an appropriate "legal basis" needs to be in place and recorded. The legal bases for direct care via GP Connect are the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
  • for the processing of "Special Category Data" (which includes your medical information): Article 9.2 (h) of the UK GDPR:  "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services".

Your rights

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same (these are listed elsewhere in our privacy notice).

To find out more, visit https://digital.nhs.uk/services/gp-connect.


Federated Data Platform (FDP) product privacy notice

Referral to treatment validation tool.

Broad description of product

NHS Trusts use the information to support and improve their wait-list times and provide you with the best care within the most appropriate timeframe.

The relevant healthcare information used in this system is collected within the trust and utilised to identify the actions that the Trust can take to accelerate your care pathway. Only healthcare professionals and appropriate support staff will have access to your information to provide you with care.

Use Case - Elective care.

Controllers who use this Product - Mid and South Essex University Hospital Foundation Trust.

The purpose for processing your personal data

The Referral to Treatment Validation Tool processes personal data including health data to support the better coordination of planned treatment, which we call elective care.

The aim is to improve the delivery of planned treatment through better use of the information that the NHS Trust (“Trust”) holds, making sure the data is valid and accurate, and that the Trust can use the information to improve on the waiting times for elective care in the wake of the COVID-19 pandemic.

The RTT validation tool allows healthcare professionals and appropriate support staff to review your health data in relation to your treatment within the hospital in one place to ensure that they provide a holistic approach to your care.

Type of Data Processed and categories of data

Personal Data

Personal Data which is directly identifiable data will be processed for the purposes above.

Data that is processed by this product may include an individual’s:

  • name
  • address including postcode
  • date of birth or age
  • gender
  • biological sex
  • NHS number or hospital record number
  • telephone number
  • email address
  • health information, including information about your symptoms, diagnosis and treatment
  • race or ethnicity.

Staff data:

  • name
  • email address
  • Role and/or profession
  • Planned absence information.

Legal grounds for processing personal data in FDP and sharing it (if applicable)

Processing personal data in FDP

The processing of personal data  by the Controllers for the purposes identified above is to provide you with individual care.

This is permitted under the following legal grounds in UK GDPR:

UK GDPR

  • Public task - Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Healthcare - Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

Confidential data

The personal data processed for the purposes above is also Confidential Data.

As the NHS Trust are processing your Confidential Data to provide you with individual care, they are relying on your implied consent.

Who is processing your personal data on behalf of the controller

The data platform contractor, Palantir Technologies UK, LTD is a processor for this product.

No Personal Data is being processed by the PET Contractor IQVIA LTD, who is not a Processor for this Product.

Who your data is shared with

Staff

Healthcare professionals who are providing direct care and support staff who need to administer your care journey.

Other organisations

Personal data will not be shared with any other organisations.

Aggregate data will be shared via reports to the local Integrated Care Board and NHSE to allow for planning and service improvement.

Your rights under UK GDPR

The following rights under UK GDPR apply to the processing of your personal data for the purposes above:

  • Right to be informed.
  • Right of access.
  • Right to rectify.
  • Right to object.

Further information about these rights is in the FDP privacy notice at https://future.nhs.uk/system/login?nextURL=%2Fconnect%2Eti%2FFederatedDataPlatformInfo%2Fview%3FobjectID%3D51291920

If you wish to exercise your rights you should contact the Data Protection Officer mse.informationgovernance@nhs.net

Other opt-outs

No.

  • Type one opt-outs do not apply because the datasets used to create the dashboard do not contain confidential patient information that has been collected by NHS England from GP Practices.
  • National data opt-outs do not apply because:
    • the collection and analysis of data by NHS England to create the dashboards has been carried out under a legal obligation (the Legal Direction) and therefore the national opt-outs do not apply.
    • the data which is shared with other organisations through the dashboards is not confidential patient information and therefore the national data opt-outs do not apply.

Last updated Date - 26 March 2024

NHS App

If you view or manage your hospital appointments via the NHS App we share your data with NHS England who operate the NHS App and provide this functionality, known as NHS Wayfinder services.  For more information, see the NHS Wayfinder services privacy policy.
