Managing your information

We provide mental health care services to people in Norfolk and Suffolk. Our services cover mental health, learning disabilities, eating disorders and wellbeing.

We are committed to protecting your privacy. We protect any personal information you give us. 

We are registered with the Information Commissioner's Office (ICO) as a Data Controller.

The policy below is written in accordance with current data protection legislation (the UK GDPR and the Data Protection Act 2018 (DPA 18)) and the NHS requirements concerning confidentiality.

Changes to this policy

We may change our privacy policy from time to time, so please check back periodically.

Compliance with GDPR

The confidence and trust of the people who use our services, staff and stakeholders is a crucial element in our role in delivering the highest quality health care services.

The lawful and correct processing of personal data is a key part of building and maintaining that trust and confidence. The Trust will fully discharge its responsibilities implied by the principles contained within the GDPR (Article 5) by putting in place the following procedures, which will be monitored through annual audits:

  • Comply with the ICO's guide "Good Practice Guidance on Privacy by Design" (Article 25 GDPR)
  • Fully implement all aspects of the GDPR and publish information so that all service users, staff and stakeholders are aware of their rights under GDPR
  • Ensure all staff understand the GDPR, by holding mandatory training for all staff
  • Implement adequate and appropriate physical and technical security measures and organisational measures to ensure the security of all personal data held by the Trust, or by other organisations on behalf of the Trust
  • Meet its legal obligations to specify the purposes for which personal data is used by a series of Privacy Notices
  • Only collect and process appropriate personal data to the extent that it is needed to fulfil operational needs or to comply with any legal requirement and fully observe conditions regarding the fair collection and use of personal data
  • Ensure the quality and accuracy of the personal data used
  • Keep personal data securely and in line with the Records Management Code of Practice 2021
  • Ensure that the rights of people about whom personal data is held can be exercised fully under the legislation
  • Ensure that the necessary measures to ensure the proper disclosure of personal data between agencies are taken
  • Where there is a requirement to send personal data outside the European Economic Area (EEA), staff will obtain prior authorisation from IG Services to ensure that the necessary safeguards and measures are implemented prior to the disclosure of personal data
  • Ensure full compliance with the new notification process under GDPR to the ICO

Keeping your data safe and secure

Certified November 2023 by the British Assessment Bureau (UKAS-accredited certification body): ISO/IEC 27001 Information Security Management.

NSFT has recently achieved a globally recognised standard for our information security management, further demonstrating our commitment to protecting the sensitive information we work with every day.

The standard, ISO/IEC 27001:2022, provides a systematic and structured approach to managing and protecting sensitive information within an organisation. It requires organisations to implement a comprehensive set of policies, procedures, and controls to manage information security risks, and ensure the confidentiality, integrity, and availability of information.

The benefits of achieving the new standard are:  

  • Resilience to cyber-attacks
  • Preparedness for new threats
  • Data integrity, confidentiality and availability
  • Security across all media
  • Organisation-wide protection 

What is ISO/IEC 27001?

It’s a globally recognised standard for information security management, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is designed to be flexible and can be applied to all sorts of organisations of any size, from small businesses to multinational corporations. It provides a comprehensive framework for organisations to manage and protect their sensitive information, reducing the risk of data breaches, cyber-attacks, and other security incidents.

Who needs ISO/IEC 27001?

Nowadays, data theft, cybercrime and liability for privacy leaks are risks that all organisations need to factor in. The ISO/IEC 27001 standard enables organisations to establish an information security management system and apply a risk management process that is adapted to their size and needs, and scale it as necessary as these factors evolve. The benefits of this standard have convinced private, public and non-profit organisations to adopt it. 

How will ISO/IEC 27001 benefit NSFT?

Implementing the information security framework specified in the ISO/IEC 27001 standard helps NSFT to:

  • Reduce vulnerability to the growing threat of cyber-attacks
  • Respond to evolving security risks
  • Ensure that assets such as financial statements, intellectual property, and staff and patient data remain undamaged, confidential, and available as needed
  • Provide a centrally managed framework that secures all information in one place
  • Prepare people, processes and technology to face technology-based risks and other threats
  • Secure information in all forms, including paper-based, cloud-based and digital data
  • Save money by increasing efficiency and reducing expenses for ineffective defence technology 

You can find out more about the ISO/IEC 27001:2022 standard via this link.

You can view the certificate: NSFT British Assessment Bureau Certificate [pdf] 336KB 

Trust-wide Privacy Notice

Norfolk & Suffolk NHS Foundation Trust (the Trust) provides mental health care services to the residents of Norfolk & Suffolk. Our services include mental health, learning disabilities, eating disorders and wellbeing. The Trust is registered with the Information Commissioner's Office (ICO) as a Data Controller.

The EU General Data Protection Regulation (GDPR) took effect on 25 May 2018, supplemented in the UK by the Data Protection Act 2018 (DPA 18). Since the end of the EU exit transition period on 1 January 2021 the GDPR has been retained in UK law as the UK GDPR. The UK GDPR and the DPA 18 cover personal data held manually and electronically by organisations within the United Kingdom.

Below is our Trust-wide Privacy Notice, along with an additional Covid-19 Privacy Notice. It sets out the principles adopted by the Trust to meet its legal obligations under the UK GDPR, the DPA 18 and the NHS requirements concerning confidentiality and information security standards.

GDPR - Privacy Notice - Trust wide [pdf] 186KB


Sharing with our regional partners

We are a member of the Norfolk and Waveney Integrated Care System (ICS). The ICS shares data for secondary uses, e.g. risk stratification, planning clinical services and research. This is different from sharing for your direct care. The privacy notice gives further details of how and why we share this information.

Roles and responsibilities

The Chief Executive has overall responsibility for the implementation and delivery of the GDPR on behalf of the Trust. 

A requirement of the GDPR (Articles 37-39) is the appointment of a Data Protection Officer (DPO) who has devolved responsibility from the Chief Executive in relation to GDPR.

All NHS Foundation Trusts also have a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service users and enabling appropriate information sharing.

The key responsibilities of these roles are detailed below:

Data Protection Officer - DataProtectionOfficer@nsft.nhs.uk

  • Facilitating the implementation of GDPR
  • Supporting Trust staff to understand their responsibilities
  • Jointly responsible (with the Caldicott Guardian) for ensuring the effective integration of respective policies relating to personal data held within health records


Caldicott Guardian - caldicott.guardian@nsft.nhs.uk

  • Advising Trust staff
  • Ensuring adequate arrangements are implemented to protect personal data held within health records
  • Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of personal data
  • A strategic role, which involves representing and championing issues related to information sharing at Board or management team level


Staff

All staff within the Trust should ensure that personal data is processed in accordance with the GDPR and the rights of the individual. Any concerns relating to confidentiality should be dealt with professionally and where appropriate referred to the Data Protection Officer.


Our lawful reasons for using your personal data

The lawful reasons below have been identified under GDPR; they enable the Trust to process personal data without the requirement to seek consent from the data subject.

Direct Care

All health and adult social care providers are subject to the statutory duty under Section 251B of the Health and Social Care Act 2012 to share personal data about a patient for their direct care. In addition, Article 9 (3) applies when sharing information for direct care with third party or voluntary sector organisations.

6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9 (2) (h): Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

9 (3): Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Safeguarding

The Children Act 1989 establishes implied powers for local authorities to share personal data to safeguard children, and allows local authorities to request help from Foundation Trusts to safeguard and promote the welfare of children within their area who are in need.

The Care Act 2014 sets out a clear legal framework for how local authorities and other parts of the system should protect adults at risk of abuse or neglect. Local authorities have a duty to make enquiries where an adult is experiencing or is at risk of experiencing abuse or neglect, and a duty to collaborate with partners generally and in specific cases.

6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9 (2) (b): Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law.

Commissioning and Planning Purposes

Most national and local flows of personal data in support of commissioning are established by NHS Digital (now part of NHS England), either centrally or, for local flows, by its Data Services for Commissioners Regional Offices (DSCRO).

These flows do not operate on the basis of consent for confidentiality or data protection purposes. Where the collection or provision of personal data is a legal requirement, GDPR still needs to be complied with.

The appropriate lawful reasons for providers of the personal data are 6 (1) (e) and 9 (2) (h), supported by Section 251B of the Health and Social Care Act 2012. Where the processing is not supported under Section 251B of the Health and Social Care Act 2012, the lawful reasons are 6 (1) (c) and 9 (2) (h).

6 (1) (c): Processing is necessary for compliance with a legal obligation.

6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9 (2) (h): Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

Research

For research purposes, the common law duty of confidentiality must still be met through consent. This requirement has not changed under the GDPR. Consent is still needed for people outside the care team to access and use service user personal data for research, unless the research has support under Section 251 of the NHS Act 2006 (approval through the Confidentiality Advisory Group).

6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9 (2) (j): Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).

Regulatory and Public Health Functions

For performing regulatory and public health functions the lawful reasons below are both required. This function also includes processing contracts that the Trust has entered into.

6 (1) (c): Processing is necessary for compliance with a legal obligation.

9 (2) (i): Processing is necessary for reasons of public interest in the area of public health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Employment purposes (staff, volunteers and participants)

For employment purposes the lawful reasons below apply; this includes special categories of data, such as health data, processed for employment purposes.

All: 6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Staff and volunteers: 9 (2) (b): Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law in so far as it is authorised by Union or Member State law. 

Participants: 9 (2) (i): Processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.

Personal data processed in relation to Disclosure and Barring Service (DBS) checks falls under Article 10 of the GDPR and the provisions of the Safeguarding Vulnerable Groups Act 2006.

Foundation Trust Governors and Members

The NHS Act 2006 sets out the legal requirements of an NHS Foundation Trust.

6 (1) (c): Processing is necessary for compliance with a legal obligation to which the controller is subject

6 (1) (e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9 (2) (g): Processing is necessary for reasons of substantial public interest.


Categories and sources of personal data

This privacy notice covers all aspects of the processing of personal data carried out by the Trust during its normal business activities. The list below is not exhaustive:

Trust business activities

  • Mental and physical healthcare
  • Access and assessment teams
  • Primary care teams
  • Learning disability services
  • Child and adult protection
  • Human resources (including DBS checks)
  • Payroll and finance
  • Procurement
  • Estates and facilities (maintenance)
  • Occupational health
  • Foundation Trust membership
  • Volunteers
  • Population health management
  • Risk stratification
  • Service development and planning

Personal data we may process

  • Personal details
  • Family details
  • Education, training
  • Employment details
  • Financial details
  • Goods and services
  • Lifestyle and social circumstances
  • Visual images, personal appearance and behaviour
  • Details held on patients' records
  • Responses to surveys

Sensitive personal data we may process

  • Racial and ethnic origin
  • Offences and alleged offences
  • Criminal proceedings, outcomes and sentences
  • Trade union membership
  • Physical or mental health details
  • Religious or similar beliefs
  • Sexual life

We process data about

  • Service users
  • Suppliers
  • Employees
  • Volunteers
  • Governors
  • Members
  • Complainants
  • Survey respondents
  • Professional experts and consultants
  • Individuals captured by CCTV or body-worn video (BWV) images

Sources of data we process

  • Our health records
  • Social care providers
  • Local and national health and social care organisations
  • Contractors
  • Local and regional shared care records
  • Suppliers
  • Professional bodies
  • Data subject (service users and employees)

How we store data

  • Manually stored paper data, e.g. card index files, medical records
  • Computer-referenced paper data, e.g. health records and personnel records
  • Computerised data held in computer applications and databases
  • Tapes and other data from CCTV systems
  • Data held offsite in archive storage
  • Data held on CD-ROMs, computer disks, memory sticks etc.

Data is retained in line with the Records Management Code of Practice 2021.

My Care Record

The Trust is a signatory to My Care Record. My Care Record is an information sharing agreement used throughout the East of England region that allows information to be shared for direct care purposes only. Further information about My Care Record may be found at www.mycarerecord.org.uk.

Requests to share personal data

The Trust receives requests to share personal data from other agencies and sources; these are actioned by the Information Rights team. Personal data will be shared with the following organisations without the data subject's consent if a lawful reason to share the personal data under GDPR is identified:

  • Health and social care providers
  • Local authorities
  • Commissioners including Integrated Care Boards and Partnerships
  • Safeguarding agencies
  • Police forces and authorities with investigative powers 
  • Organisations with a defined lawful reason (e.g. Department of Work and Pensions)

When sharing personal data with third parties that are not health and social care providers, such as relatives, the common law duty of confidentiality must still be met through consent. Where a child is under the age of 13, consent (under the common law duty of confidentiality) will be sought from those with parental responsibility. These types of requests include requests from organisations or solicitors who have been given written authority to act on behalf of the data subject.

Data Subject Rights

Individuals have rights under the GDPR. We will ensure that all individuals are aware of their rights under the legislation and will comply with the delivery of these rights to individuals.

Right to be Informed (Articles 12-14 GDPR)

Details of the personal data processed by the Trust are set out within this privacy notice. A copy of this privacy notice is available to view or download from the Trust website www.nsft.nhs.uk, or a hard copy may be requested from the Information Rights Team.

Right to Access (Subject Access Requests) Article 15 GDPR

  • All data subjects, or someone acting on their behalf, can request a copy of their personal data held by the Trust
  • All requests for copies of personal data must be made in writing to the Information Rights Team who will validate and action the request
  • If third party data is included in the personal data being requested this will be redacted unless we have the consent from the third party to release their personal data
  • The Trust may on occasion be unable to provide access to personal data held if the release is likely to be detrimental to health or cause harm. These circumstances would be reviewed on a case-by-case basis
  • The Trust must provide a copy of the personal data free of charge. However, the Trust can charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive. The Trust may also charge a reasonable fee to comply with requests for further copies of the same personal data. The fee will be based on the administrative cost of providing the personal data
  • The Trust has one calendar month to provide the personal data requested. If the personal data being requested is complex or numerous then the Trust is able to extend the period of compliance by a further two months. The Trust will notify the requestor of the extension to the timeframe and explain why this is necessary within one calendar month of receipt of the initial request

Right to Rectification (Article 16 GDPR)

  • All data subjects can ask the Trust to review any of the information that they feel is inaccurate
  • Please note that the rectification of health records is dealt with on a case-by-case basis; however, the Trust follows the Department of Health guidelines summarised below:
  • Credible records are an important aid in providing safe healthcare
  • Records should reflect the observations, judgements and factual data collected by the contributing health professional
  • An opinion or judgement recorded by a health professional, whether accurate or not, should not be deleted
  • Retaining relevant records is essential for understanding the decisions that were made and to audit the quality of care
  • If a service user feels that personal data recorded on their health record is incorrect, they should first make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended
  • Where both parties agree that the records are factually inaccurate it should be amended to clearly display the correction whilst ensuring that the original record is still legible. An explanation for the correction should also be added to the records
  • An amended version of the records should be shared with anyone who received the inaccurate records
  • Where the health professional and patient disagree about the accuracy of the entry, the Department of Health recommends that the data controller should allow the service user to include a statement within their record to the effect that they disagree with the content
  • If the data subject is still unhappy then they should contact the Data Protection Officer in writing who will investigate the request for rectification of personal data within a health record on a case-by-case basis
  • Requests to rectify other personal data held by the Trust should be made in writing to the Data Protection Officer who will oversee the request for rectification on a case-by-case basis

Right to Erasure (Article 17 GDPR)

  • The Trust processes the majority of personal data under the lawful reasons of 6 (1) (e) (public interest) and 9 (2) (h) (provision of health or social care). Therefore, the right to erasure does not apply to personal data processed under these lawful reasons
  • If a data subject still believes that they have a right to request erasure then this request should be made in writing to the Data Protection Officer to review on a case-by-case basis

Right to Restriction of Processing (Article 18 GDPR)

All data subjects have the right to require the Trust to restrict processing where:

  • Accuracy is contested by the data subject
  • Processing is unlawful, and the subject opposes erasure
  • The data controller no longer needs the data, but the subject requires it to be kept for legal claims
  • The data subject has objected, pending verification of legitimate grounds


Requests to restrict processing should be made in writing to the Data Protection Officer to review on a case-by-case basis.

Right to Object (Article 21 GDPR)

  • The right to object does not apply where the Trust can demonstrate compelling legitimate grounds for the processing
  • Requests to object to processing should be made in writing to the Data Protection Officer, to review on a case-by-case basis

Automated Decision-making including profiling (Article 22 GDPR)

The Trust does not process any personal data using automated decision-making processes or profiling, therefore the rights in relation to this will not apply to personal data held by the Trust.

Right to Data Portability (Article 20 GDPR)

The right to data portability only applies where the processing is based on consent or a contract and is carried out by automated means. The Trust's lawful reasons are not based on consent or contract, so this right does not apply to personal data held by the Trust.

Right to Complain

  • A data subject can complain directly to the Trust if they are concerned about how the Trust is processing their personal data. In the first instance, a complaint should be made in writing to the Data Protection Officer

Alternatively, a data subject has a right to complain directly to the ICO who oversees how organisations within the United Kingdom

Contact information

Information Rights Team

Norfolk and Suffolk NHS Foundation Trust
Kestrel House
Hellesdon Hospital
Drayton High Road
Norwich
NR6 5BE

Tel: 01603 421333

Email: informationrights@nsft.nhs.uk

Data Protection Officer

Mr Richard Green
Norfolk and Suffolk NHS Foundation Trust
Hellesdon Hospital
Drayton High Road
Norwich
NR6 5BE

Tel: 01603 421578

Email: dataprotectionofficer@nsft.nhs.uk

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 01625 545740

Supporting information

Definitions (from the General Data Protection Regulation, Article 4)

Personal Data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients, the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

The Principles of GDPR

Principles relating to the processing of data. Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (purpose limitation)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  • Accurate and where necessary kept up to date, every reasonable step taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay (accuracy)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  • The controller shall be responsible for, and be able to demonstrate compliance with, the principles above (accountability)

Personal data legislation

Legislation requiring disclosure of personal data

  • Public Health (Control of Disease) Act 1984 and Public Health (Infectious Diseases) Regulations 1985
  • Education Act 1944 (for immunisations and vaccinations to the NHS Trusts from schools)
  • Births and Deaths Act 1984
  • Police and Criminal Evidence Act 1984

Legislation to restrict disclosure of personal data

  • Human Fertilisation and Embryology (Disclosure of Information) Act 1992
  • Venereal Disease Act 1917 and the NHS (Venereal Diseases) Regulations of 1974 and 1992
  • Abortion Act 1967
