When we collect and process personal data about people we are required to provide them with information about that process. The privacy notice below informs you of the type of personal data that we hold, how that information is used, who we may share that information with, and how we keep it secure and confidential.
Who we are
Identity of the Data Controller:
Sheffield Health and Social Care NHS Foundation Trust
Old Fulwood Road
The implementation of Data Protection is overseen by our Data Protection Officer. You can contact them via this email DPO@shsc.nhs.uk or you can write to them at this address:
The Data Protection Officer
Sheffield Health and Social Care
Old Fulwood Road
Why we process personal information
We process personal information about our staff, service users, volunteers, carers and other people for a variety of purposes:
- to provide health and social care services
- to manage our services and to plan for the future
- to monitor how we are performing against targets
- to make sure we comply with legislation about equality
- to allow us to get paid for the work we do
- to manage our staff and fulfil the duties we have as an employer
- for research and training
- to safeguard our service users, staff and the public
The main reason we process personal data is because it is necessary:
- for exercising the public task of running a health and social care trust
We process information which is defined in law as ‘special category’ data – this includes health records amongst other items. This is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services
We also process some personal information because it is necessary:
- for employment purposes
We process some personal information because it is necessary:
- for reasons of public interest in the area of public health, such ensuring high standards of quality and safety of health care
Sometimes we may process information on the basis of consent from the data subject but this is not the basis for the majority of our processing.
Where consent is used as the basis for processing this will be made clear to the data subject along with their rights regarding consent.
The types of information we process
We collect different types of personal information:
- Personal identifiers – name, address, date of birth, NHS number etc, plus contact details
- Bank details for our staff
- Employment records, disciplinary records
- Professional registration details, qualifications
- Referrals, assessments and notes
- Information about appointments, contacts, hospital admissions and other service use
- Medical information such as prescriptions, test results, diagnoses
- Use of services provided by other organisations
- Details of incidents
- Processing of queries and complaints
- Records about our Trust members
Who we share personal information with
We share information with other health and social care organisations such as hospitals, GPs, care homes and social services.
We may share information with carers of service users where the service user has agreed to this.
We may share information with the police or courts where we are legally obliged to do so or in order to help prevent or investigate serious crimes.
We provide datasets to purchasers/commissioners of our services and to NHS Digital.
Regulators have the ability to view information we collect as part of the process of ensuring we provide good services.
Information for research
As a NHS organisation we use person-identifiable information to conduct research to improve health, care and services. As a publicly-funded organisation, we have to ensure that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.
You may be asked if you want to take part in research projects undertaken by the Trust. If you agree to take part in a research study we will use your data in the ways needed to conduct and analyse the study. Once you have agreed to participate in a research study we will be processing your information under the basis of a “Public task” so your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained.
In certain circumstances, where it is not practical to get consent from individual patients' we may be granted legal approval to process personal information for research purposes without consent - any such requests are subject to processes imposed by the Health Research Authority and have strict requirements to protect patient confidentiality imposed upon them.
To safeguard your rights, we will use the minimum person-identifiable information possible.
You can find out more about patient information and health and care research on the Health Research Authority website.
Transfers of information overseas
We do not routinely transfer personal information to other countries.
Where we are requested to send individual service user records abroad we will do so with their consent and via a secure method.
How long we keep personal information
We adhere to the retention periods set out by the Information Governance Alliance – their guidance is available here.
We will develop systems to allow us to archive records which have passed their recommended minimum retention period but we will not destroy records which may be relevant to ongoing inquiries
The rights you have regarding your information
Right to be informed
Data subjects have a right to know when their personal information is being processed. We let you know about the processing we do via this notice and via our staff when they collect information from you. You can also contact our Data Protection Officer.
Right of access
You can ask us to confirm whether we process information about you and for an explanation of the processing. You can also ask for access to the information we hold about you – we won’t charge for this and we have to provide the information within a specified time period. If you have a keyworker you can ask them for details of how to access your information or you can contact our Corporate Affairs department – there are details on how to access your records on our website here.
Right to rectification
If you think any of the information we hold about you is inaccurate you can ask us to change it – if we agree then we will correct the information but we will usually keep a copy of the previous version in case we need to refer back to see the information as it was at the time any decisions were made. If we disagree about the information being incorrect then you can add a note to your records to say what you disagree with.
Right to erasure
Data protection legislation gives data subjects a limited right to have their personal information deleted where there is no compelling reason for the processing to continue. This is sometimes known as the ‘right to be forgotten’. For the majority of the personal information we process we will need to keep it for the minimum retention period specified in national guidance so that we have the information we need to treat our service users, to manage and plan our services and to be paid for the work we do and in case it is needed for any future legal proceedings so we cannot delete the information. If you want to know more, please contact our Data Protection Officer.
Right to restrict processing
In certain circumstances you may have a right to restrict the processing of your personal data – it would then still be held but not further processed. This would apply where you had contested the accuracy of the data or objected to the processing and were awaiting our response, or we no longer needed the data but you required us to keep it for legal purposes.
Right to data portability
Where you provide your information to a data controller with consent or for the performance of a contract with you and if the data is processed automatically then you can ask for your data to be downloaded in a form that allows you to transfer it to another provider. This is not how we process the information we hold so the right to data portability does not apply but you still have the right to make a subject access request for your data, as above.
Right to object
You can object to processing of your information for direct marketing or profiling. We may contact you to tell you relevant information about our services or to ask for your opinions - this is not marketing but you can tell us your preferences about how and when we contact you. You can object to having your identifiable information used for research – if we ask you whether you would like to be involved in research projects we will tell you what would be involved and will respect your decision. This is different from the decision whether to allow data about you to be used as part of national datasets – see the national Data Opt-Out website to find out more about this here.
Rights in relation to automated decision making/profiling
You have the right not to be subject to decisions based on automated processing which have a significant effect on you. We may use assessment tools which score people according to certain criteria but we don’t use them as the sole way of making decisions about our service users and there will always be an element of human decision making.
We may use data to profile service user populations so we can plan services and offer appropriate interventions to improve their health and wellbeing. Where we do that then we will be open about the logic we use, we will use reliable processes and make sure the processing is secure.
Right to withdraw consent to processing
If we process information on the basis of consent from the data subject then they can withdraw their consent if they choose. We do not rely on the consent of data subjects for the majority of the processing we do – we process information in order to provide health and social care services and to run our Trust as described elsewhere in this notice.
If you wish to withdraw your consent for any processing which you think is undertaken on the basis of that consent then please contact our Data Protection Officer in the first instance by emailing DPO@shsc.nhs.uk
How to complain
If you have a complaint about how your personal information has been processed then you can raise it informally with the appropriate service or formally using our complaints procedure, details available on our website here.
You can also complain to the Office of the Information Commissioner which oversees the operation of Data Protection legislation. The ICO website is here or you can write to:
Information Commissioner's Office
Where we get information from
We receive information when other services such as GPs or social workers make referrals to our services. This will include the identity of the person being referred and their contact details plus relevant information about the reason for their referral.
We will collect information from our service users and from other people involved in their care.
We will receive results of medical tests from other health organisations.
We use national systems in order to find NHS numbers so that we can uniquely identify our service users, to find their registered GPs and check that other details about our service users are accurate and up to date.
If we don't have the data we need
We need to collect information about our service users in order to provide them with safe and effective care. This includes keeping records of the treatment we provide. We cannot provide our services without keeping records.
We also need to record the work we do in order to meet the contractual requirements of the bodies that purchase our services and to comply with national reporting requirements.
We process information about our staff in order to make sure they are qualified to do their jobs, to make sure we pay them and respect their rights and to ensure the safety of the people they provide services to.
Covid-19 and your information
This section describes how we may use your information to protect you and others during the Covid-19 outbreak.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your contacts details and sometimes confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example other NHS Trusts, GP practices and the local authority. We may also use the details we have to send public health messages to you, either by phone, text, e-mail or post.
During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so you may wish to check back from time to time.