When we collect and process personal data about people we are required to provide them with information about that process. The privacy notice below informs you of the type of personal data that we hold, how that information is used, who we may share that information with, and how we keep it secure and confidential.

(Last updated 29 December 2020)

Who we are

Identity of the Data Controller:

Sheffield Health and Social Care NHS Foundation Trust
Fulwood House
Old Fulwood Road
S10 3TH

Website: www.shsc.nhs.uk

The implementation of Data Protection is overseen by our Data Protection Officer. You can contact them via this email DPO@shsc.nhs.uk or you can write to them at this address:

The Data Protection Officer
Information Department
Sheffield Health and Social Care
Fulwood House    
Old Fulwood Road
S10 3TH

Why we process personal information

We process personal information about our staff, service users, volunteers, carers and other people for a variety of purposes:

  • to provide health and social care services
  • to manage our services and to plan for the future
  • to monitor how we are performing against targets
  • to make sure we comply with legislation about equality
  • to allow us to get paid for the work we do
  • to manage our staff and fulfil the duties we have as an employer
  • for research and training
  • to safeguard our service users, staff and the public

The main reason we process personal data is because it is necessary:

  • for exercising the public task of running a health and social care trust

We process information which is defined in law as ‘special category’ data – this includes health records amongst other items.  This is necessary:

  • for the provision of health or social care or treatment or the management of health or social care systems and services

We also process some personal information because it is necessary:

  • for employment purposes

We process some personal information because it is necessary:

  • for reasons of public interest in the area of public health, such ensuring high standards of quality and safety of health care

Sometimes we may process information on the basis of consent from the data subject but this is not the basis for the majority of our processing.

Where consent is used as the basis for processing this will be made clear to the data subject along with their rights regarding consent.

The types of information we process

We collect different types of personal information:

  • Personal identifiers – name, address, date of birth, NHS number etc, plus contact details
  • Bank details for our staff
  • Employment records, disciplinary records
  • Professional registration details, qualifications
  • Referrals, assessments and notes 
  • Information about appointments, contacts, hospital admissions and other service use
  • Medical information such as prescriptions, test results, diagnoses
  • Use of services provided by other organisations
  • Details of incidents
  • Processing of queries and complaints
  • Records about our Trust members    

Who we share personal information with

We share information with other health and social care organisations such as hospitals, GPs, care homes and social services.

We may share information with carers of service users where the service user has agreed to this.

We may share information with the police or courts where we are legally obliged to do so or in order to help prevent or investigate serious crimes.

We provide datasets to purchasers/commissioners of our services and to NHS Digital.

Regulators have the ability to view information we collect as part of the process of ensuring we provide good services.

Information for research

As a NHS organisation we use person-identifiable information to conduct research to improve health, care and services. As a publicly-funded organisation, we have to ensure that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.

You may be asked if you want to take part in research projects undertaken by the Trust. If you agree to take part in a research study we will use your data in the ways needed to conduct and analyse the study. Once you have agreed to participate in a research study we will be processing your information under the basis of a “Public task” so your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained.

In certain circumstances, where it is not practical to get consent from individual patients' we may be granted legal approval to process personal information for research purposes without consent - any such requests are subject to processes imposed by the Health Research Authority and have strict requirements to protect patient confidentiality imposed upon them.

To safeguard your rights, we will use the minimum person-identifiable information possible.

You can find out more about patient information and health and care research on the Health Research Authority website.

National Fraud Initiative

The Trust is a mandatory participant in the Cabinet Office’s National Fraud Initiative data-matching exercise, run every two years.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018. All Trust staff and suppliers’ data may be submitted to the National Fraud Initiative on a regular basis.

You can read further information about the national fraud initiative on the GOV.UK website.

Transfers of information overseas

We do not routinely transfer personal information to other countries.

Where we are requested to send individual service user records abroad we will do so with their consent and via a secure method.

How long we keep personal information

We adhere to the retention periods set out by the Information Governance Alliance – their guidance is available here.

We will develop systems to allow us to archive records which have passed their recommended minimum retention period but we will not destroy records which may be relevant to ongoing inquiries

The rights you have regarding your information

Right to be informed

Data subjects have a right to know when their personal information is being processed.  We let you know about the processing we do via this notice and via our staff when they collect information from you. You can also contact our Data Protection Officer.

Right of access

You can ask us to confirm whether we process information about you and for an explanation of the processing.  You can also ask for access to the information we hold about you – we won’t charge for this and we have to provide the information within a specified time period.  If you have a keyworker you can ask them for details of how to access your information or you can contact our Corporate Affairs department – there are details on how to access your records on our website here.

Right to rectification

If you think any of the information we hold about you is inaccurate you can ask us to change it – if we agree then we will correct the information but we will usually keep a copy of the previous version in case we need to refer back to see the information as it was at the time any decisions were made. If we disagree about the information being incorrect then you can add a note to your records to say what you disagree with.

Right to erasure

Data protection legislation gives data subjects a limited right to have their personal information deleted where there is no compelling reason for the processing to continue. This is sometimes known as the ‘right to be forgotten’. For the majority of the personal information we process we will need to keep it for the minimum retention period specified in national guidance so that we have the information we need to treat our service users, to manage and plan our services and to be paid for the work we do and in case it is needed for any future legal proceedings so we cannot delete the information. If you want to know more, please contact our Data Protection Officer.

Right to restrict processing

In certain circumstances you may have a right to restrict the processing of your personal data – it would then still be held but not further processed. This would apply where you had contested the accuracy of the data or objected to the processing and were awaiting our response, or we no longer needed the data but you required us to keep it for legal purposes.

Right to data portability

Where you provide your information to a data controller with consent or for the performance of a contract with you and if the data is processed automatically then you can ask for your data to be downloaded in a form that allows you to transfer it to another provider. This is not how we process the information we hold so the right to data portability does not apply but you still have the right to make a subject access request for your data, as above.

Right to object

You can object to processing of your information for direct marketing or profiling. We may contact you to tell you relevant information about our services or to ask for your opinions - this is not marketing but you can tell us your preferences about how and when we contact you. You can object to having your identifiable information used for research – if we ask you whether you would like to be involved in research projects we will tell you what would be involved and will respect your decision. This is different from the decision whether to allow data about you to be used as part of national datasets – see the national Data Opt-Out website to find out more about this here.

Rights in relation to automated decision making/profiling

You have the right not to be subject to decisions based on automated processing which have a significant effect on you.  We may use assessment tools which score people according to certain criteria but we don’t use them as the sole way of making decisions about our service users and there will always be an element of human decision making.

We may use data to profile service user populations so we can plan services and offer appropriate interventions to improve their health and wellbeing.  Where we do that then we will be open about the logic we use, we will use reliable processes and make sure the processing is secure.

Right to withdraw consent to processing

If we process information on the basis of consent from the data subject then they can withdraw their consent if they choose.  We do not rely on the consent of data subjects for the majority of the processing we do – we process information in order to provide health and social care services and to run our Trust as described elsewhere in this notice.

If you wish to withdraw your consent for any processing which you think is undertaken on the basis of that consent then please contact our Data Protection Officer in the first instance by emailing DPO@shsc.nhs.uk

How to complain

If you have a complaint about how your personal information has been processed then you can raise it informally with the appropriate service or formally using our complaints procedure, details available on our website here.

You can also complain to the Office of the Information Commissioner which oversees the operation of Data Protection legislation. The ICO website is here or you can write to:

Information Commissioner's Office
Wycliffe House
Water Lane

Where we get information from

We receive information when other services such as GPs or social workers make referrals to our services. This will include the identity of the person being referred and their contact details plus relevant information about the reason for their referral.

We will collect information from our service users and from other people involved in their care.

We will receive results of medical tests from other health organisations.

We use national systems in order to find NHS numbers so that we can uniquely identify our service users, to find their registered GPs and check that other details about our service users are accurate and up to date.

If we don't have the data we need

We need to collect information about our service users in order to provide them with safe and effective care.  This includes keeping records of the treatment we provide.  We cannot provide our services without keeping records.

We also need to record the work we do in order to meet the contractual requirements of the bodies that purchase our services and to comply with national reporting requirements.

We process information about our staff in order to make sure they are qualified to do their jobs, to make sure we pay them and respect their rights and to ensure the safety of the people they provide services to.

COVID-19 and your information

This section describes how we may use your information to protect you and others during the COVID-19 outbreak.

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your contacts details and sometimes confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example other NHS Trusts, GP practices and the local authority. We may also use the details we have to send public health messages to you, either by phone, text, e-mail or post.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.   

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.   

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. 

Specific data flows related to COVID-19

Electronic Prescribing and Medicines Administration (EPMA) data

We are required to supply the NHS with data on medicines we prescribe to our patients who will be identified by their NHS numbers. Where medicines are associated with certain conditions, procedures or treatments which are legally protected the information which could identify specific patients will be removed. The information will be used for research into the effect of medicines with COVID-19 and for wider analysis of the use and effectiveness of medicines.

Asymptomatic staff testing results

Where our staff are tested for COVID-19, any positive tests must be reported to Public Health England. We collate individual staff test results and upload them via secure file transfer. The information is also used within the Trust in order to manage services and inform our measures to counteract the pandemic.

Staff vaccination

We are required to collect information to identify which of our staff are more vulnerable to COVID-19 because of their age, ethnic group or medical conditions. We will use this information to prioritise the vaccination of vulnerable staff, providing priority lists to partner organisations who will vaccinate our staff. As vaccinations become more widely available we will monitor their uptake amongst our staff. We may amend this privacy notice at any time so you may wish to check back from time to time.

We may amend this privacy notice at any time so you may wish to check back from time to time.

National Data Opt-Out: How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services may also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This can only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, information used for research and planning is anonymised so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used for purposes beyond your direct care. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

On this page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • understand more about who uses the data
  • find out how your data is protected
  • be able to access the system to view, set or change your opt-out setting
  • find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • see the situations where the opt-out will not apply

You can also find out more about how patient information is used at: www.hra.nhs.uk/information-about-patients (which covers health and care research); and understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Sheffield Health and Social Care NHS Foundation Trust has processes in place to comply with the national data opt-out policy.

Share this

Was this page useful?