Privacy Notice
Introduction
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.
Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use your personal and special category information (For example Your healthcare Information) held at South Western Ambulance Service Foundation Trust.
This Notice describes how we collect, use, and process your data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer or Information Governance Team.
Who we are?
We, at South Western Ambulance Service Foundation Trust (SWASFT) are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you have contacted us and used us an emergency service.
There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice
At South Western Ambulance Service NHS Foundation Trust (SWASFT) we keep records about the care and treatment you receive as one of our patients. This helps to ensure that you get the best possible care from us and that your information is easily available if you see another health professional (such as a doctor) or social care professional. These records are also known as “personal data”.
We only use the minimum amount of your information necessary by those who have legitimate reasons to view it to:
· make sure the care we offer meets patients’ needs
· manage emergency activity and the demand on our services
· plan and manage the health service
· get accurate figures about NHS performance
· check how well NHS Services are doing
· see how we spend public money
· teach and train NHS employees and other healthcare professionals
· carry out research and development in the healthcare industry.
What information do we hold?
Examples of the types of personal data that the Trust holds are:
· Your name, address, date of birth, NHS Number
· Contact information such as your telephone number or email address.
· Details of your closest relatives (“next of kin”) or patient representative
· Details of contacts we have had with you before.
· Details of any diagnosis and treatment
· Your medications / drug usage
· Any allergies you have
· Your physical or mental health conditions
· Your racial or ethnic origin
What types of record do we hold?
We may hold records about you in the following ways:
· Patient records – paper and/or electronic
· Voice recordings of 999, calls for the areas we cover.
· Legacy 111 records and GP out-of-hours records for the areas we covered.
· Urgent Care Centre (UCC) records for the centres we operate.
· CCTV footage for our vehicles and buildings
· Details of attendance to you to monitor our performance.
How we use your information and the law
South Western Ambulance Service will be what’s known as the ‘Controller’ of the personal data you provide to us.
We are required to provide you with this Privacy Notice by UK Law GDPR General Data Protection Regulation & DPA Data Protection Act 2018. It explains how we use the personal and healthcare information we collect, store and hold about you. The Law says:
· We must let you know why we collect personal and healthcare information about you;
· We must let you know how we use any personal and/or healthcare information we hold on you;
· We need to inform you in respect of what we do with it;
· We need to tell you about who we share it with or pass it on to and why; and
· We need to let you know how long we can keep it for.
We collect basic personal data about you which includes your name, address, contact details such as email and mobile number, etc.
We will also collect sensitive confidential data known as “special category personal data”, in the form of health information or linked to your healthcare through other health providers or third parties.
Why do we need your information?
Any health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g., NHS Trust, GP Surgery, Walk-in Centre, OOH, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
We may get personal data from or share personal data with the following organisations.
for the purposes of delivering or improving healthcare, or where there is a legal or
authoritative requirement for us to do so:
· Clinical commissioning groups (CCGs)
· Health authorities such as NHS England
· Other NHS Trusts
· General practitioners (GPs)
· Other Ambulance Trusts
· Other NHS agencies such as community care or clinics
· Social Services
· Local Authorities (District, Unitary and County Councils)
· Education services
· Fire, Police and Search and Rescue Services
· HM Coroners
· Prison Services
· Legal representatives
· DVLA
· Regulators such as the Care Quality Commission (CQC)
· Professional organisations such as Nursing & Midwifery Council (NMC), General
· Medical Council (GMC), Health and Care Professions Council (HCPC) and Health
· and Safety Executive (HSE) etc.
· Department for Work & Pensions
· Voluntary sector providers and private sector providers
We may share information with the Police or DVLA for example where we have concerns over the safety of you, another person / other people, or the general public.
If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer.
What is your personal data?
Personal data is any information about a living individual which allows them to be identified. Identification can be directly using the data itself, or by combining it with other information which helps to identify a living individual. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018, and other legislation relating to personal data and rights, such as the Human Rights Act.
The data we might collect about you.
Body Worn Video (BWV) is a visual and audio recording device implemented by South Western Ambulance Service (SWAST) for the prevention and detection of crime. The evidence it captures is impartial and provides the best evidence of the events that took place between yourself and the Ambulance service. The use of BWV will be on a case-by-case basis and down to the discretion of the individual wearing BWV.
Personal Data that we may collect includes photographic, video, and digital imagery and audio commentary.
What is the legal basis for processing data?
South Western Ambulance Service Trust, processes personal data under the GDPR Article 6 lawful basis of Public Task, for the purpose of prevention, investigation, detection, or prosecution of criminal offences against ambulance staff. Ensuring that ambulance staff, and the public, are always safe whilst in our care.
The Data Controller – SWAST, will comply with data protection legislation. This says that the personal data we hold about you must be:
- Used lawfully and fairly.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as is necessary for the purposes we have told you about.
- Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data and to protect personal data from loss, misuse, unauthorized access, and disclosure.
Automated decision making
We do not rely on any automated decision-making systems or processes within our Trust.
Sharing information
When we share information about you with others, we always do this in the best interests of you, the patient. We only share information that is strictly necessary. Where possible, we will not share your name or personal details about you.
What authority do we have to share information?
We, with the following organisations, may share personal data for the purposes of delivering or improving healthcare or where there is a legal or authoritative requirement for us to do so.
This table explains the laws that we have to follow when we share your information with
other public authorities and organisations:
Type of sharing |
Lawful Basis |
Legislation |
Sharing Medical Records e.g. attending to you as a patient |
Lawful basis of public interest or vital interest
|
· General Data Protection Regulation – Section 6 (1)(d) & Section 9 (2)(c) · Health and Social Care Act 2012 · The Mental Capacity Act 2005 |
Safeguarding / Vulnerable Person Referrals |
Lawful basis of public interest or vital interest
|
· General Data Protection Regulation – Section 6 (1)(d) & Section 9 (2)(c) · Care Act 2014 · The Mental Capacity Act 2005 |
Pursuit / Defense of Legal Claims |
Necessary for the establishment, exercise or defence of legal claims
|
· General Data Protection Regulation – Section 6 (1)(c) & Section 9 (2)(f) |
Prevention and Detection of Crime |
Lawful basis of legislation
|
· General Data Protection Regulation – Section 6 (1)(c) & Section 9 (2)(g) · Data Protection Act 2018 |
Inquests |
Lawful basis of legislation
|
· Coroners and Justice Act 2009 |
Subject Access Requests |
Lawful basis of legislation
|
· General Data Protection Regulation Article 15 · Data Protection Act 2018 |
Any sharing of information is bound by the Common Law Duty of Confidentiality and the Confidentiality NHS Code of Practice.
Records which we hold about you may include the following information;
· Details about you, such as your address, carer, legal representative, emergency contact details
· Any contact SWASFT has had with you, such as call outs to us as an emergency service.
· Notes and reports about your health
· Details about your treatment and care
· Results of investigations such as laboratory tests, x-rays etc
· Relevant information from other health professionals, relatives or those who care for you.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS.
Information may be shared with your GP practice for clinical audit to monitor the quality of the service provided and to form part of your medical record.
Call Recording
We use Telephone Call Recording software for quality and training purposes. All telephone calls made or received via SWASFT Telephony systems may be recorded. Call Recordings are stored indefinitely on an external hard drive and can be accessed by the IT & Data Lead ONLY. We have internal policies that all staff must follow in order to protect your data. Under your rights of access you are entitled to copies of phones calls that we hold and you can contact our Information Governance Team for a copy of your call.
Special Category Information
The Law states that personal information about your health falls into a special category of information because it is very sensitive.
Reasons that may entitle us to use and process your information may be as follows:
· Public interest: Where we may need to handle your personal information when it is in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
· Consent: When you have given us consent.
· Vital interest: If you are incapable of giving consent, and we must use your information to protect your vital interests (e.g., if you have had an accident and you need emergency treatment).
· Defending a claim: If we need your information to defend a legal claim against us by you, or by another party.
· Providing you with medical care: Where we need your information to provide you with medical and healthcare services.
Retention Period
We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice we follow strict NHS guidance in terms of standard retention schedules in healthcare.
Anonymised Information
Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.
Your Patient Rights
The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:
Subject Access Requests (SAR) -Rights of Access Requests
You have the right to see what information we hold about you and to request a copy of this information.
If you would like a copy of the information, we hold about you please contact a member of Information Governance Team at South Western Ambulance Service Foundation Trust Information.Governance@swast.nhs.uk
We will provide this information free of charge however, we may in some limited and exceptional circumstances ask you to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive. We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing is made clear to us as to what and how much information you require.
Freedom Of Information Requests -FOIA 2000
Freedom of Information Requests – The Freedom of Information Act 2000 (FOIA) gives you as a patient a general right to certain information held on behalf of public authorities. You can request any non-personal information that the SWASFT holds that doesn’t fall under an exemption within Data Protection Law.
You can find out more information here – The Information Commissioner’s Office has guidance on making FOI requests including request to public bodies.
Please see section
Right to Rectification
We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.
If considered appropriate, a retrospective entry can be made by a clinician if you have concerns regarding the accuracy of your clinical record.
Right to Object
If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply i.e., safeguarding reasons.
We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g., medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by SWASFT in this way. Please note the anonymised Information section in this Privacy Notice.
Right to Withdraw Consent
Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
Right to Erasure
In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
Right of Data Portability
Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP-to-GP data transfer and transfer of your hard copy notes. How can you access, amend move the personal data that you have given to us?
Under 16s
Up until the age of 16 your parents will be able to access your medical information. This means they can discuss your care with staff at South Western Ambulance Service Foundation Trust and may request to see copies of your medical information unless you request us to withhold this information from them.
If you do not want your parents to have access to your medical information, please speak to a member of South Western Ambulance Service Foundation Trust team. (Please see attached Privacy Notice for 13–16-year-olds).
If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer Information.Governance@swast.nhs.uk
Once the data is collected, it will only be used for the purposes of improving health and care. Patient data is not for sale and will never be for sale.
NHS Digital
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across NHS providers in England and provides reports on how the NHS is performing. These reports help plan and improve services to patients. This practice must comply with the law and send data to NHS Digital when it is told to do so by the Secretary of State for Health or NHS England under the Health & Social Care Act 2012.
More information about NHS Digital and how it uses information can be found at: digital.nhs.uk
Records Management Code of Practice 2021
How do we lawfully use your data?
We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice, under the General Data Protection Regulation we will be lawfully using your information in accordance with: –
· Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
· Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.
Medical Management
South Western Ambulance Service Foundation Trust may conduct Medicines Management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
· Data Protection Act 2018
· UKGDPR UK General Data Protection Regulations 2018
· Human Rights Act 1998
· Common Law Duty of Confidentiality
· Access to Medical Records Act 1990
· Health and Social Care Act 2012
· NHS Codes of Confidentiality, Information Security and Records Management
· Information: To Share or Not to Share Review
All our staff receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Our staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees and sub-contractors engaged by the South Western Ambulance Service are asked to sign a confidentiality agreement. South Western Ambulance Service Foundation Trust will, if required, sign a separate confidentiality agreement if deemed necessary.
In certain circumstances you may have the right to withdraw your consent to the processing of data.
Please contact South Western Ambulance Service Foundation Trust Information Governance Team in writing if you wish to withdraw your consent.
In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
Updating your record
Under your ‘Right to rectification’ you can ask us to amend your details at any time if they are incorrect. For example, if you change your address or if you need to update your mobile or email address with us. It’s important that we have the most up to date contact details for you as we may need to contact you in the event of an emergency the police may also ask us for your contact details following an incident as they may wish you to provide a statement, we will only provide minimal information that we deem is necessary in order to assist them with their enquiries if it falls under the exemptions outside of GDPR for the prevention and detection of crime. Please see the enclosed link for further information.
Sharing personal data with law enforcement authorities | ICO
Third Parties
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.
Services that may send us your personal data
· Hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.
· Avon & Somerset Police Firearms department
· Court Orders
· Immigration matters
· Solicitors
· Fire Brigade
· Social Services
· Education
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations.
· NHS Trusts / Foundation Trusts
· Out of Hours / Extended Hours services 111
· GPs
· NHS Commissioning Support Units
· Independent Contractors such as dentists, opticians, pharmacists
· Private Sector Providers
· Voluntary Sector Providers
· Ambulance Trusts
· Clinical Commissioning Groups ICBs
· Social Care Services
· NHS England (NHSE) and NHS Digital (NHSD)
· Local Authorities
· Education Services
· Fire and Rescue Services
· Police & Judicial Services
· Voluntary Sector Providers
· Private Sector Providers
· Other ‘data processors’ You will be informed who your data will be shared with and in some cases asked for consent for this happen when this is required.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Social Prescribers/Mental Health Referral
Social prescribing is when health professionals refer patients to support in the community, in order to improve their health and wellbeing. The concept has gained support in the NHS organisations of the United Kingdom, as well as in Ireland and the Netherlands, and forms part of the NHS Long Term Plan, also known as the NHS 10-Year Plan.
South Western Ambulance Service Foundation Trust may ask for your consent before any information is shared between your GP and the social prescriber there will also be a Data Sharing Agreement between South Western Ambulance Service Foundation Trust and the Social Prescriber so that we all keep your information safe.
Some of the work that happens at a national level with your information is required by
If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.
Information Commissioner
Should you have any concerns about how your information is managed by South Western Ambulance Service Foundation Trust, please contact the
If you are still unhappy following a review by us, you have a right to lodge a complaint with a supervisory authority: You have a right to complain to the UK supervisory Authority as below.
Wycliffe house
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545745
If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact South Western Ambulance Service Foundation Trust Manager.
If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer Information.Governance@swast.nhs.uk
Our Website
The only website this Privacy Notice applies to is the South Western Ambulance Service Foundation Trust website. If you use a link to any other website from the our website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
Security
We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.
If English isn’t your first language
If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer or Information Governance Team Information.Governance@swast.nhs.uk
Cookies
Our website uses cookies. For more information on which cookies, we use and how we use them, please contact our Data Protection Officer Information.Governance@swast.nhs.uk
Security
We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.
How long do we keep your records?
We keep records in accordance with the NHS retention and disposal schedule available here. Once we no longer have a legal requirement to retain you’re personal information, we will normally destroy it securely. Where this is not possible (due to technical limitations), we will make sure that your records are ‘put beyond use’ in accordance with the Information Commissioners Office guidance available here. This means that the
information can only be accessed if the Trust is served with a Court Order.
How do we keep your data safe and secure?
We only share your information on a “need-to-know” basis supported by legislation and/or appropriate authority.
Body Worn Video Manager:
Senior Responsible Officer (SRO):
What personal data do we manage?
We manage the personal data of the Trusts staff, contractors, and any individuals associated with the Trust, and members of the public, these may include patients, visitors, or witnesses.
Sharing your personal data.
We may share your data internally with relevant departments for the purpose of the above stated legal basis. We may also share the data we collected with the Police or other agencies.
How long do we keep your personal information?
South Western Ambulance Service will retain personal data for as long as is necessary in relation to the purpose for which it was collected.
Should the footage not be required, it will automatically be deleted from our system after 31 days.
Your information is kept safe using secure IT systems and suitable record management processes.
How to obtain my personal data and find out about my individual rights?
Details of how you can obtain copies of your personal records from us are available on our website here Welcome to SWASFT - (swast.nhs.uk)
How do I withdraw my consent?
Where we rely on your consent to perform a function then you will have the opportunity to withdraw your consent. However, we will not be able to withdraw your consent where the process forms a key part of any medical assessment or intervention performed by the Trust.
If you do decide to withdraw or withhold personal information, we will clearly highlight and explain any consequences of doing so.
To withdraw your consent please contact us clearly stating what information about you that you do not want us to use.
Raising concern / providing feedback
Details of how to raise a complaint, concern, comment or provide feedback is available on our website.
If you are unhappy with how we have managed your information, you can contact the Information Commissioner at:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 01625 545 700
Web: https://ico.org.uk/
Records amendment and deletion
Under certain circumstances you have the right for records held by us about you to be changed or deleted. You can make a request for your records to be changed or deleted by contacting the Information Governance Team.
Data Protection Officer
The Data Protection Officer for SWASFT is Nigel Gooding he can be contacted via dpo@dataprivacyadvisory.com
Information Governance Team
We hope this information is transparent and clear, but if you have any questions about how we use your personal information, or if you would like to obtain copies of your information, please contact SDPlus.InformationGovernance@SWAST.nhs.uk
Additional Support for Third Party Data Sharing
If you require any further information on any of the above, please do not hesitate to ask the Data Protection Officer Information.Governance@swast.nhs.uk
Please note: if you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed.
Last Updated
This Privacy Notice was last updated 11th January 2024 by the Information Governance Manager for SWASFT SDPlus.InformationGovernance@SWAST.nhs.uk