Confidentiality & Data Protection

(If you work or volunteer at the Trust, please click the below button to view the Staff Privacy Notice)

Staff Privacy Notice

How your personal data is being used by The Clatterbridge Cancer Centre NHS Foundation Trust

For Covid-19 and your information please click here

1. Who are we?

The Clatterbridge Cancer Centre NHS Foundation Trust is one of the UK’s leading cancer centres providing highly specialist cancer care to a population of 2.3m people across Merseyside, Cheshire and the surrounding areas including the Isle of Man.

We are based in Wirral, Liverpool, and Aintree, and have a number of satellite sites.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z7367711.

2. What is a ‘Privacy Notice’ and what does it mean for me?

Under data protection law we are legally required to provide information about how we use your information in a way that is:

  • concise
  • transparent
  • easy to understand
  • easily accessible
  • written in clear, plain language, particularly if addressed to a child
  • free of charge

Data protection law says the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  • relevant to the purposes we have told you about and limited only to those purposes
  • accurate and kept up to date
  • kept only as long as necessary for the purposes we have told you about
  • kept securely

This privacy notice explains what we do with your personal information where we are or have provided care to you. It tells you:

  • the information we collect about you
  • how we store this information
  • how long we retain it
  • who we may share it with
  • for which legal purpose we may share it

Please note that the information contained in this privacy notice is applicable to all Clatterbridge Cancer Hospital NHS Foundation Trust sites.


Definitions

GDPR

General Data Protection Regulation

Personal data

information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

name

identification number

social media posts

location data

online identifier

Special category personal data

information which is thought to be "extra sensitive", such as:

ethnicity

data concerning health

biometric data

sexual orientation

religious or philosophical belief

Data controller

the organisation that determines or decides the purposes, conditions and means of the processing of personal data i.e. Clatterbridge Cancer Centre NHS FT

Processing

Anything that is done to the personal data we hold

Pseudonymisation

the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).

Information Commissioner’s Office (ICO)

the body that regulates the Trust under data protection and freedom of information legislation.


3. Purposes for using your information

Below are key examples of the purposes and rationale for why we collect and process information:

PurposeRationale
ComplaintsTo process your personal information if it relates to a complaint where you have asked for our help or involvement.


When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Legal Basis
We will need to rely on your explicit consent to undertake such activities.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Direct Patient CareThe term ‘direct care’ is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals (all activities that directly contribute to the diagnosis, care and treatment of an individual). It includes:

  • supporting individuals’ ability to function and improve their participation in life and society
  • the local audit/assurance of the quality of care provided
  • the management of untoward or adverse incidents
  • the measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Legal Basis
Health and Social Care Act 2012. We need to collect, record, store and use your personal data in order to provide our healthcare services to you.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
For other organisations
to provide support services for us
The Trust will use the services of the additional data processors, who will provide additional expertise to assist in the delivery of services. We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of information to be shared and the legal basis allowing us to legitimately share the information.

Legal Basis

We have entered into contracts with other companies/organisations to provide some services for us or on our behalf. These organisations are known as “data processors"

These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
Patient and Public InvolvementIf you have asked us to keep you regularly informed and up to date about the work of the Trust or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis

We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
National RegistriesLegal Basis
National Registries (such as the Cancer Registry* and National Disease Registration Service**) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual patient.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

*For more information on the Cancer Registry please see the following websites:

https://www.gov.uk/guidance/national-cancer-registration-and-analysis-service-ncras

https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/gdpr/gdpr-register/cancer-registry-canreg

** National Disease Registration Service: High Cost Drug Patient Data to support the National Congenital Anomaly and Rare Disease Registration Service (NCARDRS).

The NCARDRS is part of the National Disease Registration Service (NDRS), which is part of Public Health England (PHE) and records people with congenital abnormalities and rare diseases across the whole of England. The registration service provides a resource for clinicians to support high quality clinical practice, including epidemiology and monitoring of the frequency, nature, cause and outcomes of these disorders.

You can find more information, and access a leaflet, from the National Disease Registration Service webpage https://www.ndrs.nhs.uk/
ResearchThis is to support research proposals and activities at the Trust.

Legal Basis
Consent to participation in research is not the same as consent as the legal basis for processing under data protection legislation. The Trust will does not use consent to process for research purposes, instead it will use the GDPR articles listed below.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For processing special categories of personal data:

  • Article 9(2)(j) – Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
CCTV
Cameras
We have installed CCTV cameras on our Trust sites in areas that are used by members of the public and staff.

Legal Basis
This is for the purposes of public safety and crime prevention/detection. In all locations, signs are displayed notifying of the fact the CCTV is in operation and providing details of whom to contact for further information about the scheme.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Analysis to improve the services provided to our patientsFor processing personal data:

Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

In addition to the purposes listed above The Clatterbridge Cancer Centre NHS Foundation Trust may process information for specific purposes which are listed below:

4. What personal data we collect about you and how we collect it

We are committed to protecting your privacy and will only process personal confidential data in accordance with current Data Protection Laws, General Data Protection Regulations, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.

Examples of identifiable data are:

  • Your name
  • Your contact details
  • Your DOB
  • Your next of kin/carer details
  • Your GP details

This is not an exhaustive list, and will depend on information you have provided to healthcare professionals.

In addition to the above, we may also hold special category personal information about you which could include:

  • Details about your health, care and treatment
  • Your religion and ethnic origin
  • Whether or not you are subject to any protection orders regarding your rights (safeguarding status)

5. How long do we retain your records?

Your personal information will only be kept for as long as necessary, in accordance with the Trust’s Record Management Policy. This is in line with the NHS Code of Practice: Records Management, which sets out the appropriate length of time each type of NHS record is held for.

6. Sharing Your Information

The Clatterbridge Cancer Centre NHS Foundation Trust works closely with other organisations to support patient care. This means that information will be shared between the hospital and other organisations who may be caring for you or involved in your care. These may include:

  • NHS England
  • NHS Digital
  • Public Health England
  • Other NHS trusts
  • Your GP
  • Ambulance services
  • Cancer registries
  • Local authorities such as social services


The Trust is part of a regional sharing agreement called Share2Care, ensuring records can be shared by other care providers involved in your treatment and care.

In instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, you have the right at any time to refuse consent to the information sharing, or to withdraw your consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then you have the right to register your objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, patients cannot refuse or withdraw consent for the disclosure

Where information is to be shared across organisational boundaries on a regular basis information sharing agreements should be in place between all of the sharing parties involved. For a list of current Information Sharing Agreements please click here

7. Your Rights

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

i. Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records "for the management of healthcare systems and services"

ii. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above

iii. In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time

  • request your personal information to be transferred to other providers on certain occasions
  • object to the use of your personal information

In certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment

i. For further information, please see the National data opt-out programme

  • challenge any decisions made without human intervention (automated decision making)
  • ask us to restrict the use of your information where appropriate


Do we use Artificial Intelligence?

There may be some activities we use artificial intelligence for; however, we do not use it to make any clinical decisions. For example, we may use artificial intelligence to do something that would otherwise be a manual task which is quite painful for a patient. The result of the artificial intelligence output is then thoroughly checked by a relevant member of staff.

We also may use something called 'Robotic Process Automation'. This is where an online robot (known as a digital worker) undertakes administrative tasks that would usually be carried out by a person.

8. National Data Opt-Out Programme

National Data Opt-Out: GDPR information - NHS Digital

You have a choice about how you want your confidential patient information to be used. If you’re happy for us to use your information, you do not need to do anything.

If you choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the National Data Opt Out Programme. If you do choose to opt out you can still consent to your data being used for specific purposes.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subject to.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

When there is a Court Order or a statutory duty to share patient data;

When there is a statutory power to share patient data;

When the patient has given his/her explicit consent to the sharing;

When the patient has implicitly consented to the sharing for direct care purposes;

When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

This list is not exhaustive but indicative of the information recorded.

9. Is my data transferred overseas or sold for profit to other organisations?

Your information will only be sent outside of the UK where the country has laws in place that meet the standards of data protection similar to those in the UK. We perform a number of checks to ensure this.

The Trust will never sell any information about you to other organisations for profit.

10. Further Information

If you have any questions or concerns regarding how we use your information, please contact the Trust's Data Protection Officer:

The Information Governance Manager
The Clatterbridge Cancer Centre NHS Foundation Trust
Clatterbridge Cancer Centre - Wirral
Clatterbridge Road
Wirral
CH63 4JY

E-mail: ccf-tr.cccdataprotectionofficer@nhs.net

11. Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

ICO website(opens in new tab)

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

How to make a complaint to the ICO

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

0303 123 1113

01625 545 745

casework@ico.org.uk

Procurement

Health Procurement Liverpool is a new shared Procurement function for Alder Hey Children’s Hospital, Clatterbridge Cancer Centre, Liverpool Heart & Chest Hospital and the Walton Centre Trust. In May 2021 the Trusts named above agreed to create a single shared procurement alliance in order to strengthen procurement services, support integrated ways of working and to deliver efficiencies through economies of scale and consolidated purchasing activity. The shared service is hosted by The Walton Centre.

Patient/Staff Data - Patient data will not be processed by HPL. If any staff contact information is passed over during the requisition phase to HPL, the information will be removed and changed to initials only.

Supplier Data – Data such as contracts registers, suppliers contracts and bid prices, supplier spend and usage on products/services, supplier addresses and representative contact details will be held centrally by Health procurement Liverpool.

For further information regarding the sharing of information across the HPL collaboration please contact:

Katie Tootill

Chief Procurement Officer

Katie.tootill@nhs.net

All sharing of information is carried out in line with the Data Protection Act 2018/UK General Data Protection Regulation.