Confidentiality & Data Protection

How your personal data is being used by The Clatterbridge Cancer Centre NHS Foundation Trust

1. Who are we?

The Clatterbridge Cancer Centre NHS Foundation Trust is one of the UK’s leading cancer centres providing highly specialist cancer care to a population of 2.3m people across Merseyside, Cheshire and the surrounding areas including the Isle of Man.

We are based in Wirral, Merseyside supported by a £17m radiotherapy treatment centre in Aintree, Liverpool. We also operate specialist chemotherapy clinics in eight of Merseyside’s district hospitals and deliver a pioneering Treatment at Home service.

2. What is a ‘Privacy Notice’ and what does it mean for me?

The Clatterbridge Cancer Centre NHS Foundation Trust treats the confidentiality of the data we hold about people very seriously. This privacy notice provides an overview of the information we hold, why we hold it and how we store it securely.

This privacy notice is part of our programme to make the data processing activities we carry out transparent.

This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations.

This privacy notice will be reviewed on a regular basis to ensure it is in line with national guidance and legislation. This privacy notice was last reviewed in June 2018

3. How does The Clatterbridge Cancer Centre NHS Foundation Trust comply with data privacy and confidentiality issues?

We are committed to protecting your privacy and will only process personal confidential data in accordance with current Data Protection Laws, General Data Protection Regulations, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.

Examples of identifiable data are:

  • Name
  • Address
  • Postcode
  • Date of Birth
  • NHS Number

Personal data mean data which relates to a living individual who can be identified:

(a) from that data, or;

(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data is different from Personal Data. Sensitive personal data means personal data consisting of information as to:

  • the racial or ethnic origin of the data subject
  • their political opinions
  • their religious beliefs or other beliefs of a similar nature
  • whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
  • their physical or mental health or condition
  • their sexual life
  • the commission or alleged commission of any offence, or
  • any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

The Clatterbridge Cancer Centre NHS Foundation Trust is a Data Controller as defined in current Data Protection Laws and the General Data Protection Regulations . This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z7367711 and our entry can be found in the Data Protection Register on the ICO website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and well-being.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you.

All our staff receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

4. Purposes for using your information

Below are key examples of the purposes and rationale for why we collect and process information:

PurposeRationale
ComplaintsTo process your personal information if it relates to a complaint where you have asked for our help or involvement.


When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Legal Basis
We will need to rely on your explicit consent to undertake such activities.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Direct Patient CareThe term ‘direct care’ is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals (all activities that directly contribute to the diagnosis, care and treatment of an individual). It includes:

  • supporting individuals’ ability to function and improve their participation in life and society
  • the local audit/assurance of the quality of care provided
  • the management of untoward or adverse incidents
  • the measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
Legal Basis
Health and Social Care Act 2012. We need to collect, record, store and use your personal data in order to provide our healthcare services to you.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
For other organisations
to provide support services for us
The Trust will use the services of the additional data processors, who will provide additional expertise to assist in the delivery of services. We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of information to be shared and the legal basis allowing us to legitimately share the information.

Legal Basis

We have entered into contracts with other companies/organisations to provide some services for us or on our behalf. These organisations are known as “data processors"

These organisations are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
Patient and Public InvolvementIf you have asked us to keep you regularly informed and up to date about the work of the Trust or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Legal Basis

We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
National RegistriesLegal Basis
National Registries (such as the Cancer Registry) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual patient.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
ResearchThis is to support research proposals and activities at the Trust

Legal Basis
We will obtain your consent for this purpose before identifiable information about you is disclosed for any research. This is in line with ethically approved research protocols which and we will ensure you are fully aware of the needs and requirements of the research study. Sometimes research can be undertaken using anonymised or aggregated information that does not identify you. The law does not require us to obtain your consent in this case


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
CCTV
Cameras
We have installed CCTV cameras on our Trust sites in areas that are used by members of the public and staff.

Legal Basis
This is for the purposes of public safety and crime prevention/detection. In all locations, signs are displayed notifying of the fact the CCTV is in operation and providing details of whom to contact for further information about the scheme.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5. Sharing Your Information

The Clatterbridge Cancer Centre NHS Foundation Trust works closely with other organisations to support patient care. This means that information will be shared between the hospital and other organisations who may be caring for you or involved in your care. These may include:

  • Other NHS Organisations
  • Ambulance Serices
  • Cancer Registries
  • NHS Common Services Agencies such as dentists, ophthalmic services, etc
  • Local Authority Departments, including Social Services
  • Voluntary Sector Providers
  • Private Sector Provider

In instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, you have the right at any time to refuse consent to the information sharing, or to withdraw your consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then you have the right to register your objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, patients cannot refuse or withdraw consent for the disclosure

Where information is to be shared across organisational boundaries on a regular basis information sharing agreements should be in place between all of the sharing parties involved. For a list of current Information Sharing Agreements please click here

6. Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully. You have the right to privacy and to expect the NHS to keep your information confidential and secure.

Data Protection laws gives individuals rights in respect of the personal information that we hold about you. These are:

  1. To be informed why, where and how we use your information.
  2. To ask for access to your information
  3. To ask for information to be corrected if inaccurate or incomplete
  4. To ask for your information to be deleted or removed where there is no need for us to continue processing it (This only applies if certain conditions are met)
  5. To ask us to restrict the use of your information
  6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information ( This only applies were data is provided to us with consent or under the performance of a contract)
  7. To object to how your information is used.
  8. To challenge any decisions made without human intervention (automated decision making).

    7. Is my data transferred overseas or sold for profit to other organisations?

    Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK.

    The Trust will never sell any information about you to other organisations for profit.

    8. How long do we retain your records?

    All our records are destroyed or retained in accordance with the NHS Code of Practice: Records Management, which sets out the appropriate length of time each type of NHS records is held for. We do not keep your records for longer than necessary.

    All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

    9. National Data Opt-Out Programme

    The national data opt-out is a new service, introduced on 25th May 2018 by NHS Digital, that allows people to opt out of their confidential patient information being used for research and planning purposes. Individual preferences will begin to be collected from 25th May 2018 and by 2020 all health and care organisations are required to have applied these preferences in all research and planning situations in which confidential patient information is used. NHS Digital will apply these preferences with immediate effect.

    You can find out more about the wider use of confidential personal information and to register your choice to opt out by visiting www.nhs.uk/your-nhs-data-matters.

    10. Further Information

    If you have any questions or concerns regarding how we use your information, please contact the Trust's Data Protection Officer:

    The Information Governance Manager
    The Clatterbridge Cancer Centre NHS Foundation Trust
    Clatterbridge Cancer Centre - Wirrral
    Clatterbridge Road
    Wirral
    CH63 4JY

    Tel: (0151) 556 5844
    E-mail: ccf-tr.cccdataprotectionofficer@nhs.net

    11. Information Commissioner's Office

    The Information Commissioner’s Office (ICO) is the regulator for current data Protections Laws and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

    Additionally, you have the right to complain to the Information Commissioner if you should ever be dissatisfied with the way the Trust has handled or shared your personal information:

    The Information Commissioner's Office (ICO)
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF

    Tel: 0303 123 1113 or 01625 545745
    Information Commissioner's Office website - www.ico.org.uk

    12. Children

    A child friendly copy of this privacy notice is available to download from here