Confidentiality & Data Protection

(If you work or volunteer at the Trust, please click the below button to view the Staff Privacy Notice)

Staff Privacy Notice

If you want a Child Friendly copy or a copy in a different format, please email:

ccf-tr.cccDataProtectionOfficer@nhs.net

How your personal data is being used by The Clatterbridge Cancer Centre NHS Foundation Trust

For Covid-19 and your information please click here

The Clatterbridge Cancer Centre NHS Foundation Trust is one of the UK’s leading cancer centres providing highly specialist cancer care to a population of 2.3m people across Merseyside, Cheshire and the surrounding areas including the Isle of Man.

We are based in Wirral, Liverpool, and Aintree, and have a number of satellite sites.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z7367711.


What information do we collect about you?

We will collect:

1. Your name, address, contact details and date of birth - we need this to send you letters or telephone you about your care, and to identify you when you visit us. It also helps us to receive your information from other hospitals if needed.

2. Your health information including any scans and test results

3. Information about your family or carers or Next of Kin. This lets us know who to contact in an emergency. Your next of kin does not have a legal right to view your medical records or access any confidential information about you.

4. Information about your religion to provide patients with a chaplaincy service and meet your spiritual needs

5. What language you speak, to make sure we can provide an interpreter if needed

6. Whether you have a disability so we can make sure we can meet any needs you have

7. Your GP details to let them know what care and treatment you receive from us

How do we collect information about you?

We collect information from you, from your GP or other hospitals who care for you. When you receive care from us, staff will collect information for your health records. We might also receive information from anyone else involved in your care, like a care home or social services.

How do we use your information?

Direct Care

We use your information to provide you with care and treatment. This might include sharing your information with other NHS organisations that provide care to you.


Complaints, Feedback, Legal Claims and Incidents

If you have made a complaint, staff investigating the complaints will need to access your health records and might need to share information with third parties such as solicitors. The same applies if you have made a legal claim against the Trust.

If you have provided feedback on a service, we may need to share your information about your care with us with relevant staff, in order to look into your feedback.

If you have been involved in a serious incident, staff investigating the incident will need to access your health records.


Clinical Audits

The Trust have to monitor the services and treatment we provide. This means our clinical staff have to use patient information to look at the quality of the care we have provided.

Research

The Trust may use anonymised information for research - this means you cannot be identified from the information.

If identifiable information is needed, you will be asked for consent first.


CCTV

We have CCTV at our sites in order to protect patients, staff and visitors and to prevent crime. CCTV is also used to monitor safety incidents.

We do not have CCTV in any areas where patients receive treatment or that would be considered private (bathrooms and changing rooms).


Health service planning and management

Information about how our patients are cared for is collected, such as appointment waiting times. This is used to monitor the service we are providing.

Who do we share your information with?

The Clatterbridge Cancer Centre NHS Foundation Trust works closely with other organisations to support patient care. This means that information will be shared between the hospital and other organisations who may be caring for you or involved in your care or who have a responsibility for management of the whole NHS. These may include:

  • NHS England
  • NHS Digital
  • NHS Business Services Authority
  • NHS Counter Fraud Authority
  • Public Health England
  • Other NHS trusts
  • Your GP
  • Ambulance services
  • Cancer registries
  • Local authorities such as social services

The Trust is part of a regional sharing agreement called Share2Care, ensuring records can be shared by other care providers involved in your treatment and care.

We also have to share data for monitoring our performance, such as Analysis of Cancer Waiting Times. This looks at whether we are seeing patients in a timely manner.

Where information is to be shared across organisational boundaries on a regular basis, we put in place information sharing agreements between all of the sharing parties involved. For a list of current Information Sharing Agreements please click here

National Registries

The law (Section 251, NHS Act 2006) says we must share some patient information with NHS England, for national registers. This includes the Cancer Registry* and the National Disease Registration Service**

*For more information on the Cancer Registry please see the following websites:

https://www.gov.uk/guidance/national-cancer-registration-and-analysis-service-ncras

https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/gdpr/gdpr-register/cancer-registry-canreg

** National Disease Registration Service: High Cost Drug Patient Data to support the National Congenital Anomaly and Rare Disease Registration Service (NCARDRS). https://www.ndrs.nhs.uk/


Legal Requirement

By law, we have to share some information, such as to the police to prevent a crime or to notify of infectious diseases. We will also share information for this purpose securely and in line with the law.

How do we keep your information safe?

  1. All staff at the Trust must abide by the Common Law Duty of Confidentiality and have a confidentiality clause in their contract of employment.
  2. All staff at the Trust undertake annual training on keeping your information safe, secure and confidential.
  3. Every year the Trust must meet certain standards to make sure we are keeping information secure and to make sure our computer security meets high standards.
  4. We only collect, use and share the minimum information necessary about you.

How long do you keep my information for?

We only keep your data for as long as is necessary. This is required by law. We follow the NHS Records Management Code of Practice.

For cancer patient records, this is usually 30 years after you last had contact with us.

What are your rights?

  1. We must tell you what information we collect about you, why we collect it and how we use it
  2. You can request a copy of the personal data we hold about you, e.g. in health records. This is free of charge (unless repeated copies are asked for)
  3. You can let us know if your information needs updating or if it's incorrect
  4. You can ask for your information to be deleted or removed (this does not apply to your individual health or care record, or for public health or scientific research reasons)
  5. You can ask us to restrict how we use your information
  6. You can ask us to securely send a copy of your information to another organisation
  7. If you are not happy with how we use your information, you can let us know
  8. If any decision is made about you without human intervention (this does not routinely happen at the Trust), you can challenge the decision


Do we use Artificial Intelligence?

There may be some activities we use artificial intelligence for; however, we do not use it to make any clinical decisions. For example, we may use artificial intelligence to do something that would otherwise be a manual task which is quite painful for a patient. The result of the artificial intelligence output is then thoroughly checked by a relevant member of staff.

We also may use something called 'Robotic Process Automation'. This is where an online robot (known as a digital worker) undertakes administrative tasks that would usually be carried out by a person.

National Data Opt-Out Programme

National Data Opt-Out: GDPR information - NHS Digital

You have a choice about how you want your confidential patient information to be used. If you’re happy for us to use your information, you do not need to do anything.

If you choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the National Data Opt Out Programme. If you do choose to opt out you can still consent to your data being used for specific purposes.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subject to.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

When there is a Court Order or a statutory duty to share patient data;

When there is a statutory power to share patient data;

When the patient has given his/her explicit consent to the sharing;

When the patient has implicitly consented to the sharing for direct care purposes;

When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

This list is not exhaustive but indicative of the information recorded.

Is my data transferred overseas or sold for profit to other organisations?

Your information will only be sent outside of the UK where the country has laws in place that meet the standards of data protection similar to those in the UK. We perform a number of checks to ensure this.

The Trust will never sell any information about you to other organisations for profit.

Further Information

If you have any questions or concerns regarding how we use your information, please contact the Trust's Data Protection Officer:

The Information Governance Manager
The Clatterbridge Cancer Centre NHS Foundation Trust
Clatterbridge Cancer Centre - Wirral
Clatterbridge Road
Wirral
CH63 4JY

E-mail: ccf-tr.cccdataprotectionofficer@nhs.net

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

ICO website

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

How to make a complaint to the ICO

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

0303 123 1113

01625 545 745

casework@ico.org.uk


Purposes for using your information

Below are key examples of the purposes and rationale for why we collect and process information:

Purpose: Complaints

Rationale: Legal Basis
We will need to rely on your explicit consent to undertake such activities.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Purpose: Direct Patient Care

Rationale: Legal Basis
Health and Social Care Act 2012. We need to collect, record, store and use your personal data in order to provide our healthcare services to you.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Purpose: For other organisations to provide support services for us

Rationale: Legal Basis

We have entered into contracts with other companies/organisations to provide some services for us or on our behalf. These organisations are known as “data processors”.

These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.


General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Purpose: Patient and Public Involvement

Rationale: Legal Basis

We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

For processing special categories of personal data:

  • Article 9(2)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Purpose: National Registries

Rationale:

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

  • Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Purpose: Research

Rationale: Legal Basis

Consent to participation in research is not the same as consent as the legal basis for processing under data protection legislation. The Trust does not use consent as the basis for processing for research purposes; instead it will use the GDPR articles listed below.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For processing special categories of personal data:

  • Article 9(2)(j) – Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Purpose: CCTV Cameras

Rationale: Legal Basis

This is for the purposes of public safety and crime prevention/detection. In all locations, signs are displayed to notify people that CCTV is in operation and to provide details of whom to contact for further information about the scheme.

General Data Protection Regulation

For processing personal data:

  • Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Purpose: Analysis to improve the services provided to our patients

Rationale:

For processing personal data:

Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For processing special categories of personal data:

Article 9(2)(h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Procurement

Health Procurement Liverpool is a new shared Procurement function for Alder Hey Children’s Hospital, Clatterbridge Cancer Centre, Liverpool Heart & Chest Hospital and the Walton Centre Trust. In May 2021 the Trusts named above agreed to create a single shared procurement alliance in order to strengthen procurement services, support integrated ways of working and to deliver efficiencies through economies of scale and consolidated purchasing activity. The shared service is hosted by The Walton Centre.

Patient/Staff Data - Patient data will not be processed by HPL. If any staff contact information is passed over during the requisition phase to HPL, the information will be removed and changed to initials only.

Supplier Data – Data such as contracts registers, supplier contracts and bid prices, supplier spend and usage on products/services, supplier addresses and representative contact details will be held centrally by Health Procurement Liverpool.

For further information regarding the sharing of information across the HPL collaboration please contact:

Katie Tootill

Chief Procurement Officer

Katie.tootill@nhs.net

All sharing of information is carried out in line with the Data Protection Act 2018/UK General Data Protection Regulation.