A PDF version of the information below is provided here.

A short version of the information below is provided here.

What is a Privacy Notice?

A Privacy Notice describes how organisations use personal information. This page describes how Tees, Esk and Wear Valleys NHS Foundation Trust (TEWV) uses your personal information to deliver healthcare.

Personal information is information that identifies you as an individual. This leaflet answers key questions about how the Trust uses (processes) your personal information. Data protection laws control the use of personal information of living individuals. An easy-read shortened version of this notice will soon be available our on website.

Key information

Tees Esk and Wear Valleys NHS Foundation Trust is a Controller under data protection law.

Data Protection Officer: Louise Eastham, Head of Information Governance, Information Governance Department, Tarncroft, Lanchester Road Hospital, Lanchester Road, Durham, DH1 5RD.

Purpose of processing: TEWV provides a range of inpatient and community mental health and learning disability services for around 2 million people of all ages living in County Durham; Darlington; the four Teesside boroughs of Hartlepool, Stockton, Middlesbrough and Redcar and Cleveland; the Scarborough, Whitby, Ryedale, Hambleton, Richmondshire, Selby and Harrogate areas of North Yorkshire; the City of York; the Pocklington area of East Yorkshire; and the Wetherby area of West Yorkshire.  Our children and young people’s wards, our adult inpatient eating disorder services and our Adult Secure (Forensic) wards serve the whole of the North East and North Cumbria.  TEWV also provides mental health care within the prisons located in North East England, Cumbria and Lancashire.

Lawful basis for processing: the performance of a task carried out in the public interest or in the exercise of official authority. 

Retention of information: we hold adult service user records for 20 years after last contact. 

Overseas transfers: data is not routinely transferred outside the UK. 

 

Contents

Data Protection Officer contact details
Why do you hold and record information about me?
What information do you record about me?
Who do you share my information with?
Will you share my personal information for research purposes?
Will you transfer my personal information overseas?
How long will you keep my personal information?
What are my information rights?
Right to information
Right to access
Right to rectification
Right to be forgotten
Right to restriction of processing
Right to notification
Right to data portability
Right to object
Right to appropriate decision making
Right to withdraw consent
How can I make a complaint about the way my personal information has been used?
How do you collect my information and how do you store it?
Do I have to give you my personal information?
Is my personal information used in profiling or automated decision making?
How do you make sure my personal information is safe and secure?
How do you protect my privacy and confidentiality?
How will you meet my communication needs?
Why do you use CCTV?

 

Information More information

Data Protection Officer contact details

Organisations that use personal information are known as Controllers. Tees, Esk and Wear Valleys NHS Foundation Trust is a Controller.  Organisations that are controllers have a Data Protection Officer.

The Data Protection Officer has expert knowledge and they make sure that personal information is used according to the law. The Data Protection Officer for Tees, Esk and Wear Valleys NHS Foundation Trust is: 

Louise Eastham
Head of Information Governance
Information Governance Department
Tees, Esk and Wear Valleys NHS Foundation Trust
Tarncroft
Lanchester Road Hospital
Lanchester Road
Durham
DH1 5RD

Telephone: 0191 333 6637

Email: TEAWVNT.AccessRequests@nhs.net 

Further information about TEWV can be found at the Trust’s website: Tees, Esk & Wear Valleys NHS Foundation Trust

 

 

 

 

The Data Protection Officer is the point of contact between the Controller and the Information Commissioner’s Office (ICO). The ICO is the The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

 

Why do you hold and record information about me?

The Health and Social Care Act 2012 and the Care Act 2014 are the laws that tell us we have to keep records about the care and treatment you receive. 

 

Health and Social Care organisations are public authorities that use personal information to deliver appropriate treatment and care specific to individual’s needs. These organisations use personal information to make sure:

  • Service users receive the best possible care and treatment;
  • Those involved in your care have accurate and up-­to-­date information to help them provide the best care for you;
  • Full information is available should you see another doctor, be referred to a specialist or another part of the NHS
  • That should you have a problem or concern, your care record will help with any investigation

 

TEWV is a public authority and we have to use personal information to carry out our public authority duties. Our lawful basis for processing personal information is ‘for the performance of a task carried out in the public interest or in the exercise of official authority’. Refer to Article 6(1)(e) – Lawfulness of processing of the General Data Protection Regulation (GDPR)

 

We deliver care and treatment to improve health so we collect information about your mental and physical health. This is classed as ‘special’ information which means we also rely on Article 9(2)(h) of the GDPR for lawful processing.

 

We do not need your consent to use your personal information for the delivery of direct care because we are an NHS Trust. We use personal information because it is necessary for us to use this to carry out our activities as an NHS organisation.

 

What information do you record about me?

We record various items of information about you which will include:

  • Basic details about you, such as your name, date of birth and address
  • Contacts we have had with you; scheduled and unscheduled appointments
  • Details about your care; treatment and advice given and referrals made
  • Results of investigations, g., blood tests
  • Relevant information from people who care for you and know you well

 

Note: if you give your mobile phone number as a means of contact then we will assume you agree to accepting voicemail messages and text messages. If you do not agree to this please tell the clinician providing your care and treatment.

 

The information listed above is known as ‘primary data’ and is collected and used for healthcare and medical purposes. This will directly contribute to your treatment, diagnosis or care.  It is also used by administrative staff within the organisation to ensure we maintain high standards in delivering health or care services. 

 

We also collect and use ‘secondary data’ for non-health or care purposes.  This includes research, audits, service improvement, commissioning and contract monitoring.  When personal information is used for secondary use this will be de-identified. 

 

Some of the items of information that we record about individuals will be classed as ‘special’. Special categories of personal data are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health information (physical and mental health information)
  • Sexual orientation
  • Genetic data (e., about the genes in your body, DNA) and biometric data (e.g., fingerprints, iris patterns, facial geometry)

 

We may also hold information about your criminal convictions and offences where relevant.

If you want to find out more about de-identified data go to the Information Commissioner’s Anonymisation Code of Practice

 

















































Anonymised data

This refers to data where individuals cannot be identified because all identifiers have been removed.

 

Pseudonymised data

Pseudonymisation is a process that removes the NHS number and any other identifiable information such as name, date of birth or postcode, and replaces it with an artificial identifier, or pseudonym.  Data which is pseudonymised is effectively anonymous to the people who receive and hold it.

Who do you share my information with?

We may share your information with a variety of organisations to make sure you receive the appropriate care and treatment for your needs.  We do not need to ask for your permission to do this. We will share your information internally between our own teams and also externally with other organisations such as:

  • NHS Trusts (acute health/mental health)
  • General Practitioners (GPs)
  • Private care providers
  • Local Authorities

 

In some limited circumstances we may share your personal information to ensure the safety of you or other individuals.  For example, we may share some of your information with the Police if you commit a serious crime. 

We may share your information with other organisations for other purposes – this is known as ‘indirect care’.  When we do this we will ask for your consent.  Your consent is only valid if it is freely given, specific, informed, unambiguous and you have given a clear indication that you agree to how we will use your personal information.  You may withdraw your consent at any time.

 

If you want to know exactly who we’ve shared your information with you will have to access your own records. Refer to the section on ‘What are my rights under the Data Protection Act – Right of Access’.

If you object to information sharing with specific individuals or organisations please discuss this with the clinician providing your care. If you do object we will have to consider the risks of not sharing. If the risks outweigh the benefit of sharing we will over-rule your right to object but we will explain this to you.

 

Will you share my personal information for research purposes?

High-quality research evidence underpins all our clinical services and our aim is to establish a culture of appreciative enquiry within the Trust.  We want to use research to improve the quality and value of care for our own patients, as well as to contribute to the worldwide evidence base for better mental health care. 

 

TEWV may use your personal information for its own research work. We do not need your consent to do this as long as the research is compatible with the purpose for which the data was originally collected. We will only carry out legitimate research in the public interest.

 

If you object to the use of your personal data for research purposes you will be able to use NHS Digital’s National Data Opt-Out system from the 25th May to set your preferences. You can set these in different ways. For example you can choose for your personal information to be used for local research and opt-out of its use for national research. Opting out of using your personal information for research purposes will not affect the care and treatment we will give you.

 

Will you transfer my personal information overseas?

We do not routinely transfer personal information to countries outside of the EU. This is checked yearly through a process called information mapping.  If we need to transfer your personal information to a country overseas we will make sure your information is safely protected.  If we do transfer your personal information outside of the EU we will tell you about this. 

 

 

General Data Protection Regulation

Article 4 (11), Articles 6(1)(a), 6(1)(e) and Article 7(1 – 4)

 

 

 

 

 

 

 

 

 

 

 

 

 

General Data Protection Regulation

Article 4 (11), Article 6(1)(a), and Article 7(1 – 4)

 

 

National Data Opt Out Programme

NHS Digital is the national information and technology partner to the health and care system. They use digital technology to transform the NHS and social care.

They are introducing a new tool that people can use to opt out of their confidential patient information being used for reasons other than their individual care and treatment. This will give you more control over how your person identifiable data is used. The system will let you exercise your right to make an informed choice about whether your personal identifiable data is only used for your individual care and treatment or also shared for research and planning purposes. 

 

If you decide you do not want to share your personal identifiable data for planning and research purposes you can set your national data opt-out preference online. NHS Digital will provide a non-digital alternative for patients who can't or don't want to use an online system. The preference will be set once and apply to all data sharing for planning and research purposes.

 

 
























General Data Protection Regulation, Article 6(1)(e) covers the use of personal information for the performance of a task carried out in the public interest, i.e., for research purposes.

 

General Data Protection Regulation, Article 6(4) covers the use of personal information for a purpose other than which it was originally collected.

 

How long will you keep my personal information?

Organisations must not retain (keep) personal information for longer than is necessary.  All records have a minimum retention time.  Different types of records have different retention times. For example:

  • Mental health records are kept for 8 years after death
  • Adult mental health records are kept for 20 years after last contact
  • Records for service users with a learning disability are kept for the lifetime of the individual.
  • Children’s records are kept until their 25th or 26th birthday depending on their age at conclusion of treatment.

 

NHS records retention times

Local Authorities set their own retention times although some may apply the NHS records retention times – refer to above NHS retention schedule.

What are my information rights?

The law provides you with rights that give you some control over the use of your personal information, as follows:

Right to information

You have the right to ask if your personal information is being processed by Tees, Esk and Wear Valleys NHS Foundation Trust or another organisation that works alongside us (a third party processor). Please write to the Data Protection Officer to request this information.  You may request a copy of the information and find out why your personal information is being used. 

Right to access

You have the right to see or be given a copy of your personal information.  To do this you will need to make a Subject Access Request (SAR).  Send your request to the Data Protection Officer.  We will aim to respond to your request within 30 days from the receipt of your request.  If your health or care history is long and complex we may take longer to provide you with the information.  If this is the case will let you know once we have assessed your request.  There is no charge for accessing your personal information.

 

If several health and social care organisations have contributed to your treatment and care you will have to make separate Subject Access Requests to each of these organisations. 

Information may be withheld from you if the organisation believes that releasing the information could cause serious harm to you or others. 

Information may also be withheld if another person (i.e, third party) is identified in the record, and they do not want their information disclosed to you.

Right to rectification

You have the right to have inaccurate information corrected.  This also includes making sure that incomplete information is added to, to make it complete.  If you wish to have incorrect or incomplete information corrected, contact the Data Protection Officer. 

Right to be forgotten

The law states that you can request that information is erased if you withdraw consent for processing or if organisations are not obeying the laws.  However, this right does not extend to organisations providing health and social care treatment. You may not use this right to erase health records. 

 

Right to restriction of processing

This allows you to stop us from carrying out specific processing of your personal data.  We can store your personal data but we may not process it unless you give us permission.  Contact the Data Protection Officer if you wish to restrict processing of your personal information.

Right to notification

We have a duty to let you know if we rectify, erase or restrict processing of your personal information.  We must also tell any recipients (third parties) with whom we have shared your personal information about any of these processing activities. 

Right to data portability

You can request copies of your personal information in a useful electronic format. This ensures that electronic transfer to another data controller may take place without difficulty. The right to data portability only applies in specific circumstances. It applies when:

  • TEWV is using consent to process personal information
  • TEWV is processing personal information for the performance of a contract; and
  • TEWV is carrying out the processing by automated means (e., excluding paper files).

Most of the care that TEWV delivers does not rely on consent or the performance of a contract so it is unlikely you will have an opportunity to use the right of data portability.

Right to object

You have a right to object at any time to the processing of personal information.  If you exercise this right we must stop processing your personal information immediately. 

Right to appropriate decision making

You have the right not to be subject to a decision based solely on automated processing including profiling. We do not currently use automated processing or profiling.

Right to withdraw consent

You have a right to withdraw any consent (permission) you have given at any time.  If you do this we must stop processing your personal information or decide if there are other legal grounds on which we can continue to use your personal information.  We do not rely on consent to use your personal information for the provision of direct health and social care. (Refer to ‘Why do you hold and record information about me?’)

If you want to exercise any of your rights please discuss firstly with a clinician then contact the Data Protection Officer.

If we rectify, erase or restrict the processing of your personal information we will let you know unless it is impossible or involves disproportionate effort.

The Information Commissioner’s website offers more information about Subject Access Requests.










If you want to access more general information about the organisation you may wish to submit a request for information under the Freedom of Information Act. Please submit your request to the Trust’s membership team.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

General Data Protection Regulation, Article 17(3)(c). 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The term profiling is described as:

any form of automated processing  of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

General Data Protection Regulation, Article 7(3) covers the conditions for consent.

How can I make a complaint about the way my personal information has been used?

If you are not happy about the way Tees, Esk and Wear Valleys NHS Foundation Trust have used your information you can complain.  You must firstly raise your complaint directly with the organisation through their complaints process. To raise a complaint contact:

Complaints Manager
Tees, Esk and Wear Valleys NHS Foundation Trust
Flatts Lane Centre
Normanby
Middlesbrough
TS6 0SZ

Telephone: 01642 451638

Email: tewv.complaints@nhs.net

You can get help with how to make a complaint from the Patient Advice and Liaison Service (PALS).  PALS staff are available Monday to Friday, 9am - 4pm and can be contacted by:

Freephone:             0800 0520219
Mobile:                   07775 518086
Email:                  tewv.pals@nhs.net

If you are not satisfied with the outcome of your complaint you may then take this to the Information Commissioner’s Office and the Parliamentary and Health Service Ombudsman. 

You can find out more information contained within the Trust’s Complaints Policy

 

After you have used the TEWV’s complaints process you may refer your complain to the Information Commissioner’s Office:

 

Wycliffe House

Water Lane

WILMSLOW

Cheshire

SK9 5AF

 

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

 

Or email: casework@ico.org.uk

 

You may also want to refer your complaint to the PHSO:

 

Parliamentary and Health Service Ombudsman

 

Telephone helpline: 0345 015 4033

Send a text to their 'call back' service: 07624 813 005, with your name and mobile number.

How do you collect my information and how do you store it?

When you are referred to our services and attend appointments or are seen at home, information about the care and treatment you receive is recorded in your health or care record. 

Most of the information we collect about you will come directly from you.  We may collect your information on paper, online, by telephone, by email, through CCTV, by a member of staff or from one of our partners.  Information will be stored in paper and electronic format. 

Some of our partner organisations may share your personal information with us.  Information sharing between health (NHS Trusts) and Social Care (Local Authorities) is routine and Information Sharing Agreements will exist between partner organisations. 

You can find out more about how we manage information by reading our Records Management Policy.

 

Do I have to give you my personal information?

We need your personal information so we can decide what care and treatment is appropriate for your specific needs.  The law allows us to collect personal information so we can provide health and social care services to the people who live in our local community.  We will only collect the information that is necessary.  We have to collect information about service users to promote your recovery – this is the law. 

 

Is my personal information used in profiling or automated decision making?

Your personal information is not used in automated decision making or profiling (refer to the Right to appropriate decision making section above).  We will update you if this changes.

 

How do you make sure my personal information is safe and secure?

We provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after your personal information properly.  

We use passwords for access to computer systems and when we need to transfer personal information electronically it is encrypted (translated into a special code to protect it from being seen by anyone not authorised to do so). 

When we need to transfer paper records we have a system in place called “tracking and tracing” to record their movement from one location to another.

NHS Digital’s Encryption Good Practice Guide and Tees, Esk and Wear Valleys NHS Foundation Trust’s Information Security and Risk Policy provide more information about how your information is kept safe and secure. If you want a copy of this TEWV policy you will have to request this.

 

The National Data Guardian: Review of consent and opt-outs lists 10 new data security standards. These standards are intended to apply to every organisation handling health and social care information, although the way that they apply will vary according to the type and size of organisation. 

How do you protect my privacy and confidentiality?

We employ a Privacy Officer whose role is to closely monitor access to electronic patient records to ensure that only those who have a justified reason to access your records do so.

TEWV has a Caldicott Guardian whose role it is to make the final decision on how, what, when and why personal information will be processed. 

TEWV’s Caldicott Guardian is Elizabeth Moody, Director of Nursing & Governance.  Information about her can be found here

The following document explains the various laws and rules about the use and sharing of confidential information:

HSCIC Guide to Confidentiality in Health and Social Care

 

Tees, Esk and Wear Valleys NHS Foundation Trust’s Confidentiality and Sharing Information Policy explains how we protect your privacy and confidentiality.  

How will you meet my communication needs?

We will aim to provide information to meet the needs of service users and/or parents/ carers, where those needs relate to a disability, impairment or sensory loss. 

The Accessible Information Standard sets out a specific, consistent approach to identifying, recording, flagging, sharing and meeting the information and communication support needs of service users, carers and parents with a disability, impairment or sensory loss

Why do you use CCTV?

The Trust uses CCTV for a variety of reasons:

  • Support the Police to prevent or detect crime or disorder;
  • Assist in the identification, apprehension and prosecution of offenders (including use of images as evidence in criminal proceedings);
  • Increase personal staff/patient/public safety and reduce fear of crime;
  • Protect Trust premises and its assets.

CCTV is used according to data protection law and its use is governed by a Trust policy and procedure.

The Information Commissioner has published a guide on the use of CCTV.

 

TEWV has a CCTV policy and procedure. If you want a copy of these you will have to make a request.

Trust address

Tees Esk and Wear Valleys NHS Foundation Trust
Trust Headquarters
West Park Hospital
Edward Pease Way
Darlington
DL2 2TS

 

 

Reference:  L1009
Version:  v2
Last updated:  13 / 06 / 2018
Archive date:  13 / 06 / 2021