Name: Nottingham CityCare Partnership CiC (CityCare)
Address: Aspect House, Aspect Business Park, Bennerley Road

Bulwell, Nottingham, NG6 8WR
General phone number: 0800 5612121 (9am-5pm, Mon-Fri only)
Website: https://www.nottinghamcitycare.nhs.uk/

We are the controller for your information. A controller decides on why and how information is used and shared.

Data Protection Officer contact details

Our Data Protection Officer is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at ncp.dataprotection@nhs.net or by visiting https://www.nottinghamcitycare.nhs.uk/contact-us

The personal information we collect is provided directly from you for one of the following reasons: 

• you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care.
• you have sought funding for continuing health care or personal health budget support.
• you have signed up to our newsletter/patient participation group.
• you have made an enquiry or complaint.
• you have given feedback such as a patient story or compliment.

We also receive personal information about you indirectly from others in the following scenarios:

• from other health and care organisations involved in your care so that we can provide you with care.
• from family members or carers to support your care.

Personal information

We currently collect and use the following personal information:

• Personal identifiers and contacts, such as your name, address, date of birth, telephone number, email address (where applicable) and emergency contact details.
• Equality and diversity data (for example, ethnicity and religion). We are legally obliged to collect this information so we and our Commissioners can be sure that we provide our service fairly to anyone from any background or community who may need them.
• Clinical information such as notes and reports about your health, information about your treatment and care, results of laboratory tests, x-rays and medication.
• Information from other people who are involved with your care, such as other health and social care professionals or relatives.
• Records on other contact we have had with you, for example, if you have contacted us with an enquiry, or have attended an event and agreed for us to send you our newsletters or other communications materials.
• Telephone call recordings. CityCare telephones have line caller ID and calls to the Health and Care Point Service are recorded for training and monitoring purposes.
• Photographic identity (photo ID) (for example, when submitting a subject access request or for our website).

More sensitive information

We process the following more sensitive data (including special category data):

• data concerning physical or mental health (for example, details about your appointments or diagnosis).
• data revealing racial or ethnic origin.
• data concerning a person’s sex life.
• data concerning a person’s sexual orientation.
• genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service).
• biometric data (where used for identification purposes).
• data revealing religious or philosophical beliefs.
• other information such as Safeguarding information which may require a higher level of confidentiality and security.
• data relating to criminal or suspected criminal offences, particularly where committed on CityCare premises or identified as part of your care and treatment. This includes the reporting of gunshot wounds.

We may share information with the following types of organisations:

• Hospitals, GP Practices, Care Homes, Community Care, Charities.
• Local Authorities and Social Care Providers.
• Third party data processors (such as IT systems suppliers).
• Planners of health and care services (such as Integrated Care Boards).
• Regulatory bodies such (such as NHS England, Care Quality Commission).
• Education Providers.

In some circumstances we are legally obliged to share information. This includes:

• when required by NHS England to develop national IT and data services.
• when registering births and deaths.
• when reporting some infectious diseases.
• when a court orders us to do so.
• where a public inquiry requires the information.

We will also share information if the public good outweighs your right to confidentiality. This could include:

• where a serious crime has been committed.
• where there are serious risks to the public or staff.
• to protect children or vulnerable adults.

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

Purposes that do not directly relate to care could include:

• Checking the quality of care and care records (known as clinical audit).
• Protection of the health of the general public.
• Keeping track of NHS spending.
• Managing and improving services.
• Teaching health workers.
• Assisting with research.
• Statistical purposes.
• Investigating any concerns or complaints that you and your family may have about your care.

Some research or audits require person-identifiable information to be effective. We will always ask your permission before information that could identify you is used for research. We will never sell your information or provide it to any organisation for sales or marketing purposes.

Is information transferred outside the UK?

Our data is hosted in United Kingdom and is only available to our staff and technical support staff in the UK.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

(a) We have your consent - this must be freely given, specific, informed and unambiguous. This is not relied upon for your individual, direct care but may be required for the use of cookies on the website, for example.

(b) We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.

(c) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care. This will likely apply to the provision of NHS and Social Care Services provided to that is regulated by the CQC.

(d) We have a legitimate interest – this particularly applies to CityCare as a Social Enterprise and Private Limited Company by Guarantee.

More sensitive data

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category):

(a) We need it for employment, social security and social protection reasons (if authorised by law). See this list for the most likely laws that apply when using and sharing information in health and care.

(b) We need for a legal claim or the courts require it.

(c) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(d) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(e) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(f) For Archiving, research and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses).
• we have a legal requirement to collect, share and use the data.
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

Everyone working for health and social care providers has a legal duty to keep information about you confidential. Other organisations providing you with care, who have access to your records, also have a legal duty to keep it confidential.

Information which is collected about you may be electronic, on paper or a mixture of both. CityCare’s computers, shared drives and email systems are kept on the NHS secure network.

CityCare’s electronic records about your health are stored on a records system called SystmOne, which is used by many healthcare providers in England and Wales. The system and all records on it are also held on NHS secure networks. SystmOne automatically records who has accessed any of your records that are held on this system.

Paper records are locked in secure locations. All our staff are trained on how to manage confidential information and annual audits are carried out to make sure that our systems are working. We also use technology such as password protecting documents to make sure your information is kept confidential and secure.

To protect your privacy, our staff may not leave telephone messages for routine contacts, or will only leave their first names. CityCare sometimes uses general or team email addresses because these can be checked daily, whereas an individual may be out of the office and unable to respond to you.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

• securely dispose of your information by shredding paperwork.
• securely dispose of your electronic information by wiping hard drives to legal standards of destruction including when disposing of electronic equipment.
• archive your information within the relevant electronic system or shared drive. Some paper-based records are held offsite at secure storage locations by Third Party Contractors.
• deleting your record from the organisations shared drive, where applicable.

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request). To make a subject access request, please visit https://www.nottinghamcitycare.nhs.uk/about-us/public-policies-and-statement/accessing-your-health-records

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances. The right to erasure does not apply to your medical records or information that has been provided by health and care employee by their ‘medical professional opinion’, or information we have a legal obligation to hold.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances. Should you object to us sharing your health and care data with the Hospital for example, then your treatment may be impacted and another service or department may not be able to see you.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at the details above if you wish to make a request.

Automated decision making 

CityCare does not use automated decision making processes to determine your health and care needs.

CityCare are applying the national data opt-out because we may use confidential patient information for planning or research purposes.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided.
• research into the development of new treatments.
• preventing illness and diseases.
• monitoring safety.
• planning services.

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

If you have any concerns about our use of your personal information, you can make a complaint to us at ncp.customercare@nhs.net who will liaise with CityCare’s Data Protection Officer at ncp.dataprotection@nhs.net

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:         

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

This Privacy Notice was last reviewed on 28^th September 2023.

The next annual review is due 28^th September 2024.

Patients Know Best (PKB)

Patients Know Best (PKB) provides a patient-held repository which allows for both patient access and patient contribution to their own health records. Patients can determine which organisations and teams can view their personal data. This processing is done through article 9(2)(h) and 9(2)(a) of GDPR 2018.

PKB cannot see your health record and has no control over your record. They keep your information on secure servers. They encrypt the data so no one can see your health record except the people you choose or those with a lawful basis. PKB is registered with the Information Commissioner’s Office (“ICO”), which regulates data protection in the UK, and its registration number is Z2704931.

If Nottingham CityCare Partnership (CityCare) has data about the User and CityCare agrees to release the data to Patients Know Best, Patients Know Best will show the data in the User Account.

At CityCare, we are utilising PKB and expanding its use through a number of our Clinical Services, therefore as part of your pathway with CityCare you may have the opportunity to sign up for PKB.

Any information that you choose to input in your PKB account is yours to decide who to share it with if anyone.

PKB tracks software usage to improve software quality. PKB does not track identifying information or records. PKB uses cookies to improve website operation and usage; for example, we use cookies to set a Users language and to monitor usage trends. Cookies do not contain identifying information such as IPs, health data or personal details.

You are able to see a view of who has viewed the data that you have given your health and care team permission to see by using the access log functionality: https://manual.patientsknowbest.com/patient/access-log

For more information please see PKB’s privacy notice: https://patientsknowbest.com/privacy-policy/

Text Health is a confidential text messaging service that enables children and young people (aged 11-19) or parents of children aged 0-19 to contact Nottingham City’s 0-19 Public Health Nursing Team.

Messages are reviewed by a team comprising Specialist Public Health Nurses (Health Visitors and School Nurses), and Registered Nurses working in Nottingham CityCare’s 0-19 Public Health Nursing Team.

Messages are answered within 24 hours, Monday to Friday, between 8:30am and 5pm, except Bank Holidays.

Text messages are transcribed onto Nottingham CityCare’s electronic patient records if users’ personal details are provided.

Where text messages are anonymous they are stored securely in line with national guidance on management of health records. Nottingham CityCare’s Text Health service is supported by Chat Health.

For more information and to see their privacy notice please visit https://chathealth.nhs.uk/