One Health and Care Privacy Notice
What is One Health and Care?
Information regarding your health and care is recorded across NHS organisations and local authorities. One Health and Care pulls the key information from these different health and social care systems and displays it in one combined record. This enables registered professionals involved in your care to find all the key, most up-to-date information in one place which helps to provide better, safer care.
When you visit any of the organisations listed below, or use services provided by them, staff directly involved in your care will have access to the important information from health and social care records.
The organisations participating in One Health and Care cover Staffordshire, Stoke-on-Trent, Shropshire, Telford and Wrekin, and Black Country and West Birmingham. Organisations who will be including Health and Social Care data are listed below:
- Staffordshire and Stoke-on-Trent GP practices
- University Hospitals of North Midlands NHS Trust
- University Hospitals of Derby and Burton NHS Foundation Trust
- Midlands Partnership NHS Foundation Trust
- North Staffordshire Combined Healthcare NHS Trust
- Staffordshire County Council (social care)
- Stoke-on-Trent City Council (social care)
- Continuing healthcare services provided by NHS Midlands and Lancashire CSU
- West Midlands Ambulance Service
- Shropshire, Telford and Wrekin GP practices
- Shropshire Community Health NHS Trust
- Shropshire Council (social care)
- Telford and Wrekin Council (social care)
- Shrewsbury and Telford Hospital NHS Trust
- Robert Jones and Agnes Hunt Orthopaedic Hospital
- Black Country and West Birmingham GP Practices - A full list of GP practices can be found here
- The Dudley Group NHS Foundation Trust
- Sandwell and West Birmingham Hospitals NHS Trust
- Walsall Healthcare NHS Trust
- Royal Wolverhampton Hospitals NHS Trust
- Black Country Healthcare NHS Foundation Trust
- Dudley Integrated Health and Care NHS Trust
- Dudley Metropolitan Borough Council
- Sandwell Metropolitan Borough Council
- Walsall Metropolitan Borough Council
- Wolverhampton City Council
All partner organisations involved with One Health and Care are registered with the Information Commissioner’s Office (ICO) to process your personal data in accordance with the current Data Protection Legislation and any subsequent revisions. The data protection notifications for all participating organisations can be found on the Information Commissioner’s website. This guidance explains in more detail the types of information that are recorded about you, why this is necessary and the ways in which this information may be used.
There are also plans to make your records available to other health and social care partners across the wider West Midlands Shared Care Record. A list of West Midlands partner organisations can be read here
The health and care professionals involved in your care keep records about your health and any treatment and care you receive from the NHS and local authority social care. Sometimes data is collected in order to provide services and sometimes it is collected because there is a statutory responsibility to do so. These records help to ensure that you receive the best possible care.
This information may include:
- Basic details about you such as name, address, date of birth, next of kin, NHS number etc
- The name of your GP Practice and GP
- Notes and reports about your health, treatment and care
- Medications, allergies, ongoing and historic conditions, immunisations and diagnoses
- Procedures and investigations
- Test results, hospital referrals, admissions, discharges, appointments and clinics attended
- Relevant information from people who care for you and know you well such as health staff and relatives/carers
- Social and mental health information and care plans
It is essential that your details are accurate and up to date. Always check that your personal details are correct and please inform the individuals involved in your care of any changes as soon as possible.
As part of the information that gets fed securely into the One Health and Care system, your data may be collected directly from you, or data about you may be gathered from other sources who work in partnership together. Other agencies or organisations may be asked for relevant data about you to fulfil partner legal responsibilities or to provide you with the correct service.
The personal information viewed within One Health and Care will be used for the purpose of your direct care. It will always be used in line with each organisation’s responsibilities, where there is a legal basis to do so, and in line with your rights under Data Protection Legislation. Personal data viewed within One Health and Care will only be used to provide services you have requested or require.
Only health and social care professionals involved in your direct care will have access to your health and social care data within One Health and Care.
If your data within One Health and Care is to be used for a purpose outside of your care, information regarding this will be provided before it occurs and you will have the opportunity to object.
The information within One Health and Care will be used in order to:
- Deliver health and care services and understand your needs
- Contact you when necessary
- Obtain your opinion and feedback about the services provided
- Ensure that partner legal obligations are fulfilled
One Health & Care will not use your personal data to make decisions about your Direct Care by automated means without any human involvement.
Covid-19 Supplementary Statement
This notice describes how we may use your information within One Health and Care to protect you and others during the Covid-19 outbreak. This supplements the information throughout the OHC main Privacy Notice.
The health and social care system has faced significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information is vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS organisations; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.
Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.
Further information is available on gov.uk here and some FAQs on this law are available here.
It is also important to note that it may take organisations longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst efforts are focused on responding to the outbreak.
There may also be a requirement to share information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
This privacy notice may be updated at any time so please review it frequently.
All the organisations which contribute data to One Health and Care collect, store and use large amounts of personal data every day and take the duty to protect your personal information and confidentiality very seriously. Under Data Protection Legislation the partners have a legal duty to protect any information held about you and are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which they are responsible.
Therefore measures are taken to safeguard your data and apply security standards and controls to prevent any unauthorised access. One Health and Care information will be stored securely. It will only be used for the purpose of direct care and your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law.
All partners have a Senior Information Risk Owner appointed for their organisation, who is accountable for the management of all information assets and any associated risks and incidents, as well as a Caldicott Guardian, who is responsible for the management of patient information and patient confidentiality.
Each partner and its employees that use One Health and Care must adhere to the following information security measures:
- Up to date annual staff training
- Robust policy and procedures for example regarding password protection
- Technical security measures to prevent unauthorised access
Use of the One Health and Care system can be audited at any time. This allows confidentiality to be monitored where necessary.
Your information will always be held and processed securely. The “One Health & Care approach” is in line with the Data Protection legislation which provides the legal basis to share information between health and care services when it is needed to deliver care. The Care Act 2014, Children Act 2004 and the Health and Social Care Act 2015 show that Health and Social Care organisations must work together when providing care. The Data Protection Act 2018, also referred to as UK GDPR, shows the legal basis for data sharing and your rights. Both Article 6(1)(e) “performance of a task carried out in the public interest” and Article 9(2)(h) – “medical diagnosis, the provision of health or social care or treatment or management of health or social care systems” give the legal basis for our shared care record.
Your data may also be shared by organisations where there is a high risk of harm to yourself or others; this may be to respond to an emergency situation or to provide protection to vulnerable adults or children. The legal bases for sharing for these reasons are Article 6(1)(d) and Article 9(2)(h) – “Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”, and Article 6(1)(c) – “legal obligation to which the controller is subject” and Article 9(2)(g) – “processing is necessary for the purposes of substantial public interest (protection of vulnerable individuals)”.
Your records are kept for as long as necessary within the source systems in accordance with your care. Changes within the source systems are reflected within One Health and Care at the next available data upload. The retention schedules managed and maintained by the partners are aligned to industry best practice.
Further information can be found in a document called Record Management Code of Practice for Health and Social Care 2021.
Please consider carefully before raising an objection as it could mean that vital information about you is not immediately available when you require health or social care support. If your data is restricted, your information will not be viewable within One Health and Care; however, it will continue to be shared by health and care organisations by phone, email and on paper where required as part of your direct care. If you would like to find out more information you can either speak to your GP Practice or the Health and Care professional involved in your care/treatment.
If you have received care from any of the organisations who are contributing data to One Health and Care, information will be viewable by health and care professionals who are involved in your direct care. If you do not want your information viewable, you can raise an objection to stop your information being seen. If your GP Practice is contributing data to One Health and Care, you will need to raise your request by contacting your GP Practice and discussing the request with them. GPs reserve the right to refuse the objection if they are satisfied that your removal from the record would cause significant detriment to your care or compromise your safety.
If you are aged 16 or above, we will process your ‘right to object’ by carrying out our normal checks on the details you have given us. From the age of 13 to 16, we will consider your right to object if submitted on your behalf by someone with parental responsibility. If it has not, we will ask a recognised health or care professional if they consider you to be competent to make such a decision. If you are under the age of 13, we will only consider your right to object if it has been signed on your behalf by someone with parental responsibility.
Please click here to review participating GP Practices.
If your GP Practice is not listed, please raise your request by emailing OHC.Objection@nhs.net. You will need to provide your full name, DOB and NHS Number to enable your request to be processed.
If your data is restricted from view, you can change your mind at any time and have your data viewable by contacting your GP Practice. If you opted out of the national Summary Care Record previously then your data will be automatically restricted from view within One Health and Care and you do not need to contact your GP unless you wish to change this.
Please consider carefully before raising an objection as it could mean that vital information about you is not immediately available when you require health or social care support. If you are uncertain about whether you should have your information shared, please talk to those who are involved in your care and treatment.
If you do not want your information viewable, you can raise an objection to stop your information being seen. You will need to contact your GP Practice to request an objection to be updated within your GP record, to stop your information being shared in One Health and Care. Your GP has the right not to action your request should they feel it is not in your best interest and would affect the health and care treatment provided. Please check the links below to see if your GP Practice is sharing information.
- Staffordshire and Stoke-on-Trent GP Practices
- Shropshire, Telford and Wrekin GP Practices
- Black Country and West Birmingham GP Practices
Due to national changes on how opt outs are recorded for the National Summary Care Record, from 1st April 2022 your information will be viewable within One Health and Care. If you do not want your information viewable an objection can be raised.
Under Data Protection Legislation you have various rights regarding your data. In relation to One Health and Care the following rights could be requested.
- Access – You have the right to request access to information held about you by organisations that are providing your care.
- Rectification – If you think data held about you is factually incorrect you have the right to ask for it to be corrected. You may be requested to provide evidence of the alleged inaccuracy.
- Restriction – You have the right to request the restricting of processing your data in certain scenarios, for example if you contest the accuracy of the data and the verification of its accuracy requires checking.
- Object – You have the right to raise an objection to your data being included in One Health and Care. It should be noted this is not an absolute right and would be considered on a case by case basis.
- Raise a complaint or concern – Regarding how your data is handled to the relevant partner organisation.
Because the data viewable in the One Health and Care system is sourced from various partners, requests will need to go to the relevant originating organisation, which can then process your request.
- For GP practices please contact your own GP surgery for guidance.
- For each NHS organisation, please write to the Access to Health Records Department of the organisation that has generated the information.
- For local authorities, please write to the data protection officer of the relevant council.
The organisation should provide your information to you within one month (or two months if the request is deemed complex) following receipt of:
- Adequate information (for example full name, address, date of birth, NHS number, etc.) so that your identity can be verified and your records located
- An indication of what information you are requesting to enable the organisation to locate it.
Please contact the respective organisation regarding information held about you, or if you have a complaint about privacy or misuse of data relating to one of the partner organisations.
If you have a specific query about One Health and Care, please email: email@example.com
If you are not satisfied with a response from a partner of the One Health and Care partnership with regard to your rights above, or believe your data is not being processed in accordance with the law, you can raise this with the Information Commissioner’s Office (ICO).