How We Use Your Information

Using your personal data: the legal basis and purposes

We will use your personal data to direct, manage and deliver the care you receive to ensure that:

  • The doctors, nurses and other health and social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
  • Health and social care professionals have the information they need to be able to assess and improve the quality and type of care you receive
  • Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS

Your information will also be used to help us manage the NHS:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Manage the health service and ensure our services can meet future patient needs
  • Ensure the Trust receives payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Investigate patient queries, complaints and legal claims
  • Helping to train and educate healthcare professionals

For these purposes we use anonymous data wherever possible.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

Your information may also be used to protect the health of the general public.

This data will be processed when it is necessary to comply with a legal obligation (UK GDPR Article 6(1)(c) and necessary for public health (UK GDPR Article 9(2)(j)).  Wherever possible we will use anonymous data.

Your information may also be used to ensure that adult and children’s safeguarding matters are managed appropriately.

This will only be when it is necessary to perform a public task (UK GDPR Article 6(1)(e)) and when it is necessary to carry out obligation under social protection law (UK GDPR Article 9(2)(b)).

Your information may also be used for health research and development (see below).

The legal basis for this processing is necessary to perform a public task (UK GDPR Article 6(1)(e)) and is necessary for scientific or historical research purpose (UK GDPR Article 9 (2)(j)).  However, we must also comply with our Common law duty of confidence and individual consent will be sought for participation in particular research projects. 

NHS Digital 

The Trust is required to share information with NHS Digital under Section 259(1) of the Health and Social Care Act 2012.

When we are required to provide data under this legislation, a Data Provision Notice is issued to the Trust.  This details information such as the purpose, benefits, data required, frequency and legal basis.  An example is the Mental Health Service Data Set.

For more information on how NHS Digital look after your health and care information, please click:

https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public/how-we-look-after-your-health-and-care-information

Yorkshire and Humber Health Care Record

The Trust participates in the Yorkshire and Humber Health Care Record.  The Yorkshire & Humber Care Record is a shared system that allows Healthcare staff within the Humber, Coast and Vale Health and Social Care community to appropriately access the most up-to-date and correct information about patients, to deliver the best possible care.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

The Yorkshire & Humber Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.

If you would like any further information or would like to discuss this further, please contact the Yorkshire and Humber Care Record on 0113 206 4102 or hnf-tr.yhcr@nhs.net

Yorkshire and Humber Care Record

SystmOne Information Sharing

Some Trust services use an electronic system called SystmOne.  SystmOne allows us to share your medical records with others providing you with care.  The system is set to automatically share your medical record to ensure that that those treating you have the most up to date information.   This may include district nurses, community services, child health, urgent care and out of hours services.  Please speak to the member of staff involved in your care if you would prefer your record not to be shared.  You are free to change your mind at any time.

For further information, please see Your electronic health record  patient information leaflet. 

Summary Care Record

The Summary Care Record (SCR) is a short summary of your GP medical records. All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one.  The information held in your Summary Care Record gives health and care professionals access to information to provide you with safer care, reduces the risk of prescribing errors and improves your patient experience. 

Your SCR contains basic information about allergies and medications and reactions that you have had to medication in the past.

Some patients have previously agreed to have Additional Information shared as part of their Summary Care Record.  This includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place, unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these choices by doing the following:

  1. Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.

  2. Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.

  3. Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.

 For further information, please see Summary Care Records (SCR) - information for patients.

NHS e-Referral Service

The Trust receives referrals from GP practices and other organisations using the NHS e-referral service. This is a secure system provided by NHS Digital.

e-RS combines electronic book with a choice of place, date and time for first clinic appointments, which patients can book at the point of referral.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e) and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

Further information can be found at Privacy Statement - NHS e-Referral Service - NHS Digital 

GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect. 

The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services. 

In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

Find out more about GP Connect.

Risk Stratification

Trust GP practices use your information for the purposes of Risk Stratification. This is used to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

This processing has Section 251 Approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority.

Our GP practices use the services of a health partner, North of England Commissioning Unit (NECS) to help with Risk Stratification.  NECS process personal confidential data on our behalf under a contractual agreement that requires the security and protection of information. 

Our GP practices can access identifiable information (NHS Number) to see which patients may benefit from additional help.

The Integrated Care Board (ICB) and Public Health have access to de-identified information to help them plan the most appropriate health services for our local population.

If you do not want your information to be used for risk stratification, please speak to your practice manager. 

Electronic Palliative Care Co-ordination System (EPaCCS)

The Trust participates in the Electronic Palliative Care Co-ordination System (EPaCCS). EPaCCS enables the recording and sharing of a patient’s care preferences and key details about their care at the end-of-life. As it is electronic, it can easily be shared 24/7 between all of the clinicians and carers involved in the patient’s care across organisational and geographical boundaries.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

To find out more about EPaCCS and how it supports end-of-life care in Humber, Coast and Vale, please go to: https://humberandnorthyorkshire.org.uk/our-work/digital-technology/

Please click here for the full privacy notice for EPaCCS.

If you have any queries, please contact: hnf-tr.yhcrhcv.carerecord@nhs.net 

Heart Failure Patient Reviews

To provide the best possible care, our East Riding GP practices work with an independent company, Oberoi Consulting to conduct patient reviews for patients with heart failure. 

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

The company fully complies with data protection legislation and their work is overseen by your GP. Data will only be processed on the instructions of your GP as part of a written contract. Personal data is treated as strictly confidential and access only by a qualified Heart Failure Specialist Nurse. Anonymised summary data is collated for the purposes of reporting and research.

If you have any concerns about your data being used in this way, please contact the practice staff.

Medicines Optimisation

Humber GP Practices work with the North of England Commissioning Support Unit (NECS) to review the prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information. 

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

In cases where identifiable data is required, this is done with Trust agreement. Patient records are viewed in the GP practice and may also be viewed remotely. 

There is a protocol that provides a framework for Medicines optimisation team (MO) members to access patient records for routine medicines optimisation operations.

The protocol is used in conjunction with:

  • NHS Confidentiality Policy (NHS England, 2014)
  • North Of England Commissioning Support (NECS) Standards of Business Conduct procedure
  • NECS Information Risk Policy
  • Relevant professional codes of conduct and ethical standards
  • NHS IG requirements should be adhered to at all times.

The staff groups that are covered by the protocol are:

  • Medicines Optimisation Pharmacists
  • Medicines Optimisation Technicians.

National Fraud Initiative

The Trust participates in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.  This is necessary to comply with a legal obligation (UK GDPR Article 6(1)(c)) and does not require consent under the data protection legislation. For further information, please see the full text fair processing notice

Call recording 

The Trust operates call recording on some telephone lines to Humber Teaching NHS Foundation Trust. Recordings are used for verification purposes, including:

• To support clinical practice
• To provide delivery of training
• To check the quality of the service provided
• For complaints and investigations

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

National Data Opt Out

Information may only be used for purposes beyond your care when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.  Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

You can find out more about how patient information is used for research at: Patient information and health and care research - Health Research Authority (hra.nhs.uk) (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations had until 2020 to put systems and processes in place so they can apply your national data opt-out choice to any confidential patient information they use or share for purposes beyond your individual care.  Our organisation is compliant with the national data opt-out policy.

Type 1 Opt-out

You can also ask your GP practice not to share your data for research and planning purposes by registering a Type 1 Opt-Out. To do this, you will need to fill in an opt-out form and return it to your GP Surgery. Download a Type 1 Opt-out form

Please note that NHS Digital will still be able to collect and share data from other health care providers such as hospitals. Your health information will still be used to make sure you get the treatment and care you need.

National Patient Survey Programme

The Trust participates in the NHS Patient Survey Programme.  The Programme is delivered by the Care Quality Commission (CQC) on behalf of NHS England, NHS Improvement and the Department of Health and Social Care. 

This means we will send out local surveys to ask you for your views on your recent healthcare experiences.  These surveys provide feedback to us on the standard of service and care you received, which will help us to deliver better services in the future.  Anonymised survey results are also used by the CQC to measure and monitor the Trust’s performance. 

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e))and necessary for the provision of health or social care systems and services (UK GDPR Article 9(2)(h)).  

More information on the NHS Patient survey Programme is available here