
CARDIFF SOUTH EAST CLUSTER PRIVACY NOTICE

This Privacy Notice explains how the Cardiff South East Cluster uses your personal data for the purpose of GPs, Dentists, Pharmacists, Optometrists, Nurses and other Allied Health Professionals such as Psychologists, Therapists, Dieticians etc., the South East Wellbeing Centre, Cardiff (SEWeCC) and MDT meetings that involve sharing this with 3rd sector organisations as necessary so they can help you with your healthcare needs.

ADDENDUM TO OVERARCHING GP PRACTICE PRIVACY NOTICE

What is the South East Wellbeing Centre, Cardiff (SEWeCC)?

 

This consists of administrative staff and clinicians who work closely with other healthcare professionals such as physiotherapists and occupational therapists to support you following your discharge from hospital to assist and help you remain at home during your recovery.

What is MDT?

 

The purpose of the MDT is to discuss and recommend the best form of treatment and care based on each individual patient’s circumstances so that we can refer you into an MDT meeting for further assessment in relation to your care.

 

MDT stands for multi-disciplinary team. This is where a range of professional representatives from primary care (i.e., GPs, Dentists, Optometrists, Nurses, Pharmacists), Cardiff and Vale University Health Board Allied Health Professionals such as Psychologists, Therapists, Dieticians etc., Cardiff Council social workers and third sector organisations are able to liaise with each other to discuss the support to help you with your healthcare needs.

 

What information do we collect about you?

 

For the purposes of providing direct and indirect care and treatment, the following personal information is collected:

 

  • Your name

  • Address

  • NHS No.

  • Date of Birth

  • Gender

  • Racial / ethnic origin

  • Relevant medical information pertaining to your physical and/or mental health

  • Reason(s) for referral

  • Criminal offences, if the processing is either under the control of official authority, or authorised by domestic law under Schedule 1 of the DPA 2018.

  • Employment, school, social services, housing records

 

Partners we may share your information with:

 

To support the delivery of your care, subject to your agreement, we may share your information when making a referral to another professional. The information shared will be kept to a minimum (as described above) and will include a brief summary of the support that your GP feels will be helpful to you. This includes the following organisations:

 

  • Community Resource Team (CRT), Cardiff and Vale University Health Board

  • Independent Living Services, Cardiff Council

  • Adult Social Services, Cardiff Council

  • Mental Health for Older Persons, Cardiff and Vale University Health Board

  • ACE (*Third Sector)

  • Care & Repair (*Third Sector)

  • Tier Zero, MIND (*Third Sector)

  • Red Cross (*Third Sector)

  • Community Connectors (*Third Sector)

 

 

*The third sector includes charities, social enterprises and voluntary groups who deliver important services to help improve people's wellbeing.

 

 

How is your personal information collected?

 

The information we hold is collected through various routes and these may include:

 

  • Interactions with you as our patient from input by the clinician involved in your care and treatment

  • Indirectly from other health care providers, such as the Cardiff and Vale University Health Board

  • When you attend other organisations providing health or social care services, for example out of hours GP appointments or visits to A&E, and some interactions with Social Care, who will let us know so that your GP record is kept up to date

 

How do we use your information?

 

The information we collect about you, for the purposes of providing direct care and treatment to you, may also be used for:

 

  • The management and administration of healthcare services provided to you for your healthcare needs.

  • To contact you about patient surveys for research that can help improve the care we provide.

  • Anonymised reporting for the purposes of service evaluation and performance, where any identifiable information relating to you is removed.

 

Access and security of your personal information:

 

The sharing of your information will be managed in a way that assures it remains confidential, as any organisation that either shares or receives your information has a duty of confidentiality to ensure that the personal data of patients is shared and stored securely.

 

Your information is securely stored on the GP practice’s IT systems. All users accessing the systems will use a secure username and password and all activity performed is fully audited. If any of your information needs to be communicated by email, this is done by using secure NHS Wales email addresses where all information is protected via secure web communication channels.

 

Referrals to the third sector organisations listed above are made via our secure social prescribing system, Elemental, and our secure email system.

 

Retaining and storing your information:

 

We are required by UK law to keep your information and data for a defined period, often referred to as a ‘retention period’. Your GP practice will keep your information in line with the Records Management Code of Practice for Health and Social Care 2022 and your GP Practice’s records management policy, which is available upon request.

 

Legal basis for processing your information:

 

The legal basis used to process your personal information relates to your direct and indirect care and treatment and sharing this with 3rd sector organisations as necessary. We rely on the following conditions to lawfully process your information:

 

Health and Social Care Services:

 

Where personal data is processed by GP and NHS staff, or by social care staff, they are using the following legal basis:

 

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

This is known as a ‘public task’. The specific laws which we are following are:

 

  • The Social Services and Wellbeing (Wales) Act 2014 which includes the following:

    • Part 3 – duty to assess the needs of an individual

    • Part 4 – duty to meet eligible needs of an individual

    • Part 9 – duty of social services and the health service to cooperate to promote well-being of the population, and to cooperate in order to carry out social services functions in Wales.

 

These functions are listed in Schedule 2 to this Act.

 

In addition, Codes of Practice are issued by Welsh Government explaining what local authorities and local health boards must do to comply with the relevant Parts noted above.

 

  • The National Health Service (Wales) Act 2006 describes how health services in Wales should be organised and delivered. It covers the full range of NHS services.

 

  • The Well-Being of Future Generations (Wales) Act 2015 requires partners to balance short-term needs with longer-term objectives and specifies an integrated approach. The Well-Being of Future Generations guidance from Welsh Government describes the duty to take reasonable steps to facilitate integrated working, including the ability to share data.

 

These laws also support the processing of more sensitive data. For this, we are processing data under exemptions provided by Article 9 of GDPR: 

 

  • Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

 

  • Article 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as … ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

 

Services provided by voluntary organisations, charities and other community groups

 

Many of these non-public sector organisations have a preventative purpose and some aim to stand in with services which would not otherwise be provided by the NHS or social care.

 

When processing personal data, non-public sector organisations are able to rely upon the following legal basis for processing:

 

  • Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…

 

Organisations we work with will have prepared a Legitimate Interests Assessment to help them work out whether they are justified in using personal data, and how they can best protect privacy if they do use it.

 

This Legitimate Interests Assessment is also needed to allow these organisations to process more sensitive data, such as health data. This will take place under the following exemptions provided by Article 9 of GDPR. 

 

  • Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

 

  • Article 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

 

Services provided by these organisations may also sometimes receive more sensitive information (such as health information) if it is necessary to protect patients or staff from risk of serious harm.

 

Your rights in relation to the South East Cluster:

 

The UK GDPR includes several rights for individuals. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data. For the South East Cluster, the rights that apply, and how they apply, are described below:

 

  • Right to be Informed: Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly and at the point of contact.

 

  • Right of Access: You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK General Data Protection Regulation (UK GDPR), although there are exceptions to what we are obliged to disclose.

 

  • Right to Rectification: You have the right to ask us to rectify any inaccurate data that we hold about you.

 

  • Right to Erasure (‘right to be forgotten’): You have the right to request that we erase personal data about you that we hold. This is not an absolute right. It relies upon your request being accompanied by a reasoned explanation as to why your data should be erased, and on the legal basis that applies; we may have overriding legitimate grounds to continue to process the data.

 

  • Right to Restriction of Processing: You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for legitimate interests with an explanation of your reasons for restriction, where you contest the accuracy of the data.

 

  • Right to Object: You have the right to object to the processing of personal data about you on grounds relating to your individual situation. This right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.

 

How to Contact us

 

Please contact your GP Practice if you have any questions about our privacy notice or information we hold about you.

 

Data Protection Officer

 

The Practice is required to appoint a data protection officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.

 

Our Data Protection Officer is:

 

Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
4th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD

 
Email: DHCWGMPDPO@wales.nhs.uk

 

Right to complain to the Information Commissioner

 

You have the right to complain to the Information Commissioner if you are not happy with any aspect of the practice’s processing of personal data or believe that we are not meeting our responsibilities as a data controller.

 

The contact details for the Information Commissioner are:

 

Information Commissioner’s Office Wales
2nd Floor
Churchill House
Churchill Way
Cardiff
CF10 2HH

Tel: 0303 414 6421

 

Email: wales@ico.org.uk

Website: Wales office | ICO
