Your information and how we use it

City Health Care Partnership’s Privacy Notice

This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.

We are the controller for your information. A controller decides on why and how information is used and shared.

Data Protection Officer contact details

Our Data Protection Officer is Claire Attwood, who is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at CHCP.customercare@nhs.net.

How do we get information and why do we have it?

The personal information we collect is provided directly from you for one of the following reasons: 

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care.
  • you have sought funding for continuing health care or personal health budget support.
  • you have signed up to our newsletter/Service User Voice (patient participation group).
  • you have raised a concern or made a complaint.
  • you have made a request to access information we hold about you (subject access request).

We also receive personal information about you indirectly from others, in the following scenarios: referrals from GP practices, information sharing with Hull University Teaching Hospital Trusts, Humber Foundation Trust, Local Authority, care homes and ambulance services.

  • from other health and care organisations involved in your care so that we can provide you with care
  • from family members or carers to support your care

Your information will also be used to help us manage and protect the health of the public by being used to:

  • Review the care we provide to ensure it is of the highest standard and quality.
  • Health and care professionals may look at confidential patient information about the care they gave you to understand and learn from their work. This is called ‘reflective practice’ and is done to help staff to provide better and safer care. Only regulated health or social care professionals who cared for you are allowed to access your information for this reason.
  • Protect the health of the general public
  • Manage the health service.
  • Ensure our services can meet patient needs in the future.
  • Investigate patient queries, complaints and legal claims.
  • Ensure CHCP receives payment for the care you receive.
  • Prepare statistics on CHCP’s performance.
  • Audit CHCP’s accounts and services.
  • Help to train and educate healthcare professionals.

For these purposes we use anonymous data wherever possible.

What information do we collect?

Personal information

The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive.  Personal information is any information that can be used to identify a living person. For example, an individual's name, address, date of birth, email address, telephone number, or NHS number.

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name and contact details)
  • medical information, test results and diagnoses.
  • Notes and reports about your health, treatment and care
  • Relevant information from people who care for you and know you well such as health professionals and relatives.
  • Photographs, scans and/or x-rays
  • CCTV footage

It is essential that your details are accurate and up to date. We may contact you using SMS texting to your mobile phone if we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up-to-date details. As this is operated on an ‘opt out’ basis we will assume that you give us permission to contact you via SMS if you have provided us with your mobile telephone number. Please let us know if you wish to opt out of this SMS service.

We may also contact you using the email address you have provided to us. Please ensure that we have your up-to-date details.

Always check that your personal details are correct when you visit us and please tell us about any changes as soon as possible.

More sensitive information

The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. Data that relates to criminal offences is also considered particularly sensitive.

We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • biometric data (where used for identification purposes)
  • data revealing political opinions
  • data revealing religious or philosophical beliefs
  • data revealing trade union membership
  • data relating to criminal or suspected criminal offences

Who do we share information with?

We may share information with the following types of organisations:

  • Hospitals and NHS Trusts
  • GPs
  • Community Care Teams
  • Care homes
  • Local Authorities
  • NHS England
  • third party data processors (please contact us if you require more information or a list of these)
  • planners of health and care services (such as Integrated Care Boards)

You may be receiving care from other people as well as the NHS, for example Social Care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social care services
  • Education services
  • Local authorities
  • Voluntary and private sector providers working with the NHS.

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to develop national IT and data services
  • when registering deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include complying with the law and public interest reasons.

What is our lawful basis for using information?

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

(b) We have a contractual obligation

(c) We have a legal obligation

(e) We need it to perform a public task

(f) We have a legitimate interest

More sensitive data

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category) is:

(f) We need it for a legal claim or the courts require it.

(g) There is a substantial public interest (with a basis in law).

(h) To provide and manage health or social care (with a basis in law).

(i) To manage public health (with a basis in law).

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

How do we store your personal information?

Your information may be stored electronically or on paper. There are technical and organisational security measures in place to protect personal data, for example appropriate access controls. Everyone working within CHCP has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. For example, adult records are held for 8 years after being discharged from the service. We will then dispose of the information as recommended by the Records Management Code. For example, we will:

  • securely dispose of your information by shredding paper records, or putting your electronic hard drive data ‘beyond use’ until the backups are written over at the end of their retention period. Medical records are deducted from the system.
  • archive your information: a historically significant service’s records may be archived with the local Archive Service, which is run by the Local Authority.

CCTV

CHCP utilises surveillance cameras (CCTV) in and around the sites.

The legal basis for collection of CCTV images is that processing is necessary for the purpose of the legitimate interests pursued by the controller, CHCP (GDPR Article 6(1) (f)). Our legitimate interest in doing so is in order to:

  • Protect staff, patients, visitors and property;
  • Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts;
  • Provide a deterrent effect and reduce unlawful activity;
  • Help provide a safer environment for our staff;
  • Assist with the verification of claims;
  • Assist with Human Resource investigations, which may include:
    o Acts which constitute Gross Misconduct in accordance with CHCP policy.
    o Practices that seriously jeopardise the health and safety of other staff, patients or visitors.
    o Inappropriate treatment of patients.

We do not perform any covert surveillance and all buildings where CCTV is fitted will display awareness signs.

What are your data protection rights?

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Should you wish to exercise the above rights, please contact us by email at CHCP.Accesstorecords@nhs.net, by telephone on 01482 976821, or by post at: Access To Records Team Business Support Centre, 5 Beacon Way, Hull HU3 4AE.

National data opt-out

We are applying the national data opt-out because we are using confidential patient information for planning or research purposes.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at chcp.customercare@nhs.net or by telephone on 01482 976821.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:        

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Freedom Of Information (FOI)

City Health Care Partnership CIC is not a public authority and therefore the Freedom of Information Act 2000 does not apply entirely to all services within the organisation. However, where our services fall within the scope these will be processed as per the act.

CHCP are a provider of healthcare services and work with our commissioners in support of healthcare services. You may wish to direct your FOI to one of our commissioners who may be able to support your request for information.

Humber and North Yorkshire Integrated Care Board
Email: hnyicb.foi@nhs.net
Address: Freedom of Information, Humber and North Yorkshire ICB Team, Health House Grange Park Lane, Willerby, HU10 6DT

East Riding of Yorkshire Council
Email: foi@eastriding.gov.uk
Address: Freedom of Information, East Riding of Yorkshire Council, Democratic Service, County Hall, Beverley, HU17 9BA

Hull City Council
Email: info@hullcc.gov.uk
Address: Information Governance Team, Hull City Council, The Guildhall, Alfred Gelder Street, Hull, HU1 2AA

NHS England
Email: england.contactus@nhs.net
Address: NHS England, PO Box 16738, Redditch, B97 9PT

St Helens Council
Email: contactcentre@sthelens.gov.uk
Address: St. Helens Council, Contact Centre, Wesley House, Corporation Street, St Helens, WA10 1HF

Federated Data Platforms (FDP)

NHS services such as CHCP use this platform to directly support your care by holding your information within it.  This supports your care teams by collating relevant information about you in the same place making it available for use.

The OPTICA Community product in use within CHCP uses the information held on the platform to support your care teams to work together to make sure you have all the additional care, equipment, medication, and support that you might need to be discharged safely and as soon as possible.

Processor acting on behalf of CHCP

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS who are using this Product. They provide the data platform and the technology that the Product uses and only act on our instructions.

For more information, please see the links below for NHS England privacy information.

NHS England » NHS Federated Data Platform privacy notice

NHS England » FDP products and product privacy notices

OpenSAFELY

NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

Patients who do not wish for their data to be used as part of this process can register a type 1 opt-out with their GP.

Find additional information about OpenSAFELY.

Heidi Health

We use a data processor, Heidi Health, an AI-powered medical scribe, to enhance the quality and efficiency of consultations. Heidi Health transcribes patient interactions in real-time and uses this to generate clinical notes, fill out documents, dictate letters for GPs to review, and other administrative tasks, ensuring accuracy and up-to-date information. You will be asked for consent before using Heidi AI in a consultation, and you can withdraw consent at any time. Heidi Health will help us improve accuracy in medical records, increase efficiency by automating the transcription process, and enhance patient care by allowing GPs and staff to focus more on interactions rather than note-taking.

Heidi Health adheres to stringent NHS standards, including the DSPT and DTAC, ensuring that personal information is handled securely and confidentially. Transcriptions and summaries are deleted once saved to patient records and are kept for no longer than one day. For more information, please see the Heidi Health website and our patient explainer.

Date of last review January 2026

Next Review Date January 2027

For further information on how your data can be used within the NHS, please see the website below for short animation videos provided by Understanding Patient Data: Keeping NHS Data Safe | Understanding patient data

City Health Care Partnership - Data Privacy Impact Assessments (DPIA)

| Name of DPIA | High Risks identified which require discussion with the ICO? |
|---|---|
| Azure migration | None |
| Heim Labs | None |
| Open Safely | None |
| Rapid Health | None |
| Patient Centred Software | None |
| Storetec | None |
| Heidi Health | None |
| Physio Med Portal | None |
| Federal Data Platform | None |
| Healthcare Guardian | None |
| Optica | None |
| TytoCare | None |
| Vivia Engage | None |
| Office 365 | None |
| Physio Buddy | None |
| Shred-IT | None |
| In Healthcare | None |
| SH.UK | None |
| Allocate | None |
| Digital Prescriber | None |
| Rapid Health | None |
| Open Safely | None |