Your information and how we use it
Confidential information about you
City Health Care Partnership collects stores and uses large amounts of personal data every day, such as medical records, personal records, and computerised information. This data is used by many people in the course of their work.
This makes City Health Care Partnership the Data Controller.
Our registered address is 5 Beacon Way Brighton Street HULL, HU3 4AE
What Data Protection means to us
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to make sure the personal data we are responsible for is confidential and secure, whether it’s on a computer or on paper.
A training requirement for all our staff is to undertake Data Protection and Security Training annually, we aim to achieve 95% compliance. This embeds key information governance updates to all staff and provides awareness of our responsibility and best practice guidelines.
We have a Senior Information Risk Owner on our Board, who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.
We have a Data Protection Officer who makes sure CHCP is accountable and that we comply with the GDPR/Data Protection Act 2018.
Data Protection Officer:email@example.com
5 Beacon Way, HULL HU3 4AE Tel: 01482 347627
CHCP is registered with the Information Commissioners office.
What information do we collect about you?
The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive. The information in the record may come from you or other care providers like social care or your GP. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on a computer. These records may include:
- Basic details about you such as name, address, date of birth, next of kin, etc
- Contacts we have had with you such as appointments or clinic visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Relevant information from people who care for you and know you well such as health professionals and relatives.
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please tell us about any changes as soon as possible.
How your personal information is used
Your records are used to direct, manage and deliver the care you receive. This is to make sure that:
- The doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
- Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive
- Appropriate information is available if you see another doctor or are referred to a specialist or another part of the NHS.
Our lawful basis for processing your information under Data Protection legislation is:
- Public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law. Article 6 (e) (GDPR/DPA18)
- The processing is necessary for the purpose of preventative or occupational medicine, the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care or treatment or management of health or social care system. Article 9 (2) (h) (GDPR/DPA18)
- The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. Article 9 (2) (b) (GDPR/DPA18)
Your information will also be used to help us manage the NHS and protect the health of the public by being used to:
- Review the care we provide to ensure it is of the highest standard and quality
- Protect the health of the general public
- Manage the health service
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints, and legal claims
- Ensure the hospital receives payment for the care you receive
- Prepare statistics on NHS performance
- Audit NHS accounts and services
- Undertake heath research and development (see below)
- Help to train and educate healthcare professionals
For these purposes, we use anonymous data wherever possible.
Who do we share personal information with?
Everyone working within CHCP has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
We will share information with the following main partner organisations:
- Other NHS trusts and hospitals that are involved in your care
- Clinical commissioning groups and other NHS bodies (see below)
- General practitioners (GPs)
- Ambulance services.
You may be receiving care from other people as well as the NHS, for example Social Care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:
- Social care services
- Education services
- Local authorities
- Voluntary and private sector providers working with the NHS.
We will not disclose your information to any other third parties unless:
- We have your permission
- We have to share by law
- We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
- We hold information that is essential to prevent, detect, investigate, or punish a serious crime.
Please ask our staff if you have any concerns or would like further information. Alternatively, you can contact the Data Protection Officer or the Information Governance Team, 5 Beacon Way, HULL, HU3 4AE or Tel: 01482 347627 or
Consenting to care
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services). The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. You can withdraw your consent at any time by either contacting the service involved in your care or the Customer Care Team, 5 Beacon Way, Hull, HU3 4AE or Tel: 01482 347627 or
National Data Opt Out
Information may only be used for purposes beyond your care when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this were allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
You can find out more about how patient information is used for research at: https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until March 2022 to put systems and processes in place so they can apply your national data opt-out choice. Our organisation is able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care.
Integrated Care Boards (ICBs)
Integrated Care Boards are responsible for planning the health needs of their patients and for paying to keep their local hospitals running. Electronic data is sent to ICB’s with your name and address removed but including NHS numbers and postcodes. Exactly the same information is sent to the Office of National Statistics which produces information about the performance of hospitals.
Other organisations such as specialist disease registries receive information about particular areas of healthcare. This is important to ensure that the NHS provides the best possible treatments both now and in the future.
Sometimes we undertake studies, and we may ask you for additional co-operation to take part in these; they may involve you in extra tests or visits to the hospital. You always have a choice whether or not to be involved after being given detailed information. If you choose not to take part this will not affect your future treatment in any way.
From time to time, staff caring for you may be accompanied by students for teaching purposes. You have the right to refuse the presence of a student. If you have any strong feelings about this or require any further information do not hesitate to let staff know.
The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people’s access to their own records, controls on others’ access, how access will be monitored and policed, options people have to further limit access, access in an emergency and what happens when someone cannot make decisions for themselves. Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, must comply with this guarantee.
We will ensure your rights are respected. You have the right to:
- Be informed – we will tell you what we do with your information. We do this through notices like this, service information leaflets, notices on our website and posters
- Rectification - we will correct any personal information if it is inaccurate or rectify any data that is incomplete
- Object – you have the right to object how we process your information. Your objection will be considered in relation to your particular situation. We will stop processing unless there is a legitimate reason for us not to e.g. we need to process your data to provide you with safe care.
If you would like to raise an objection about how we process your information, please speak to your health professional or alternatively write/email the Information Governance Team at the below address.
- Restrict processing - we will temporarily restrict processing your data, whilst we check the information, if you query the accuracy of it. We will also restrict processing (if you raise an objection to how we process your data) whilst we consider your objection.
- Access – you can ask for copies of information we hold about you. This is called a subject access request.
How you can access your records
If you would like to request a copy of your medical record, please complete our access to record form which can be found in the useful information section or on the access to records page. Send the form to Access to Records Team at 5 Beacon Way Brighton Street, Hull, HU3 4AE or email / write to us at firstname.lastname@example.org
If you are registered with a CHCP GP, you can view your GP record online. For more information to register for an online account, please visit their website https://www.thequayshull.co.uk/ or contact your GP Practice.
Humber Information Sharing Charter
City Health Care Partnership has signed to participate in the Humber Information Sharing Charter. All orgainsation who sign the Charter, accept we need to the share information in the most effective and secure way. The Charter details the rules about how local organisations share information.
To find out more information or to view the list of signatures please see the link: https://www.nelincs.gov.uk/your-council/information-governance/information-sharing/
SMS Text Messaging
Your contact details are important to us, meaning that we can contact you in regard to appointment bookings, appointment cancellations and as a means of reminding you of your forthcoming appointments. The contact information we store will only be used by us in relation to your healthcare and we will not pass on your information to any other party other than the third-party company used to deliver our free of charge appointment reminder service. They are also obliged to keep your information secure and used only for that purpose.
Sending Data to other countries
Sometimes your data may be processed outside the UK. In most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within this country. When this is outside the EEA we will identify the data protections in place prior to transfer.
How long we keep your information
All personal information will be kept in line with the retention periods in the Department of Health Records Management Code of Practice for Health and Social Care Records 2021, Once paper records have reached their retention date, they are destroyed in line with the policy. Electronic records are archived. Please see the useful information section for a copy or alternatively it can be found at: https://www.nhsx.nhs.uk/media/documents/NHSX_Records_Management_CoP_V7.pdf
Data Privacy Impact Assessments (DPIA)
The Data Protection Impact Assessment (DPIA) is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. DPIAs help identify privacy risks, foresee problems and bring forward solutions. This is a requirement under the General Data Protection Regulation and Data Protection Act 2018.
Listed below are Data Privacy Impact Assessments:
NHS Mail Office 365
Humber Long Covid Triage and Assessment Service
Access to CPD
Insight 3D Wound Management
Access People Planner
Freedom Of Information (FOI)
City Health Care Partnership CIC is not a public authority and therefore the Freedom of Information Act 2000 does not apply entirely to all services within the organisation. However, where our services fall within the scope these will be processed as per the act.
CHCP are a provider of healthcare services and work with our commissioners in support of healthcare services. You may wish to direct your FOI to one of our commissioners who may be able to support your request for information.
East Riding of Yorkshire and Hull Integrated Care Board CCG
Address: Freedom of Information, Humber and North Yorkshire ICB Team, Health House Grange Park Lane, Willerby, HU10 6DT
East Riding of Yorkshire Council
Address: Freedom of Information, East Riding of Yorkshire Council, Democratic Service, County Hall, Beverley, HU17 9BA
Hull City Council
Email: email@example.comAddress: Information Governance Team, Hull City Council, The Guildhall, Alfred Gelder Street, Hull, HU1 2AA
Address: NHS England, PO Box 16738, Redditch, B97 9PT
St Helen’s Council
Address: St. Helens Council, Contact Centre, Wesley House, Corporation Street, St Helens, WA10 1HF
City Health Care Partnership’s legal basis for collection of CCTV images is that processing is necessary for the purpose of the legitimate interests pursued by City Health Care Partnership (GDPR Article 6(1) (f)). Our legitimate interest in doing so is in order to:
- Protect staff, patients, visitors and property;
Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts;
• Provide a deterrent effect and reduce unlawful activity;
• Help provide a safer environment for our staff;
• Assist with the verification of claims
The Data Protection Act 2018 requires organisations to notify with the Information Commissioner to describe the purpose for which they process personal information. These details are publicly available on the Information Commissioner’s website: ico.org.uk/
If you have any complaint about how we have handled your data, you can make a complaint to CHCP directly by contacting the Customer Care team by completing the concerns and complaints form, which can be found in the useful information or email firstname.lastname@example.org or telephone 01482 347627. To find out more information please see the Customer Care Section.
You also have the right to raise a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 or report online at: https://ico.org.uk/concerns/handling/
Information governance enquiries please contact:
Data Protection Officer, City Health Care Partnership CIC, 5 Beacon Way, Hull, HU3 4AE. Tel: 01482 347627 or email: email@example.com
If you require the privacy notice in a different format or language, please contact us Tel: 01482 347627.
We will ensure your rights are respected. You have:
- The right to be informed – we tell you what we do with your information. We do this through notices like this, service information leaflets, notices on our website and posters
- The right to rectification - we will correct any personal information that is inaccurate or rectify any data that is incomplete
- The right to object – you have the right to object to how we process your information. Your objection will be considered in relation to your particular situation and we will stop processing unless there is a legitimate reason for us to continue processing. E.g. we will not be able to stop processing your data to provide you with direct patient care, as we need to provide you with safe care.
- The right to restrict processing – we will temporarily restrict processing your data whilst we check the information, if you query the accuracy of it.
We will also restrict processing (if you raise an objection to how we process your data) whilst we consider your objection.
- The right of access – you can ask for copies of information we hold about you. This is called a subject access request.
How you can access your records
If you would like to request a copy of your medical record, please contact the CHCP.firstname.lastname@example.org or phone: 01482 347627
For more information click here.
The confidentiality and security of information is essential to maintain the trust of service users.
Further information detailing the main requirements for maintaining a confidential service can be found in the Confidentiality NHS Code of Practice produced by the Department of Health.
Data Protection Contacts:
Senior Information Risk Officer (Incidents and information risk)
Paul Hillary, Company Resources Director, 5 Beacon Way, Brighton Street, HULL, HU3 4AE, Tel: 01482 347620
Caldicott Guardian (confidentiality)
Carol Waudby, Executive Nurse, 5 Beacon Way, Brighton Street, HULL, HU3 4AE, Tel: 01482 347620
Data Protection/Information Governance Lead
Claire Attwood, 5 Beacon Way, Brighton Street, HULL, HU3 4AE, Tel: 01482 347620 (confidentiality and data protection queries, IG training, access to records)
Information Governance ensures that personal information is dealt with legally, securely, efficiently and effectively in order to give the best possible care. It provides a framework to bring together all of the requirements that apply to the handling of personal information.
Those requirements are:
Common law duty of confidentiality
Data Protection Act 2018
Freedom of Information Act 2000
Information Governance Management
Information Quality Assurance
Last Updated Jan 2023