General Privacy Notice
This Privacy Notice informs you of how Barnet, Enfield and Haringey Mental Health NHS Trust (the Trust) collects and uses your personal information. It applies to all information collected from service users accessing our health services in the community.
Why we collect personal information from you
The Trust provides a range of inpatient and specialist mental health and learning disability services to over one million people in the London boroughs of Barnet, Enfield and Haringey. Since the transfer of Enfield Community Services in 2011, we have provided a full range of children and adult community health services in Enfield which are increasingly being integrated with our mental health services to provide a range of holistic services. The Trust also provides mental health services to prisons in London and Aylesbury.
In order to provide these services, the Trust must collect personal information from you to ensure it can provide appropriate care and treatment and to meet its statutory and regulatory obligations. The Health and Social Care Act 2012 and The Care Act 2014 require us to keep records of the care and treatment that you receive from us.
As a public health organisation we need to ensure:
- you receive the best possible care and treatment from us;
- we have full and accurate information available about you when you are referred to a specialist or another area of the Trust;
- we can work safely and effectively with everyone involved;
- our health professionals have a good basis to make health decisions about you.
All information collected, together with details of your care, is placed on a file for our clinicians to view every time they provide treatment to you.
At the same time, we may also use your information for non-direct care purposes in the Trust where we need to:
- plan and improve our service users’ needs;
- investigate any serious complaints, untoward incidents or legal claims;
- monitor clinical practices and check the quality of care provided to you (e.g. clinical audits);
- audit our accounts and services in the Trust;
- determine the allocation of NHS Funding;
- provide anonymised statistics for NHS Digital performance management and monitoring activity;
- collect data about public matters e.g. the monitoring of infectious diseases etc.;
- train and educate staff;
- conduct and support medical training and research and development in the Trust.
Most of the time, any data collated for the above secondary purposes will be provided in an anonymised format. For example, for research and planning purposes your personal data will be removed so that you are not identifiable from any information provided. For national reporting, any reports that we are legally obliged to send to NHS Digital for financial funding of our community services will only provide a summary of the numbers of patients referred to particular services. Again, no personal information will be used.
Information we record
We record various items of personal data about you. This will include:
- basic details such as your name, date of birth, address, postcode, telephone number, email address, education/schooling etc.;
- relevant details about your next of kin, professionals, family and relatives and carers who look after you;
- details about your care and treatment and any advice given at referrals e.g. notes and assessments;
- any contacts you may have had with us for home visits or outpatient appointments;
- any information on medicines, side effects and allergies;
- the results of investigations undertaken e.g. blood tests, x-rays, complaints, tribunals etc.;
- patient experience feedback and treatment outcomes.
We also collect sensitive data (i.e. special category information) about you:
- details of your nationality, ethnicity, race etc.;
- your religious or philosophical beliefs;
- your sexual orientation / gender;
- health information (physical and mental health) e.g. health care assessments;
- genetic data (about the genes in your body);
- biometric data (recognition data such as fingerprints, iris patterns, facial geometry etc).
We may also hold information about any criminal activities and offences you may have been involved in.
Generally, this primary information is held electronically in our IT systems to contribute to your direct care. It is also used by our administration teams to ensure that we maintain high standards in our service delivery of health care services that you expect from us.
How information is collected
Information is collected when you:
- consult with our clinicians and supporting staff;
- complete our online or paper forms;
- email us with your information;
- give us feedback on our services; or
- apply for a job with us.
Why we collect this personal information and how we use it
As a public authority we will always process your personal data fairly and lawfully. This means that we will not need your consent for the delivery of direct care because we are a Trust. Rather we will process and use your data to carry out our activities by relying on a lawful basis under the General Data Protection Regulations 2016 (GDPR).
For the delivery of health services and administration this will be:
- Article 6 (1) (e) - The processing is necessary for the Trust to perform a task in the public interest of the Trust’s official functions, where the task has a clear basis in law. (i.e. for the processing of personal data)
- Article 9 (2) (h) - The processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services (Health and Social Care Act 2015) (i.e. for the processing of sensitive data).
If we do collect secondary data from you for non-health care purposes, e.g. for research audits, service improvements and contract monitoring, we will require your explicit consent for this. The legal conditions relied on where this situation applies are:
- Article 6 (1) (a) – The processing has been given explicit consent (i.e. for personal data)
- Article 9 (2) (a) – The processing has been given explicit consent (i.e. for special category data)
How we share information
As a Trust we may share your information internally as well as with a variety of other external individuals and organisations that are involved in your direct care. For example this may be with:
- your friends, family and carers (including anyone who has the authority to act as your Power of Attorney or deputy for the provision of social or healthcare, vital interests or with consent if applicable);
- other Healthcare and Multi-Disciplinary Teams e.g. other NHS Trusts (Acute Health/Mental Health), General Practitioners (GPs), Private Care Providers, Emergency Services, NHS 111, Ambulance Services, CCGs;
- social Services and Local authorities;
- education Services;
- regulators and Safeguarding Authorities/Commissioners who may be involved in investigating a regulatory obligation e.g. MASH, the Care Quality Commission (CQC), Public Health England, the ICO etc.;
- the Trust’s service providers such as the Trust’s language and sign language interpretation/translation and telephone call recording service;
- professional advisors such as lawyers in the exercise or defence of legal claims;
- charitable organisations that support the provision of further care (e.g. hospices) and funding treatments;
- bulk mailing providers in order to communicate with our patients to satisfy our legal obligations and healthcare requirements.
In limited circumstances information may be shared with the Police and other law enforcement agencies where:
- there is a need to protect the public safety of you or others;
- there is a legitimate enquiry to trace a missing person or prosecute or apprehend a person for a serious crime;
- there is a safeguarding matter involving a vulnerable child or adult;
- there is a legitimate fraud investigation being undertaken on you; or
- we have received a Court Order requesting information about you.
The Trust currently works with the Metropolitan Police to support the work of the Serenity Integrated Mentoring (SIM) and High Intensity Network, which is an initiative aimed at reducing the number of people detained by the Police under S136 of the Mental Health Act (MHA) in the community. All data shared is in accordance with Data Protection Legislation.
Where information is shared, this will be done proportionately to the legal requirement of the request.
National Data Opt Out Service
In order to improve your individual care, we may securely share your information with others whenever you attend our Accident and Emergency or Community Services. Should you not want your information to be shared or used beyond the provision of your direct care then you can choose to opt out. This is called a National Opt Out. If you choose to opt out, Barnet, Enfield and Haringey Mental Health NHS Trust will apply an opt out to your record. If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you will not need to do anything. Please note you can change your mind on this at any time. The Trust will respect your decision for your information not to be shared for any other purposes unless we are legally obliged to do so.
All health and social care organisations are required to have all national data opt-outs applied by 30 March 2020. Due to COVID-19, this has now been extended to 30 September 2020.
Patients can find out more about this and set their opt-out choice at nhs.uk/your-nhs-data-matters or by calling 0300 303 5678.
Cross Border Data Transfers
The Trust does not routinely transfer any personal data outside of the European Economic Area (EEA). This is reviewed annually through our internal review processes. If, however, we do need to transfer your data overseas, appropriate safeguards will be put in place to protect the transfer of your data. If data needs to be transferred outside of the EEA to a third country we will inform you of this before it is done.
The Trust routinely records all crisis calls for quality control and training purposes and to prevent crime, staff abuse and non-compliance with Trust procedures. Service users are entitled to a copy of the recording as per their subject access rights.
CCTV and Body Worn Cameras
The Trust employs CCTV cameras and body worn surveillance cameras across its Trust sites and departments in order to provide a safe environment for its service users, staff and visitors. Posters and CCTV signage have been placed in all areas where cameras are located to inform members of the public that they may be recorded on CCTV for the purposes of crime prevention, crime detection and the promotion of public safety. It is anticipated these cameras will assist with our car management facilities, the verification of claims and act as a deterrent to reduce unlawful activity and abuse and violence towards our staff and third parties.
You have a right to request a copy of any surveillance that may have been recorded about you subject to the exemptions of data protection legislation. Please refer to our CCTV web page for further information. Please note this legal right does not entitle you to any third party information.
Car Park Management
Our car park facilities are provided through a third party company contract. The contractor will collect vehicle information on behalf of the Trust to support traffic flows and prevent and detect crime and ensure individuals do not park in any restricted areas. Further information about this is provided through our Estate Services.
SMS Texts and Emails
The Trust employs various methods to keep in touch with its service users. As a service user you may be asked if we can contact you by either post, email or by text message in order to receive appointment reminders, automated calls or service information. From our initial point of contact, we will always record your preferences and choose to contact you in this way. Please be mindful that you have a right to change these options at any time. Please ensure that we hold an accurate email address or mobile telephone number to contact you on.
Data Protection by Design
The Trust carries out data protection impact assessments (DPIA) in accordance with the General Data Protection Regulations 2016, when contemplating new projects that involve the use of personal data or changes in processing operations. These are not published but are available on request from the Trust’s Data Protection Officer at the contact details below.
As an NHS organisation we have a set of strict information security and data protection policies and procedures to ensure we protect your privacy and confidentiality.
The Trust has secure encrypted networks (at rest and transfer) and appropriate IT safeguards such as the NHS Smartcard to ensure data is protected from unauthorised access, hacking and loss. Access to systems is based on role privileges and responsibilities and system audits are regularly undertaken to ensure our controls remain fit for purpose.
Any third parties (i.e. data processors) that are deployed to support us are robustly verified in terms of their governance controls and are legally and contractually bound to operate in a secure environment with appropriate security arrangements in place.
Retention of Data
The Trust retains all data in accordance with the Trust’s Record Management Policy and Retention Schedule which is in accordance with the Records Management Code of Practice for Health and Social Care 2016.
All records have a minimum retention period and will be disposed of securely once they reach their recommended retention period. The retention periods for typical records across the Trust include:
- adult mental health records – 20 years from closure date;
- deceased records of mental health patients – 8 years from date of death;
- children’s records are kept until their 25th birthday or 26th birthday depending on their age at the conclusion of treatment.
Data Subject Rights
Under the General Data Protection Regulations 2016 (GDPR) and the Data Protection Act 2018 all service users have a range of legal rights. As a service user you have:
a) A Right to be Informed
To be provided with information in a concise, transparent, intelligible and clear, plain language format about how your data is handled. This is outlined in this Privacy Notice.
b) A Right to Access
You have a right to access information held about you. This is known as a Subject Access Request (SAR). All SARs are free (unless they are complex or voluminous by scope where an administrative charge may be applied) and must be processed within one month (i.e. 30 calendar days) of the Trust receiving the request.
All requests for access to health records must be referred to the Medical Records Team at the address below. For further information on this please refer to our medical records page.
c) A Right to Erasure (also known as a Right to be Forgotten)
Service users have a right to request the erasure of their personal data where:
- The personal data is no longer needed and has reached its retention period;
- There are no legitimate reasons for the Trust holding the data;
- The personal data has been unlawfully processed;
- You have withdrawn your consent for the processing of your data.
d) A Right to Rectification
You have a right to request without any undue delay the rectification or update of any inaccurate data we may hold about you. All requests must be responded to within 30 days (i.e. one month) from the receipt date of the request.
e) A Right to Restrict Processing
You have a right to restrict any processing of data where the accuracy of the data is contested. This means that we will only store your data and not share it or further process it except in limited circumstances.
f) A Right to Object
You have a right to object to how your data is used, e.g. for direct marketing. This right applies to all processing involving scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest).
g) A Right to Data Portability
You have a right to request data to be transmitted directly from one data controller to another where it is on the basis of consent and automated means. To achieve this the process must be technically possible.
h) A Right to Automated Decision Making and Profiling
Automated decision making does not take place in the Trust.
Raising a General Complaint or Concern
Any service users who have a general concern or complaint about any aspect of their care or treatment at the Trust should contact the Patient Experience Team at the following email address: email@example.com
Raising an Information Governance Complaint or Concern
The Data Protection Officer is the main contact point for all data protection enquiries and any investigations received from the Information Commissioner’s Office.
The Data Protection Officer for the Trust is:
The Information Governance Manager
St Ann’s Hospital
St Ann’s Road
Tel: 0208 702 4134
The Medical Records Team is the main contact point for all access to health records requests. They can be contacted at: firstname.lastname@example.org
Information Commissioner’s Office (ICO)
For independent advice you have a right to submit a complaint to the Information Commissioner’s Office. The ICO is the UK’s independent body for overseeing all data protection matters. Do be mindful that the ICO will only consider any complaints once an organisation’s internal procedures have been exhausted. The ICO can be contacted at:
Information Commissioner’s Office
Helpline: 0303 123 1113 (local rate) or 01625 545 745
The Trust’s Data Protection Registration
For the purposes of this Privacy Notice, the Trust is registered as a Data Controller. Our DP registration number is: Z8836068.
Our registration can be viewed online via the public register on the ICO website.
Further information about the way we handle your personal data can be found in our patient leaflet: Protecting Your Information leaflet (PDF document)
Changes to this Privacy Notice
The Trust reserves the right to make any changes to this Privacy Notice at any time and will provide you with any substantial updates as and when necessary.
This Privacy Notice was last updated on 22 June 2020.