General Privacy Notice
This Privacy Notice informs you of how Barnet, Enfield and Haringey Mental Health NHS Trust (the Trust) collects and uses your personal information. It applies to all information we collect and store that has been received directly from you through your accessing our services or from other health and social care organisations, including GP Practices and other community providers.
Who we are and our duty
At Barnet, Enfield and Haringey Mental Health NHS Trust (BEH), we provide, design and implement services that meet the diverse needs of our population and workforce. We ensure that none are placed at a disadvantage over others. The Trust takes into account its legal obligations under the Data Protection Act 2018, General Data Protection Regulation (GDPR), Equality Act 2010, the Human Rights Act 1998 and other relevant legislation.
The Trust is committed to its duty to protect the privacy and confidentiality of service users and staff. The Trust have put measures in place to ensure safety, and security of all the personal data that we hold, use and collect about you; both in paper or electronic format.
As a Data Controller the Trust has appointed specialist Information Governance roles who have Board level report and accountability.
- The Senior Information Risk Owner (SIRO) and a Deputy Information Risk Owner are accountable for the management of information risks, assets and incidents.
- The Caldicott Guardian (CG) is responsible for the management of patient information and patient confidentiality.
- The Chief Clinical Information Officer (CCIO), who is also the Deputy Caldicott Guardian (CG), is responsible for providing clinical focus to promote good health outcome in the use of technology and information use to support the Trust’s Clinical information strategic needs.
- The Data Protection Officer (DPO) is responsible for overseeing the Trust’s data protection strategy and its implementation to ensure compliance with GDPR requirements.
For your safety, we recommend use of one care provider (NHS or Private). Parallel care from Barnet, Enfield and Haringey NHS Mental Health Trust and concurrent care under a Private care provider can cause patient safety issues and be counterproductive, this practice the BEHMHT discourage and suggest patient and carers refrain from pursuing.
You can contact us via our website. http://www.beh-mht.nhs.uk/contact-us
Why we collect personal information from you
The Trust provides a range of inpatient and specialist mental health and learning disability services to over one million people in the London boroughs of Barnet, Enfield and Haringey. We also provide a full range of children and adult community health services in Enfield which are increasingly being integrated with our mental health services to provide a range of holistic services.
The Trust also provides mental health services to prisons in London and Aylesbury.
In order to provide these services, the Trust must collect personal information from you to ensure it can provide you with the appropriate care and treatment and to meet its statutory and regulatory obligations. The Health and Social Care Act 2012 and The Care Act 2014 require us to keep records of your care and treatment that you receive from us.
As a Health Care organisation we are required to ensure:
- You receive the best possible care and treatment from us.
- We have accurate and up to date information available about you when you are referred to a specialist or another area of the Trust.
- We can work safely and effectively with everyone involved.
- Our health professionals have a good basis to make health decisions about you.
All information collected, together with your details of care is saved on our various services Clinical Systems, for our Clinicians to view every time they provide treatment to you.
At the same time, we may also use your information for non-direct care purposes where we need to:
- Plan and improve our service user’s needs;
- Investigate any serious complaints, untoward incidents or legal claims;
- Monitor clinical practices and check the quality of care provided to you (e.g. clinical audits);
- Audit our accounts and services in the Trust;
- Determine the allocation of NHS Funding;
- Provide Anonymised statistics for NHS Digital performance management and monitoring activity;
- Collect data about public matters e.g. the monitoring of infectious diseases etc.;
- Train and educate staff;
- Conduct and support medical training and research and development in the Trust.
Most of the time, any data collated for the above secondary purposes will be provided in an anonymised format, for example for research and planning purposes your personal data will be removed so that you are not identifiable from any information provided. For national reporting, any reports that we are legally obliged to send to NHS Digital for financial funding of our community services will only provide a summary of the numbers of patients referred to particular services. Again no personal information will be used.
Information we record
We record various items of personal data about you. This will include:
- Basic details such as your name, date of birth, address, postcode, telephone number, email address, education/schooling etc.;
- Relevant details about your next of kin, professionals, family and relatives and carers who look after you;
- Details about your care and treatment and any advice given at referrals e.g. notes and assessments;
- Any contacts you may have had with us for home visits or outpatient appointments;
- Any information on medicines, side effects and allergies;
- The results of investigations undertaken e.g. blood tests, x-rays, complaints, tribunals etc.;
- Patient experience feedback and treatment outcomes.
We also collect sensitive data (i.e. special category information) about you:
- Details of your nationality, ethnicity, race etc.;
- Your religious or philosophical beliefs;
- Your sexual orientation / gender;
- Health information (physical and mental health) e.g. health care assessments;
- Genetic data (about the genes in your body);
- Biometric data (recognition data such as fingerprints, iris patterns, facial geometry etc).
We may also hold information about any criminal activities and offences you may have been involved in.
Generally, this primary information is held electronically on our IT systems to contribute to your direct care. It is also used by our administration teams to ensure that we maintain high standards in our service delivery of health care services that you expect from us.
How information is collected
Information is collected when you:
- Consult with out clinicians and supporting staff;
- Complete our online or paper forms;
- Email us with your information;
- When you give us feedback on our services; or make a complaint.
- When you apply for a job with us.
Why we collect this personal information and how we use it
As a health service provider we will always process your personal data fairly and lawfully. This means that we will not need your consent for the delivery of direct care to you. Rather we will process and use your data to carry out our activities by relying on lawful basis under the General Data Protection Regulations (GDPR).
For the delivery of health services and administration the lawful basis we rely on and will apply to fulfil our obligation are:
- Article 6 (1) (e) - The processing is necessary for the Trust to perform a task in the public interest of the Trust’s official functions, where the task has a clear basis in law. (i.e. for the processing of personal data)
- Article 9 (2) (h) - The processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services Health and Social Care Act 2015. (i.e. for the processing of sensitive data)
If we do collect secondary data from you for non-health care purposes for e.g. research audits, service improvements and contract monitoring we will require your explicit consent for this. The legal conditions relied on where this situation applies are:
- Article 6 (1) (a) – The processing has been given explicit consent (i.e. for personal data)
- Article 9 (2) (a) – The processing has been given explicit consent (i.e. for special category data)
How we protect your Privacy - Information Confidentiality and Data Security
As an NHS organisation we have a set of strict information security and data protection policies and procedures to ensure we protect your privacy and confidentiality.
Our staffs have a duty of confidence and written contract statements which require them to maintain strict confidence and keep personal information disclosed by you or created by us during your encounter with us in strict confidence.
If you suspect a member of our staff has been indiscrete with your personal information (such as sharing it for non-health related organisations, or harassing you at home or work) please do not hesitate to contact the Trust with a written complaint via our patient’s complaint team.
The Trust has secure encrypted networks (at rest and transfer) and appropriate IT safeguards such as the NHS Smartcard to ensure data is protected from unauthorised access, hacking and loss. Access to systems is based on role privileges and responsibilities and system audits are regularly undertaken to ensure our controls remain fit for purpose.
Any third parties (i.e. data processors) that are deployed to support us are robustly verified in terms of their governance controls and are legally and contractually bound to operate in a secure environment with appropriate security arrangements in place.
Employees of Barnet, Enfield and Haringey Mental Health Trust are not allowed to support their relatives or family members to view or obtain information from their record. Employees of the Trust, who deliberately view or look at records of patients they do not have legitimate clinical employment relationship with; will be subjected to displinary actions.
How we share information
As a Trust we may share your information internally as well as with a variety of other external individuals and organisations that are involved in your direct care and for other legitimate reasons including for the purpose of safeguarding individuals and crime investigation and prevention. For example this may be with:
- Your friends, family and carers (including anyone who has the authority to act as your Power of Attorney or deputy for the provision of social or healthcare, vital interests or with consent if applicable);
- Other Healthcare and Multi-Disciplinary Teams e.g. other NHS Trusts (Acute Health/Mental Health), General Practitioners (GPs), Private Care Providers, Emergency Services, NHS 111, Ambulance Services, CCGs;
- Social Services and Local authorities;
- Education Services;
- Regulators and Safeguarding Authorities/Commissioners who may be involved in investigating a regulatory obligation e. g. Multi Agency Safeguarding Hub, the Care Quality Commission (CQC), Public Health England, the Police and Information Commissioners Office etc.;
- The Trust’s service providers such as the Trust’s language and sign language interpretation/translation and telephone call recording service;
- Professional advisors such as lawyers in the exercise or defense or legal claims;
- Charitable organisations that support the provision of further care (e.g. hospices) and funding treatments;
- Bulk mailing providers in order to communicate with our patients to satisfy our legal obligations and healthcare requirements.
In limited circumstances information may be shared with the Police and other law enforcement agencies where there is a need to:
- Protect the public safety of you or others;
- There is a legitimate enquiry to trace a missing person or prosecute or apprehend a person for a serious crime;
- There is a safeguarding matter involving a vulnerable child or adult;
- There is a legitimate fraud investigation being undertaken on you; or
- We have a received a Court Order requesting information about you.
The Trust currently works with the Metropolitan Police to support the work of the Serenity Integrated Mentoring (SIM) and High Intensity Network; which is an initiative aimed at reducing the number of people detained by the Police under S136 of the Mental Health Act (MHA) in the community. All data shared is in accordance with Data Protection Legislation.
Where information is shared, this will be done proportionately to the legal requirement of the request.
When and where we will share your Information without your consent
In certain circumstances the health care organisations are legally and morally obliged to share your information. In some of these circumstances your consent will not be requested by us for this sharing to take place and we may not be obliged or able to report that the sharing has taken place.
The following list includes, but is not limited to, such circumstances:
Courts (civil and criminal)
If a court serves the Trust a court order we are obliged to provide the requested information. It is the responsibility of the court to contact you to inform you of their actions.
Department of Health
The Department of Health requires us to submit information for performance and financial monitoring purposes.
Police and law enforcement
Police and other law enforcement agencies can require us to submit information they require to fulfil their investigation. Most only have powers to request information when investigating criminal matters. We would in most cases be unable to inform you that your information has been shared until after the investigation had been completed.
Professional bodies, such as the General British Medical Association Council or the Nursing and Midwifery Council have obligations to ensure their licensed members adhere to their codes of practice. Under some circumstances they can request information to assist in malpractice or misconduct investigations.
National Government department
Some National Government departments have powers to request information to assist in their investigations (eg The Home Office).
National Disease Registries or Research Projects
The Trust may by law be obliged to report some communicable diseases if a service user is infected (e.g. COVID-19, Influenza, and Tuberculosis). We may also be required to submit information to national research registries (e.g. Heart Disease, Cancer) under the Data Protection Act 1998.
We are required by law to report suspicion of, or documented cases of, abuse, neglect or circumstances of risk. Similarly we are obliged to support the investigations of Social Services, particularly in regards vulnerable individuals (Children and Adult), which may require us to release information. In this circumstance however the
Trust is obliged to release only the information it considers necessary and would rarely release an entire set of care records.
The Trust may have other legitimate needs to share your information, under its public task obligation, to fulfil some information sharing requirements; this will depend on the care service you are engaged with.
Information Sharing Initiatives
Health Information Exchange (HIE)
Health Information Exchange (HIE) is a National information sharing initiative across the health service to support delivery of timely and safe “Direct” care to patients at any healthcare setting. The initiative is to improve the services you receive from health care professionals wherever you are being treated or go to receive treatment.
The Health Information exchange in North Central London (NCL), between all North Central London NHS providers, including Acute hospitals, Specialist hospitals, Community Providers, Mental Health Providers including GPs and the London Ambulance Service (LAS), have joined up to facilitate the sharing of health information via the Health Information Exchange (HIE) to improve the services you receive when you present at any care setting.
The connectivity via the HIE system will enable the healthcare professional treating you at any of the above listed care settings to view health data that is held about your care. This information sharing on HIE provides the benefit of a broad understanding of your current condition without the need for you to repeat them to the health professional treating you.
National Record Locator Programme (NRL)
The Trust is also enabling the sharing of Mental Health crisis plans with the Ambulance Service in a mental health crisis situation via NHS Digital’s National record locator programme to enable better care and information to be provided, when a 999 or 111 call is made in an emergency situation.
Further Information on the National Record Locator (“NRL”) is available on NHS Digital’s public-facing internet pages: https://digital.nhs.uk/services/national-record-locator
What does this mean for you?
Health and care professionals have shared information on paper for many years – we are now able to do this using digital technology.
When you visit one of our hospitals in North Central London or your GP, your healthcare worker will have all the information to hand to treat you effectively and efficiently. You will not need to provide the full story of your symptoms, what happened or the medicines you were prescribed, as this will be already accessible from your notes via the HIE platform.
Information will be available in real time – or in some cases within 24 hours – and will ensure your health and care teams have the most up to date information about your care.
Under General Data Protection Regulations (GDPR), information will only be shared and accessed on a strictly need to know basis by health by care professionals across the settings, only for the purposes of providing you with direct care. Your data is securely held on this platform, with strict access control and audits.
What are the benefits of joined-up records?
Joined up health records provides many advantages in the delivery of care by health care professionals and for people using health and care services, as follows:
- Everyone involved in your direct care will have the whole picture, when you visit somewhere different for care or meet a new care professional, they will have access to your health and care information and you won’t need to repeat your story.
- The results of common tests (for example blood tests) will be available to everyone involved in your care, regardless of where the test took place, reducing the need to repeat them or obtain printed results.
For us and other health and social care professionals:
- There is up-to-date information to plan and improve your care and make more informed decisions.
- Less time will be spent on finding out relevant information from different health and social care organisations and IT systems, saving time and reduce duplication and recording of information across records.
- We can work as a team across North Central London to identify opportunities for improvement, such as analysing health needs for specific patient groups.
- Seeing if there are needs to be more focus on providing physical health checks for people with learning disabilities.
More information on the benefits of NCL’s Health Information Exchange and what it means for you is available on the North Central London Partner's website.
Do I have a choice?
Due to the COVID-19 (coronavirus) pandemic and in the public interest all health and care organisations are currently required to share and process data. This is to ensure health and care professionals have access to vital information to make quicker, safer decisions about your care.
The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure. Therefore, the national data opt-out will not apply to data sharing for the purposes of responding to Covid-19. This directive is currently in place until 30 September 2021 and may be subject to further review. For more information on how to opt out, please click here: www.northlondonpartners.org.uk/ourplan/Areas-of-work/Digital/Info-residents/opt-out-form.htm
Where can I find out more?
Read more about this on the North London Partners website.
National Data Opt Out Service
In order to improve your individual care, we may securely share your information with others whenever you attend our Services. Should you not want your information to be shared or used beyond the provision of your direct care then you can choose to opt out. This is called a National Opt Out.
If you choose to opt out, Barnet, Enfield and Haringey Mental Health NHS Trust will apply an opt out to your record. If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice then you will not need to do anything.
Please note you can change your mind on this at any time. The Trust will respect your decision for your information not to be shared for any other purposes unless we are legally obliged to do so.
All health and social care organisations are required to have all national data opts out applied by 30 September 2021.
Patients can find out more about this and set their opt-out choice by clicking on this link nhs.uk/your-nhs-data-matters or by calling 0300 303 5678.
Cross Border Data Transfers
The Trust does not transfer any personal data outside of the UK. If however, we do need to transfer your data overseas appropriate safeguards will be put in place to protect the transfer of your data. If data needs to be transferred outside of the UK to a third country we will inform you of this before it is done.
The Trust routinely records all crises calls for quality control and training purposes and to prevent crime, staff abuse and non-compliance with Trust procedures. Service users are entitled to a copy of the recording as per their subject access rights.
CCTV and Body Warn Cameras
The Trust employs CCTV cameras and body worn surveillance cameras across its Trust sites and departments in order to provide a safe environment for its service users, staff and visitors. Posters and CCTV signage have been placed in all areas where cameras are located to inform members of the public that they may be recorded on CCTV for the purposes of crime prevention, crime detection and the promotion of public safety. It is anticipated these cameras will assist with our car management facilities, the verification of claims and act as a deterrent to reduce unlawful activity and abuse and violence towards our staff and third parties.
You have a right to request a copy of any surveillance that may have been recorded about you subject to the exemptions of data protection legislation. Please note this legal right does not entitle you to any third party information.
All CCTV images are retained by the Trust for 30 days.
Please refer to our CCTV web page for further information.
Car Park Management
Our car park facilities are provided through a third party company contract. The contractor will collect vehicle information on behalf of the Trust to support traffic flows and prevent and detect crime and ensure individuals do not park in any restricted areas. Further information about this is provided through our Estate Services contact Trust switch board for details 020 8702 3000..
SMS Texts and Emails
The Trust employs various methods to keep in touch with its service users. As a service user you may be asked if we can contact you by either post, email or by text message in order to receive appointment reminders, automated calls or service information. From our initial point of contact, we will always record your preferences and choose to contact you in this way. Please be mindful that you have a right to change these options at any time. Please ensure that we hold an accurate email address or mobile telephone number to contact you on.
Data Protection by Design
The Trust carries out Data Protection Impact Assessments (DPIA) in accordance with the General Data Protection Regulations (GDPR), when contemplating new projects that involve the use of personal data or changes in processing operations. These are not published but are available on request from the Trust’s Data Protection Officer at the contact details below.
Retention of Data
The Trust retains all data in accordance with the Trust’s Record Management Policy and Retention Schedule which is in accordance with the Records Management Code of Practice for Health and Social Care 2016.
All records have a minimum retention period and will be disposed securely once they reach their recommended retention period. The retention period for typical records across the Trust include:
- Adult Mental Health records – 20 years from closure date.
- Deceased records of mental health patients – 8 years from date of death.
Children records are kept until their 25th birthday or 26th birthday depending on their age at the conclusion of treatment.
Data Subject Rights
Under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 all service users have a range of legal rights.
You should be aware that in certain circumstances your right to see some details in your health records may be limited or withheld in your own interest or for other reasons; this will always be in accordance with the GDPR/Data Protection Act 2018. The “serious harms test” will be applied to most information requests before disclosures by the Trust. This means some information may be withheld based on Health Care Professional (Clinician) Judgement.
The Trust will endeavour to respond to your request within the 30days time line. However, due to the current position of things in the NHS re COVID 19 the response may be delayed beyond the time line. Your request may also be delayed if it is complex and require more time to be processed, in which case an extension will be applied which may be up to 3 months or more, you will be notified of this by the clinical team if this applies to you.
The Trust is only responsible for providing information, which is held by us.
You do not need to give a reason to access your health records.
As a service user you have:
a) A Right to be Informed
To be provided with information in a concise, transparent, intelligible and clear, plain language format about how your data is handled. This is outlined in this Privacy Notice.
b) A Right to Access
You have a right to access information held about you. This is known as a Subject Access Request (SAR). All SARs are free (unless they are complex or voluminous by scope where an administrative charge may be applied) and must be processed within one month (i.e. 30 calendar days) of the Trust receiving the request.
All requests for access to health records must be referred to the Medical Records Team at the address below. For further information on this please refer to our medical records page.
c) A Right to Erasure (also known as a Right to be Forgotten)
Service users have a right to request the erasure of their personal data where:
- The personal data is no longer needed and has reached its retention period;
- There are no legitimate reasons for the Trust holding the data;
- The personal data has been unlawfully processed;
- You have withdrawn your consent for the processing of your data.
d) A Right to Rectification
You have a right to request without any undue delay the rectification or update of any inaccurate data we may hold about you. All requests must be responded to within 30 days (i.e. one month) from the receipt date of the request.
e) A Right to Restrict Processing
You have a right to restrict any processing of data where the accuracy of the data is contested. This means that we will only store your data and not share it or further process it except in limited circumstances.
f) A Right to Object
You have a right to object to how your data is used for e.g. for direct marketing. This right applies to all processing involving scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest.)
g) A Right to Data Portability
You have a right to request data to be transmitted directly from one data controller to another where it is on the basis of consent and automated means. To achieve this process must be technically possible.
h) A Right to Automated Decision Making and Profiling
Automated decision making does not take place in the Trust.
Your right to complain
Raising a General Complaint or Concern
Any service users who have a general concern or complaint about any aspect of their care or treatment at the Trust should contact the Patient Experience Team at the following email address: email@example.com or 020 8702 4700
Raising an Information Governance Complaint or Concern
The Data Protection Officer is the main contact point for all data protection enquiries and any investigations received from the Information Commissioner’s office.
The Data Protection Officer for the Trust is:
The Information Governance Manager
St Ann’s Hospital
St Ann’s Road
Tel: 020 8702 4134
The Medical Records Team is the main contact point for all access to health records requests. They can be contacted at: firstname.lastname@example.org
Information Commissioner’s Office (ICO)
You have a right to make a complaint to the Information Commissioner’s Office (ICO) at any time. However, we would appreciate the chance to deal with your concerns before you approach the ICO. Please contact us in the first instance via our Patient Experience Team via email email@example.com or call 020 8702 4700.
For independent advice you have a right to submit a complaint to the Information Commissioner’s Office. The ICO is the UK’s independent body for overseeing all data protection matters. Do be mindful that the ICO will only consider any complaints once an organisation’s internal procedures have been exhausted. The ICO can be contacted at:
Information Commissioner’s Office
Helpline: 0303 123 1113 (local rate) or 01625 545 745
The Trust’s Data Protection Registration
For the purposes of this Privacy Notice, the Trust is registered as a Data Controller. Our DP registration number is: Z8836068.
Our registration can be viewed online via the public register on the ICO website.
Further information about the way we handle your personal data can be found in our patient leaflet: Protecting Your Information leaflet (PDF document)
Changes to this Privacy Notice
The Trust reserves the right to make any changes to this Privacy Notice at any time and will provide you with any substantial updates as and when necessary.
Last updated March 2021