Community Children’s Health Partnership Privacy Notice
Sirona (Sirona care & health C.I.C) is a Data Controller and is registered with the Information Commissioner’s Office (ICO), registration number is Z2861455. Our registered office is Sirona care & health, 2nd Floor, Kingswood Civic Centre, High Street, Kingswood, Bristol, BS15 9TR.
As an organisation, we are committed to protecting the information you provide us with and respecting you and your family’s privacy in accordance with the Data Protection Act 2018 (DPA18) and the UK General Data Protection Regulation (UK GDPR).
This notice explains what information we collect, why we collect it and how we keep it secure. It also explains your rights and our legal obligation. We undertake information audits to establish clear lines on what personal data we hold and what we do with it.
Although we provide healthcare services for children and young people, our website is not intended for children directly. This privacy notice covers how we process data of our children and young people and of their guardians/ families. It is aimed at the parents and other legal guardians of the children and young people in our care, as it covers their data as well as the data of the child/young person (who may find it difficult to understand this privacy notice either by virtue of their young age or lack of mental capacity).
We also have the following Privacy notices that are specific to services we provide:
ChatHealth (School Nursing Service)
Staff and Bank workers (Recruitment)
Notification of changes to this privacy notice
This privacy notice was last updated in May 2023.
If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current legislation. For all queries relating to our privacy notice, please email: Sirona.dataprotection@nhs.net
Why we collect information about you/your child
A partnership called the Community Children’s Health Partnership (CCHP) exists between Sirona care & health CIC, Avon and Wiltshire Mental Health Partnership NHS Trust and Barnardo’s. Its purpose is to provide healthcare to children and young people and child and adolescent mental health services across Bristol, North Somerset and South Gloucestershire. For the purposes of the UK Data Protection Act 2018 and EU General Data Protection Regulations 2018, the partner organisations are all Data Controllers of information they are individually responsible for.
Our aim is to provide you and your family with the highest quality care. To do this we must keep records about you and family members, the health and the care we have provided or plan to provide. It is important for us to have a complete picture as this information enables us to provide the right care to meet individual’s needs.
What information is collected and by whom
The records we keep can be collected in paper form or electronically (or both) and may include:
- Personal details about your child including name, address, gender, date of birth, next of kin, NHS number.
- Data about you including title, name, address, marital status, email address, telephone numbers, ethnicity, religion and name and age of any siblings.
- We may also hold sensitive personal information including details and records of treatment and care; contacts we have had with you or your child such as appointments, attendances and home visits; results of investigations including x-rays, scans, blood tests; relevant information from other people such as heath and social care professionals, teachers, relatives etc; data about you, your child or your family disclosed to us from you or from third party sources in relation to criminal records and convictions.
How do we collect information?
Your or your child’s information can be collected in a number of different ways. This might be from a referral made by your GP or another health or social care professional you have seen, or perhaps directly from you in person, over the phone or on a form you have completed.
How the NHS and care services use information
Your child’s personal data and health records are used to plan the care or treatment by doctors, nurses or any other care professionals, such as social care staff, to ensure we provide the best possible care.
Sirona is one of many organisations working in the health and care system to improve care for patients and the public. The information collected about you or your child when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All this helps to provide better care for you, your family and future generations.
Information may be shared with other organisations to enable the continuation and/or support of care eg. NHS Trusts, your GP, clinical networks, etc. We may also share some information, subject to strict agreement on how it will be used, with local authorities, education services, voluntary or private care providers. If it’s necessary to be referred to another service for further treatment, relevant information about medical conditions and care will be sent to that service. Information may be shared to provide out-of-hours clinical support, or other support services, such as transport. All such services are bound by the Common Law of Confidentiality and local agreements. There are occasions where we have a legal duty to pass information to relevant authorities. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others.
Our legal basis for processing personal data
Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the UK GDPR. The legal bases for most of our processing are:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:
Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special categories data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
Where we process special categories data for employment or safeguarding purposes the condition is:
Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
Sirona may rely on the following legal bases when processing either your or your child’s personal information:
When required to comply with the law. This may be in circumstances to:
- Communicating when things go wrong: we have a duty which is set out under The Health and Social Care Act 2008 (HSC) 2008 to report incidents, set out in the HSC 2008.
- Safeguard individuals, set out in the (Safeguarding Vulnerable Groups Act 2006), Children Act 1989 & 2004.
- Notify officials of infectious diseases which present significant risk to human health and the wider public, set out in The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010.
- Support other organisations with their regulatory requirements, eg Care Quality Commission (CQC), Information Commissioner's Office (ICO).
- Support detection, investigation or to prevent a serious crime, monitor referral to treatment times and ensuring compliance with the NHS Constitution and the NHS Operating Framework, conduct audits to measure compliance with the law (e.g., Confidentiality Audits), respond to the rights of individuals requests under data protection law, share information relating to vulnerable individuals with emergency services in the event of an emergency (Civil Contingencies Act 2004).
- To support court orders requiring us to share information.
Vital interests
To protect someone’s life. This may be in circumstances to:
- Share information to safeguard an individual and therefore prevent harm.
Public task
When carrying out statutory, governmental or statutory functions. This may be in circumstances to:
- Deliver patient care, when responding to complaints or concerns relating to the delivery of care, when monitoring patient pathways, to share information about a patient for their direct care (subject to both the common law duty of confidence, data protection legislation), and statutory duty under section 251B of the Health and Social Care Act 2012, to manage waiting lists, performance against national targets, activity monitoring e.g. number of referrals, when undertaking local clinical audits, commission funding for treatment and/or equipment.
Legitimate interests
This may be in circumstances to:
- Support business functions, eg raising system level tickets, arranging access to system, take photos of service users to publish on twitter and interests’ websites, for general website enquiries, store next of kin data in the event of a medical emergency record of CCTV.
Other legal obligations
We recognise the importance of protecting personal and confidential information in all that we do, and take great care to meet our legal and other duties, including compliance with the following:
- UK General Data Protection Regulation (GDPR) and Data Protection Act 2018
- Human Rights Act 1998
- Access to Health Records Act 1990
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- Copyright Design and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice for Health & Social Care 2016
- Accessible Information Standard
Any personal information we hold about you/your child is processed for the purposes of ‘provision of health or social care or treatment or the management of health or social care systems’ and services under chapter 2, section 9 of the Data Protection Act 2018.
How we share information
In circumstances where we need to share your or your child’s personal data; we will always ensure this is conducted lawfully and account the justifications for doing so. Under current data protection legislation, we are authorised to share health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share health records beyond these purposes. Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can remove any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal.
When sharing information external to our organisation, Sirona will always assess the potential benefits and risks to you and others, we will weigh the proportionality for the purpose and what we are trying to achieve by this activity. We will also consider if the objective be achieved without sharing personal data and have measures to ensure adequate security is in place to protect the data when sharing this.
Sometimes we are required by law to disclose or report certain information that may include details that identify you/your child. However, this is only done after formal authority by the courts or by a qualified health professional. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others as stated above
Overseas transfers
Information about you or your child will not normally be sent outside of the United Kingdom (UK). For any request to transfer your data outside of the UK, we will make sure that an adequate level of protection is guaranteed before the transfer happens.
Retention of records
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for the specific purposes. All records are kept in line with the NHS Records Management Code of Practice 2021 and the Retention Schedule.
Sirona will regularly review the length of time we keep your personal data and securely delete information that is no longer needed for the purposes it was originally intended. This process will enable clear and accurate data, keeping it up to date, available and confidential.
National data opt out
Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you/your child is collected in a record for that service. Collecting this information helps to ensure your child gets the best possible care and treatment.
The information collected when you use these services can also be used and provided to other organisations for purposes beyond an individual’s care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential information about you or your child’s health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential information will still be used to support you or your child’s individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
Protecting information
Everyone working for, or with Sirona, has a legal duty to keep information about you or your child secure and confidential at all times. Staff are trained on requirements of keeping data secure and the Common Law of Confidentiality. We are committed to protecting you and your family’s privacy and will only process data in accordance with legislation.
Strict principles govern our use of information and our duty to ensure that it is kept safe and secure. Information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information, can get access. This might be through the use of technology or other environmental safeguards.
What are your data protection rights?
Right of access
We have a duty to provide you with rights of access to your data when requested.
Under Data Protection Legislation, individuals have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR).
To obtain a copy of your child’s health records, please submit your request to the Sirona Subject Access Request Team.
Mail: Sirona care & health, 2nd Floor, Kingswood Civic Centre, High Street, Kingswood, Bristol, BS15 9TR.
Email: Sirona.dataprotection@nhs.net
You will need to provide your child’s information (e.g., full name, address, date of birth, Hospital/NHS number) and forms of identification which may include proof of parental responsibility. Those with parental responsibility have a statutory right to apply for access to their children’s health records, although if the child is capable of giving consent, he or she must consent to the access.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Where parents are separated and one of them applies for access to the record, health professionals are under no obligation to inform the other parent, although they may consider doing so if they believe it to be in the child’s best interests.
If you wish for another person to process your request on your behalf, they will need to obtain your written permission to do so before we can provide copies of health records. This ensures we are providing confidential information to authorised persons(s).
An individual may choose to nominate a representative (such as a solicitor or relative) to make a request on their behalf, however when this happens the request must be explicitly authorised by the person (e.g., evidenced by a signed letter of consent).
Young people with capacity have the legal right to access their own health records and can allow or prevent access by others, including their parents. But we would not allow them access to information that would cause them serious harm or any information about another person without the other person’s consent.
You cannot make a request to access records of a deceased individual under the Data Protection Act 2018/ UK GDPR. Requests are processed under the Access to Health Records Act 1990.
Further guidance and assistance can be obtained from the Subject Access Request Team.
Under data protection legislation, you also have a right to:
Be informed
Be informed about the collection and use of your or your child’s personal data. This communication is achieved through this privacy notice.
Object and restrict
The legislation gives individuals the right to object to the processing of their personal data in some circumstances. This will depend on the legal basis (as described above) for processing your information. In order to formally object, you will need to do so verbally or in writing to Sirona.dataprotection@nhs.net
Request the restriction of your personal data, however this will only apply when/if you contest the accuracy of the personal data, the data has been unlawfully processed and/if you oppose erasure and requests. You can make a request for restriction verbally or in writing to Sirona.dataprotection@nhs.net
Rectification and erasure
Have inaccurate personal data rectified or completed if it is incomplete. The legislation states that ‘personal data is inaccurate if it is incorrect or misleading as to any matter of fact.’ You can make a request for rectification verbally or in writing to Sirona.dataprotection@nhs.net
Consent
When you are providing consent for the purpose of processing your personal data and activity, you will always have the freely given right to actively accept and withdraw.
Sirona manages consent when processing data in the following ways:
- Regularly reviewing consent to check that the relationship with the individual and the purpose for processing information has not changed.
- By having appropriate processes in place to refresh consent at appropriate intervals, including any parental consents.
- Acting on withdrawals of consent as soon as reasonably possible.
What we ask of you
Please:
- Let us know when you change address or name
- Tell us if any information in your record is incorrect
- Tell us if you change your mind about how we share the information in your record.
Contact information and further advice
If you would like to know more about how we use your or your child’s information, require information in any accessible format or language or if (for any reason) you do not wish to have information used in any of the ways described, please contact:
Data Protection Officer
Sirona care & health
Kingswood Civic Centre (2nd Floor)
High Street
Kingswood
South Gloucestershire
BS15 9TR
Email: Sirona.dataprotection@nhs.net
How can you make a complaint?
You have the right to make a complaint if you feel unhappy about how we hold, use or share your or your child’s information. We would recommend contacting our Data Protection Officer (contact details above) in the first instance to talk through any concerns that you have.
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office. Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your right of complaint to us directly.
Mail: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 (local rate) or 01625 545 745
Email: casework@ico.org.uk
Website: www.ico.org.uk
Our website and your information
We take the handling of individual’s personal data extremely seriously. This includes any information provided via this website. We will retain any information submitted online, in digital and/or hard copy form, in order to respond or deal with any request, enquiry, feedback or other submission you may have made.
While we take every precaution to protect the information supplied to us, we cannot guarantee the safety of emails sent in. All information sent via this website or email is done so at the owner’s risk, therefore you may wish to call us if you need to pass on sensitive or confidential information. Any personal information submitted in the form of a job application will be used only for the purpose of processing that application. You might find links to third party websites on our website. These websites should have their own privacy notices which you should check. We do not accept any responsibility or liability for their notices whatsoever as we have no control over them.
Cookies
By using this website, you may receive certain third-party cookies on your computer. Third party cookies may be used on this website for improvement of our products or services. These cookies are not integral to the services provided by the website. All cookies used by this website are used in accordance with current UK and EU Cookie Law. Certain features of the website may depend upon cookies to function. UK and EU Cookie Law deems these cookies to be strictly necessary. This website uses analytics services provided by Google Analytics. Website analytics refers to a set of tools used to collect and analyse usage statistics, enabling us to better understand how users use the website. This, in turn, enables us to improve the website and the products services offered through it. Whilst our use of them does not pose any risk to your privacy or your safe use of the website, it does enable us to continually improve our business.
You can choose to enable or disable cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third-party cookies. By default, most internet browsers accept cookies but this can be changed. For further details, please consult the help menu in your internet browser. You can choose to delete cookies at any time however you may lose any information that enables you to access the website more quickly and efficiently including, but not limited to, personalisation settings.
Changes to this policy
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the last updated date as documented in the version control (below).
We reserve the right to change this notice as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the website, and you are deemed to have accepted the terms of the notice on your first use of the website following the alterations.
Connecting Care
Connecting Care is a digital care record system for sharing information in Bristol, North Somerset and South Gloucestershire. It allows instant, secure access to health and social care records for the professionals involved in your or your child’s care.
Further information about ‘Connecting Care’ can be found using the web link below. This includes details about how you can ‘opt out’ of having your information being accessed by appropriate staff.
https://www.connectingcarebnssg.co.uk/
Your contact with local Connecting Care NHS Partner Organisations may result in them seeking your consent to participate in a research study. Where you have consented to participate in such a study, the research team may access the information held by GPs and hospital Trusts through Connecting Care to ensure that your participation (or those that you are responsible for) will not put you at risk of increased harm and is suitable for the aims of the study. If you later choose to withdraw from the study, the research team will discuss the use of your information with you. As part of the consent process, the research team will inform you of the information they would seek access to.
Information updated: May 2023