Dudley Integrated Health and Care NHS Trust Privacy Statement

  • COVID-19 Data Sharing and interim processes

    COVID-19 Privacy Notice Update

    Updated 29th September 2020

    This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. This supplements the Trust's main Privacy Notice.

    Throughout the COVID-19 pandemic across the Trust our services will be working under alternative agile conditions.  This is to safeguard our service users and staff against the virus.

    During this period of emergency we may contact you by alternative methods to ensure that our staff can continue to provide a service to you.  Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.  Alternative contact methods include:

    • Text Message
    • Video conferencing; please be aware that by accepting the invitation and entering the consultation you are consenting to this.
    • Email
    • Telephone calls

    If you have any concerns with how staff are contacting you please raise this with the staff members.

    In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

    The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. 

    Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.

    There are new data sharing requirements that the Trust must comply with to support the national public health review of COVID-19.  Information will be shared linked to COVID-19 for the following purposes:

    • To ensure that services remain available and accessible
    • To monitor trends in the virus
    • To understand areas of risk of contracting the virus
    • To monitor and manage the response to COVID-19
    • To monitor the effectiveness of capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
    • To support research and planning in relation to Covid-19.

    We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.  

    NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

    Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. 

    All information shared linked to COVID-19 is in line with the Data Protection Act 2018/GDPR as well as Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002.

    In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

    Please note that this does not affect your usual rights under the Data Protection Act 2018.  However, be mindful that if you do require access to your records or want to enforce any other rights under Data Protection there may be a delay in providing you with a full response to these requests, as staff are focusing efforts on frontline services to assist with the demand faced by services due to COVID-19.

    NHS Track and Trace

    The NHS test and trace service:

    • ensures that anyone who develops symptoms of coronavirus (COVID-19) can quickly be tested to find out if they have the virus, and also includes targeted asymptomatic testing of NHS and social care staff and care home residents
    • helps trace close recent contacts of anyone who tests positive for coronavirus and, if necessary, notifies them that they must self-isolate at home to help stop the spread of the virus.

    NHS Test and Trace is a key part of the country’s ongoing COVID-19 response and is run by the Department for Health and Social Care (DHSC). It includes dedicated contact-tracing staff working at national level under the supervision of Public Health England (PHE) and local public health experts who manage more complex cases.

    Maintaining records of staff, customers and visitors (and sharing these with NHS Test and Trace where requested) can help to identify people who may have been exposed to the virus.

    The Trust is collecting information about visitors and staff to support the NHS Track and Trace process.  Where an individual develops symptoms of COVID-19 and identifies that they have been within Trust locations we may need to share information of other individuals that the person may have been in contact with.

    Due to this the Trust will collect information in relation to visitors:

    • Name
    • Contact telephone number
    • Email address
    • Time of arrival
    • Time of departure

    Staff who visit sites that are not their usual working base or location will also be required to sign the visitors log and provide the following information:

    • Name
    • Job title
    • Time of arrival
    • Time of departure

    This information will be collected on site at the point of entry within each Trust location.  It will be secured daily and held for 21 days; following which the information will be destroyed.

    In relation to staff information, if it is confirmed that you contracted COVID-19 from a work-related exposure the Trust is obliged to report this to the Health and Safety Executive.

    The Trust's legal basis for sharing the data with DHSC, and for DHSC’s processing of your personal data, is:

    • GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
    • GDPR Article 9(2)(h): the processing is necessary for the management of health or social care systems and services
    • GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health
    • DPA 2018 – Schedule 1, Part 1, s.3: Public Health
    • DPA 2018 – Schedule 1, Part 1, (2)(2)(f): Health or social care purposes

    If you have any queries around the Trust's use and sharing of data in relation to the Track and Trace service please contact the Trust's Data Protection Officer.

    RAPTOR Clinical Trial

    Pensnett Assessment Centre (Dudley Red Centre) is collaborating with the RAPTOR Clinical Trial run by Oxford University (RAPid Testing fOR Covid-19). RAPTOR will gather one or more throat swabs and a blood test from each patient to allow comparison of the sensitivity and specificity of various swabs. This will improve knowledge of the value of each test.

    Pensnett Assessment Centre is run by Dudley Integrated Health & Care NHS Trust (DIHC) who are signing a Data Processing Agreement with uMed who administer the RAPTOR Trial alongside Oxford University.

    DIHC is satisfied that the trial is being run to a high standard with excellent Information Governance. Formal consent will be taken with each patient according to the study protocol by staff at Pensnett Assessment Centre. 

    We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.


  • Who is the Data Protection Officer?

    The Data Protection Officer (DPO) is:

    Katie Sparrow, Head of Information Governance (and DPO)


    Tel: 0121 612 8017

    The Data Protection Officer operates independently on how to deal with data protection matters putting patient rights at the heart of their decision making process.  The Data Protection Officer will be the first point of call for individuals, such as patients, whose data is being processed, but will also be the person for staff to turn to relating to any data protection queries.

  • How do I access my health record?

    Any request for access to health records should be forwarded on to:

    Information Governance Team
    Delta House
    Delta Point
    Greets Green Road
    West Bromwich B70 9PL


    Telephone: 0121 612 8037

  • Why do we collect information about you?

    Your doctor and the team of Health Professionals caring for you keep records about your health and any care or treatment you receive from the NHS. These records help to ensure that you receive the best possible care.

    They will need to keep records, which may be written or held on computer, about your health and the care and treatment that you are receiving from them.

  • What will we collect?

    The records that we keep about you will include:

    • Personal details about you, such as name, address, date of birth, next of kin and telephone numbers.
    • Sensitive details about you such as ethnicity, gender, what you are doing at the moment and what problems, if any, you may have.
    • Any contact that we have had with you previously
    • Notes and reports about your health and any treatment you have and may receive.
    • Results of investigations and tests.
    • Relevant information from people who care for you and know you well such as other health professionals and relatives.

    It is essential that we have your correct details to ensure the appropriate care and treatment is provided to you. If your details change, please inform us as soon as possible.

  • What will we do with it?

    Our staff will use this information to enable them to assess your health and to decide what care and treatment you will need. To maintain the accuracy of this information it will be regularly updated and kept securely.

    Your information can also be used for statistical purposes; in these cases we take strict confidentiality measures to ensure that the information is anonymous so individual patients cannot be identified.

    Patient records can also be used within audit and for teaching purposes; in these cases we use anonymous information when possible.

    In working together for your benefit we may need to share some information with others involved in your care.

    If you are involved in a research project or your information is used for non-medical purposes, you will be asked for consent before your information is used.

    We will only ever use or pass on information about you with others involved in your care where we have consent to do so. However there may be occasions where we have a statutory obligation to do so by law.

  • Do we share your information?

    Yes, the organisation does share information. We may need to share some information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.

    You may be receiving care from other people as well as the NHS (e.g. Social Services). We may need to share information about you with them so we can all work together for your benefit. We will only ever pass this information about you if:

    • They have a genuine need for it such as where there is a danger of harm to a child or vulnerable adult or to aid the prevention and detection of serious crime
    • There is a court order
    • We have your consent

    We will not disclose your information to a third party without your consent unless there are exceptional circumstances, such as when the health and safety of others is at risk or if the law requires us to.

  • How long do we hold your information?

    We follow destruction and retention periods as set out in the NHS Record Management Code of Practice.

    Our Record Management Policies and Procedures in relation to retention and destruction of information have been produced in line with the Code of Practice and are available via our Publication Scheme.

  • Your Rights

    1) Restrict Disclosure of Information:

    You do have the right to restrict the disclosure of your personal information. By choosing this option, it may make the provision of care or treatment you receive more difficult or unavailable and we will fully inform you of this. You can also change your mind at any time about a disclosure decision.

    2) Access to your Information:

    The General Data Protection Regulation allows you, the patient, or an individual acting on your behalf to view or have copies of your health record. The Act provides a right of access to your information; however the organisation is entitled to withhold information considered to be detrimental to the physical or mental health of the patient or other person, or if the information contains information given by a third party.

    3) Right to Rectification (to correct information held):

    You can ask for corrections to be made to your records and you are entitled to a copy of the correction, or, if the record is not corrected, the record holder’s note of the request and any discussion.

    4) Right to be Forgotten:

    You can ask for your information to be deleted/erased; however where the information we hold about you is for the provision of health not all information can be erased. You can request to have information erased via the Trust’s Information Governance Team 

    Information Governance Team
    Delta House
    Delta Point
    Greets Green Road
    West Bromwich B70 9PL


    Telephone: 0121 612 8037 

    5) Right to Restrict Processing:

    You have the right to limit the way in which we can use your data; this includes who we share data with. Please note that there are limitations to this as we need to ensure that we can meet your Health and Care needs. You can request to restrict the use of your data via the Information Governance Team (contact details are below)

    In addition to the above you also have the right to raise any complaints or concerns in relation to the use of your information with the Information Commissioner, who is the UK's supervisory body overseeing the Data Protection Act 2018 and GDPR.

  • We keep your health records secure

    Everyone working for the NHS has a legal duty to keep information about you confidential and secure under the General Data Protection Regulation / Data Protection and the Caldicott principles. We use the minimum amount of information required to inform the people who need to know to provide you care.

    Anyone who receives information from us is also under a legal duty to do the same and has a confidentiality clause in their contract. Breaking those rules can result in being dismissed.

  • Do we have a Lawful Basis for Processing your Information?

    Yes. The organisation has the following lawful basis for processing your information under Article 6 of the General Data Protection Regulation (GDPR):

    Public task:

    1 (e) the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

    In addition to this the organisation also uses special category data in line with Article 9 as follows:

    2 (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

    Please note that this does not include the processing of our staff information in line with their employment, the legal basis for this will differ due to the employment contract.

  • National Fraud Initiative

    Dudley Integrated Health and Care NHS Trust is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

    The Cabinet Office is responsible for carrying out data matching exercises.  Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

    We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the website.

  • Mental Health Alliance for Excellence, Resilience, Innovation and Training (MERIT)

    MERIT is exploring new models of care which will act as the blueprints for the NHS moving forward and the inspiration to the rest of the health and care system. MERIT comprises our Trust along with Black Country Healthcare NHS Foundation Trust, Birmingham and Solihull Mental Health NHS Foundation Trust and Coventry and Warwickshire Partnership NHS Trust.

    This unique mental health alliance will focus on three priority areas: Every day working in acute services, crisis care and the reduction of risk and recovery culture.

    Some of the specific transformations we want to see are:

    • Crisis care – exploring ways to map bed management and improving access and the patient experience
    • Recovery – helping people to gain and stay in employment, working better with local communities, and developing a way to track quality of life
    • Every day services (previously known as Seven Day Working) – exploring the benefits of weekend services, and charting comparisons with best practice in similar organisations
    • Equality and diversity – developing a bespoke equality impact assessment to support other work streams and exploring ways to gather improved equality data
    • Information technology – scoping options for a shared patient record
    • Quality governance – developing a mock inspection tool to develop a consistent standard, which will also support CQC inspections
    • Research and innovation – supplying evidence to support work stream priorities
    • Workforce – developing baselines for statutory training and wider workforce planning
  • Transfer of Services

    As Dudley Integrated Health and Care NHS Trust continues to grow and services transfer to the Trust, there will be a requirement to transfer data from organisations that previously managed such services.  This is to ensure that Dudley Integrated Health and Care NHS Trust is able to continue with the health and care provision for our service users. The information transferred will cover all health records linked to the specific service only.

    School Health Services transferred from Shropshire Community NHS Trust to Dudley Integrated Health and Care NHS Trust on 1st April 2021.

    Primary Care Network (PCN) Services, delivered via GP Practices, transferred to Dudley Integrated Health and Care NHS Trust on 1st April 2021. Previous health data from this service will remain within the service user's GP records; all records moving forward will be stored within PCN records held by Dudley Integrated Health and Care NHS Trust.