The Christie NHS Foundation Trust is one of Europe's leading cancer centres, treating over 44,000 patients a year. We provide a networked service that serves a population of 3.2 million across Greater Manchester & Cheshire delivering care as close to the patients home as possible. As a national specialist centre, around a quarter of our patients are referred to us from other parts of the country. 

This notice explains how we use and share your information. Information may be collected on paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners. 

The Christie NHS Foundation Trust is a registered Data Controller with the Information Commissioner’s Office (ICO) and our registration number is Z7091213. 

Principle one under the GDPR requires the Trust to ensure that all personal information held is processed under lawfulness, fairness and transparency. The sections below provide you with information about how we use and manage the information we hold about you, including how we share it within the NHS and with non-NHS organisations, and how we maintain confidentiality. 

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. 

Read more about our partnerships and joint ventures. 

See our directory of services to see what we offer. 

Read more about Data Protection Impact Assessments

The Christie NHS Foundation Trust is part of the Greater Manchester Health and Social Care Partnership (GMHSC), which was formed to oversee the devolution of health and social care services across Greater Manchester under a Sustainable Transformation Partnership (STPs). For further detail in relation to this, see the GMHSC website. 

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provide. The GM Care Record pulls together this key information about you from these different health and social care records and displays it in one combined record. This enables health and social care staff to find key information about your care in one place which helps them to make the most informed decisions and provide the best care to you as a patient or service user.

It is also essential that health and social care staff have access to the most up to date information including alerts that may be helpful for staff involved in your care. Further information about the use of your information within the GM Care Record can be found on the Health Innovation Manchester website.

Child-friendly privacy notices 

How the NHS and care services use your information

The Christie NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public). 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

 

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

 

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit the NHS website.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

 

You can also find out more about how patient information is used at the

HRA website (which covers health and care research) and the

understanding patient data website (which covers how and why patient information is used, the safeguards and how decisions are made)

 

You can change your mind about your choice at any time.

 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

 

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

 

Data Controller contact details

The Christie NHS Foundation Trust

Wilmslow Road

Manchester

M20 4BX

Tel No: 0161 446 3000

Data Protection Officer contact details

Data Protection Officer

The Christie NHS Foundation Trust Wilmslow Road

Manchester

M20 4BX

Tel no 0161 446 3043

Email : dpo@christie.nhs.uk

What kind of personal information does the Trust collect?

  • Name, address, date of birth, NHS number and next of kin
  • Details of diagnosis, treatment and hospital visits
  • Allergies and health conditions

The Trust use the Personal Demographics Service (PDS), which is the national electronic database provided by NHS Digital for holding NHS patient details such as name, address, date of birth and NHS Number (known as demographic information).  The PDS helps healthcare professionals to identify patients and match them to their health records.  It also allows them to contact and communicate with patients. Further information can be found on the NHS digital website.

Why we collect information about you

The people who care for you use your information and records to:

  • provide a good basis for all health decisions made by you and your care professionals
  • allow you to work with those providing care
  • make sure your care is safe and effective
  • work effectively with those providing you with care

Others in the NHS may also need to use records about you to:

  • check the quality of care (called clinical audit)
  • collect data regarding public health matters
  • ensure NHS funding is being allocated appropriately
  • help investigate any concerns or complaints you may have about your health care
  • teach healthcare workers and help with research

Purpose of the processing

The following is a broad description of the way this organisations / data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communication you have received from the Trust or to contact the Data Protection Officer. 

Direct Care and Administration Purposes

Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on a Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from another NHS hospital. As such there is a need to share relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and or care.

As part of our administration purposes, we process information about:

• Our patients

• Suppliers

• Employees

• Complainants, enquirers

• Survey respondents

• Professional experts and consultants

• Individuals captured by CCTV images

Commissioning, Planning and Research Purposes

Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or for local flows by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudoynmisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.

Safeguarding

Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Serious Incident Management

The Christie NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.

Analysis – Risk Stratification

Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

Lawful basis for processing

We will process personal identifiable information (article 6) and also special category of personal data (article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life. The lawful basis we use is:

The processing of personal data in the delivery of direct care and for providers’ administrative purposes (i.e. management of serious untoward incidents) in this organisation and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* (see below reference)

Lawful basis processing for commissioning and planning purposes (including risk stratification) is:

Article 6(1) (c) – for compliance with a legal obligation

For disclosure to NHS Digital is:

Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority.

As for direct care purposes the most appropriate Article 9 condition for commissioning purposes is:

Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Lawful basis for research is:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

The Article 9 condition for research is:

Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.

The Trust operates secure disclosure / sharing of information practices all of which are recorded as a record of our processing activities. Further information is available on request.

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection legislation. Further information is available on request.

Direct care

When you are referred to our services and attend our hospital, clinics, or are seen at home, information about the care you receive is recorded in your health record held electronically and in your paper based patient case note file.  This information is required to make sure that we give you the best possible care and treatment. Information from your health record is used to ensure we provide the best possible care. We consider a “health record” to be information about providing health care which identifies the patient or service user whether they are an adult or a child.

Your information may be used for any of the following purposes:

Safeguarding

Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Serious incident management

The Christie NHS Foundation Trust work with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.

Analysis – risk stratification

Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

How your records are used to help the NHS

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance. Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities and research institutions.

Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioner’s Anonymisation Code of Practice will be used and further guidance is available here.

For further information on what information held within the Trust is being passed to other organisations and for what purpose please see our entry on the ICO website.

Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in the Trust and at hospitals and treatment centres who contribute to your personal care for direct care purposes. This will include your GP.

Where necessary or required we may consider sharing information with any other categories of recipients as follows:

  • Our patients
  • Family, associates and representatives of the person whose personal data we are processing
  • Staff
  • Current, past or potential employers
  • Healthcare social and welfare organisations
  • Suppliers, service providers, legal representatives
  • Auditors and audit bodies
  • Educators and examining bodies
  • Research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional advisors and consultants
  • Business associates
  • Police forces
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations

Information sharing

Information sharing with other NHS organisations

Your health records are shared with other NHS organisations that provide a service on behalf of the Christie or are involved directly with your health care. In addition, The Christie provides a computerised facility to allow secure access to the NHS staff who care for you in the Manchester and Cheshire regions. This facility allows clinicians (such as your GP, A&E staff, hospital nurses and doctors) to view details of your record to help inform their decisions about you and your care. 

The Christie also has access to your health records from other NHS organisations which can be used to help Christie staff make the best decisions about your care.

If you do not want your Christie record to be made available to other NHS organisations, please write to us and we will remove this facility.

If you do not want Christie staff to access your health records from other specific NHS organisations, please write to us and we will remove this facility.

Please write to:

Information Governance Department
The Christie NHS Foundation Trust
Wilmslow Road
Manchester
M20 4BX

Information.governance@christie.nhs.uk

Information sharing with non-NHS organisations

For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services or private healthcare organisations. We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the Trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if:

  • it is in the public interest – for example, there is a risk of death or serious harm
  • there is a legal need to share it – for example, to protect a child under the Children Act 1989
  • a court order tells us that we must share it
  • there is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime.

Where processing is likely to result in a high risk to individuals' privacy interests, the trust will conduct a Data Protection Impact Assessment (DPIA). The aim of a DPIA is to identify and minimise the data protection risks of a project. Read more about Data Protection Impact Assessments. A copy of the Trust’s DPIAs can be requested from the Data Protection Officer, see contact details above. 

What are your rights?

You have the right to withdraw and refuse consent to information sharing at any time, but note that not sharing your information may affect the quality and safety of the care you receive. 

Where information from which you can be identified is held, you also have the right to:

  • request that your information is corrected
  • have your information updated where it is no longer accurate.

The Trust can only provide access to information it holds. For example to see the records held by your GP you have to contact your GP practice directly.

The Access to Health Records Act 1990 also allows access, in certain circumstances, to information that we hold on deceased patients.

How do I access information recorded about me?

Under the Data Protection legislation, individuals have a right to access information that is held about them by an organisation. If you wish to make a subject access request (accessing your information), requests need to be addressed to the Trust’s Health Records Department and we will aim to respond to your request within one month from receipt of your request.  If you require access to your health records you must make a written request.  The process for this can be found on our health records page.

Freedom of Information Requests (FOI)

The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For email requests, please send to the Freedom of Information Team by emailing foi@christie.nhs.uk

Further information about Freedom of Information Requests received by the Trust can be accessed on our Freedom of Information page.

How long do we hold information for?

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care 2016. Records including confidential information are securely destroyed in line with this code of practice. Further information can be found on the NHS Digital website

How do I raise a concern?

If you have a concern or complaint about the Trust we will use your information to communicate with you and investigate the matter. Please note that the details will not form part of your health care record.

Please email the PALS team or send a letter to the below address:

Patient Advice & Liaison Service (PALS)

The Christie NHS Foundation Trust

Wilmslow Road

Withington

M20 4BX

Tel: 0161 446 8217 between the hours of 10am - 4pm. (Outside of these hours call 0161 446 3000 and ask staff to bleep the on-call manager)

Should you have any concerns about how your information is to be used having read this Privacy Notice or you wish to request the notice in another format please contact the Data Protection Officer.

If you are not happy with our response and have exhausted all the avenues, you have the right to complain on the Information Commissioner’s Office website or by calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are also National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Information Commissioner’s Office Wycliffe House

Water Lane

WILMSLOW

Cheshire

SK9 5AF

Or email: casework@ico.org.uk

General data protection regulation statement

The Christie NHS Foundation Trust is a ‘Data Controller’ under the General Data Protection Regulation. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z7091213and our registered entry can be found on the Information Commissioner’s website.

All of our staff receive annual data security awareness training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.

As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law. Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent. In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;

• where disclosure is in the public interest; and

• where there is a legal duty to do so, for example a court order.

Version Control

Last updated - This is Version 0.2 of The Christie NHS Foundation Trust GDPR Privacy Notice and was published on 12.03.2020.