The Christie NHS Foundation Trust Privacy Notice

How the Trust manages your information under the UK General Data Protection Regulation (UK GDPR)

The Christie NHS Foundation Trust is the largest single site cancer centre in Europe treating more than 60,000 patients a year and the first UK centre to be accredited as a comprehensive cancer centre. Based in Manchester, we serve a population of 3.2 million people across Greater Manchester and Cheshire while more than a quarter of our patients are referred to us from across the UK.

There are several ways you can reach out and contact us, we are here to listen to your concerns and provide help and assistance: contact us at a time to suit you.

We process information for several different types of individuals:

The Christie NHS Foundation Trust is one of many organisations working in the health and care system to deliver and improve care for patients and the wider public. To understand more about the wider use of patient data, including how and why patient information is used, the safeguards and how decisions are made, we recommend you look at the Understanding Patient Data website.

Information we collect about you could be collected on paper and/or electronically.

This includes:

  • Personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin
  • Contact we have with you e.g. hospital admissions, outpatient/ clinical appointments and home visits
  • Notes and reports by health and care professionals about your health
  • Details and records about our treatment and care
  • Results of X-rays, scans and tests
  • Relevant information about people that care for you and know you well
  • Basic details about accompanying people, such as children, partners, carers, relatives

Whenever you use a health or care service, such as attending an outpatient clinic or using Community services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment, sharing information can also support the correct information is with the correct clinician to deliver the best care possible for you.

Your information is used to:

  • Provide you with care and treatment, both now and in the future, ensuring that appropriate information is available to all those who treat you medically and care for you professionally
  • Ensure your care is safe and effective
  • Support you in managing your own care, and worth with health and care professionals to ensure there is “no decision about you without you”
  • Support the trialling of new and innovative products and technologies as we strive to continually seek to deliver new and improved cancer treatments
  • Investigate any complaints or legal claims
  • As part of proactive auditing to ensure that all access into medical records is for legitimate purposes

Your information in anonymised format can also be used by use and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • look after the health of the general public
  • research into the development of new treatments, where approved by research bodies
  • preventing illness and diseases
  • monitoring safety
  • manage and plan services, this may include audits by external companies
  • help staff review the care they provide, such as clinical audit
  • train and educate staff

Processing your information may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law.

To find out how data from your health records can help with research and planning and how to choose if you want to share your data for research and planning, read further details about how your data matters. We will check the register each time data is processed to ensure your latest preferences are respected.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

The Christie NHS Foundation Trust, like almost all NHS organisation participates in and supports health and social care research, we use personally-identifiable information to conduct research to improve health, care and services. During any research study that you have agreed to take part in, information about you is collected to conduct the study and for analyses. On some occasions information that has already been collected for your normal care is then re-used for research purposes.

Researchers use information to increase our understanding of diseases and to improve treatment. We also use it to develop innovative software or treatments. Before any research is conducted it usually needs approval from an independent ethics committee, who ensure any patient information is used ethically and appropriately.

If you participate in a specific research study, in most cases you are asked to sign a consent form. The consent form, and a participant information sheet, will describe how your data will be handled during the study. Your signed consent form and your personal details will be stored by the research team in a secure location along with the study information.

Occasionally some studies will use your routinely collected information for research without your consent. For researchers to use any patient information without consent, it must either be completely anonymous to anyone outside of your direct care team, or the researcher may need to apply for permission from the Confidentiality Advisory Group (CAG), an independent national body that advises on the use of patient information. This is in line with the UK’s research governance framework.

A list of studies which are approved to use routinely collected information without patient consent is available on the HRA website.

Additionally, routinely collected information in medical records can also be used to support medical research. At The Christie, routinely-collected information is anonymised and added to a secure research database called ukCAT. Our internal research teams use this anonymised data for approved research projects aimed at patient and societal benefit.

Patient information is kept for research in line with the UK Data Protection Act 2018 and the EU General Data Protection Regulations 2016 – Article 9 (h) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. Learn more on our About medical research page.

Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.

Key types of research we participate in are Imaging Studies, laboratory research and Clinical trials (drug trials).

At The Christie we have internationally recognised skills in sponsoring, hosting and delivering clinical research studies and trials. We run over 650 studies and trials at any given time. Read more on our Studies and trials page.

At The Christie, we partner and collaborate with health, academic, scientific and industry organisations, which may require us to share your personal data. Details of these organisations can be found on our research collaborations page.

All research involving NHS patients requires approval from the hospital where the research is taking place. This approval is issued by the hospital’s research department, who ensure that all applicable approvals are in place before the research begins.

The Trust collects information about overseas patients to comply with our legal obligations, which is to ensure that the Trust receives payment for any services it may provide and also to undertake processing that will allow us to verify if you are entitled to free NHS care. Our obligations are explained in the Department of Health and Social Care Guidance on implementing the overseas visitor charging regulations.

Whilst the majority of our information is received from you when you come into contact with the Trust, we also receive information from other organisations or individuals, such as when you are referred for treatment or in response to questions relating to your eligibility for free NHS care. We also need enough information to be able to provide you with appropriate healthcare services.

What types of information do we use?

  • Personal Data – any information relating to an identified or identifiable individual; an identifiable person is one who can be identified directly, or indirectly.
  • Special Category data – any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union activities, physical or mental health, sexual life or genetic or biometric data.

The Trust may need to process our information in order to:

  • Establish your identity and your entitlement to free NHS Discount
  • Ensure the information we hold about you is valid and up to date
  • Record NHS debtors to the Department of Health and Social Care
  • Determine your immigration status using Home Office services
  • Prevent, detect and prosecute fraud and other crime
  • Provide translation and interpreter services to you
  • Deal with the safety, security, health and wellbeing or someone associated with you
  • Respond to an alert or warning and are legally obliged to act on it

Where it is necessary for discharging our obligations in this area, your personal information may be sent to the Home Office. The information provided may be used and retained by the Home Office for its own purposes, which include enforcing immigration controls overseas, at the ports of entry and within the UK. The Home Office may also share this information with other law enforcement and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime and collection of fines and civil penalties.

The General Data Protection Regulations and the Data Protection Act 2018 allow us to process such data under the following conditions:

  • Where we process overseas patients personal or special category data, we will do so in order to comply with a legal obligation to which the Trust is subject.
  • There may be occasions when we will be obliged to process overseas patients’ information in order to comply with a court order, coroner’s instruction, to prevent or detect crime or to comply with the law. Where we do this, we will process overseas patients personal and/or special category data to comply with a legal obligation to which the Trust is subject.

If we process overseas patients’ information for other purposes that are not described above then we will seek their consent to do so before we process it.

There are many justified reasons The Christie processes personal information:

Direct Care and Administration Purposes

Direct Care is the care delivered to a patient, some of which can be provided in the patient’s home or on a Trust premises (i.e. hospital / clinic). Direct care usually results from a referral from another NHS hospital. As such there is a need to share relevant and proportionate information with other healthcare workers such as specialists, doctors, nurses, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatment, therapies and or care.

As part of our administration purposes, we process information about:

  • Our patients
  • Our patients, carers and next of kin
  • Suppliers
  • Employees
  • Complainants, enquirers
  • Survey respondents
  • Those who visit our website
  • Professional experts and consultants

Our proton beam therapy patients

Proton beam therapy (PBT) has been available abroad for eligible NHS patients since April 2008. In autumn 2018, the proton beam therapy centre at The Christie, providing high-energy proton beam therapy in the UK was opened. PBT enables a dose of high-energy protons to be precisely targeted at a tumour, reducing the damage to surrounding healthy tissues and vital organs. As a specialist treatment we have a dedicated Privacy notice to outline to these patients variations in data usage.

Cancer education awareness

The Christie School of Oncology is a world class teaching centre, bringing together professional and pre-registration education, plus continuing professional development activities into one structure. This makes us uniquely able to support health care professionals at all stages of their career.

We deliver world class education to health care professionals at all stages of their career. The School is unique in that it offers education to all members of the healthcare team, throughout their career – from undergraduate education through to specialist training. Where your data is processed through the School, read our Christie education privacy policy for details of how your data is processed.

GatewayC

GatewayC is a dedicated arm of The Christie education provision providing accessible, innovative, and tailored information to support early cancer detection.

Offers free evidence-based materials and learning for GPs, nurses, AHPs, students, and anyone else with an interest in cancer. This service has its own learning platform and with that a dedicated Privacy Notice.

Commissioning, Planning and Research Purposes

Most national and local flows of personal data in support of commissioning / planning are established as collections by NHS Digital either centrally or for local flows by Commissioners. Where the collection or provision of data is a legal requirement, the Trust will need to oblige. Data minimisation (or pseudonymisation) is a standard process for commissioning, planning and research purposes, audits, service management, commissioning, contract monitoring and reporting facilities.

Safeguarding

Advice and guidance is provided to care providers to ensure that adults and children’s safeguarding matters are managed appropriately. Access to identified information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Serious Incident Management

The Christie NHS Foundation Trust works with provider and commissioning organisations to ensure effective governance and to learn from Serious Incidents. The Francis Report (February 2013) emphasised providers had a responsibility for ensuring the quality of health services provided.

Analysis – Risk Stratification

Risk stratification entails applying computer-based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.

National Fraud Initiative

The Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds or where undertaking a public function in order to prevent and detect fraud. We participate in the Cabinet Office’s National Fraud initiative – a data matching exercise to assist in the prevention and detection of fraud.

What recent new processing has been approved?

Before any new methods of processing of your information is undertaken, we complete a data risk assessment. This is to assess that that the planned processing is lawful, transparent and in line with best security standards. This could be working with new partners or introducing new systems to support delivery of your care. Details of those recent approved initiatives are detailed on our data protection impact assessments page.

The Christie NHS Foundation Trust is a registered Data Controller with the Information Commissioner’s Office (ICO) and our registration number is Z7091213.

All health and social care providers, including The Christie NHS Foundation Trust, have a statutory duty under section 251B of the Health and Social Care Act 2012 to share patient information for their direct care. This duty is subject to both the common law duty of confidence (See 'Common Law Duty of Confidentiality' below) and applicable data protection legislation, namely the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulations (UK GDPR).

Personal Data

Personal data is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The processing of personal data is covered by Article 6 of the GDPR.

We will process personal identifiable information (Article 6) and also special category of personal data (Article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life. The lawful basis under Article 6 is dependent on the legitimate use we have to process different types of data.

Consent (Article (1)(a))

Lawful Basis for Processing

Article 6(1)(a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.

Purpose of Processing

The Trust processes personal data on the basis of consent for services including, but not limited to; medical studies, managing Governance and Members data, research and development. Where consent is the lawful basis for processing your personal data, the processing will be for the purposes of indirect care only. Pertinently it must be stated that the withholding of your consent will not impact on the direct care provided by the Trust.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of your consent:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact: the-christie.dpo@nhs.net

Contract (Article (1)(b))

Lawful Basis for Processing

Article 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Purpose of Processing

The Trust processes personal data on the basis of contractual obligations for services including, but not limited to; background checks, payments, procurement, staff employment and all other processes related to entering and performing contractual obligations. Pertinently it must be stated that where some or all of the personal data requested is withheld, the Trust may be unable to enter into and perform a contract as per its contractual obligations.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of contractual obligations:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Legal Obligation (Article (1)(c))

Lawful Basis for Processing

Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

Purpose of Processing

The Trust processes personal data on the basis of legal obligations for services including, but not limited to; legal proceedings, obtaining legal advice, assessment of potential fraud and establishing, exercising or defending legal rights. 

Health and Social Care Act 2008 – to carry out clinical audits and to take other quality improvement measures.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of legal obligations:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Vital Interests (Article (1)(d))

Lawful Basis for Processing

Article 6(1)(d) ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’.

Purpose of Processing

The Trust processes personal data on the basis of vital interests only when it is deemed necessary to protect life. This basis for processing will only be utilised in situations of life and death, such as emergency health care, whereby you are unable to give consent yourself.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of your vital interests:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Public Task (1)(e))

Lawful Basis for Processing

Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

The Article 9 condition for direct care is:

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...' to carry out clinical audits and to take other quality improvement measures.

The Article 9 condition for research is:

Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.

Article 9 (2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’.

Purpose of Processing

The Trust processes personal data on the basis of public task for services including, but not limited to; direct healthcare provision, issue of SMS/Email to data subjects, establishment of sub processors for delivery of elements of direct care, safeguarding, management of serious untoward incidents, National clinical audits, research and statistical analysis and reporting.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of public task:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

We may share information with the following types of organisations: 

Your data will be shared with health and care professionals and support staff in the Trust and at hospitals, hospice and treatment centres who contribute to your personal care for your direct care purposes. This will include your GP, where you wish to receive copies of letters we send to your GP, you should notify the reception or clinic staff who can arrange for this on your behalf.

Where necessary or required we may consider sharing information with any other categories of recipients as follows:

  • Our patients
  • Family, associates and representatives of the person whose personal data we are processing
  • Staff
  • Current, past or potential employers
  • Healthcare social and welfare organisations
  • Suppliers, service providers, legal representatives,
  • Auditors and audit bodies
  • Educators and examining bodies
  • Research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional advisors and consultants
  • Business associates
  • Police forces
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations. 

Information sharing with other NHS organisations

Your health records are shared with other NHS organisations that provide a service on behalf of The Christie or are involved directly with your health care. In addition, The Christie provides a computerised facility to allow secure access to the NHS staff who care for you in the Manchester and Cheshire regions. This facility allows clinicians (such as your GP, A&E staff, hospital nurses and doctors) to view details of your cancer record to help inform their decisions about you and your care.

The Christie also has access to your health records from other NHS organisations which can be used to help Christie staff make the best decisions about your care. For example, the

If you do not want your Christie record to be made available to other NHS organisations, please write to our Data Protection Office and we will remove this facility.

If you do not want Christie staff to access your health records from other specific NHS organisations, please write to our Data Protection office and we will remove this facility.

Sharing with those we work closely with

Read more about our partnerships and joint ventures. See our directory of services to see what we offer. 

Greater Manchester Health and Social Care Partnership

The Christie NHS Foundation Trust is part of the Greater Manchester Health and Social Care Partnership, which was formed to oversee the devolution of health and social care services across Greater Manchester under a Sustainable Transformation Partnership (STPs). For further detail in relation to this, see the GMHSC website.

The Christie Pathology Partnership

The Christie Pathology Partnership (CPP) is a joint venture between SYNLAB and The Christie NHS Foundation Trust in Manchester. SYNLAB in the UK is a trusted expert in clinical laboratory services. Commencing in 2014, the Partnership will run for 10 years and operates out of the existing Christie pathology laboratories, where around 70 staff have transferred from the NHS to the CPP.

Christie private partnership

The Christie Private Care LLP is a joint venture limited liability partnership between The Christie NHS Foundation Trust and HCA (HCA International Limited). The partnership means that a share of the profit from The Christie Private Care is invested back into the NHS for the development of care and future service enhancement, therefore benefiting all patients.

The Christie Private Care board is made up of 3 Christie executive directors and 3 HCA directors. HCA International has operational responsibility for the day to day running of these services.

Visit The Christie Private Care website to find out more or access the HCA privacy notice.

The Christie Pharmacy

The Christie Pharmacy Company is a wholly owned subsidiary company of The Christie NHS Foundation Trust (as such this Privacy Notice covers all processing undertaken). The company was formed in December 2017 to provide a high-quality pharmacy service to both inpatients and outpatients of the Trust.

Our services include:

  • dispensing and supplying medication to inpatients in wards and clinics
  • supporting The Christie at Home service to ensure patients can receive certain treatments from the comfort of their own home
  • providing bespoke medication for The Christie at Salford, The Christie at Oldham and other sites
  • advising patients who want to self-medicate
  • wholesale supplying medicines and devices to all wards on the Withington site

Manchester Cancer Research Centre

The Manchester Cancer Research Centre MCRC is a unique partnership founded in 2006 by The University of Manchester, Cancer Research UK and The Christie NHS Foundation Trust. Since its creation, the MCRC partnership has since expanded to encompass cancer research activities across Manchester, driving a consistent, compatible and integrated cancer research strategy with the ultimate aim of creating a future free from the burden of cancer.

Information sharing with other non-NHS organisations

For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services, hospice or private healthcare organisations. We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the Trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if:

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • it is in the public interest – for example, there is a risk of death or serious harm
  • there is a legal need to share it – for example, to protect a child under the Children Act 1989
  • there is a legitimate enquiry from the police for information related to a serious crime

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons.

Where processing is likely to result in a high risk to individuals' privacy interests, the Trust will conduct a Data Protection Impact Assessment (DPIA). The aim of a DPIA is to identify and minimise the data protection risks of a project and your confidentiality. Read more about Data Protection Impact Assessments. A copy of the Trust’s DPIAs can be requested from the Data Protection Officer – see contact details below.

Completing a Data Protection Impact Assessment ensure that where we process your data through a 3rd party, such as a supplier of an IT system, the full security checks and data protection assurances are carried out.

It may sometimes be necessary to transfer personal information overseas. Any transfers made will be in full compliance with all aspects of the data protection legislation.

Under the Data Protection legislation, individuals have a right to access information that is held about them by an organisation. If you wish to make a subject access request (accessing your information), requests need to be addressed to the Trust’s Health Records Department and we will aim to respond to your request within one month from receipt of your request. If you require access to your health records you must make a written request. The process for this can be found on our health records page.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code. For example we will:

  • securely dispose of your information by [through secure confidential waste contracts or wiping hard drives to legal standards of WEEE destruction].
  • archive your information at [historically significant service’s record may be archived with the local Archive Service, which is run by the Local Authority].
  • take another action [Through use of new cloud hosted solutions, which meet NHS prescriptive standards].

If you have any concerns about our use of your personal information or you wish to request a copy of this Privacy Notice in another format please contact the Data Protection Officer by email at the-christie.dpo@nhs.net.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO (Information Commissioner’s Officer) – the UK regulatory body who monitor Data Protection compliance.

Contact: Information Commissioner’s Office website or by calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Information Commissioner’s Office,
Wycliffe House,
Water Lane, Wilmslow, Cheshire, SK9 5AF

The Christie NHS Foundation Trust is a ‘Data Controller’ under the UK General Data Protection Regulation. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity.

As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide our Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf. These contractors are subject to the same legal rules and conditions for keeping personal information confidential and secure.

We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

As a public authority, we are required to have a Data Protection Officer

The role of the Data Protection Officer is to:

  • to inform and advise the Trust Board and employees about their obligations to comply with the UK General Data Protection Regulation and other data protection laws;
  • to monitor compliance with the UK General Data Protection Regulation and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
  • to act as the first point of contact for the Information Commissioner’s Office and for individuals whose data is processed.

Our Data Protection Officer is Louise Westcott, she can be contacted:

  • Via email: the-christie.dpo@nhs.net
  • Via post: The Christie NHS Foundation Trust, Wilmslow Road, Manchester, M20 4BX
  • Via phone: Tel No 0161 446 3000

We are required to maintain the security of information we process

Information is an asset and like other important business assets it has value to an organisation and needs to be suitably protected. Information security and incident prevention protects information from a wide range of threats to ensure business continuity.

There are 3 essential standards crucial to Information Security which are:

  • Confidentiality - ensuring that information is accessible to those authorised to have access
  • Integrity - safeguarding and completeness of information and processing methods
  • Availability - ensuring that authorised users have access to information and associated assets when required

In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. The Christie has systems, process and tooling to ensure all personal data we process complies with these 3 principles. This is measures externally through NHS England, details can be found on the Data Security and Protection Toolkit website.

All of our staff receive annual data security awareness training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality and may face disciplinary procedures if they do not do so.

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.

Last Updated - This is Version 0.3 of The Christie NHS Foundation Trust UK GDPR Privacy Notice and was published on 21 November 2023.

These details are also available in a Child Friendly format:

Last updated: March 2024