Sheffield Health and Social Care

Identity of the Data Controller:

Sheffield Health and Social Care NHS Foundation Trust
Centre Court
Atlas Way
Sheffield
S4 7QQ

Website: www.shsc.nhs.uk

The implementation of Data Protection is overseen by our Data Protection Officer.

You can contact them via this email DPO@shsc.nhs.uk or you can write to them at this address:

The Data Protection Officer
Information Department
Sheffield Health and Social Care NHS Foundation Trust
Wardsend Road North
Sheffield
S6 1LX

We process personal information about our staff, service users, volunteers, carers and other people for a variety of purposes:

• to provide health and social care services
• to manage our services and to plan for the future
• to monitor how we are performing against targets
• to make sure we comply with legislation about equality
• to allow us to get paid for the work we do
• to manage our staff and fulfil the duties we have as an employer
• for research and training
• to safeguard our service users, staff and the public

The main reason we process personal data is because it is necessary:

• for exercising the public task of running a health and social care trust

We process information which is defined in law as ‘special category’ data – this includes health records amongst other items.  This is necessary:

• for the provision of health or social care or treatment or the management of health or social care systems and services

We also process some personal information because it is necessary:

• for employment purposes

We process some personal information because it is necessary:

• for reasons of public interest in the area of public health, such ensuring high standards of quality and safety of health care

Sometimes we may process information on the basis of consent from the data subject but this is not the basis for the majority of our processing.

Where consent is used as the basis for processing this will be made clear to the data subject along with their rights regarding consent.
 

We collect different types of personal information:

• Personal identifiers – name, address, date of birth, NHS number etc, plus contact details
• Bank details for our staff
• Employment records, disciplinary records
• Professional registration details, qualifications
• Referrals, assessments and notes 
• Information about appointments, contacts, hospital admissions and other service use
• Medical information such as prescriptions, test results, diagnoses
• Use of services provided by other organisations
• Details of incidents
• Processing of queries and complaints
• Records about our Trust members    

We share information with other health and social care organisations such as hospitals, GPs, care homes and social services.

We may share information with carers of service users where the service user has agreed to this.

We may share information with the police or courts where we are legally obliged to do so or in order to help prevent or investigate serious crimes.

We provide datasets to purchasers/commissioners of our services and to NHS England.

Regulators have the ability to view information we collect as part of the process of ensuring we provide good services.
 

Some of our services use the SystmOne patient information system to record their work. Where they do, it is possible to share patient information with other services which also use this system, where the service user has agreed to allow this to happen. The teams which this applies to are:

• Myalgic Encephalomyelitis/Chronic Fatigue Syndrome (ME/CFS) Service
• Neuro Case Management Service
• Neurological Enablement Service (NES)
• Sheffield Community Brain Injury Rehabilitation Team (SCBIRT)
• Health Inclusion Team

What is a care record?

All the information about the care and treatment we provide is held on a care record.

Your care record is stored electronically on a secure system.

Healthcare staff use this information to make sure you get the right care and support you need. Staff make sure this information stays confidential and is kept safe.

We know that other health and care services such as hospitals, clinics, GPs and social care may also provide you with care or support.

To help us all work together, we want to share the information we have with them so they can continue to support you with the best care and treatment. We call this a 'shared care record'. 

 We also want to see the information they have recorded about you and your health and care needs. This is so that we also know everything we need, to provide you with the best care at the Trust.

A shared care record means:

• Everyone who provides your care will have the information they need, when they need it.
• You get the right treatment for your mental and physical health.
• You do not have to repeat your story.
• You get the best health and care services we can provide.

Care records will only be shared with services that provide you with care or treatment, and on a 
need-to-know basis.

You have a right to choose who will see your care record.

Consent to share your records

You will be asked by your healthcare worker at the Trust if you are happy to share your care record with other health and care services that also provide you with care. This is called consent.

You will be asked to complete a consent form. On this consent form you will be asked to give consent to share your information:

• If you consent to the sharing of your information, other services caring for you will be able to see your care record. For example, your GP or a district nurse that visits you will be able to see the information recorded by the Trust.
• If you do not consent, only staff caring for you at the Trust will be able to see your record. Your record will not be shared with other health and care staff that provide you with care and treatment outside of the Trust. Your healthcare worker at the Trust will not be able to see information recorded by any other professionals involved in your care, for example your GP.

You can also ask for some of the information on your care record to be made private. This means that only the service at the Trust who recorded the information can view this part of your care record.

How does consent work?

If you consent to share your heath record, everyone who provides you with care will be able to see the same record.
 
However, you can choose who can see your full health records. The example across should help to explain this more:

Patient A receives care from three different NHS services (a GP, a district nurse and a smoking clinic).

You can see from the image that the GP and nurse will share the same information.

But the smoking clinic will not be able to see Patient A's shared record which has information about the care they receive from the GP and district nurse. The GP and district nurse will not be able to see the smoking clinic record.

What if I change my mind about consent?

You can change your mind about consent. All you need to do is contact your health worker at the Trust who will help you.

What else do I need to know?

If you haven't been asked to share your care record at other NHS services, including your GP, you can always speak to them about recording your choice around consent.

In a serious situation, for example if you are unconscious, a health and care service will be able to view your care record. They will do this even if you have not given consent.

More information

If you are still unsure about sharing your care record, speak to a member of staff for more information.

You can also have a look at our frequently asked questions (FAQs):

Frequently asked questions

How do I opt-in or out of sharing my records?

You can choose whether you want your health records sharing with other health and social care services. Talk to your health care worker at Sheffield Health and Social Care NHS Trust about how you would like your information to be shared.

They will ensure you complete a consent form to record your request.

We will then update your record and make sure that the necessary permissions are enabled for you.

What are the benefits of sharing my health record?

It’s important that health and social care professionals have access to basic information about patients and the people they care for. This is especially important when care is urgent or required during the evenings or weekends. Sharing the information, we hold with other health and social care services will save time and could be life-saving in some circumstances.
 
Sharing your health record will mean that everyone who provides your care will have the information they need, when they need it. We will all use the same information to make sure you get the best health and social care services we can provide. This means:

• You get the right treatment for your mental and physical health
• Everyone has the same information they need to treat you
• You do not have to repeat your story.

Without sharing being available, other professionals involved in your care would need to wait for information, which could cause delay in providing treatment, care or medication.

If I haven’t chosen to share my record and I have a medical emergency, will the services treating me be able to access my record?

If you are being treated in a medical emergency by a service that uses the same or compatible clinical record system as the Trust (SystmOne), then certain clinicians will be able to override your refusal to share either with your permission or, if you are unable to give your permission; because it would be in your best medical interests to do so. Any override of your sharing settings is strictly monitored to ensure that it is appropriate and done in the best interests of your care.

I am happy to share my record with other health and care services but there are some things that I would prefer to keep confidential between me and my healthcare professional. Can I do that?

You can ask your healthcare professional at the Trust to mark individual items on your record as private. When your full record is shared, the private information will not be visible to any other service.

Healthcare professionals are used to receiving these requests and may have already marked parts of your record as private if they feel it’s inappropriate to share, so please don’t be afraid to ask.

If I choose not to share my record, what information will other health and care services involved in my care be able to see?

If you choose not to share your record, the only information other health and care services that are involved in your care will be able to see is basic demographic data such as your name, date of birth, address, and your registered GP practice. This availability of only basic information is why we encourage you to opt into sharing.

What is included in my health record?

Your health record includes details of your appointments and includes information about medications you are taking, test results and any allergies you may have.

It will include details about any medication that hasn’t agreed with you in the past, details of any health conditions which mean you shouldn’t have certain medicines and any factors which need to be considered when planning your care.
 
Will other services be able to see everything on my record?

For another health or social care service to view your record, they must have registered you under their care and have gained your consent to view your record. If you give permission, they will be able to see your full record except for any items you have asked your healthcare professional to mark as private.
Your records will only be shared with services that provide you with care or treatment, and on a need to know basis.

Will insurance companies and private healthcare companies have access to my shared record?

No. Only health and social care organisations directly caring for you and using a compatible electronic health record system will have access to your shared health record.

Can I change my mind about sharing my record?

Yes. You can change your mind at any time. Let your health professional know if you want to change your original choice.

You will be asked to recomplete a consent form to record your request of not sharing. Once you have completed and return it, we will record your preference in the computer system.

Why is sharing of my heath record not set automatically? Why do I have to opt-in?

The electronic patient record adopts a “consent at the point of care” model. If consent is refused or not asked, then the clinician will not be able to view the record.

What security is in place for my health record?

All computer software systems used by health and social care have to conform to stringent national safety standards. This is the care records guarantee. The system itself runs on a secure network which is separate from the internet so cannot be compromised from unauthorised access.

For another service to view your record they must be using a compatible clinical system to the one we use at the Trust.

They must ask your permission to view your record. You also must be registered for treatment with them.

The healthcare staff viewing your health record must use a smartcard which looks like a credit/bank card. The chip on the card authorises them for a certain level of access so they can only see the level of detail required for them to carry out their job role in support of your care and treatment.

The system also has a tamper-proof audit trail that shows the name, time, and date of any access to a health record. It also will show any data added, changed, or deleted to ensure appropriate and safe use.

Your GP practice would also be alerted when you receive care elsewhere – unless you have asked them not to disclose this information.

As a NHS organisation we use person-identifiable information to conduct research to improve health, care and services. As a publicly-funded organisation, we have to ensure that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.

You may be asked if you want to take part in research projects undertaken by the Trust. If you agree to take part in a research study we will use your data in the ways needed to conduct and analyse the study. Once you have agreed to participate in a research study we will be processing your information under the basis of a “Public task” so your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained.

In certain circumstances, where it is not practical to get consent from individual patients' we may be granted legal approval to process personal information for research purposes without consent - any such requests are subject to processes imposed by the Health Research Authority and have strict requirements to protect patient confidentiality imposed upon them.

To safeguard your rights, we will use the minimum person-identifiable information possible.

You can find out more about patient information and health and care research on the Health Research Authority website.
 

The Trust is a mandatory participant in the Cabinet Office’s National Fraud Initiative data-matching exercise, run every two years.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018. All Trust staff and suppliers’ data may be submitted to the National Fraud Initiative on a regular basis.

You can read further information about the national fraud initiative on the GOV.UK website.

We do not routinely transfer personal information to other countries.

Where we are requested to send individual service user records abroad we will do so with their consent and via a secure method.
 

We adhere to the retention periods set out in the NHS Records Management Code of Practice, available here.

We will develop systems to allow us to archive records which have passed their recommended minimum retention period but we will not destroy records which may be relevant to ongoing inquiries
 

Right to be informed

Data subjects have a right to know when their personal information is being processed.  We let you know about the processing we do via this notice and via our staff when they collect information from you. You can also contact our Data Protection Officer.

Right of access

You can ask us to confirm whether we process information about you and for an explanation of the processing.  You can also ask for access to the information we hold about you – we won’t charge for this and we have to provide the information within a specified time period.  If you have a keyworker you can ask them for details of how to access your information or you can contact our Access to Records Team – there are details on how to access your records on our website here.

Right to rectification

If you think any of the information we hold about you is inaccurate you can ask us to change it – if we agree then we will correct the information but we will usually keep a copy of the previous version in case we need to refer back to see the information as it was at the time any decisions were made. If we disagree about the information being incorrect then you can add a note to your records to say what you disagree with.

Right to erasure

Data protection legislation gives data subjects a limited right to have their personal information deleted where there is no compelling reason for the processing to continue. This is sometimes known as the ‘right to be forgotten’. For the majority of the personal information we process we will need to keep it for the minimum retention period specified in national guidance so that we have the information we need to treat our service users, to manage and plan our services and to be paid for the work we do and in case it is needed for any future legal proceedings so we cannot delete the information. If you want to know more, please contact our Data Protection Officer.

Right to restrict processing

In certain circumstances you may have a right to restrict the processing of your personal data – it would then still be held but not further processed. This would apply where you had contested the accuracy of the data or objected to the processing and were awaiting our response, or we no longer needed the data but you required us to keep it for legal purposes.

Right to data portability

Where you provide your information to a data controller with consent or for the performance of a contract with you and if the data is processed automatically then you can ask for your data to be downloaded in a form that allows you to transfer it to another provider. This is not how we process the information we hold so the right to data portability does not apply but you still have the right to make a subject access request for your data, as above.

Right to object

You can object to processing of your information for direct marketing or profiling. We may contact you to tell you relevant information about our services or to ask for your opinions - this is not marketing but you can tell us your preferences about how and when we contact you. You can object to having your identifiable information used for research – if we ask you whether you would like to be involved in research projects we will tell you what would be involved and will respect your decision. This is different from the decision whether to allow data about you to be used as part of national datasets – see the national Data Opt-Out website to find out more about this here.

Rights in relation to automated decision making/profiling

You have the right not to be subject to decisions based on automated processing which have a significant effect on you.  We may use assessment tools which score people according to certain criteria but we don’t use them as the sole way of making decisions about our service users and there will always be an element of human decision making.

We may use data to profile service user populations so we can plan services and offer appropriate interventions to improve their health and wellbeing.  Where we do that then we will be open about the logic we use, we will use reliable processes and make sure the processing is secure.

Right to withdraw consent to processing

If we process information on the basis of consent from the data subject then they can withdraw their consent if they choose.  We do not rely on the consent of data subjects for the majority of the processing we do – we process information in order to provide health and social care services and to run our Trust as described elsewhere in this notice.

If you wish to withdraw your consent for any processing which you think is undertaken on the basis of that consent then please contact our Data Protection Officer in the first instance by emailing DPO@shsc.nhs.uk

If you have a complaint about how your personal information has been processed then you can raise it informally with the appropriate service or formally using our complaints procedure, details available on our website here.

You can also complain to the Office of the Information Commissioner which oversees the operation of Data Protection legislation. The ICO website is here or you can write to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
 

We receive information when other services such as GPs or social workers make referrals to our services. This will include the identity of the person being referred and their contact details plus relevant information about the reason for their referral.

We will collect information from our service users and from other people involved in their care.

We will receive results of medical tests from other health organisations.

We use national systems in order to find NHS numbers so that we can uniquely identify our service users, to find their registered GPs and check that other details about our service users are accurate and up to date.
 

We need to collect information about our service users in order to provide them with safe and effective care.  This includes keeping records of the treatment we provide.  We cannot provide our services without keeping records.

We also need to record the work we do in order to meet the contractual requirements of the bodies that purchase our services and to comply with national reporting requirements.

We process information about our staff in order to make sure they are qualified to do their jobs, to make sure we pay them and respect their rights and to ensure the safety of the people they provide services to.

This section describes how we may use your information to protect you and others during the COVID-19 pandemic.

The health and social care system is facing significant pressures due to the COVID-19 pandemic. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information is also vital in researching, monitoring, tracking and managing the outbreak. During the pandemic it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency has been used during the pandemic. Using this law the Secretary of State required the NHS, GPs and local authorities to share confidential patient information to respond to the COVID-19 pandemic. This legal requirement was time limited and came to an end on 30 June 2022. A more limited requirement to process patient information for COVID-19 purposes was then imposed on NHS England, NHS Digital and GP practices, but does not include Sheffield Health and Social Care NHS Foundation Trust. 

Processing of confidential information about our staff and service users for COVID-19 purposes may continue where it is covered by another legal basis to use the data. Further information is available on the gov.uk website. 

In order to look after your health and care needs we may share your contacts details and sometimes confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example other NHS Trusts, GP practices and the local authority. We may also use the details we have to send public health messages to you, either by phone, text, e-mail or post.

Since the beginning of the pandemic we have offered more consultations via telephone or video-conferencing. If you accept the invitation and enter the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We have also been required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.   

NHS England and Improvement have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.   

Specific data flows related to COVID-19

Electronic Prescribing and Medicines Administration (EPMA) data

We are required to supply the NHS with data on medicines we prescribe to our patients who will be identified by their NHS numbers. Where medicines are associated with certain conditions, procedures or treatments which are legally protected, the information which could identify specific patients will be removed. The information will be used for research into the effect of medicines with COVID-19 and for wider analysis of the use and effectiveness of medicines.

Asymptomatic staff testing results

Where our staff are tested for COVID-19, any positive tests must be reported to Public Health England. We collate individual staff test results and upload them via secure file transfer. The information is also used within the Trust in order to manage services and inform our measures to counteract the pandemic.

Staff vaccination

We are required to collect information to identify which of our staff are more vulnerable to COVID-19 because of their age, ethnic group or medical conditions. We will use this information to prioritise the vaccination of vulnerable staff. During the pandemic we have monitored the uptake of vaccinations amongst our staff. 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services may also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This can only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, information used for research and planning is anonymised so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used for purposes beyond your direct care. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

On this page you will:

• see what is meant by confidential patient information
• find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• find out more about the benefits of sharing data
• understand more about who uses the data
• find out how your data is protected
• be able to access the system to view, set or change your opt-out setting
• find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• see the situations where the opt-out will not apply

You can also find out more about how patient information is used at: www.hra.nhs.uk/information-about-patients (which covers health and care research); and understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Sheffield Health and Social Care NHS Foundation Trust has processes in place to comply with the national data opt-out policy.