Sentinel recognises the importance of data protection and of ensuring that the data we hold is protected and used in a safe and conscientious manner.
To ensure that your information is kept confidential and that our data is kept safe and secure, all our staff receive training in data protection and information governance before they start work with us. Current staff also have to undertake regular refresher training courses tailored to their individual roles.
Who we are and what we do
We are Sentinel Healthcare South West CiC – a company owned and operated by the GP practices in Plymouth, West Devon and South Hams. We cover an area from Looe to Bodmin to Bude to Salcombe.
Our address is:
Sentinel Healthcare South West CiC
6 Research Way
Plymouth Science Park
Telephone: 01752 434 102
We provide an interface service to the NHS, research and support to General Practice. We are a not-for-profit social enterprise.
Access to your information
Our staff will only have access to information that is necessary for them to complete the activity they are involved in. This is reflected in the Caldicott Principles, which state that access to your information should be on a need-to-know basis only. Staff access to confidential information is monitored to ensure your confidentiality is maintained.
Information we can hold about you
1. Your name and date of birth;
2. Caller/carer/next of kin and patient contact details, including full home address, telephone numbers and current location;
3. Details of each contact we have with you;
4. Records of your health and wellbeing, including reports from other organisations providing health and social care;
5. Details of your care and treatment, including clinical notes, assessments, examinations, test results and care you have received; and
6. Information shared in the public domain, e.g. online (for example, on social media). This information is used to improve services and inform feedback, learning and training. It will not affect the care you receive in any way. There may be some circumstances where we share this information with others, for example, where it concerns another healthcare provider, to protect an individual or assist the police in the investigation of a serious crime.
As we do not always have access to your full GP, dental or other health records, other health professionals may provide us with important information such as a special note to highlight any specific medical history and/or care plans. This will support our health professionals in their decision making in the event of contact from you.
We will also record and keep further information about you if you contact us for reasons not regarding your direct care (for example, to make a complaint, report a concern via our patient surveys or if you leave us feedback online or post on social media).
In some cases, we may need to obtain or provide information from another service provider (such as our commissioners) for example to fully investigate a complaint, enquiry or to assist with a Freedom of Information Act request.
How do we keep your records confidential and secure
Everyone working in the NHS has a legal and professional duty to ensure that all your information is safely and securely protected and kept confidential. The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances, for example, where we are required to by law.
In all cases, where personal information is shared, either with or without your consent, a record will be kept. Information that identifies you will only be used for the purposes it was provided for or where there is a clear legal basis for that information to be used. We adhere to the Caldicott Principles to ensure information is accessed and held securely and appropriately.
Our staff are required to protect your information, inform you of how your information will be used and allow you to decide how it can be shared. Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality.
We only keep our records for as long as we need to, and we are required to manage our records in accordance with national guidance such as the NHS Records Management Code of Practice.
How your records are used
Your records are used to guide healthcare professionals in the care you receive. Your records:
1. Inform the decisions made about your care;
2. Ensure your treatment and advice, and the treatment of others, is safe and effective;
3. Help us work effectively with other organisations and healthcare professionals who may also be involved in your care;
4. Can be available if you see another doctor, or are referred to a specialist or another part of the NHS or health care system for the purposes of direct care;
5. Help us to investigate complaints, legal claims and untoward events;
6. Help us prepare statistics on NHS performance and assist with health research and development;
7. Help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymised feedback from patient surveys) to audit and improve our services and ensure they meet your needs;
8. Help us conduct clinical audit to ensure we are providing a safe, high quality service and support the provision of care by other healthcare professionals;
9. There are circumstances where we need to share information without your consent. For example, when the health and safety of others, including members of staff, is at risk, to ensure we provide you with the correct care, to protect public health or when the law requires information to be passed on (for example in the prevention of serious crime or under a court order); and
10. You may be receiving care from other non-NHS organisations such as Social Services and we may need to share information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
Information may be withheld if it is believed it may cause serious harm or distress to yourself or another person.
We will not transfer or process your information outside of the European Economic Area.
How you can access your records
The Data Protection Act allows you to find out what information about you is held on computer and in certain paper records. This is known as a ‘right of subject access’. If you would like to see your records you can make a written request to us (which must include your authorising signature).
You are entitled to receive a copy of your records and do not have to give a reason for the request; however, there may be a charge. Consent will be required when requesting information relating to someone else. Requests can be made in writing to the address above.
Using information for purposes other than direct healthcare
We will use your personal information for the purposes of providing you with direct care and to locally audit our services to ensure our organisation meets your needs and maintains our high standards.
Direct care is when information is used for healthcare and medical purposes, for example, directly contributing to your treatment, diagnosis, referral and care. This also includes any relevant supporting administrative processes and audit/assurance of the quality of the healthcare service provided, such as appointment bookings, management of waiting lists, inputting test results or sharing information regarding contacts with the patient’s registered GP practice.
We will also use your personal information when required to by the law (for example following a court order to release documentation) and, in exceptional circumstances, where the use of your personal information is justified in the public interest.
For all other uses of your personal information we will either directly ask for your consent or use information that does not identify you. For example, it may be that we use anonymised and/or pseudonymised data for:
- Processing information – taking your information and changing it so it does not identify you so it can be used for secondary purposes such as research.
- Audits – including local clinical audit to provide quality assurance of the care received by our service users.
- Service management
- Local and national benchmarking.
- Commissioning and commissioners reports e.g. service use, performance reports and contract monitoring.
- Reporting, including public health alerts, performance and board reports, capacity and demand planning. We may share anonymised and pseudonymised information with other organisations with a legitimate interest such as universities and research institutions. This data will be provided in a way that respects your right to confidentiality and does not identify individual patients.
- Teaching and training.
- Sharing best practice/serious case reviews/incident management of adverse events.
- Staff and patient surveys.
- Personal development/review (particularly for clinicians).
- Subject access requests.
Third parties we share information with
Sometimes we need to share your information with other organisations. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.
When assisting the police with the investigation of a serious crime, or if there are concerns regarding child protection/vulnerable adults, it may be necessary for us to share your personal information with external agencies without your consent.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
We may also share information with organisations such as:
- NHS Trusts
- Community/district nurses
- The ambulance or other emergency services
- General Practitioners
- Child and adult safeguarding services e.g. MASH
- Social Services
- Local Authorities
- NHS 111
- The Care Quality Commission, ICO and other regulated auditors
- Public Health England
- HSCIC (https://www.hscic.gov.uk) and the data services for commissioners programme
Note: Under the powers of the Health and Social Care Act 2012 (HSCA), the Health and Social Care Information Centre (HSCIC) can request information that identifies you from GP practices and other providers without seeking your consent.
Information/data sharing agreements
We are bound by data and information sharing agreements with our partner organisations. These sharing agreements ensure that we only share information in a way that complies with the law. Regular information sharing is supported by information sharing agreements with our partner organisations to ensure all parties are clear on how this information may be used and their legal obligations to protect and keep your information safe and secure.
You have the right to confidentiality and for your information to be used fairly in a way that is safe and secure under the Data Protection Act 1998, common law duty of confidentiality and other relevant legislation. The Equality Act 2010 may also apply in certain circumstances. You have the right to know what information we hold about you, what we use it for and who we share it with.
You have the right to apply for access to your information (a Subject Access Request) and have a copy of that information in a permanent form, for example, on paper. You also have the right to have that information explained to you, where necessary, in a way you can understand, for example, if there are any codes or abbreviations you do not understand.
Comments, queries or objections
At any time, you have the right to object, refuse or withdraw consent to information sharing/processing and have your objections heard. We will comply with your request where we are able to do so in accordance with the law. The possible consequences of not sharing this data will be fully explained to you.
To provide a safe, professional and efficient service, we need to keep information on record. Your personal details will be handled with sensitivity and confidentiality. If you think any information we hold about you is not accurate, please let us know. You can write to us if you have any privacy concerns or queries, or if you wish to update your personal information.
Further information can also be obtained from legislation such as the Data Protection Act 1998, the Care Record Guarantee and the NHS Confidentiality Code of Conduct, all of which can be accessed via the internet. You have the right to access your records and to request corrections of errors, but not to change the content as this may be clinically unsafe.
The Data Protection Act 1998
The Data Protection Act 1998 states:
Personal data shall be processed fairly and lawfully and in particular, shall not be processed unless:
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
This is the first data protection principle. In practice, it means that you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with us.
Once it has been established that a data controller does have the ‘lawful’ power to share personal data it would then need to satisfy a Schedule 2 condition for processing and where sensitive personal data is involved, a Schedule 3 condition. It should be remembered though that even where a condition or conditions for processing can be met this will not on its own ensure that the processing is fair or lawful.
These issues need to be considered separately. It is also worth briefly looking at the issue of ‘consent’. To the ICO “consent” means just that. For example, someone is asked if their information can be used in a certain way. If they agree the release of information can proceed, but if they refuse their consent, then in the view of the ICO, their wishes should be respected and the information should not be used.
In addition it needs to be remembered that in data protection terms ‘consent’ is but one condition that could be relied on to process personal and sensitive personal data. There are several other conditions that it may be possible to rely on depending on the purpose of the processing (and which are set out in Schedule 2 and in Schedule 3).
In terms of meeting a Schedule 2 condition, there are two that could be relied on. These are:
The processing is necessary:
(a) for the exercise of any other functions of a public nature exercised in the public interest by any person, or,
(b) the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Meeting a Schedule 3 condition is more difficult (which is the way it should be). However, in these circumstances the ICO considers that a condition provided for in SI 417 (2000) could be met, namely:
The processing –
(a) is in the substantial public interest;
(b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and
(c) is carried out without the explicit consent of the data subject because the processing must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service.
The ICO stresses that, where these conditions are being relied upon, there is the provision of fair processing information to the individuals involved, with more information being required where the data sharing is more extensive. Privacy notices should make it clear to individuals how their information is being used and where they can find out more about the processing and/or object to the processing (s10 of the DPA).
As the conditions above require that the sharing is either in the substantial public interest or is for confidential counselling purposes, and given that public authorities must not act in any way that is incompatible with the Human Rights Act, we will seek the explicit informed consent of the patient or individual.
It is also important to ensure that the other Data Protection principles are complied with e.g. the information shared needs to be relevant and not excessive, it must be accurate and kept up to date, not kept for longer than necessary and kept secure.
If individuals know at the outset what we propose to use their information for, they will be able to make an informed decision about whether to:
(a) enter into a relationship with us, or perhaps to try to renegotiate the terms of the relationship;
(b) consent or dissent to the use of their information.
If anyone is deceived or misled when the information is obtained, then this is likely to be unfair and will be a breach of the DPA. The DPA says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised, or required, to provide it. The DPA does not define ‘lawfully’. However, ‘lawful’ refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private-sector organisation.