St Helena and its partners in the MCCR sharing agreement are committed to protecting the privacy of everyone whose information we collect and process. This statement explains what personal data is collected and processed, how we collect it, whom we share it with, and why we do so. It also explains the steps we take to keep data secure. If you have any questions about this privacy statement or privacy and data processing in general, please contact our Data Protection Officer at dpo@sthelena.org.uk or on 01206 845566, or write to the address below. For privacy concerns relating to a specific patient, you may also contact our Caldicott Guardian at caldicott.guardian@sthelena.org.uk.

What is personal data?

By personal data, we mean any information that might allow you to be identified, such as your name, address, date of birth, credit card details, I.P. address, photo or video image or voice recording. We may also collect what is known as ‘special category data,’ which is more sensitive information, such as that concerning your health, ethnicity, sexuality, sex life, and religious views.

Who are we?

We are St Helena (Charity No. 280919), a charity that helps local people face incurable illness and bereavement in the North Essex area. Our registered office address is:

Myland Hall, Barncroft Close, Highwoods, Colchester, CO4 9JU

We manage and administer the MCCR with a number of other healthcare providers in North East Essex, and St Helena is the designated contact point. Other joint data controllers are East Suffolk and North Essex NHS Foundation Trust, Anglian Community Enterprise, East of England Ambulance Service, Care UK, Integrated Care 24, Essex Partnership University NHS Foundation Trust and the majority of North Essex GP surgeries.

Why do we collect personal data from you? 

We collect your personal information, with your consent, so that your preferences about how you want to be cared for near the end of your life can be recorded and shared with any care provider in the scheme who may be involved with your care. You are under no obligation to share information with us but doing so will help us to improve how we care for you.

If you are referred to one of our clinical services, we will collect data from you and may also receive it from other healthcare providers. Other providers in the scheme may also collect your data. Our current lawful basis for collecting your personal data is Article 6(1)(e) of the GDPR, which concerns our duty as a public authority providing healthcare. We also require a second lawful basis to process your special category data and this is specified under Article 9(2)(h), where processing is necessary to provide health and social care. Our statutory authority for processing is Section 251B of the Health and Social Care (Quality and Safety) Act 2015; specifically the duty it imposes on us to share information where this may be likely to ‘facilitate the provision to the individual of health services or adult social care in England’ and is ‘in the individual’s best interests.’

What type of information is collected about you?

The personal information we collect about you includes your name, address, email, phone number, date of birth and details of your care preferences around how providers look after you near the end of life.

How we use your information

We will use your information to record and share your preferences for how you want to be cared for near the end of your life. We also collect and store it for the purposes of audit, quality control, and incident reporting. Your anonymised data may also be used for statistical reporting and archiving in the public interest. We will not use your data for any other purpose without seeking your prior consent.

We respect your rights of privacy and are happy to provide further information about any profile details that we may hold about you, in accordance with your data subject access rights under current legislation.

Who has access to your information?

We will never sell or swap your details with third parties. The data is available to all of the healthcare providers listed in the ‘Who are we?’ section. We may share data you provide with trusted partners, such as the subcontractors who provide our electronic records and incident management systems, our regulators, local authorities, and law enforcement authorities.

Your rights

You have rights over your personal data under the legislation. The first step in exercising any of the rights below is to contact our SinglePoint team on 01206 890360. They will then facilitate your Data Subject Access Request. We summarise your rights below:

  • Your right to be informed

We have a duty to provide you with certain information at the time we collect data from you and we do that using this privacy notice.

  • Your right to access your data

You have the right to see the medical records we keep about you. This will require a written request to our Director of Care, although the first step is still to contact SinglePoint.

  • Your right to have your data corrected

Where you think the data we hold about you is incorrect, you can ask us to correct it. We will consider such requests on a case by case basis; however, please note that current legislation empowers us to refuse where we think they are unfounded.

  • Your right to erasure

You can ask us to delete the data we hold about you. We will consider such requests on a case by case basis; however, please note that current legislation empowers us to refuse such requests where we think that complying will harm the patient and so we are likely to comply only in exceptional circumstances.

  • Your right to object

Where you object to us processing your data but do not want us to erase it, you can ask us to stop processing it. We will consider such requests on a case by case basis; however, please note that current legislation empowers us to refuse such requests where we think that complying will harm the patient and so we are likely to comply only in exceptional circumstances.

  • Your right to restrict processing

You can ask us to stop processing your data while we are considering an objection or a request to erase it. You can also ask us to restrict processing of your data if you think we gathered it unlawfully or no longer need it. We will consider such requests on a case by case basis; however, please note that current legislation empowers us to refuse such requests where we think that complying will harm the patient and so we are likely to comply only in exceptional circumstances.

  • Your rights relating to automated decision making including profiling

We will not be carrying out any automated profiling with your information, so this right is not applicable.

Security

The healthcare providers that utilise MCCR take your security and privacy seriously. We use a variety of technical processes to prevent unauthorised access including firewalls, digital surveillance, and encryption. Each partner in the MCCR is party to a binding Information Sharing Agreement, which imposes strict confidentiality duties on each of us.

How long we keep your data

We will retain your healthcare data in accordance with the requirements imposed upon us by the National Health Service Records Management Code of Practice for Health and Social Care 2016, which in usual circumstances will be eight years following our last contact with the patient.

Your right to lodge a complaint with a supervisory authority

If you believe that we breached your privacy in any way, we urge you in the first instance to contact our Data Protection Officer. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at the address below:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

https://ico.org.uk/global/contact-us/email/

Changes to this policy

We may amend this privacy policy from time to time, so please check back every so often for updates. This policy was last updated December 2018.