Privacy notices
At Walsall Healthcare NHS Trust, we aim to provide you with the highest quality healthcare. The Trust uses personal and confidential information for a number of purposes. Our privacy notices provide a summary of how we use your information.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses, or the government. Under the Act, Walsall Healthcare NHS Trust is defined as a ‘data controller’ of your personal information. The Trust is registered with the Information Commissioner's Office (ICO).
Our Registration number is Z5161445
Definitions
Personal Data: ‘Personal Data’ is information relating to a natural (living) person which can be used to identify the person, for example:
- Name
- Address
- Telephone number
- Employee number
- Gender
- National Insurance (NI) Number
- NHS Number
Sensitive personal data (Special Category): ‘Special Category’ data is information which is classed as more sensitive personal data, for example:
- Religious beliefs
- Ethnic Origin
- Sexual Orientation
- Criminal convictions
- Disabilities
- Trade Union Membership
Data controller: ‘Data controller’ means the organisation that determines or decides the purposes, conditions, and means of the processing of personal data.
Processing: ‘Processing’ includes the collection, recording, storage, use, disclosure, or destruction of personal data.
What is Data protection law?
The Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. This is the Data Protection Act 2018.
Under Data Protection Law, we must be able to demonstrate compliance with the Data Protection Principles governing the protection of personal data. Below is a summary of the Principles and how the Trust complies with them.
UK GDPR Principles (Article 5) require that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Data Minimisation: Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Data Accuracy: Accurate and, where necessary, kept up to date and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased, or rectified without delay.
- Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals.
- Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability: Ensuring we are responsible for complying with UK data legislation and that we can demonstrate our compliance.
Article 5, Clause 2 states “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
This means that under the UK GDPR, organisations must be able to demonstrate and prove that they are compliant with the Data Protection Principles.
How will we meet the principles of UK GDPR?
We will process your personal information fairly and lawfully by:
a) Only using it if we have a lawful reason to do so and, when we do, we will inform you about how we intend to use your data and inform you about your rights.
Whilst we do not rely on consent as a legal basis for processing your information, we are obliged to inform you of how and when we use it. We do, however, rely on specific provisions under Articles 6 and 9 of the Data Protection Act, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’
This allows us to use your personal information to provide you with your care. However, you do have the right to say ‘NO’ to our use of your information, but this is likely to impact on our ability to provide you with care.
b) Only collecting and using your information to provide you with your care and treatment and not using it for anything that is not considered by law to be for this purpose. We would never share your information for marketing or insurance purposes.
c) Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks for the delivery of your care.
d) Keeping your information accurate and up to date when using it and if it is found to be inaccurate, we will correct it, where appropriate, as soon as we can.
e) Only keeping your information in a way that it will identify you for as long as we are legally required to.
f) Having secure processes in place to keep your personal information safe when it is being used, shared, or stored.
Contact
Should you require any further information or advice, please contact the Information Governance Team on: wht.data.protection2@nhs.net