General Data Protection Regulation 2016 (GDPR)
The General Data Protection Regulation 2016 (GDPR) came into force on 25 May 2018 and it applies to Walsall Healthcare NHS Trust as Data Controller. The legislation will replace current data protection law, giving more rights to individuals and more obligations to organisations processing personal data.
As Data Controller, we determine the purpose and manner of processing personal data for both employees and patients. Where we are responsible for processing personal data on behalf of another data controller we act as a Data Processor.
The Trust has robust processes and systems to support compliance with the new laws, which includes keeping you informed about how your data is used.
The Trust’s policy on the implementation of the GDPR can be found here.
Read more about the legal basis for processing personal and special category data under GDPR here.
Collecting your information
Why do we collect information about you?
The purpose of the NHS is to provide you with the highest quality of health care, and to help us achieve this we must keep records about your health, treatment and care we have provided or plan to provide.
These records are called your healthcare records and may be stored in paper format or electronically. They include:
- Personal details about you, such as name, date of birth, address, NHS number, next of kin, and ethnicity
- Details of your hospital appointments/visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and tests
- Relevant information from people who care for you such as healthcare professionals
- Information based on the professional opinion of the staff caring for you
It is extremely important that your personal details are accurate and we will often check with you at appointments or visits that these details are correct.
We collect this information to ensure we are providing you with the right care and, should you see another health professional or be referred to another part of the organisation, accurate and up to date information is shared to enable a continuation in the quality of care you receive.
If you are employed by Walsall Healthcare NHS Trust we will have your education, training and employment details, and your financial details.
Who do we collect information from?
Walsall Healthcare NHS Trust will collect data about you in a variety of ways. The main source of collection is directly from you and this is likely to be done either face to face, during a telephone call, or via email.
We may receive information from other organisations that are also required by law to share information about you with us. An example of this could be the Trust receiving a referral for you from your GP, another Trust or any health or social care provider.
Our Trust and our staff may have access to specific clinical systems from other organisations such as the Summary Care Record, in order to access information about you that is relevant to your care. All systems are auditable and access is on a strictly need to know basis.
How long do we keep your information?
We keep your information in accordance with the National Guidance. All our records are destroyed in line with the NHS Retention Schedule, which sets out the appropriate length of time each NHS record is retained.
Records are destroyed confidentially once they reach the end of their retention period. We do not keep your records for longer than is necessary.
For further information please see the Records Management Code of Practice for Health and Social Care 2016, retention schedules.
Using your information
How do we use your personal information?
The Trust processes personal information about:
- next of kin;
- employees (including students, apprentices, potential employees and volunteers);
- complainants, enquirers;
- survey respondents;
- professional experts and consultants;
Health professionals caring for you manage information about your health and the care you receive from the NHS. This information is recorded in a healthcare record which is held either manually or electronically. It is important as it helps to ensure that you receive the best possible care from us. Your information is used in the following ways to guide and administer the care you receive:
- To ensure that your health professional has accurate and up to date information to provide a good basis for any treatment or advisory services we provide to you.
- To ensure that full and correct information is available to other healthcare providers from whom you may be receiving treatment.
- To ensure your treatment is safe and effective, and the advice we provide is appropriate and relevant to you.
- To ensure that there is a good basis for referring to and checking on the type and quality of treatment you have received in the past.
- To ensure that your concerns can be properly investigated should you wish to raise a complaint.
Your rights in relation to your personal information
You have a number of rights in relation to your personal information. These are described in detail below:
The right of access
You have a right to request a copy of any of your information held by the Trust. Alternatively, you can request to view the information that relates to you, free of charge.
The Trust does have the right to charge an administration fee in situations where requests are repetitive or if it is deemed to be excessive. You are required to prove your identity at the time of making your request and provide specific details in relation to the information you require access to.
Subject Access Requests under GDPR will be processed within 30 days. However, this can be extended by up to a further two months, in particular if there is a significant amount of personal data to review. If this is the case, you will be contacted within 30 days.
A Subject Access Request (SAR) can be submitted in relation to your healthcare record.
If you would like further information about accessing your healthcare record please contact the Health Records Manager below:
Tel: 01922 721172 ext. 7458
Walsall Healthcare NHS Trust
Walsall Manor Hospital
The right to object
The right to object means that data should stop being processed if requested. This only applies where data is obtained with your consent. Generally, we rely on our legal basis to process your data and not consent and therefore for healthcare purposes, this right may not apply. However, if your data is used for any other reason this right may apply to you.
The right to rectification
If you believe your personal information may be inaccurate or incomplete, you can make a request to have your information reviewed.
The right to erasure
The right to erasure is also known as the ‘right to be forgotten’. This allows you the right to have your personal data erased. Generally, this right is not available within healthcare data due to the information we process often being essential to us in continuing to provide you with services. You will be notified where the right is available for specific processing activities.
The right to restrict processing
This right enables you to request a restriction or limit to the processing of your personal data. The right is closely linked with the right to rectify and the right to object and will only apply if:
- You believe your personal data is inaccurate and it is verified by the Trust;
- The data has been unlawfully processed;
- The personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.
The right to data portability
The right to data portability enables you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your healthcare records unless the processing is based on your consent, or processing is carried out by automated means.
Making a complaint
If you have any questions or complaints about your care, please speak to your health professional in the first instance. If this is not resolved to your satisfaction you can contact Patient Relations.
The Data Protection Officer (DPO) is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2016 as well as any policies the Trust has in relation to the protection of personal data.
The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The Data Protection Officer is:
Walsall Healthcare NHS Trust
Walsall Manor Hospital
Tel: 01922 721172 ext. 5806
You also have the right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively. The Commissioner can be contacted at:
Information Commissioner’s Office
Recruitment privacy notice
‘We’ / ‘Us’ / ‘The Trust’ means Walsall Healthcare NHS Trust.
Links to other sites/Databases
Collection of personal information
Your data will be held securely and in accordance with the Data Protection Act 2018 (GDPR) (DPA), the EU Data Protection Directive 95/46/EC, the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) (GDPR), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner.
The Trust processes personal data and sensitive personal data (as described in the Data Protection Act 2018 (GDPR) (DPA), the EU Data Protection Directive 95/46/EC and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) (GDPR)). This is to support the Recruitment process when transferring data and information from NHS Jobs into Trac and ESR.
Personal data is data that relates to an identifiable living person (‘data subject’).
We are processing this information at your request prior to you potentially entering into a contract of employment. Following your contract commencement, your personal information will be collated, stored and sent to your line manager. This information will also be stored in the Electronic Staff Record (ESR).
Special Categories of personal data we may process include:
- Race or ethnicity
- Physical or mental health
- Sexual orientation and sexual life
Additional information that is considered sensitive is:
The commission or alleged commission of an offence, or proceedings or sentence relating to offences or alleged offences
We may be required to do this by employment law in order to assess your capacity to work, to monitor that equality law is being met through the recruitment process and to comply with any safeguarding laws relating to the role you are applying for.
The Trust will also collect and collate the following data for appointed candidates only:
- ID (photographic ID, proof of address and right to work documents)
- Disclosure and Barring Service Checks (convictions, reprimands and cautions)
- Occupational Health Screening
- Bankruptcy and Insolvency register check (Directors only for Fit and Proper Persons)
- Disqualified Director’s check (Directors only for Fit and Proper Persons)
As per the NHS Employment Check Standards, the above is essential for the Recruitment process.
We will use your particularly sensitive personal information in the following ways:
We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. This information will not be available to anyone involved in the selection process and will not be published except as part of a set of anonymised statistics.
Use of your information
By using NHS Jobs and Trac, you agree that we may collect, hold, process and use your information (including personal information) for the purpose of providing you with the NHS Jobs and Trac service and:
- informing you about the outcome of your application;
- informing you about the outcome of your interview
- keeping you updated on the progress of your conditional offer of employment
- conducting market research in terms of understanding retention within the Trust
- carrying out technical and statistical analysis to measure the performance of our services and ensuring we are compliant with the NHS Workforce Race Equality Standard
Sharing your information
Trac has an interface to the Electronic Staff Record System (ESR) which is a payroll and human resources system used by most NHS organisations and by a number of other organisations providing NHS services.
The data you submit to NHS Jobs and Trac may be transferred to ESR for the purposes of:
- establishing the human resources and payroll record;
- completing the recruitment process or parts of the process on ESR; or
- reporting purposes such as equal opportunity monitoring.
- The data you submit to NHS Jobs as part of your job application may be downloaded and transferred to a third-party system (Trac) where an employer chooses to complete the recruitment process using a different system.
- If you apply for a job on NHS Jobs then the Trust will have access to your application and any other material you submit in support of the application for example, your accompanying CV.
- The Trust may copy and hold some or all of this data locally in their own systems to facilitate their administration of the recruitment exercise.
We have an obligation to inform you how we are processing your application before you apply including but not limited to:
- automatic decision making on selection,
- updating information the employing organisation has downloaded from NHS Jobs and/or Trac
- withdrawing an application the Trust has downloaded from NHS Jobs and/or Trac
- how the Trust handles attachments that accompany the application form
- what the Trust uses the Equality and Diversity data for
- how the Trust handles any safeguarding concerns
- transferring of your application to a 3rd party recruitment agency should the agency be used for recruitment purposes i.e. psychometric testing
We also have an obligation to provide any relevant privacy notice(s) when a request for an offline application is made.
If you have agreed to accept SMS texts via Trac and/or NHS Jobs these will only be sent when invited to an interview and a further (reminder) text is sent 2 days before the interview is scheduled to take place.
We will not sell or share your information for marketing purposes.
Note that summary (high level) non-identifiable data is being shared with NHS Digital for NHS vacancy monitoring purposes only.
We will not transfer your personal data outside of the UK.
We reserve the right to disclose your personal information to comply with applicable laws and government or regulatory bodies’ lawful requests for information.
Job applications and adverts are retained on NHS Jobs and Trac for up to 460 days after the closing date, depending on the relevant advert’s or recruitment’s closing date, and then deleted. If you need to access an application form and accompanying CV/attachments or an advert and attachments relating to the vacancy, we recommend you make a copy and retain it within 400 days of the advertisement’s closing date as this is the minimum period we will retain the data.
An audit log will be retained for 24 months to allow our processes to be independently checked.
Removal of your account
If you are a jobseeker and no longer wish to retain your account on NHS Jobs and/or Trac then please contact the NHS Jobs Helpdesk (firstname.lastname@example.org) or Trac helpdesk (email@example.com) and advise them of your wish to have your account removed completely.
If you have an employer’s user account then please contact the Trust administrator directly (firstname.lastname@example.org). Please note that once the account has been deleted the data will no longer be retrievable.
Keeping your personal information secure
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Storage and destruction
We will retain your personal information for six months after we have communicated to you our decision about whether to appoint you. This is so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information unless your application has been successful and you have started employment with us. The data then transfers to ESR.
Changes to this privacy notice
If we change this privacy notice, we will communicate the revised privacy notice with an updated effective date.
Staff privacy notice
If successful in obtaining employment with Walsall Healthcare NHS Trust then please refer to the staff privacy notice.
The information you provided will be managed as required by Data Protection law.
You have the right to:
- Receive a copy of the information the Trust has on you
- Request your information be changed if you believe it was not correct at the time you provided it
- Request that your information be deleted if you believe NHS Jobs, Trac and/or the Trust are processing it for longer than is necessary after 25 May 2018. This request can be declined if valid reasons not to are concluded
Who to contact
Details of NHSBSA processing are shown on our website at https://www.nhsbsa.nhs.uk/our-policies/data-protection
To make use of these rights, or if you have any concerns about our processing of your information, please contact the NHSBSA Data Protection Officer:
Head of Information Governance
NHS Business Services Authority
Newcastle upon Tyne
You also have the right to contact the Data Protection Regulator about any concerns you may have about the use of your information. They can be contacted at:
Information Commissioner’s Office
For further information on how the Trust handles your data, how the data is stored and what your data is used for please contact Walsall Healthcare NHS Trust data protection officer at:
Sharon Thomas – Data Protection Officer
Corporate Governance Manager
Walsall Healthcare NHS Trust
Walsall Manor Hospital
House 20, New Manor Court
Tel: 01922 721172 ext. 5806