Privacy Notice

In recent years the NHS has changed the way we share patient information among health professionals in different settings e.g. Hospitals, GP practices, Urgent Care Centres.

To prevent delay and ensure safe treatment, especially in urgent situations, doctors and other specialists may access essential parts of your record electronically, rather than writing to or phoning your GP or other healthcare professionals involved in your treatment and care.

The NHS nationally and locally currently uses three systems to share information electronically. These are all currently ‘opt out schemes’, meaning that your records are automatically included unless you opt out of each Individual scheme.

Artificial intelligence

MCHFT may use ‘Artificial Intelligence’ as part of some of our systems. However, decisions about your care will not be made based solely on artificial intelligence and will continue to have the input of a clinician.

As part of your care when you are a patient at the Trust either attending an appointment or as part of an inpatient stay you may have an image taken (x-ray) or procedure (CT scan, MRI, ultrasound etc.)  as part of your treatment and care. We may use a Artificial Intelligence to help us review your image(s) as quickly as possible and to make sure that images of those patients who are the sickest are reviewed first by a Doctor.  Your images will continue to be viewed by a doctor as they are now but the use of AI helps us make sure the order they are reviewed in helps identify those patients who are the sickest first.

In addition to the above, the Trust are using Ambient Voice Technologies to scribe consultations. These technologies work by unobtrusively recording consultations in the background. They then convert the consultation dialogue into text and other outputs. This technology positively transforms any care setting by improving clinical efficiency, enhancing patient care, reducing clinician workload, and improving data quality.

Summary Care Record

The Summary Care Record (SCR) is a secure national electronic record, enabling doctors and health specialists to access information about you that could be vital in an emergency or out-of-hours situation.

Records for each individual will be created automatically. This will enable NHS staff caring for you anywhere in England to access the following information to support your care in an emergency.

• Any medicines you are taking
• Any allergies you have
• Any bad reactions you have had to medicines

Healthcare staff will ask your permission before they look at your record except in certain circumstances (e.g. if you are unconscious).

How to Opt-Out of the Summary Care Record

You can download the ‘opt-out form’ at NHS Care Records and give this to your GP.

Cheshire Care Record

The Cheshire Care Record is a local electronic patient record that allows health and social care professionals directly involved in your care, to share a summary of your medical record.

Your Cheshire Care Record will help those caring for you to manage your care better, and allow information to be shared quickly and safely. Only authorised staff providing health and social care services, or services such as palliative care across Cheshire and Merseyside can access this record.

For more information about Cheshire Care Record, visit the Cheshire Care Record website at www.cheshirecarerecord.co.uk which includes information on:

• What the Cheshire care record is
• Why we share information
• Who information is shared with
• How to Opt Out/In of sharing

National Data Opt-Out Programme

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

National Fraud Initiative

Mid Cheshire Hospitals NHS Foundation Trust is required by law to protect the public funds it administers.  It may share information provided to it with other bodies responsible for: auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.  We participate in the Cabinet Office’s National Fraud Initiative – a data matching exercise to assist in the prevention and detection of fraud.  For more information, please click here. For further information on data matching, please contact your Anti-Fraud Specialist.

In June 2025 Mid Cheshire Hospitals NHS Foundation Trust (MCHFT) and East Cheshire NHS Trust (ECT) launched a shared Electronic Patient Record (EPR). The EPR will benefit patients by supporting both Trusts in maintaining a digital health record of patient care and treatment. It will allow patient information to be safely shared between MCHFT and ECT when necessary to provide patient care or treatment.

Information contained within the EPR will be retained for the periods outlined within the NHS Records Management Code of Practice.

Both Trusts are committed to ensuring complete transparency to patients in the way their information is used.  Patients have the right to see the information contained within their health record which can be done by making a Subject Access Request to either MCHFT or ECT. Patients may also wish to register for the NHS App which allows access to several areas of their NHS health record.  

Information held within the EPR will be kept secure, private and confidential and will only be shared with third party organisations where the law allows. Patient information from the EPR may be shared with third party organisation such as other care providers, with the patients consent, when necessary to support a patients care and treatments. In rare circumstances information may be shared with other third-party organisations without a patients consent where required by law, e.g. to the police investigating a serious crime.

The EPR has been made available via a thorough implementation process to ensure that the system and its functionality complies with data privacy and security laws, regulations and industry best practice.

Any patients who have questions regarding how their health information is used by the Trust may in the first instance wish to raise this question with the clinician responsible for their care. They may also wish to use the contact details provided within this privacy notice to raise any questions with the Information Governance department.

What are the lawful bases for processing?

The lawful bases for processing personal data are set out in Article 6 of the General Data Protection Regulation and article 9 for the processing of special categories data.

We collect and process your Personal Data for a variety of purposes as outlined in this Privacy Policy. 

In many cases, separate consent is not required and therefore we will rely on another ‘legal basis for processing’. These include:

Contract: the processing is necessary for a contract we have with you or because you have asked us to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

Health Purposes: the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of working capacity of an employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care services.  

Occasionally we may ask you for your consent.

Managing Preferences and Withdrawing Consent

Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in. 

We will not use pre-ticked boxes or any other method of consent by default.

As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.

• We will keep consents separate from other terms and conditions
• Be specific and granular, clear and concise
• We will name any third party controllers who will rely on consent as required
• Make it easy for people to withdraw consent.

We will:

• Keep evidence of consent - who, when, how and what individuals were told
• Keep consent under review and refresh if and when anything changes
• Avoid making consent a precondition of a service.

The Trust takes the security of your information seriously and uses different controls and access mechanisms for both electronic and paper based data. Everyone working for the NHS has a legal duty to keep information about you confidential and secure under Data Protection Legislation, Caldicott Principles and the Confidentiality Code of Conduct. 

We use the minimum necessary information about you to be able to provide you with the care and services required. Anyone who receives information from us, as part of a sharing initiative or continuity of care, is also bound by the same legal duties as our staff and have the same confidentiality clauses within their contracts. Breaking those rules can result in investigations, disciplinary proceedings and even dismissal from employment.

The Trust will retain your information for as long as you receive health care services from us, and in line with Health and Social Care Records Management Code of Practice 2016.

You as an individuals have the right to:

• Be informed about what information an organisation hold about you as the 'Data Subject'
• The right of access to that information (commonly known as a ‘Subject Access Request’)
• The right to rectify any inaccuracies of that information
• The right in certain circumstances to have that information erased (known sometimes as ‘right to be forgotten’)
• The right to object to that processing of information and restrict that processing of information
• To know about whether certain decisions have been made about you through automated decision making or profiling.

Data Controller Details: 

Mid Cheshire Hospitals NHS Foundation Trust

Leighton Hospital

Crewe

Cheshire

CW1 4QJ

ICO Registration Number: Z4846564

Data Protection Officer:

Stuart Basford

Mid Cheshire Hospitals NHS Foundation Trust

Leighton Hospital

Crewe

Cheshire

CW1 4QJ

Email: dpo@mcht.nhs.uk 

The Information Commissioner

Wycliffe House

Water Lane,

Wilmslow,

Cheshire 

SK9 5AF

Telephone: 01625 545700

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Your individual rights

You as an individuals have the right to:

• Be informed about what information an organisation hold about you as the 'Data Subject'
• The right of access to that information (commonly known as a ‘Subject Access Request’)
• The right to rectify any inaccuracies of that information
• The right in certain circumstances to have that information erased (known sometimes as ‘right to be forgotten’)
• The right to object to that processing of information and restrict that processing of information
• To know about whether certain decisions have been made about you through automated decision making or profiling.

To submit a request under this process, please visit our Legal Services page for further information. If you have any questions regrading this, please contact legal.services@mcht.nhs.uk / 01270 273916

The GDPR gives individuals (Data Subjects) the right to request and in most cases to be given, a copy of the information which Mid Cheshire Hospitals NHS Foundation Trust holds about them. This is called a Subject Access Request (SAR).

Please note that the Act only entitles an individual to see, or be given a copy of, their own information. You are not entitled to see someone else’s information unless they have given their permission for you to do so. Likewise, someone else cannot ask for your information unless you have given permission for them to do so. This applies to spouses, relatives, friends etc.

If you want to see, or be given, a copy of information that Mid Cheshire Hospitals NHS Foundation Trust holds about you, you need to make a Subject Access Request.

The Trust is not required to respond to a request made verbally, but depending on the circumstances, it may be reasonable to do so (as long as your identity has been satisfied). 

As a requestor you do not have to tell us the reason for making the request or what you intend to do with the information. However, it might be helpful to inform us so we can find the relevant information if you do explain the purpose of the request.

What Information am I entitled to?

‘Subject Access’ is most often used by individuals 'Data Subjects' who want to see the information the Trust holds about them, but now goes further than this and entitles an individual to be:

• Told whether any personal data is being processed
• Given a description of that information and be told whether it will be shared with any other organisation of people
• Given details of the source of the data (where this is known and available)
• Access to their personal information
• Other supplementary information - this will correspond to the information supplied in our ‘Privacy Policy’.

‘Subject Access’ provides a right for you to see your own personal data, rather than a right to see copies of documents that contain personal data.

Is there a fee for submitting a Subject Access Request?

The Trust must provide a copy of the information free of charge. However, the Trust can charge a ‘reasonable fee’ when the request is deemed ‘manifestly unfounded or excessive’ and particularly if it is repetitive.

The Trust can also charge a ‘reasonable fee’ to comply with a request for further copies of the same information.

The fees will be based on administrative costs of providing the information; for example photocopying, postage and packaging.

How long for the Trust have to comply?

Information must be provided without delay and at least within one calendar month of receipt of the request. However, the Trust can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case the Trust will inform you within one month of receipt of the request and explain why the extension is necessary.

If requests are manifestly unfounded or excessive because they are repetitive, the Trust can:

• Charge a ‘reasonable fee’ taking into account administrative costs or refuse to respond.
• If the request is for a large amount of personal data, the Trust is permitted to ask you to specify the information the request relates to.

Verifying your identity

The Trust has a legal obligation to verify the identity of the Data Subject and any authorised person making the request and to verify if they are entitled to the information.

The Trust will verify the identity of the person making the request, using ‘reasonable means’.

Can information be exempted?

Some types of personal information are exempt from the right of subject access and so cannot be obtained by making a ‘Subject Access Request’.

Information may be exempt because of its nature or because of the effects its disclosure is likely to have.

There are also some restrictions on disclosing information in response to a subject access request that would involve disclosing information about another individual.

How to make a make a Subject Access Request?

To submit a Subject Access Request please complete the GDPR Subject Access Request Form - Living Patients and send to legal.services@mcht.nhs.uk or Legal Services, Leighton Hospital, Middlewich Road, Crewe, Cheshire, CW1 4QJ.

If you are requesting information under The Access to Health Records Act 1990 regarding a deceased patient please use the Access to Health Records Form - Deceased Patients. Please contact the Legal Services Team with any queries regarding your request at 01270 273917 or legal.services@mcht.nhs.uk.

Please note – in processing your request the Legal Services team may contact other Trust departments to retrieve the data you have requested. This may include individual specialities, IT or line managers (in the case of staff requests).

How we use cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, and sometimes provide useful information to the owners of the site.

There are some cookies necessary to this site functioning, such as interacting with our accessibility toolbar. These cookies will usually remove themselves when you close your browsing session. More information can be found in the ‘Necessary cookies’ section.

We use some additional cookies, such as Google Analytics, to help us gather information and improve the website. You have the option to deny use of these cookies; more information can be found in the ‘Additional cookies’ section.

You can find more information on managing and deleting cookies on the Information Commissioners Office.

Necessary cookies

The following cookies are necessary to our site functioning.

Necessary accessibility cookies

Additional cookies

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the using Google Analytics.

You can read Google’s extensive information on data practices in Google Analytics.

You can opt-out of Google Analytics on our website by denying additional cookies or by using the Google Analytics Opt-out Browser Add-on.

Embed cookies

We may use embeds from YouTube, Google Maps or Vimeo on our site to display content. That content uses the following third-party cookies. Where possible, we will use privacy-oriented settings to ensure as few cookies as possible require consent.

These additional cookies that remain, and the content from which they stem, will not display on the site unless you choose to ‘Accept additional cookies’.

Captcha cookies

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms.

MCHFT are pleased to offer patients the opportunity to sign up for Patients Know Best (PKB) - our patient information portal that gives you secure access to your medical information from any smartphone, tablet or computer.  

It is intended that you will be able to view all your hospital letters and appointments online, with other applications becoming available over time.  

This service is provided in partnership with Patients Know Best (PKB).  

You can find answers to some Common Questions, or learn more about the features of the PKB Patient System, at Common Questions - Patients Know Best 

The NHS app links to ‘Patient Knows Best’ (PKB) and provides patients with a single point of entry to NHS services. 

For more information on how NHS England and other organisations may use your data when you use the NHS app, please click here. 

The NHS Long Term Plan highlighted the importance of technology in the future NHS; setting out the critical priorities that will support digital transformation and provide a step change in the way the NHS cares for patients. People, data and technology are crucial to the ongoing evolution of the NHS. Working together in these key areas will support and enable local NHS organisations to:

• work in more efficient ways,
• improve diagnosis and treatment,
• improve services.

A key enabler for this is the roll-out of the NHS Federated Data Platform (FDP). The FDP resolves the issue of data being held in different systems that don’t always speak to each other, creating burden for staff and delays to patient care, when we try and use the data every day to manage patient care and plan services. The FDP brings data together from existing IT systems to enable staff to access that information in a single, safe and secure place.

The NHS FDP is made up of a number of separate independent data platforms, each of which is called an “Instance” alongside transparency and privacy enhancing technology, which is called “PET”.  Mid Cheshire Hospitals Trust operates an Instance where our data resides.

Information about how personal data is processed within our Instance is set out below where we have described each individual use (known as a “Product”)

For more information about how personal data is processed within the Federated Data Platform on a national level, please see the NHS Federated Data Platform Privacy Notice here.

Product Description

The care organisations who make sure care is provided in the right way, use this Product to support and improve the NHS services provided to you and all patients across the nation. The Product enables care organisations to assess the effectiveness of their services, supporting them to plan and deliver care.

What are the purposes for processing my personal data in this Product?

The Product enables the NHS to better understand how NHS monies are being used. This is through the use of personal information (called ‘personal data’ under data protection laws) about patients who are receiving treatment. This information is only accessible by the care organisations providing you with treatment.

What personal data about me is processed in this Product?

Personal data which directly identifies you (we call this directly identifiable data) will be processed by the Trust about patients who have received treatment, for the purposes above. Data that is processed by hospitals that use this Product may include your;

• Name
• Address and postcode
• Date of birth and age
• Sex and gender
• Physical description
• General Identifier e.g NHS Number
• Physical / Mental Health or Condition, Diagnosis / Treatment

Personal data about members of staff involved in the delivery of care may also be processed when using this Product, including the names of staff involved in providing care, and their email addresses.

Who is my personal data shared with?

Any identifiable personal data will not be shared with organisations and remains with the care organisations providing you with treatment.

Where identifiable information relating to you is shared with NHS England, more information can be found here;

NHS England » National Identifiable Data Collections Instance Acute Dashboard

De-identified data is securely analysed by a small number of data analysts in NHS England for the purposes of creating anonymous aggregated data to display in dashboards. This is statistical counts of data that doesn't identify you. It is therefore not personal data. Your personal data will not be shared with any other organisation as part of this Product.

Authorised users from NHS England, care organisations and Integrated Care Boards can access the anonymous data in the dashboards for the purposes described above.

UK GDPR Information

Controllers of your personal data

Under data protection law the Trust using the Product are the legal controllers of your personal data under data protection laws. The specific Trust using the Product are listed on the Product Description page of the NHS England website here.

Legal grounds for processing your personal data

Under data protection law the Trust using the Product are the legal controllers of your personal data under data protection laws. The specific Trust using the Product are listed on the Product Description page of the NHS England website here.

• Public Task - Article 6(1)(e) of UK GDPR ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Health Care - Article 9(2)(h) of UK GDPR  ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  In addition, the legal grounds under paragraph 2 of Part 1 of the DPA 2018 apply (health care purposes).

The personal data processed about patients by the Trust for the purposes above is also confidential data. As the care organisation is processing your confidential data to provide you with individual care, it is relying on your implied consent to do this, as you would reasonably expect the hospital to process your personal information this way to provide you with care. The care organisation will keep your personal data confidential and only use and share it with other members of the care team to provide you with care, where you would reasonably expect them to, and subject to strict confidentiality controls to ensure your information remains confidential.

Processor acting on behalf of care organisations and the Trust

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS England who are using this Product. They provide the data platform and the technology that the Product uses and only act on the instructions of the NHS England and the care organisations.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by the care organisations for the purposes above:

• Right to be informed
• Right of access
• Right to rectify
• Right to object

Further information about these rights is in the NHS Federated Data Platform Privacy Notice here. Your Trust will also have a Privacy Notice on its own website which will explain more about how the Trust processes your personal data, your rights and how to exercise them.

Contact details for data protection officers in the Trust using this Product are here.

Does the National Data Opt Out or any other opt out apply to this Product?

The National Data Opt Out by the care organisation for the purposes explained above. This is because the care organisations is processing your personal data to provide you with individual care and treatment. Type 1 Opt Outs by the care organisations do not apply to the processing of your personal data the data used is not received from your GP Practice, this opt-outs don’t apply in these circumstances.

Product Description

The Trust uses this Product to support and improve the services which identify illnesses for patients. It allows you, as a patient, to book available appointments with Trusts within your local area.  This will hopefully mean you have a shorter wait for your test appointment.

What are the purposes for processing my personal data in this Product?

This Product processes personal information (called ‘personal data’ under data protection laws) about patients who are scheduled to have appointments at a Trust and identify if they are able to be seen sooner if the patient is content to go to a nearby Trust.  

The use of the Product by the Trust is intended to improve your wait time and support a faster diagnosis. This is completed through better use of the information that the Trusts hold, bringing together all required information into one place to support your care.

What personal data about me is processed in this Product?

Personal information which directly identifies you (we call this directly identifiable data) will be processed by the Trust about patients who are having planned treatment scheduled, for the purposes above. Data that is processed by hospitals that use this Product may include your:

• Name
• Address
• Postcode
• Date of Birth and Age
• Sex
• Living Habits
• Email Address
• Home and Mobile Phone Number
• General Identifier, such as NHS Number
• Health information, including information about your medical condition, symptoms, diagnosis and treatment
• Sexual Life / Orientation
• Religion or Other Beliefs
• Racial / Ethnic Origin

Email addresses of members of staff involved in the delivery of care will also be processed when using this Product.

Who is my personal data shared with?

Your personal data is accessed and used by hospital staff who are coordinating your appointments, this includes support staff who need to support health care professionals to administer your care journey. It includes NHS Trusts within your area who can offer a quicker appointment.

UK GDPR Information

Controllers of your personal data

Under data protection law the Trusts using the Product are the legal controllers of your personal data under data protection laws. The specific Trusts using the Product are listed on the Product Description page of the NHS England website here.

Legal grounds for processing your personal data

The processing of personal data by the Trust for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA2018)):

• Public Task - Article 6(1)(e) of UK GDPR ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Health Care - Article 9(2)(h) of UK GDPR  ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  In addition, the legal grounds under paragraph 2 of Part 1 of the DPA 2018 apply (health care purposes).

The personal data processed about patients by the Trust for the purposes above is also confidential data. As the Trust is processing your confidential data to provide you with individual care, it is relying on your implied consent to do this, as you would reasonably expect the hospital to process your personal information this way to provide you with care. The Trust will keep your personal data confidential and only use and share it with other members of the care team to provide you with care, where you would reasonably expect them to, and subject to strict confidentiality controls to ensure your information remains confidential.

Processor acting on behalf of NHS Trusts

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS Trusts who are using this Product. They provide the data platform and the technology that the Product uses and only act on the instructions of the NHS Trust.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by the NHS Trust for the purposes above:

• Right to be informed
• Right of access
• Right to rectify
• Right to object

Further information about these rights is in the NHS Federated Data Platform Privacy Notice here. Your Trust will also have a Privacy Notice on its own website which will explain more about how the Trust processes your personal data, your rights and how to exercise them.

Contact details for data protection officers in the Trust using this Product are here.

Does the National Data Opt Out or any other opt out apply to this Product?

The National Data Opt Out policy does not apply to this Product as the Confidential Patient Information Processed in this Product is used and shared for the purposes of the Direct Care of patients.

Type 1 Opt Outs do not apply to this Product because the Confidential Patient Information Processed in this Product is not derived from GP Data.  

Product Description

The Trust uses this Product to support and improve the patient experience and outcomes by tailoring aftercare and self-management of the cancer pathways. The overall aim of this product is to personalise the follow up support patients received after cancer treatment. The product allows the trusts involved in your care to share information about the on-going care you require with each other to provide you with the best follow-up care available.

What are the purposes for processing my personal data in this Product?

This Product processes personal information (called ‘personal data’ under data protection laws) about patients who are receiving post treatment for cancer care and aims to ensure that all patients are reviewed and risk assessed to ensure that the appropriate care is provided post treatment.  

The use of the Product by the Trust aims to reduce delays in communicating results and enable faster clinical response to abnormal results which may require clinical intervention, as a result improving patient experience and outcomes.

What personal data about me is processed in this Product?

Personal data which directly identifies you (we call this directly identifiable data) will be processed by the Trust about patients who are receiving care from the Trust for the purposes above. Data that is processed by hospitals that use this Product may include your:

• Name
• Address
• Postcode
• Date of Birth and Age
• Sex
• Living Habits
• Email Address
• Home and Mobile Phone Number
• General Identifier, such as NHS Number
• Health information, including information about your medical condition, symptoms, diagnosis and treatment
• Sexual Life / Orientation
• Religion or Other Beliefs
• Racial / Ethnic Origin
• Genetic Data

Email addresses of members of staff involved in the delivery of care will be processed when using this Product.

Who is my personal data shared with?

Your personal data is accessed and used by hospital staff who are coordinating your appointments, this includes support staff who need to support health care professionals to administer your care journey.

UK GDPR Information

Controllers of your personal data

Under data protection law the Trust using the Product are the legal controllers of your personal data under data protection laws. The specific Trust using the Product are listed on the Product Description page of the NHS England website here.

Legal grounds for processing your personal data

The processing of personal data by the Trust for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA2018)):

• Public Task - Article 6(1)(e) of UK GDPR ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Health Care - Article 9(2)(h) of UK GDPR  ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  In addition, the legal grounds under paragraph 2 of Part 1 of the DPA 2018 apply (health care purposes).

The personal data processed about patients by the Trust for the purposes above is also confidential data. As the Trust is processing your confidential data to provide you with individual care, it is relying on your implied consent to do this, as you would reasonably expect the hospital to process your personal information this way to provide you with care. The Trust will keep your personal data confidential and only use and share it with other members of the care team to provide you with care, where you would reasonably expect them to, and subject to strict confidentiality controls to ensure your information remains confidential.

Processor acting on behalf of NHS Trusts

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS Trusts who are using this Product. They provide the data platform and the technology that the Product uses and only act on the instructions of the NHS Trust.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by the NHS Trust for the purposes above:

• Right to be informed
• Right of access
• Right to rectify
• Right to object

Further information about these rights is in the NHS Federated Data Platform Privacy Notice here. Your Trust will also have a Privacy Notice on its own website which will explain more about how the Trust processes your personal data, your rights and how to exercise them.

Contact details for data protection officers in the Trust using this Product are here.

Does the National Data Opt Out or any other opt out apply to this Product?

The National Data Opt Out policy does not apply to this Product as the Confidential Patient Information Processed in this Product is used and shared for the purposes of the Direct Care of patients.

Type 1 Opt Outs do not apply to this Product because the Confidential Patient Information Processed in this Product is not derived from GP Data.