Fair Processing Notice (Privacy Notice)
Your Personal Information – what you need to know
Who we are and what we do
The BEATdiabetes Service provides a self-referral service to people in North East Hampshire and Farnham who wish to receive online support for their diabetes. BEATdiabetes is one of seven national test beds funded by NHS England. Please follow this link for more information: https://www.england.nhs.uk/ourwork/innovation/test-beds/
BEATdiabetes is led by NHS North East Hampshire and Farnham Clinical Commissioning Group (CCG) and is made up of partners who help deliver and evaluate the national test bed. These partners are the CCG (local commissioner), the University of Surrey (academic partner), Salus Medical Services (clinical service provider), and SilverCloud, OurPath and Commit to Change (programme partners). A link to the privacy notice for each of the partners can be found at the bottom of this document.
The BEATdiabetes portal provides you with access to the online registration (the “Website”), with UK server hosting provided by Amazon Web Services.
Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national laws implementing them, as amended from time to time. The legislation requires us to process personal data only if there is a legitimate basis for doing so, and any processing must be fair and lawful.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.
What kind of information do we use and how do we use it?
The BEATdiabetes Service will collect and process the information you provide by filling in forms on the Website. These forms require your name, date of birth, email, phone number and registered GP surgery. These details will be assigned to a unique reference number. Only this number, not your identifying details, will be visible to the CCG and the University of Surrey when they carry out the evaluation of the service.
Your personal information (name, date of birth, email, phone number, registered GP surgery and unique reference number) will be accessible to the Health Care Assistants employed by Salus Medical Services. Salus Medical Services is a data controller for the personal data collected from you. This data will be recorded in a secure electronic patient record (EPR) system. The following data will be collected and stored within the EPR system: name, address, date of birth, gender, ethnicity, smoking history, alcohol history, date of diabetes diagnosis, current diabetic medication, measured blood pressure reading (taken at the start of the programme and possibly again at 6 and 12 months), blood tests to measure HbA1c and lipid/cholesterol profile (taken at the start of the programme and possibly again at 6 and 12 months), and diabetes-relevant past medical history (see the terms for further information).
Your registered GP will be notified of your wish to take part in the BEATdiabetes programme. Salus Medical Services will request a copy of your brief medical summary history from your GP surgery in order to complete the information collection described above. The level of data included in a brief medical summary history varies between GP surgeries, but in most cases it includes: name, date of birth, address, NHS number, phone number, email, registration date, active problem list with dates, significant past medical history with dates, medications, allergies, health status data (blood pressure, smoking, alcohol, BMI, weight, height and cervical screening history), immunisations, last three consultations, values and investigations.
A copy of the data collected from you outlined above and through attendance at the BEATdiabetes clinics will be sent to your GP surgery.
The data collected above and held in the EPR record will be pseudonymised: only the unique reference number will identify a particular data set. All personal identifiable data (name, address (except the first 4 digits of the postcode), email, phone contact, date of birth, NHS number) will be removed before the data is transmitted to the BEATdiabetes Website.
Questionnaires will be sent to all participants registered to take part in the BEATdiabetes programme. There are four questionnaires, accessed either through a link on the Website or by email, at the start of the programme and at 1 month, 3 months, 6 months and 12 months into the programme:
- Diabetes Distress
- Work and Social Adjustment Scores
- EQ-5D Score
- Friends and Family Test (except at baseline)
Only the unique reference number will be used to link this questionnaire data to the other data collected above; no personal identifiable data will be used or collected with it.
Your personal contact information (name, email and/or phone contact) will be sent to the diabetes self-support programmes: SilverCloud, OurPath and Commit to Change. Your contact information may be sent to one, two or all three programme providers, depending on your choices. Each of these providers will individually be the data controller for the data it collects from you.
- SilverCloud is an Ireland based company with UK offices. Activity data is stored on a public server in Ireland hosted by Armor Defence and Amazon Web Services.
- OurPath is a UK based company. Activity data is stored on a server hosted with Amazon Web Services within the European economic area.
- Commit to Change is a franchise of the American based company SticKK.com LLC. Activity data is stored on a server in Montreal, Canada. If the user opts to place a financial wager, credit card information will be stored on the payment gateway.
Activity data on these sites will be monitored by the providers and uploaded to the BEATdiabetes Website, linked to the unique reference number only (with no personal identifiable data) to identify the data set. Please see the terms for details of the level of data captured.
All data will be collated within the BEATdiabetes Website using only the unique reference number as the identifier. This data will be accessed only by the University of Surrey and the CCG, to allow a service evaluation of the efficacy of the BEATdiabetes programme. The CCG and the University of Surrey will be joint data controllers for the evaluation data set. If you opt in during registration on the BEATdiabetes Website, you may be asked by the University of Surrey to take part in an interview survey; the University of Surrey will be the sole data controller for any interview data collected. If you opt to take part, your personal information (name, email and phone contact) will be made available to the University of Surrey so that they can get in touch with you.
Data collected from you by the University of Surrey during these interviews will be evaluated, together with data from other such interviews, to understand how well the service is working.
The outcome data from the BEATdiabetes Test Bed programme will be published in medical journals or news items. No personal identifiable data relating to any specific individual taking part in the programme will be published. Only aggregated data will be published, that is, statistical data about several individuals combined to show general trends or values without identifying any individual within the data.
The CCG has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian.
They are supported by another senior member of staff who is responsible for information risk and information security; this person is called the Senior Information Risk Owner (SIRO).
The above two roles are also supported by our Data Protection Officer (DPO). The DPO is responsible for monitoring compliance with Data Protection legislation (GDPR and DPA 2018) and Information Governance (IG) policies, providing advice and guidance, raising awareness, training and audits. The DPO acts as a contact point for the ICO, employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection. The contact details of our DPO are as follows:
How long do we hold information for?
All records held will be kept for the duration specified by national guidance from NHS Digital, the Health and Social Care Records Code of Practice. Once information has been identified for destruction it will be disposed of in the most appropriate way for the type of information. Personal confidential and commercially sensitive information will be disposed of by approved, secure confidential waste procedures. Research data is retained for 10 years by the University of Surrey. Evaluation and pseudonymised/anonymised data is retained for 3 years by the CCG. Programme provider data is retained for 6 years.
Your right to opt out
Participants have the right to opt out of the programme at any time and can do so through the programme partners or by contacting NEHFCCG.BEATdiabetes@nhs.net
Gaining access to the data we hold about you
If you wish to have sight of, or obtain copies of, your own personal health care records you will need to apply to the respective BEATdiabetes Partner who holds your information. Information on how to do this can be obtained from each individual Partner's Privacy Notice.
You have the right to:
- view or request copies of the records by making a Right of Access request under the General Data Protection Regulation
- request information is corrected/rectified
- have the information updated where it is no longer accurate
- where applicable, request information is erased
- where applicable, request for your data to be made portable
- where applicable, ask us to stop processing information about you where we are not required to do so by law
You have the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data. If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.
Automated Decision Making
The BEATdiabetes Service will not make decisions based solely on automated processing.
What is the right to know?
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the CCG holds that does not fall under an exemption. You may not ask under FOIA for information that is covered by the Data Protection Legislation; you can, however, request this under a Right of Access request (see the section above, ‘Gaining access to the data we hold about you’).
Your request must be in writing and sent to the relevant BEATdiabetes Partner to which the FOI Act is applicable. Information on how to do this can be obtained from each individual Partner's Privacy Notice.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This Fair Processing Notice was last updated in April 2019.
Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in:
The NHS Care Record Guarantee: This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
The NHS Constitution: The Constitution establishes the principles and values of the NHS in England. It sets out the rights to which patients, the public and staff are entitled, the pledges which the NHS is committed to achieve, and the responsibilities which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
To share or not to share? Information Governance Review: This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was conducted in 2012.
NHS Commissioning Board – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets: Provides further information about the data flowing within the NHS to support commissioning.
NHS Digital – Guide to Confidentiality: NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.
Information Commissioner’s Office (ICO): The ICO is the Regulator for GDPR and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Health Research Authority: The HRA protects and promotes the interests of patients and the public in health and social care research.
Information Commissioner's Office
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
By post: Information Commissioner’s Office
Water Lane, Wilmslow,
Cheshire, SK9 5AF
By email: email@example.com or visit the ICO website.
Purpose – To process your personal and pseudonymised information for BEATdiabetes registration and service evaluation.
Legal Basis – Explicit Consent.
Data Processor – Amazon Web Services (portal provider).
Purpose – To process personal information for the provision of the service/programmes chosen to aid in the self-management of diabetes.
Legal Basis – Explicit Consent.
Data Processor – The programme provider and their data processors; please refer to their individual Privacy Notices.
BEATdiabetes test bed Evaluation
Purpose – To process pseudonymised data to evaluate the BEATdiabetes service and programmes.
Legal Basis – Explicit Consent.
Data Processor – The CCG will process this information through Amazon Web Services and SCW CSU (the CCG's IT provider); the University of Surrey will process this information themselves on their secure servers.
BEATdiabetes Evaluation Interviews
Purpose – To process the interview data collected to evaluate the BEATdiabetes service/programme.
Legal Basis – Explicit Consent.
Data Processor – The University of Surrey will process this information themselves.
BEATdiabetes Clinical Data
Purpose – To collect and process the clinical data required for the BEATdiabetes service.
Legal Basis – Explicit Consent.
Data Processor – Salus Medical Services will collect and process the information themselves using EMIS, an electronic clinical system.