Services

Privacy Notice

Who we are

Locala Health and Wellbeing (Locala) is a not-for-profit community healthcare provider that provides a variety of NHS and local authority services to care for and support people of all ages. Locala is a registered company in England and Wales under registration number 07584906, with a registered office in Eddercliffe Health Centre, Bradford Road, Liversedge WF15 6LP. Locala is the ‘Controller’ of personal information we collect about you unless otherwise stated.

So that we can provide you with the best possible service, a variety of information is collected about you from a range of sources, such as your General Practitioner (GP). This information is used to support your healthcare.

Locala will process your personal information in accordance with all applicable laws, including the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Under the United Kingdom General Data Protection Regulation (UK GDPR), information about your physical and mental health, racial or ethnic origin and religious belief are considered as special category personal information and is subject to strict laws governing its use. The sections below will explain why Locala Health and Wellbeing collects personal information about you, the ways in which such information may be used, and your rights under UK GDPR. We are legally responsible for ensuring we comply with the UK GDPR when processing your personal information.

What is personal data?

Personal data means any information relating to you that identifies you, or through which you can be identified, directly or indirectly. In particular, by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to you physical, physiological, genetic, mental, economic, cultural or social identity.

The purpose of this Privacy Notice

The purpose of this Privacy Notice is to let you know how we process your Personal Data when you engage with our services or visit our website. This Privacy Notice explains what Personal Data we collect from you and how we collect, use, store and disclose it. This Privacy Notice also contains information about your rights under applicable data protection legislation.

We are committed to compliance with the applicable data protection legislation. We believe that ensuring data protection compliance is the foundation of trustworthy relationships.

It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

What information do we collect about you?

All clinicians, health and social care professionals caring for you, keep records about your health, and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

  • Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
  • Contact we have had with you such as appointments or clinic visits.
  • Notes and reports about your health, treatment and care – A&E visits, in patient spells or clinic appointments
  • Details of diagnosis and treatment given
  • Information about allergies or health conditions.
  • Results of x-rays, scans and laboratory tests.
  • Relevant information from people who care for you and know you well, such as health care professionals and relatives.

It is essential that your details are accurate and up to date. We will always check that your personal details are correct when you visit us and please inform us of any changes to your contact details or GP Practice as soon as possible. This minimises the risk of you not receiving important correspondence.

By providing Locala with your contact details, you are agreeing to us communicating with you about your healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

How your personal information is used and collected

In general terms, your records are used to direct, manage and deliver your care so that:

  • The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
  • Health and social care professionals have the information they need to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS or social care.
  • Your concerns can be properly investigated if a complaint is raised.

The Care Record

The Care Record is a shared system that allows health or social care professionals within the local health and social care community to appropriately access the most up-to-date and accurate information about patients to deliver the best possible care.

The NHS Care Record Guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained here.

Yorkshire and Humber Care Record

Locala Health and Wellbeing view data from the Yorkshire and Humber Care Record. The Yorkshire and Humber Care Record is a shared system that allows Healthcare staff within Yorkshire and Humber to appropriately access the most up-to date and correct information about patients, to deliver the best possible care.

This processing is necessary to perform a public task (UK GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (UK GDPR Article 9(2)(h)).

The Yorkshire and Humber Care Record Guarantee

The Yorkshire & Humber Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. If you would like any further information, or would like to discuss this further, please contact the Yorkshire and Humber Care Record on 0113 206 4102 or [email protected].

Yorkshire and Humber Care Record Patient Information Leaflet

The Records Management Code of Practice

This Records Management Code of Practice for Health and Social Care 2016 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.

The Code is based on current legal requirements and professional best practice. It will help organisations to implement the recommendations of the Mid Staffordshire NHS Foundation Trust Public Inquiry relating to records management and transparency.

You can read the Code of Practice here.

How long health records are retained

All patient records are kept and destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained.

Locala does not keep patient records for longer than necessary and all records are confidentially destroyed once their retention period has been met, and we have made the decision that the records are no longer required.

Legal basis for the processing of your data

The UK GDPR requires that a Controller must have a legal basis for processing Personal Data. These may be:

  1. Your consent. We will obtain you consent directly from you, and you are able to withdraw your consent at any time. You can do this by contacting [email protected]
  2. We have a contractual obligation.
  3. We have a legal obligation.
  4. We have a vital interest.
  5. We need it to perform a public task.
  6. We have a legitimate interest.

In some cases, we may process special category data. This is afforded some extra protection due to its sensitive nature, and therefore, under UK GDPR we are required to provide a lawful basis for processing, and a secondary condition under Article 9. The conditions we may rely on are:

  1. Explicit consent
  2. Employment, social security and social protection (if authorised by law)
  3. Vital interests
  4. Not-for-profit bodies
  5. Made public by the data subject
  6. Legal claims or judicial acts
  7. Reasons of substantial public interest (with a basis in law)
  8. Health or social care (with a basis in law)
  9. Public health (with a basis in law)
  10. Archiving, research and statistics (with a basis in law).

When do we share information about you?

We share information about you with others directly involved in your care; and also share more limited information for indirect care purposes, both of which are described below.

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.

Direct Care Purposes

Unless you object, we will normally share information about you with other health and social care professionals so that you may receive the best quality care:

  • Other NHS organisations and hospitals that are involved in your care.
  • NHS Digital and other NHS bodies.
  • General Practitioners (GPs).
  • Ambulance Services.

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social Care Services.
  • Education Services.
  • Local Authorities.
  • Voluntary and private sector providers working with the NHS.

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.

Indirect Care Purposes

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet patient needs in the future
  • Investigate patient queries, complaints and legal claims
  • Ensure the hospital receives payment for the care you receive
  • Prepare statistics regarding NHS performance
  • Audit NHS accounts and services
  • Undertake heath research and development (with your consent – you may choose whether or not to be involved)
  • Help train and educate healthcare professionals

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:

Care Quality Commission

The Care Quality Commission has powers under the Health and Social Care Act 2008 to access and use information – including personal and medical records – where they consider this is necessary for them to carry out their functions as a regulator. They also have powers to access and use information as part of their role protecting the rights of people whose rights are restricted under the Mental Health Act 1983, and powers under the Health and Safety at Work Act 1974.

For example, they check that care services are complying with the regulations regarding record keeping, care planning, consent, cooperating with other providers, and management of medicines. 

They publish guidance for our staff on accessing medical and care records. They usually look at only a small sample of these records during an inspection, often in anonymised form. In rare circumstances they may take a copy of parts of a person’s records.

If you do not want CQC to look at your personal information when they check our services, please let us know. We can mark your records to show that you do not want CQC to see them.

If we know that you don’t want CQC to look at your information, your wishes will be respected, other than in rare circumstances which are explained in their Code of Practice on Confidential Personal Information here.

Transfers of information Outside the European Economic Area

Locala Health and Wellbeing ensures that personal confidential data, even it would constitute fair processing, is not, unless certain exemptions apply or protective measures taken, disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

When do we share information about you

We share information about you with others directly involved in your care; and also share more limited information for indirect care purposes, both of which are described below.

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.

How the NHS and care services use your information

Locala Health and Wellbeing is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please click here.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used here (which covers health and care research); and here (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Since 2020, Health and care organisations are required to have systems and processes in place so they can apply your national data opt-out choice. Locala Health and Wellbeing is not currently able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care.  The national implementation plan is available on the nhs.uk website above.

When other people need information about you

Everyone working in Health and Social Care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential.

From time to time, we may need to share information with other professionals and services concerned in your care. This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for Locala Health and Wellbeing) in order to plan your care. We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.

There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.

Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm
  • If there is a concern that you are putting another person at risk of serious harm
  • If there is a concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a court
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. Certain infectious diseases

 

(copy 1)

Other ways in which we use your information

Call recording

Telephone calls to our Single Point of Contact are routinely recorded for the following purposes:

  • To make sure that staff act in compliance with our procedures.
  • To ensure quality control.
  • Training, monitoring and service improvement
  • To prevent crime, misuse and to protect staff

SMS text processing

When attending one of our services for an outpatient appointment or a procedure you may be asked to confirm that we have an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.

Surveillance Cameras (CCTV)

Some of the premises we use have surveillance cameras (CCTV) for the purpose of prevention and detection of crime as well as to:

  • protect staff, patients, visitors and Trust property
  • apprehend and prosecute offenders, and provide evidence to take criminal or civil action in the courts
  • provide a deterrent effect and reduce unlawful activity
  • help provide a safer environment for our staff
  • assist in traffic management and car parking schemes
  • monitor operational and safety related incidents
  • help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
  • assist with the verification of claims

You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Please see the ‘Data Subjects Rights’ section. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.

We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.

Security of information

Confidentiality affects everyone: Locala Health and Wellbeing collects, stores and uses large amounts of personal and special category personal data every day, such as medical and clinical records, personal records and computerised information. This data is used by many of our colleagues in the course of their work.

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. All our colleagues are bound by a duty of confidentiality and undertake regular training.

At Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.

Additionally, we put in place appropriate organisational and technical security measures. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.

In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.

Although we use appropriate security measures once we have received your Personal Data, you will appreciate that the transmission of data over the internet (including by email) is never completely secure. We endeavour to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.

Examples of our security include:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what is called a ‘cypher’. The hidden information is said to then be ‘encrypted’.
  • Pseudonymisation, meaning that we’ll use a different name or key so we can hide parts of your personal information from view.  This means that someone outside of Locala could work on your information for us without ever knowing it was yours.
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Data stewardship is a way for us to be clear about who is responsible for what data and sets out clearly who has access to the data – limiting access to only those who need it to carry out our duties.
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates.

Individual Rights

You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request. Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one calendar month. In order to exercise your rights please contact our Resolution Team. Details of how to contact the Resolution Team are below.

You can contact us if you wish to complain about how we collect, store and use your Personal Data. It is our goal to provide the best possible remedy with regard to your complaints.

However, if you are not satisfied with our answer, you can also contact the relevant competent supervisory authority. In the UK, the relevant supervisory authority is the ICO, contact details of which can be found below.

Right to be informed – we will tell you what we do with your information.  We do this through notices like this, service information leaflets, notices on our website and posters.

Subject Access Request - You have a right to receive a copy of all the Personal Data we hold about you. Please see below for information on how to exercise this right.

Right to Rectification - we will correct any personal information that is inaccurate and rectify any data that is incomplete

Right to Erasure - This is also known as the “right to be forgotten”. You have a right to ask us to delete your Personal Data where there is no good reason for us continuing to process it. However, certain criteria apply and if we have a legitimate reason to continue processing your personal data, we will not be legally required to delete it.

Right to Objection – Where we are relying on the legal basis of ‘public task’, you have a right to object to how we process your information and with whom we share your information.  If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.

Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.

Right to Restriction - You have a right to ask us to restrict the processing of your Personal Data in certain circumstances. For example, we will temporarily restrict processing your data whilst we check the information, if you query the accuracy of it.  We will also restrict processing (if you raise an objection as to how we process your data) whilst we consider your objection.

Right to Portability - You have the right to ask us to transfer any Personal Data you have provided to us to another party, subject to certain criteria being satisfied. We will provide this Personal Data in a structured, commonly used and machine-readable format.

Right to withdraw consent - If you have given us your consent for the processing of your Personal Data, you can withdraw this at any time. Please note, the withdrawal has no effect on the legality of the data processing carried out in the past on the basis of your consent. To exercise your right to withdraw consent contact us at [email protected]

Right related to automated profiling – some of our services use profiling for medical treatments, by applying machine learning to predict patients’ health or the likelihood of a treatment being successful for a particular patient based on certain group characteristics.  In all cases, the results will be fully discussed with you and you will be involved in planning further treatment and care.

Right to complain - If you are unhappy with the way in which your personal information has been or is being processed, you have the right to make a complaint about it to the Information Commissioner’s Office (ICO). They can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow
Cheshire
SK9 5AF

www.ico.org.uk

How can you access your records?

The UK GDPR gives you a right to access the information we hold about you on our records. Requests should be made to the Resolution team. We will provide your information to you within one month (this can be extended dependent on the complexity of the request) from receipt of your application:

Before fulfilling your request, we will need to be able to verify your identity and will ask you to provide relevant documents. 

Information will be provided free of charge except where requests are unfounded or excessive, in particular repeat requests when we may either charge a reasonable administrative fee or refuse to act on the request.

Resolution Team
Cleckheaton Health Centre

Greenside

Cleckheaton

BD19 5AP

Tel:  030 3330 8831

Email: [email protected]

Freedom of Information

The Freedom of information Act 2000 provides you with the right to obtain information held by Locala Health and Wellbeing, subject to a number of exemptions.  If you would like to request some information from us, please visit the Freedom of information section of our website.

Our Data Security and Protection policy is available through this website ‘About us/Locala/Policies.

Please note: if your request is for information we hold about you (for example, your health record), please instead see the section on Your Rights.

Data controller

The Data Controller responsible for keeping your information confidential is:

Locala Health and Wellbeing,

Eddercliffe Health Centre
Bradford Road,

LIversedge,

West Yorkshire,

WF15 6LP

Data Protection Officer is Hayley Silverwood.

The Data Protection Officer’s role is to monitor and advise the organisation on meeting its data protection responsibilities. 

Our Caldicott Guardian is Victoria Vallance, Director of Quality and Professional Practice. She can be contacted using the details below.

Email: [email protected]

 

Raising a concern

Patients who have a concern about any aspect of their care or treatment from Locala Health and Wellbeing, or about the way their records have been managed, should contact the Customer Liaison Team on [email protected]; telephone 030 3330 4529

If you have any concerns about how we handle your information you have a right to complain to the Information Commissioners Office about it.

The UK GDPR requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF

Telephone: 08456 306060

Website: ico.org.uk

Your obligations

If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account to ensure that the data we hold about you is accurate and up to date.

The Data Protection Principles

We will comply with the UK GDPR and the DPA 2018. Article 5 of the UK GDPR contains the data protection principles, which require that Personal Data shall be:

  • Processed lawfully, fairly and in a transparent way.
  • Collected for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary for the purposes we have told you about.
  • Kept securely.

We operate according to the principles of the UK GDPR, and PECR, regardless of the location of the data subject.

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the bottom of this page.  Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.