Our privacy statement outlines our commitment to being transparent and accountable in handling your data.
We know how important it is to protect your personal data and to give you clear information about how your personal data will be shared, stored and how long it will be kept for.
The Derbyshire Shared Care Record (DSCR) is a major project facilitated by Joined Up Care Derbyshire (JUCD), this being a partnership of health and social care providers across Derbyshire. The aim of this work is to provide better and more joined up health and social care services to the residents of Derbyshire.
The DSCR will allow health and care professionals to have an overall view of your care needs. Each of the DSCR partners maintain, and have responsibility for, their own recording systems which hold personal data. By allowing key information to be shared, it helps us to provide improved assessment of care needs, treatment, and support when you need it.
Personal data held in the DSCR is only used by health and care professionals who are providing direct care (providing a service, intervention, support or treatment, to an individual) with the purpose of enhancing the quality of that person's health and social care, and at all times maintaining high standards of confidentiality.
Sharing your data
Dame Fiona’s Caldicott’s 2013 review (Caldicott2) “To Share or not to share” provided a clear steer on information sharing that was endorsed by the government. It introduced a seventh Caldicott principle that “the duty to share information can be as important as the duty to protect patient confidentiality”.
To provide the best possible care for an individual, it is essential that health and care professionals can share relevant information to ensure the best outcomes. The DSCR enables health and care professionals to share effectively. When we share data, we promise:
- we will share data securely
- we will not share more than we need to
Sometimes the law requires us to share data without your permission. For example, where it is necessary to prevent harm to someone or to prevent fraud or other crimes. To give the best outcomes to the people of Derbyshire we continually review and update our services.
The data from your DSCR will only be used for purposes that benefit your care. We will never share it for marketing or insurance purposes.
More details about your information rights can be found on the Information Commissioner’s Office.
Who can access your data
Your health and care record, held within DSCR, will only be accessed by health and care professionals providing you with direct care, treatment, and support.
Access to the DSCR is only available to health and care professionals using very specific access permissions and only on completion of specified training. All activity in the DSCR is monitored and recorded.
Data that could be shared
Your data might include personal and sensitive characteristics such as:
- your name, address, date of birth and a phone number
- your religion, race or ethnic background
- your gender or sexuality
- your reasons for needing a service
- professional observation about you and your needs
- the details of the services we provide to meet your social care needs
The DSCR will ensure your data is:
- processed lawfully, fairly and in a transparent manner
- only accessed by members of staff with a specific legitimate purpose
- adequate, relevant, and limited to what is necessary
- accurate and up to date
- not kept any longer than is necessary and destroyed in accordance with each partner system's record retention policy
- stored and disposed of securely
How long your data is kept
The data held in DSCR will be kept in line with the partner organisations' retention periods, national guidance and good practice. Your personal data will be stored in the UK and will only be held in each partner organisation's systems.
Legal basis for processing your information
UK GDPR and the Data Protection Act 2018 allows us to process your personal data to provide you with the best available services, including preventative and sign posting services.
In UK GDPR, Article 6 (1) (e) - public task - allows for processing when it is necessary to carry out a task in the public interest or to undertake official functions (for example a public body's tasks, functions, duties, or powers).
Article 9(2)(h) of the GDPR is the condition for processing ‘data concerning health’ (personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status) for direct care as part of the DSCR:
9(2) (h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
There are legal provisions that support the release of data for the purposes of safeguarding children and vulnerable adults. The Children Acts 1989 and 2004 establishes implied powers for local authorities to share information to safeguard children, safeguard and promote the welfare of children within their area who are in need, and to request help from specified authorities including NHS organisations. The Care Act 2014 sets out a legal framework for how local authorities and other parts of the health and social care system should protect adults at risk of abuse or neglect.
For UK GDPR, in addition to the Articles 6(1)(e) and Article 9(2)(h) cited, there is an additional provision for sharing data for the purposes of safeguarding, as follows:
9(2)(b) …’is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of…social protection law in so far as it is authorised by Union or Member State Law …’
All health and social care organisations are required to adhere to what are known as the ‘Caldicott Principles’ when handling your personal data, which provide a framework for protecting your privacy when sharing your data.
The Caldicott Principles say that the duty to share information can be as important as the duty to protect service user confidentiality.
Opting our and removing your records
If you do not want your health and care information to be shared, you can leave the DSCR. Removing your records means that your information will be hidden and not available in the DSCR, even in an emergency situation: unless you change your mind.
We are sharing information in order to improve care. However, there are 2 ways you can opt out:
- contact the DSCR Privacy Officer, email firstname.lastname@example.org
- complete the DSCR opt-out form following the instructions and post it to:
DSCR Privacy Officer
IT Services Department
Derbyshire Support and Facilities Services Ltd
Chesterfield Royal Hospital NHS Trust
Read more about the Derbyshire Shared Care Record at Joined Up Care Derbyshire.
Opting out will not affect your treatment, but the DSCR will make information sharing quicker, easier, and more complete. This helps to get you the right treatment at the right time, especially in an emergency situation.
If you do opt out of electronic record sharing, information will continue to be shared, as it is now, by email, phone, and paper.
Opting back into the DSCR
If you change your mind after initially opting out, you can opt back in by contacting the DSCR privacy officer, email email@example.com.
Keeping your information secure
Derbyshire Shared Care Record (DSCR) works under the legal obligations of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The data controller
Each partner has a responsibility for their data and therefore, a data controller contributing to the DSCR. Each partner has a legal duty to protect your personal information. We take confidentiality very seriously and we are committed to keeping all personal information within the DSCR safe, secure and confidential.
The national data opt-out programme
The national data opt-out gives you more control over how your health and care information is used. It offers the opportunity to make informed choices about whether your personal data is used either for your individual care and treatment or also for research and planning purposes. Please note that this is separate from the local DSCR opt-out process.
You have rights, including:
- right of access: you can see the information that we hold about you
- right of rectification: if data we hold about you is wrong, we will put it right as soon as possible
- right of erasure: the ‘right to be forgotten’ if the information we are holding is no longer justified or is incorrect, you can ask us to delete or erase it
- right to restrict processing: if you think the information we hold about you is inaccurate or incorrect, you can ask us to limit how we use it
If you would like to know more or see a summary of the data activity on your DSCR record, please contact the DSCR privacy officer at firstname.lastname@example.org
However, if you would like to see your personal data that has been shared with DSCR you will need to submit a subject access request (SAR) by the relevant partner organisation.
Complaints and questions
We take any complaints seriously. If you think that our collection, storage and use of your data is wrong, please contact us. If you need independent advice about data protection, privacy or your data sharing rights you can email email@example.com, tel: 0303 123 113 (local rate) or 01625 545 745, or write to:
The Information Commissioner’s Office
You also have the right to contact the Information Commissioner.
This privacy statement does not provide exhaustive detail of all aspects of the DSCR. This privacy statement can be made available in audio tape, large print, Braille, or alternative languages on request. Please note that we regularly review all privacy statements.