One Health and Care privacy notice 

Information about your health and care is recorded across NHS organisations and local authorities. When you contact organisations involved in your care as a patient or service user, information is collected about you and records maintained about the care and services that have been provided. 

One Health and Care pulls the key information from these different health and social care systems and displays it in one combined record. This enables registered health and social care professionals involved in your care to find all the key, most up-to-date information in one place, which helps them provide better, safer care. 

The organisations across The Black Country and West Birmingham that are participating in One Health and Care are: 

  • Local GP practices in the Black Country and West Birmingham (a full list of GP practices can be found here

  • The Dudley Group NHS Foundation Trust 

  • Sandwell and West Birmingham Hospitals NHS Trust 

  • Walsall Healthcare NHS Trust 

  • Royal Wolverhampton Hospitals NHS Trust  

  • Black Country Healthcare NHS Foundation Trust 

  • Dudley Integrated Health and Care NHS Trust 

  • Dudley Metropolitan Borough Council 

  • Sandwell Metropolitan Borough Council 

  • Walsall Metropolitan Borough Council 

  • Wolverhampton City Council  

  • West Midlands Ambulance Service.

Our neighbouring organisations in Stoke-on-Trent and Staffordshire, and Shropshire, Telford and Wrekin, are also participating in and contributing data to One Health and Care. More information, including a full list of participating organisations can be found on the link above.  

In order to ensure your information will be available to any health or social care professional who provides you with a service, there are also plans to make your records available to other health and social care partners across the wider West Midlands. A list of West Midlands partner organisations can be read here.

All partner organisations involved with One Health and Care that process your personal data are registered with the Information Commissioner’s Office (ICO), to process your personal data in accordance with the current Data Protection legislation and any subsequent revisions.

The data protection notifications for all participating organisations can be found on the Information Commissioner’s website

This notice explains in more detail the types of information that is recorded about you, why this is necessary and the ways in which this information may be used. 

 

The health and care professionals involved in your care keep records about your health and any treatment and care you receive from the NHS and local authority social care. Sometimes data is collected in order to provide services and sometimes it is collected because there is a statutory responsibility to do so. These records help to ensure that you receive the best possible care. 

This information may include: 

  • Basic details about you such as name, address, date of birth, next of kin, NHS number etc. 

  • The name of your GP Practice and GP 

  • Notes and reports about your health, treatment and care 

  • Medications, allergies, ongoing and historic conditions, immunisations and diagnoses 

  • Procedures and investigations 

  • Test results, hospital referrals, admissions, discharges appointments and clinics attended 

  • Relevant information from people who care for you and know you well such as health staff and relatives /carers 

  • Social and mental health information and care plans. 

It is essential that your details are accurate and kept up to date. Always check that your personal details are correct and please inform the individuals involved in your care of any changes as soon as possible. 

Your data may be collected directly from you, or data about you may be gathered from other agencies who work in partnership together. It may be that service providers ask other agencies or organisations for relevant data about you so that they can fulfil legal responsibilities or ensure they are providing you with the correct service. 

Information about you is already collected by individual providers of health and care services. One Health and Care is about making this information available across providers, to help inform your care at the point of need. 

Only health and social care professionals involved in your direct care will have access to your health and social care data within One Health and Care. There will be an audit trail in your record of each person who has accessed your information. 

The personal information viewed within One Health and Care will be used for the purpose of your direct care. It will always be used in line with each organisation’s responsibilities, where there is a legal basis to do so, and in line with your rights under data protection legislation. Personal data viewed within One Health and Care will only be used to provide services you have requested or require. 

If your data within One Health and Care is to be used for a purpose outside of your care, you will be provided with information about it before it happens and you will have the opportunity to object. 

The information within One Health and Care will be used in order to: 

  • Deliver health and care services and understand your needs 

  • Contact you when necessary 

  • Obtain your opinion and feedback about the services provided 

  • Ensure that partner legal obligations are fulfilled. 

One Health and Care will not use your personal data to make decisions about your direct care by automated means without any human involvement. 

One Health and Care allows your data to be shared between the partners involved. A list of these is included at the top of this page. An information sharing agreement is in place, which commits each partner to appropriate standards of privacy, security and transparency. 

Where necessary, information may be shared with other organisations that provide services on the partner’s behalf, but this will only be as part of your direct care. In such cases, the information provided is only the minimum necessary to enable them to provide services to you. These organisations would be required to retain your information in a secure manner and only use it to undertake the services they provide to you. 

Your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law. 

At no time will the information viewed within One Health and Care be passed to organisations for marketing or sales purposes or for any commercial use.

All the organisations that contribute data to One Health and Care collect, store and use large amounts of personal data every day and take the duty to protect your personal information and confidentiality very seriously. Under data protection legislation the partners have a legal duty to protect any information held about you and are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which they are responsible. 

Therefore, measures are taken to safeguard your data and apply security standards and controls to prevent any unauthorised access. One Health and Care information will be stored securely. It will only be used for the purpose of direct care and your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law.  

All partners have a Senior Information Risk Owner appointed for their organisation and who is accountable for the management of all information assets and any associated risks and incidents. They also have a Caldicott Guardian, who is responsible for the management of patient information and patient confidentiality. 

Each partner and its employees that use One Health and Care must adhere to the following information security measures: 

  • Up to date annual staff training 

  • Robust policy and procedures, for example regarding password protection 

  • Technical security measures to prevent unauthorised access. 

The use of the One Health and Care system can be audited at any time. This allows confidentiality to be monitored where necessary. 

Your information will always be held and processed securely. The “One Health and Care approach” is in line with data protection legislation, which provides the legal basis to share information between health and care services when it is needed to deliver care. The Care Act 2014 and the Health and Social Care Act 2015 show that Health and Social Care organisations must work together when providing care. The Data Protection Act 2018, also referred to as UK GDPR, shows the legal basis for data sharing and your rights. Both Article 6(1)(e) “performance of a task carried out in the public interest” and Article 9(2)(h) “medical diagnosis, the provision of health or social care or treatment or management of health or social care systems” give the legal basis for our shared care record. 

Your records are kept for as long as necessary within the source systems in accordance with your care. Changes within the source systems are reflected within One Health and Care at the next available data upload. The retention schedules managed and maintained by the partners are aligned to industry best practice. 

Further information can be found in a document called Records Management Code of Practice 2021, a guide to the management of health and care records.

If you wish to raise an objection to your data being viewed for the purpose of the digital shared care record, One Health and Care, then you can do this through contacting your GP practice and discussing this with them. If it is deemed appropriate, they can action the objection and this will result in your data being restricted from view. GPs reserve the right to refuse the objection if they are satisfied that your removal from the record would cause significant detriment to your care or compromise your safety. 

If you are aged 16 or above, we will process your ‘right to object’ by carrying out our normal checks on the details you have given us. From the age of 13 to 16, we will consider your right to object if submitted on your behalf by someone with parental responsibility. If it has not, we will ask a recognised health or care professional if they consider you to be competent to make such a decision. If you are under the age of 13, we will only consider your right to object if has been signed on your behalf by someone with parental responsibility. 

If you would like more information or to discuss your options, please speak to your GP Practice. 

If your data is restricted from view, you can change your mind at any time and have your data viewable again by contacting your GP Practice. If your data is restricted, your information will not be viewable via One Health and Care, however, it will continue to be shared by care organisations by phone, email and on paper where required as part of your direct care. 

Please consider carefully before raising an objection, as doing so could mean that vital information about you is not immediately available when you require health or social care support. 

The Personal Health Record element of One Health and Care is optional and requires you to proactively download the app to your personal device. Please see Personal Health Record section for more information regarding what data is presented and what data you can add/upload to the app for your information. NB any information you add can only be viewed by yourself, not your healthcare team, however it will be stored within the One Health and Care (the ICR) and available for data analysis.

Under Data Protection Legislation you have various rights regarding your data. In relation to One Health and Care the following rights could be requested. 

  • Access – You have the right to request access to information held about you by organisations that are providing your care. 

  • Rectification – If you think data held about you is factually incorrect you have the right to ask for it to be corrected. You may be requested to provide evidence of the alleged inaccuracy. 

  • Restriction – You have the right to request the restricting of processing your data in certain scenarios, for example if you contest the accuracy of the data and the verification of its accuracy requires checking. 

  • Object – You have the right to raise an objection to your data being included in One Health and Care. It should be noted this is not an absolute right and would be considered on a case-by-case basis. 

  • Raise a complaint or concern – regarding how your data is handled to the relevant partner organisation. 

Due to the One Health and Care System viewable data being sourced from varying partners, requests will need to go to the relevant originating organisation who can then process your request:

  • For GP practices please contact your own GP surgery for guidance. 

  • For each NHS organisation, please write to the Access to Health Records Department of the organisation that has generated the information. 

  • For local authorities, please write to the data protection officer of the relevant council. 

The organisation should provide your information to you within one calendar month (or two months if the request is deemed complex) following receipt of: 

  • Adequate information (for example full name, address, date of birth, NHS number, etc.) so that your identity can be verified and your records located 

  • An indication of what information you are requesting to enable the organisation to locate it. 

Please contact the relevant organisation regarding information held about you, or if you have a complaint about privacy or misuse of data relating to one of the partner organisations (see "your data, your rights" section for more).

If you have any comments, questions, or feedback on any part of One Health and Care, contact our Time2Talk team: 

  • Telephone: 01216124110 

  • Emailbcwbccg.time2talk@nhs.net 

  • Post: Time2Talk, Black Country and West Birmingham CCG, Civic Centre, St Peters Square, Wolverhampton, WV1 1SH 

If you are not satisfied with a response from a partner of the One Health and Care partnership in regards to your above rights, or you believe your data is not being processed in accordance with the law, you can raise this with the Information Commissioner’s Office (ICO).