One Health and Care privacy notice
Information about your health and care is recorded across NHS organisations and local authorities. When you contact organisations involved in your care as a patient or service user, information is collected about you and records maintained about the care and services that have been provided.
One Health and Care pulls the key information from these different health and social care systems and displays it in one combined record. This enables registered health and social care professionals involved in your care to find all the key, most up-to-date information in one place, which helps them provide better, safer care.
The organisations across The Black Country and West Birmingham that are participating in One Health and Care are:
Local GP practices in the Black Country and West Birmingham (a full list of GP practices can be found here)
The Dudley Group NHS Foundation Trust
Sandwell and West Birmingham Hospitals NHS Trust
Walsall Healthcare NHS Trust
Royal Wolverhampton Hospitals NHS Trust
Black Country Healthcare NHS Foundation Trust
Dudley Integrated Health and Care NHS Trust
Dudley Metropolitan Borough Council
Sandwell Metropolitan Borough Council
Walsall Metropolitan Borough Council
Wolverhampton City Council
West Midlands Ambulance Service.
Our neighbouring organisations in Stoke-on-Trent and Staffordshire, and Shropshire, Telford and Wrekin, are also participating in and contributing data to One Health and Care. More information, including a full list of participating organisations, can be found on the link above.
In order to ensure your information will be available to any health or social care professional who provides you with a service, there are also plans to make your records available to other health and social care partners across the wider West Midlands. A list of West Midlands partner organisations can be read here.
All partner organisations involved with One Health and Care that process your personal data are registered with the Information Commissioner’s Office (ICO), to process your personal data in accordance with the current Data Protection legislation and any subsequent revisions.
This notice explains in more detail the types of information that are recorded about you, why this is necessary and the ways in which this information may be used.
The health and care professionals involved in your care keep records about your health and any treatment and care you receive from the NHS and local authority social care. Sometimes data is collected in order to provide services and sometimes it is collected because there is a statutory responsibility to do so. These records help to ensure that you receive the best possible care.
This information may include:
Basic details about you such as name, address, date of birth, next of kin, NHS number etc.
The name of your GP Practice and GP
Notes and reports about your health, treatment and care
Medications, allergies, ongoing and historic conditions, immunisations and diagnoses
Procedures and investigations
Test results, hospital referrals, admissions, discharges, appointments and clinics attended
Relevant information from people who care for you and know you well such as health staff and relatives/carers
Social and mental health information and care plans.
It is essential that your details are accurate and kept up to date. Always check that your personal details are correct and please inform the individuals involved in your care of any changes as soon as possible.
Your data may be collected directly from you, or data about you may be gathered from other agencies who work in partnership together. It may be that service providers ask other agencies or organisations for relevant data about you so that they can fulfil legal responsibilities or ensure they are providing you with the correct service.
Information about you is already collected by individual providers of health and care services. One Health and Care is about making this information available across providers, to help inform your care at the point of need.
Only health and social care professionals involved in your direct care will have access to your health and social care data within One Health and Care. There will be an audit trail in your record of each person who has accessed your information.
The personal information viewed within One Health and Care will be used for the purpose of your direct care. It will always be used in line with each organisation’s responsibilities, where there is a legal basis to do so, and in line with your rights under data protection legislation. Personal data viewed within One Health and Care will only be used to provide services you have requested or require.
If your data within One Health and Care is to be used for a purpose outside of your care, you will be provided with information about it before it happens and you will have the opportunity to object.
The information within One Health and Care will be used in order to:
Deliver health and care services and understand your needs
Contact you when necessary
Obtain your opinion and feedback about the services provided
Ensure that partner legal obligations are fulfilled.
One Health and Care will not use your personal data to make decisions about your direct care by automated means without any human involvement.
One Health and Care allows your data to be shared between the partners involved. A list of these is included at the top of this page. An information sharing agreement is in place, which commits each partner to appropriate standards of privacy, security and transparency.
Where necessary, information may be shared with other organisations that provide services on the partner’s behalf, but this will only be as part of your direct care. In such cases, the information provided is only the minimum necessary to enable them to provide services to you. These organisations would be required to retain your information in a secure manner and only use it to undertake the services they provide to you.
Your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law.
At no time will the information viewed within One Health and Care be passed to organisations for marketing or sales purposes or for any commercial use.
All the organisations that contribute data to One Health and Care collect, store and use large amounts of personal data every day and take the duty to protect your personal information and confidentiality very seriously. Under data protection legislation the partners have a legal duty to protect any information held about you and are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which they are responsible.
Therefore, measures are taken to safeguard your data and apply security standards and controls to prevent any unauthorised access. One Health and Care information will be stored securely. It will only be used for the purpose of direct care and your information will not be disclosed to any other third parties without your permission unless required/permitted to do so by law.
All partners have a Senior Information Risk Owner appointed for their organisation, who is accountable for the management of all information assets and any associated risks and incidents. They also have a Caldicott Guardian, who is responsible for the management of patient information and patient confidentiality.
Each partner and its employees that use One Health and Care must adhere to the following information security measures:
Up to date annual staff training
Robust policy and procedures, for example regarding password protection
Technical security measures to prevent unauthorised access.
The use of the One Health and Care system can be audited at any time. This allows confidentiality to be monitored where necessary.
Your information will always be held and processed securely. The “One Health and Care approach” is in line with data protection legislation, which provides the legal basis to share information between health and care services when it is needed to deliver care. The Care Act 2014 and the Health and Social Care Act 2015 show that Health and Social Care organisations must work together when providing care. The Data Protection Act 2018, also referred to as UK GDPR, shows the legal basis for data sharing and your rights. Both Article 6(1)(e) “performance of a task carried out in the public interest” and Article 9(2)(h) “medical diagnosis, the provision of health or social care or treatment or management of health or social care systems” give the legal basis for our shared care record.
Your records are kept for as long as necessary within the source systems in accordance with your care. Changes within the source systems are reflected within One Health and Care at the next available data upload. The retention schedules managed and maintained by the partners are aligned to industry best practice.
Further information can be found in a document called Records Management Code of Practice 2021, a guide to the management of health and care records.
If you wish to raise an objection to your data being viewed for the purpose of the digital shared care record, One Health and Care, then you can do this through contacting your GP practice and discussing this with them. If it is deemed appropriate, they can action the objection and this will result in your data being restricted from view. GPs reserve the right to refuse the objection if they are satisfied that your removal from the record would cause significant detriment to your care or compromise your safety.
If you are aged 16 or above, we will process your ‘right to object’ by carrying out our normal checks on the details you have given us. From the age of 13 to 16, we will consider your right to object if submitted on your behalf by someone with parental responsibility. If it has not, we will ask a recognised health or care professional if they consider you to be competent to make such a decision. If you are under the age of 13, we will only consider your right to object if it has been signed on your behalf by someone with parental responsibility.
If you would like more information or to discuss your options, please speak to your GP Practice.
If your data is restricted from view, you can change your mind at any time and have your data viewable again by contacting your GP Practice. If your data is restricted, your information will not be viewable via One Health and Care; however, it will continue to be shared by care organisations by phone, email and on paper where required as part of your direct care.
Please consider carefully before raising an objection, as doing so could mean that vital information about you is not immediately available when you require health or social care support.
The Personal Health Record element of One Health and Care is optional and requires you to proactively download the app to your personal device. Please see the Personal Health Record section for more information regarding what data is presented and what data you can add/upload to the app for your information. NB: any information you add can only be viewed by yourself, not your healthcare team; however, it will be stored within One Health and Care (the ICR) and available for data analysis.
Under Data Protection Legislation you have various rights regarding your data. In relation to One Health and Care the following rights could be requested.
Access – You have the right to request access to information held about you by organisations that are providing your care.
Rectification – If you think data held about you is factually incorrect you have the right to ask for it to be corrected. You may be requested to provide evidence of the alleged inaccuracy.
Restriction – You have the right to request the restricting of processing your data in certain scenarios, for example if you contest the accuracy of the data and the verification of its accuracy requires checking.
Object – You have the right to raise an objection to your data being included in One Health and Care. It should be noted this is not an absolute right and would be considered on a case-by-case basis.
Raise a complaint or concern – regarding how your data is handled to the relevant partner organisation.
Due to the One Health and Care System viewable data being sourced from varying partners, requests will need to go to the relevant originating organisation who can then process your request:
For GP practices please contact your own GP surgery for guidance.
For each NHS organisation, please write to the Access to Health Records Department of the organisation that has generated the information.
For local authorities, please write to the data protection officer of the relevant council.
The organisation should provide your information to you within one calendar month (or two months if the request is deemed complex) following receipt of:
Adequate information (for example full name, address, date of birth, NHS number, etc.) so that your identity can be verified and your records located
An indication of what information you are requesting to enable the organisation to locate it.
GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. N.B. Public authorities will need to justify why processing is necessary to carry out their functions if using Article 6(1)(e).
GDPR Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
As reinforced by:
DPA 2018 Schedule 1, Part 1 (2) – (1) condition is met if the processing is necessary for health and social care purposes, (2) means the purposes of (c) medical diagnosis, (d) provision of health care or treatment, (e) provision of social care and (f) management of health care systems or services or social care systems or services.
Additional lawful basis that OHC Partners may rely on in specific circumstances:
Emergency situations where the data subject is incapable of giving consent to treat:
- GDPR Article 6(1)(d) – processing is necessary in order to protect the vital interests of the Data Subject or of another Natural Person.
- GDPR Article 9(2)(c) – processing is necessary to protect the vital interests of the Data Subject or of another Natural Person where the Data Subject is physically or legally incapable of giving consent.
Safeguarding of vulnerable adults and children:
- GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the Controller is subject.
- GDPR Article 9(2)(g) – processing is necessary for reasons of substantial public interests, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
Staff Data Processing:
- Access control and audit logs of user credentials used for authentication purposes
- GDPR Article 6(1)(b) – processing is necessary for a contract to which the Data subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
Please contact the relevant organisation regarding information held about you, or if you have a complaint about privacy or misuse of data relating to one of the partner organisations (see "your data, your rights" section for more).
If you have any comments, questions, or feedback on any part of One Health and Care, contact our Time2Talk team:
Post: Time2Talk, Black Country and West Birmingham CCG, Civic Centre, St Peters Square, Wolverhampton, WV1 1SH
If you are not satisfied with a response from a partner of the One Health and Care partnership with regard to your above rights, or you believe your data is not being processed in accordance with the law, you can raise this with the Information Commissioner’s Office (ICO).