Registration with College Nurse Privacy Policy
Data controller: GP Member Practices (Oxford City Practice registered patients)
Oxford Health NHS Foundation Trust (OHFT) (unregistered/Non-Oxford registered patients)
Data Processor: Oxford Health NHS Foundation Trust
Purpose of this document
Oxford Health NHS Foundation Trust and member practices are committed to protecting the privacy and security of your personal data.
This privacy notice describes how we collect, store, use and share personal data about you during and after your relationship with us in accordance with data protection law, including the General Data Protection Regulation (GDPR).
This notice applies to patients registering with the Oxford College Nurse Service (OCNS).
OHFT is a registered ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
OHFT is also a ‘data processor’ where we are responsible for processing personal data on behalf of a ‘data controller’, Oxford City GP practices.
It is important that you read this policy, together with any other privacy notice that is provided on specific occasions when we are collecting or processing personal data about you so that you are aware of how and why we are using such information.
Introduction
Oxford Health NHS Foundation Trust (OHFT) is providing healthcare services for people who live, work and study at University of Oxford Colleges. These services are usually provided by approved healthcare staff (College Nurses) employed by Oxford University Colleges and supervised by OHFT (the registered provider). OHFT work very closely with the College Nurses but will also communicate where necessary with the College Doctors, or if a patient is registered elsewhere, the patient’s registered general practice. The services may alternatively be provided by other registered health professionals employed by or seconded to OHFT.
Benefits of registering with the College Nurse/ Oxford Health NHS Foundation Trust College Nurse
Students are encouraged to register with the College Doctor when they start their studies in Oxford to easily access locally tailored NHS care, for example access to evening and weekend appointments. The College Doctor can also provide University Medical Certificates when needed for examinations, which your home GP is not able to do.
The College/ OHFT Nurse is however available throughout the academic year to register patients as and when healthcare is required. These College Nurses are supervised by OHFT and have good links with the College welfare teams as well as the University Counselling Service and Disability Advisory Service.
The information we hold about you
‘Personal data’, or ‘personal information’ means any information about an individual from which that person can be identified. This does not include information where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection. This includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data Protection Principles
We will comply with Data Protection Law which states that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way,
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes,
- Relevant to the purposes we have told you about and limited only to those purposes,
- Accurate and kept up to date,
- Kept only as long as necessary for the purposes we have told you about,
- Kept securely.
Our lawful grounds for processing
The GDPR requires us to rely on one or more lawful grounds to process your personal information. We will only use your personal data when the law allows us to. Most commonly, we will process your personal information in the following circumstances:
‘where necessary for the purpose of the legitimate interest pursued by us or a third party’
The legitimate interests we rely on are:
- To fulfil the purpose of OHFT as a health and social care provider. The processing is necessary for compliance with our obligations in relation to our regulators. If we are unable to process your personal data, we cannot provide you with the services you need as we will not be able to meet our contractual obligations with our commissioners (Clinical Commissioners Group CCG and local authorities) and our legal obligations with our regulators, Care Quality Commission (CQC).
- To safeguard the health and safety of our visitors, service users and clinical rooms.
‘Where we need to protect your vital interests (or someone else’s interests)’.
We rely on vital interests if we need to process your personal data to protect your or someone else’s life in the event that you are unable to provide consent. For example, in a medical emergency your information may need to be shared with the ambulance service.
‘Performance of a task carried out in the public interest or in the exercise of official duty’.
It is necessary for us at OHFT to process your personal data for these purposes as well as to ensure safer joined up care. We rely on the basis that it is reasonable and proportionate, and we cannot achieve our health and social care objective by any other means.
‘Explicit Consent’
Consent means offering you real choice and control. We may request to share your information with the College for the purpose of your welfare. If this is necessary, we will provide you with a form and obtain your explicit consent. Your consent may be withdrawn at any time.
We may also share your ‘de-identified’ records held between NHS organisations and data sets extracted by NHS approved research and evaluation systems for the purpose of research and planning locally and nationally. ‘De-identified’ data is data where your identity has been removed.
Type 1 Opt-Out – If you do not want to share your anonymous information locally that identifies you for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents information from your GP record from being shared other than for your direct care. Please contact your GP if you wish to exercise this right or OHFT if you have not registered with a GP practice.
National Opt-Out – NHS Digital also collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your information to be shared outside of NHS Digital, for purposes other than for your direct care, you will need to register a ‘National Opt-Out’. To do this you will need to contact NHS Digital directly at https://digital.nhs.uk/services/national-data-opt-out-programme.
1. Patients and college students
We may collect, store, and process the following categories of personal data about you:
- Your name, date of birth, address, email address, telephone numbers and next of kin,
- Any contact our staff and services have had with you, such as phone calls, emails, appointments, clinic visits etc.
We will also collect, store, and use the following “special categories” of sensitive personal data:
- Information about your health, including any medical conditions, disabilities, health and sickness records,
- Details about your medications, treatment, and care,
- Results of investigations,
- Relevant information from other health professionals, relatives or those who care for you,
- Genetic information and biometric data,
- Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions for the purposes of equal opportunities monitoring.
Who has access to this data?
We at OHFT are committed to ensuring the care provided to you goes above and beyond. We ensure our College Nurses are supervised and reviewed on a frequent basis to ensure the care they provide to you is compliant with the CQC standard of care. Your full medical records and consultations will therefore be accessed by our OHFT Clinical supervisors to ensure that adequate care and service is being provided to you.
If you are registered with a member practice in Oxford, relevant information originating from consultations with the College Nurse will be captured and recorded directly by staff via a data entry form with secure software (EMIS system). This information will be processed and transferred for storage directly into your GP electronic health record and your GP will be the Data Controller. This is for the purpose of full and complete medical records and ensuring joined up and safer care.
If you are not registered with a GP practice or your registered GP is not based in Oxford, we at OHFT will securely store and process your data as Data Controllers ourselves. If you are registered with a GP practice not based in Oxford and you provide details, we may send your records to your GP to ensure joined up and safer care. Our OHFT Clinical supervisors will also have access to this data, again for the purpose of monitoring College Nurses and ensuring adequate care and service is being provided to you.
Your data will be shared internally at OHFT (and member practices if you are registered). This includes with GPs, supervisors, and reception staff in the business area if access to the data is necessary for performance of duties carried out in your interest. This will be on a strict need-to-know basis.
We will also share personal information with law enforcement or other authorities if required by applicable law.
Your data will not be shared with the College or any other non-medical parties without your express consent unless the College Nurse is concerned that you may pose a danger to yourself or to others or that you lack capacity to make decisions and that sharing is deemed to be in your best interest.
We will not share your information with third parties without your prior agreement.
We will also not transfer your data outside the European Economic Area (EEA).
How we protect your data
We take the security of your data seriously. We have a secure EMIS clinical services system, internal policies, and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions.
If we engage third parties to process personal data on our behalf, this will be carried out on the basis of our written instructions only, under a duty of confidentiality and an obligation to implement appropriate technical and organisational measures to ensure the security of your information.
Communication
Effective information and communication are vital components of a ‘patient centred’ service. Where information and health information about an individual who has made contact with and/or wishes to engage with our OCNS has been recorded, College Nurses will ensure that relevant records are stored, including details of any relevant information and/or communication needs. In line with the Accessible Information Standard, individuals will be asked to self-define their needs and a record will be made of any and all requirements for:
- Alternative or specific contact method(s),
- Professional interpretation or communication support,
- Information in an alternative language or format, and
- Adjustments of aids to support effective communication.
This information is necessary for our Nurses to be able to provide you with adequate health care services.
How long we retain your data
To comply with our legal requirements, where OHFT are data controllers, we hold all personal health records in accordance with the NHS guidance and thereafter for no longer than reasonably necessary. Retention periods can be accessed via the NHS Digital website, https://transform.england.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice-2021/.
All other records, including accounting records are held for the duration of our professional relationship and thereafter for a period of 6 years in order to meet legal requirements under the Limitation Act 1980. Examples include in case of any legal claims/ complaints or for safeguarding purposes.
If you are a patient registered with an Oxford GP practice, please speak to your GP practice regarding retention of your information.
What if you do not provide personal data?
If you fail to provide certain information and are not satisfied with being registered, we will not be able to provide you with our Oxford College Nurse Services (OCNS). Although you are under no statutory obligation to provide this information, failure to provide it will hinder our ability to administer the rights and obligations arising as a result of our relationship efficiently.
You may however consult with your own GP, call 111 or visit A&E for assistance with your medical enquiry.
Your rights
Under the General Data Protection Regulation, you have a number of rights. These rights include:
- Fair processing of data and transparency over how we use your personal information,
- Access to/obtain a copy of your personal information on request in a structured, machine-readable format and have the right to transmit the information to a third party in certain situations,
- Require us to change incorrect or incomplete information,
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing, and
- Withdraw your consent/object/erasure of specific processing in certain circumstances.
Data Protection Officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you would like to exercise any of the above rights, have any questions about this privacy notice or how we handle your personal information, please contact your member practice or Dr Rachel Hardwick, Clinical Lead for the Service, rachelhardwick@nhs.net. Please ensure you provide proof of your identity (passport or driving licence) and address (in the form of a recent utility bill or bank statement) along with your request so we can deal with your query promptly.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time and we will provide you with a new privacy policy notice when we make any substantial updates. We will also notify you in other ways from time to time about the processing of your personal information. Please regularly review this policy to be informed of how we are protecting your personal data.