Privacy notice: East Surrey

We will review the information contained within this notice regularly and update it as required.  We therefore recommend that you check this webpage regularly to remain informed about how we use your data. 

This version was last updated by NHS Surrey Heartlands Integrated Care Board’s Data Protection Officer on the 4 April 2023.

How we use your information

Introduction

The purpose of this notice is to inform you of how we, East Surrey Place Partnership, use information (including personal data) about you. In this notice we will explain:

  • Who East Surrey Place Partnership are and what we do
  • The types of information our partners hold about you
  • How we use this information and why we need to do this
  • Who we may share your information with
  • How you can object to or complain about the way we use your information
  • How you can access a copy of the information we hold about you
  • What other rights you may have in relation to this information
  • How we keep your information secure and confidential
  • Where to go if you require further information 

This information is sometimes known as a ‘Privacy Notice’ or ‘Fair Processing Notice’, which we have a legal obligation to provide you with under data protection law.

This notice applies to all individuals whose information is used for East Surrey Place Partnership activities. It links to and supplements the information held in partners’ main notices and those for specific services.

We will review this information regularly and update it as required - we would therefore recommend that you check this webpage regularly to ensure that you remain informed about how we use your information.

Alternative Formats

If you would like any information on this notice translated into another language or alternative format such as large print, Braille, audio, or British Sign Language, please contact Surrey Heartlands.

Who we are

This notice applies to East Surrey Place Partnership.  We bring together health, local government, the voluntary, community and charity sector with wider partners across local populations of around 250,000 – 300,000, using local knowledge and relationships to reduce health inequalities and support delivery of local services across these smaller geographical footprints.  Please see the East Surrey Place website for further information regarding East Surrey Place Partnership.  

The East Surrey Place Partnership are part of the Surrey Heartlands Health and Care Partnership.  Surrey Heartlands is an ‘Integrated Care System’ (ICS) and the purpose of ICSs is to bring partner organisations together to:

  • improve outcomes in population health and healthcare
  • tackle inequalities in outcomes, experience and access
  • enhance productivity and value for money
  • help the NHS support broader social and economic development.

Please see What are integrated care systems? for further information regarding ICSs.

Partner organisations are registered with the Information Commissioner’s Office (ICO) as Data Controllers.  You can search the ICO’s public register for further information using the registration numbers provided at the end of this Notice.

As partner organisations work together to plan and deliver services, in many cases they will be Joint Data Controllers of your information.  This means that Place Partners are jointly responsible for ensuring that your data is used safely and lawfully.              

What we do

The East Surrey Place Partnership work together to:

  • deliver integrated health and social care and treatment / services within East Surrey – e.g., Anticipatory Care Hubs, Ageing Well Programme, and Virtual Ward
  • undertake the planning and commissioning (buying) of health and social care services that best meet the needs of local people
  • carry out monitoring and management of local health and social care services.

Please see the East Surrey Place website for further information regarding our current and future activities. 

Whose information we hold

To allow us to undertake the activities above we will use information relating to the following types of people: 

  • who live within the area we cover and the wider Surrey Heartlands area / County
  • who are registered with GP Practices within the area we cover and the wider Surrey Heartlands area / County
  • who use the services we commission and deliver
  • undertaking work for or on behalf of partner organisations
  • undertaking work for or on behalf of other health and social care organisations with which we work and suppliers of goods and services to partners.   

What types of information we use

To allow us to undertake the activities above we will use different types of information, this includes: 

  • Identifiable Personal Data – you can easily be identified from this information, which relates to you.  We will only use this where there is no other viable alternative.  Identifiable personal data includes: 
    • Personal Data (for example your name, contact details, or date of birth). 
    • Special Categories of Personal Data (which includes data relating to ethnicity and data relating to physical or mental health).
  • Non-Identifiable / De-identified Personal Data – this includes:
    • Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.
    • Anonymised Data – you cannot be identified from this, even if it is added to other information.        

How we get this information

We generally receive information about people in one of the following ways: 

  • The person it relates to (e.g., a service user or staff member) or their authorised representative has provided it to a partner organisation directly
  • A partner organisation has received it from another health and social care organisation with which they work
  • It is provided to a partner organisation by NHS England / the Department of Health, Department for Levelling Up, Housing and Communities, or another Government Agency / Department.    

Why we use this information

We use different types of information for different purposes as detailed below:    

  • to deliver integrated health and social care services / treatment we will seek to use Non-Identifiable Personal Data wherever this is possible. However, we may need to use Personal Data and Special Categories of Personal Data, such as information relating to physical or mental health, to ensure that risks to service user safety are minimised
  • to undertake commissioning and planning or monitoring and management of health and social care services we will use Anonymised Data wherever appropriate or Non-Identifiable Personal Data where we require this to be able to undertake detailed work and to be able to link data together
  • to enable partners to work together effectively and to fulfil applicable statutory duties under various pieces of applicable legislation we may need to process Personal Data and Special Categories of Personal Data (such as data relating to ethnicity, gender, and sexual orientation etc.) relating to individuals undertaking work for or on behalf of partners and other organisations with which we work.    

The lawful basis for this activity 

Data protection legislation requires us to explain the lawful basis for us processing personal data for East Surrey Place Partnership activities. 

The activity involving Personal Data we carry out will be lawful under data protection legislation because it is necessary for performance of a task carried out in the public interests or in the exercise of official authority.  This official authority arises from: 

  • UK Legislation including the NHS Act 2006, Health & Social Care Act 2012, the Care Act 214, and the Health & Care Act 2022.
  • Contracts in place for delivery of health and social care services. 

Where the East Surrey Place Partnership process Special Category Personal Data this will also be lawful as this activity will be undertaken for the purposes of medical diagnosis, the provision of health and social care treatment, or the management of health and social care systems and services.  All partners have either contractual or statutory duties relating to delivery of integrated health and social care within the Integrated Care System.     

In the case of disclosure of confidential personal data we will also ensure that we meet the Common Law Duty of Confidentiality by ensuring that one of the following applies:    

  • we have consent from the person, whether explicit or implied (implied consent is where the person could reasonably expect their data to be used in this way and has not objected)
  • that this is authorised by law or legal proceedings
  • that there is an overriding substantial public interest (for example in the case of infectious diseases where the public is at risk)
  • this has been set aside – e.g., by Section 251 exemption under the Health & Social Care Act 2012. 

Who we may share data with

We may share your personal data with the following organisations: 

  • East Surrey Place Partnership Members (included at the end of this Notice). 
  • Other ICS Partner Organisations – see the Surrey Heartlands website for further information.
  • Organisations that deliver health and care services to you.
  • Organisation that we have asked to process this information on our behalf and which include:
  • Organisations that have a legal right to obtain this from us (such as NHS England, the NHS Counter Fraud Authority, the Police, and certain Government Departments). 

Where organisations process your data on behalf of partners, these organisations are known as Data Processors.  We put in place controls to ensure that they use your data only as instructed by us and in accordance with this notice.  Our Data Processors may transfer your data outside of the UK or the European Economic Area - where this is done, we ensure that there is adequate protection in place. 

The Surrey Heartlands Health and Social Care Information Sharing Agreement has been established to support partners to share data safely and lawfully. Please see the Surrey Heartlands Information Sharing Agreement for further information.

Your information related rights

Under data protection legislation everyone has rights regarding how their information can be used and the East Surrey Place Partnership is committed to ensuring that partners and our authorised data processors meet these – please see below for further information: 

Under data protection legislation and the NHS Constitution you have the right to be informed, which will be met via this Privacy Notice and related notices for specific East Surrey Place Partnership partner organisations and services.

You are able to opt-out of having your data used for specific purposes: 

  • You can choose whether your confidential information is used for Research and Planning. To find out more about the NHS National Data Opt-Out programme visit nhs.uk/your-nhs-data-matters
  • You can also tell your GP practice if you do not want your confidential information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a Type 1 Opt Out’. This opt-out request can only be recorded by your GP practice.

You are unable to opt-out of having your data shared for direct care purposes, however you can submit an objection to this. 

You have the right to object to the way we use your information and to ask us to stop using it in this way. 

  • If you wish to object to having your information used for your direct care and treatment you should contact Surrey and Sussex Healthcare NHS Trust as they handle such objections on behalf of partners.  Please make clear to them that your objection includes integrated care activities provided via East Surrey Place Partnership.
  • If you wish to object to having your data used by partners for Planning and Commissioning of local services you can do this by contacting the Surrey Heartlands ICB Information Governance Team by email as they handle these requests on behalf of partners. 

You have the right to erasure - i.e. to request that we delete your information. We will do this if we no longer require it for the purpose for which it was provided or to meet a contractual, regulatory or legal duty.  Please note this right does not apply to health data or anonymised data.  Please contact the Surrey Heartlands ICB Information Governance Team by email if you wish to make a request for partners to delete your data that is used for East Surrey Place Partnership activities.  

You have the right to access a copy of the information we hold about you by requesting this in writing.  Please contact the Surrey Heartlands ICB Information Governance Team by email if you wish to make a request to access data used for East Surrey Place Partnership activities – please be aware they may need to pass your request on to other partners.   

You have the right to have your information corrected if it is inaccurate.  You should contact the partner organisation which first recorded the data that you believe to be incorrect.    

If you receive marketing email communications from partners, you can withdraw consent to receiving the emails by clicking on the unsubscribe link in the email or by contacting the partner who is sending the email to you. 

East Surrey Place Partnership does not undertake any automated individual decision-making (e.g., a decision made solely by automated means without any human involvement).  We do however carry out some automated processing to support our commissioning activity, and you can object to this processing by contacting the Surrey Heartlands ICB Information Governance Team by email. 

Requests relating to ‘staff data’ processed by partners to support delivery of East Surrey Place Partnership activities should be managed in accordance with the policies and procedures of the partner organisation employing the individual. 

If you require further information relating to your rights, please contact the Surrey Heartlands ICB Information Governance Team by email.

How to contact the Data Protection Officer (DPO)

Under data protection legislation partner organisations are required to have a Data Protection Officer (DPO) whose role is to:

  • Inform and advise the partner organisations and their employees about their obligations to comply with applicable data protection legislation
  • Support and monitor compliance with applicable data protection legislation
  • Be the first point of contact for individuals whose data is being processed. 

Further information regarding the role of the DPO can be on the ICO’s website

The ICB’s Data Protection Officer is Daniel Lo Russo who you can contact by email.  They may need to pass your correspondence to another partner organisation’s DPO.    

How we keep information secure

Partners ensure that we keep your personal information secure and handle it in accordance with the 10 Data Security Standards arising from the National Data Guardian’s review; which are based around the following areas: 

  • People - ensure individuals undertaking work for the organisation are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  • Processes - ensure the organisation proactively prevents data security breaches and responds appropriately to any incidents or near misses.
  • Technology - ensure technology used is secure and kept up-to-date.

We demonstrate our compliance with the Data Security Standards via:

We follow a ‘privacy by design and default’ approach and, where our processing of personal data may potentially have a significant negative impact on people, partners will undertake a detailed Data Protection Impact Assessment (DPIA) to ensure that data protection and confidentiality related risks are identified and suitably mitigated.  

How long we keep information for

Partners will hold records containing personal data for a limited time and securely destroy them when no longer required.  Partners will ensure that records are held in accordance with the guidance and retention schedules included within the 2021 Records Management Code of Practice for Health and Social Care.    

How to complain

If you wish to complain about how we use your information you can initially contact the ICB’s Data Protection Officer, Daniel Lo Russo, by email. They may need to pass your complaint on to other partner organisations.     

You are however also entitled to contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used for East Surrey Place Partnership activities and you can contact them by: 

  • Visiting their website: www.ico.org.uk
  • Telephoning them on 0303 123 1113

List of Partners in the East Surrey Place Partnership

The East Surrey Place Partnership includes the following organisations: 

Links to associated guidance

For further associated guidance please see the ICO’s website which provides independent advice about data protection, privacy and data sharing etc. 

Changes

This version (1.0) was last updated by the ICB’s Data Protection Officer on the 4th April 2023.