Your information

Under the UK General Data Protection Regulation (UK GDPR), East Midlands Ambulance Service NHS Trust (EMAS) is the Data Controller for any personal information it processes. Our contact address is:

The Data Protection Officer is Janette Kirk, Head of Information Governance. Janette can be contacted at DataProtectionOfficer@emas.nhs.uk

Personal information is information about a living person such as name, address, date of birth and National Insurance number that can identify that person. 

There is also personal information that is considered to be more sensitive (known as special category data) under the UK General Data Protection Regulation (UK GDPR). This includes details of race, ethnic origin, political opinion, religious beliefs, sex life, sexual orientation, trade union membership, health data and biometric and genetic data.

In order to process personal information, we must make sure we comply with a specific section of the UK GDPR, (Article 6); however, when we process the sensitive information, we must also comply with another section of the law (Article 9). Further information can be found in the 'what legal basis do we have for processing personal information' section.

We have a Data Protection Policy in place and this provides further information.
 

We will share your information with other NHS and social care organisations to support your care and treatment. For example, if you call 999 and we take you to hospital, we will pass on your information to the nurse or doctor there so they can see what treatment or medicines we may have given.  We also have a legal obligation to share with Coroners in certain circumstances.  As we are unable to remove or blank out any of the details, this information may include other individuals’ personal information that may be included in a 'disclosure bundle' prepared by the coroner.

There are other circumstances where we will share your information with other third parties. However, we will ensure that there is a legal reason for doing so and that the correct processes have been followed before we do so. This sharing will be supported by an information sharing agreement, where necessary, that will be signed by the relevant organisations. This agreement will provide details about why the information is being shared, making sure that it is legal, what information is being shared and how it will be protected.  If we are introducing a new service or system, we will conduct a Data Protection Impact Assessment which will identify any areas of concern before any sharing is carried out. This allows us to put steps in place to protect your information.  We keep a log of all assessments completed which can be made available on request.

We proactively share details of your treatment with your GP, and they will share with us. This is to ensure we provide the best possible care and treatment to you. You can find further information in our GP Privacy Notice.

If we are sharing your information for research purposes, we will ask for your consent to do this. Even if you do consent, you are allowed to withdraw this consent at any time if you change your mind.

In order to continually improve our service and support our staff, we may use phone calls made to our Emergency Operations Centre for training and monitoring purposes.

We will always try to remove any information that may identify you if it is not necessary. Statistical information often only requires anonymised data, and this will always be used whenever possible.

We can also share your personal information with law enforcement agencies, such as the police or His Majesty's Revenue and Customs.  Disclosures to these would be made under certain laws that we must comply with and would not require consent.  Included in this would be CCTV footage showing assaults on our staff that may have been recorded inside or outside one of our vehicles.

We are also legally required to share your information to support the National Fraud Initiative (NFI). View the NFI Privacy notice.

Your personal information may be transferred outside of the UK, for example if a cloud service is hosted in the United States. If it is transferred, this will be done so under a contract. This will state that it will need to give the same level of protection as the UK GDPR provides to information remaining within the UK.

We will never share or sell your personal information for marketing purposes including with marketing, insurance companies, etc.  

In the UK GDPR, Article 6, we are able to process your personal information if one of the following conditions have been met:

1. Consent – you have given clear consent (this can be withdrawn at any time).
2. Contract – the processing is necessary for a contract we have with you.
3. Legal obligation – the processing is necessary to comply with the law.
4. Vital interests – the processing is necessary to protect someone’s life.
5. Public task – the processing is necessary to perform a task in the public interest or for official functions that have a clear basis in law. In short, this would be for our core business - providing emergency and urgent care.
6. Legitimate interests – this can only be used by public authorities, like the NHS, if it is not part of the core business but there is a legitimate reason to process the information. This would have to be clearly documented.

In order to process your sensitive information, we would have to meet one of the following conditions (Article 9 of the UK GDPR) as well as one of those stated above. These are:

1. You have given your explicit consent (this can be withdrawn at any time).
2. Processing is necessary for the purposes of carrying out obligations in the area of employment and social security law.
3. Processing is necessary to protect the vital interests of an individual or another person where the individual is physically or legally incapable of giving consent.
4. Processing is carried out in the course of the legitimate activities of not for profit organisations with a political religious or trade union interest.
5. Processing relates to personal data which has been made public by the data subject.
6. Processing is necessary for the establishment, exercise or defence of legal claims.
7. Processing is necessary for the reasons of substantial public interest.
8. Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems.
9. Processing is necessary for reasons of public interest in the area of public health.
10. Processing is necessary for archiving purposes in the public interest.

The circumstances of the sharing would dictate which legal basis would be relied upon. However, the vast majority of sensitive information is processed in accordance with number 8 in the list above.

Under the UK General Data Protection Regulation (UK GDPR), individuals have specific rights. These allow you to:

1. request a copy of any personal information we hold about you
2. request that your information is corrected if you think it is wrong
3. request us to stop processing your information if you think it is no longer necessary to do so
4. request us to stop processing your information until it is corrected
5. be informed about the collection and use of personal information
6. request that personal information about you is erased (or forgotten)
7. have your personal data transferred to another service (if technology is compatible)
8. object to the processing of your personal information
9. object to processing that is done purely by automated means - no manual intervention has been involved.
10. withdraw your consent to the sharing of your information

Not all of these rights are automatic as there may be a legitimate or legal reason why we cannot meet your request, for example we cannot erase your medical record. If we are unable to meet your request, we will let you know the reason for this.

Read our Data Protection Rights Procedure.
 

The length of time we are required to keep your personal information for is often dictated by law. This includes your health records. We follow the guidance in the Records Management Code of Practice 2021. You can view this code of practice by clicking on the following link: Records Management Code of Practice 2021

If you wish to ask a question about a data protection issue or if you have any concerns about how we process your information, you can contact the Data Protection Officer at:

Email: dataprotectionofficer@emas.nhs.uk

If you would like to contact us to request your personal information or to invoke any of the other rights you have under the UK General Data Protection Regulation (UK GDPR), you can contact us as at SAR@emas.nhs.uk.

If you are not satisfied with the way we have handled your personal information after you have complained, you can contact the national regulator, the Information Commissioner's Office, at: The Office of the Information Commissioner 

Website: www.ico.org.uk
Email: casework@ico.org.uk

The NHS wants to make sure you and your family have the best care now and in the future.  Your health and care information supports your individual care.  It also helps us to research, plan and improve health and care services in England.

There are very strict rules on how your data can and cannot be used, and you have clear data rights.  We are committed to keeping patient information safe and will always be clear on how it is used.

You can choose whether or not your confidential information is used for research and planning by using the National Data Opt-Out service.

Privacy notice on Covid-19 for Patients/Service Users of East Midlands Ambulance Service NHS Trust (EMAS) 

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice. 

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information is available on  the gov.uk website.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak. 

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is on the NHSX website. 

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Updated 3 November 2021

The Government has announced a public enquiry is to be held into the handling of the Coronavirus pandemic.  As a result, we are required to retain documentation relating to decision making until advised otherwise.  This page will be updated with further information around the specifics of the inquiry when they become available. 

East Midlands Ambulance Service NHS Trust (EMAS) utilises surveillance cameras (CCTV and Body Worn Cameras) in and around the Trust’s sites, on our emergency vehicles as well as body worn cameras being trialled by operational crews.

Please note, our surveillance cameras inside our vehicles and our body worn cameras are only activated by the crew should they feel there is a risk to safety. Should they be activated, you will be advised by the crew and/or an audio message will be played inside the vehicle or a recording light will flash on the body worn cameras.

The legal basis for collection of CCTV and body worn camera images is Article 6(1)f under the UK General Data Protection Regulation (UK GDPR) 2016, that processing is necessary for the purpose of the legitimate interests pursued by the controller (EMAS). Our legitimate interest in doing so, is in order to;

• Protect staff, patients, visitors and Trust property
• Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts
• Provide a deterrent effect and reduce unlawful activity
• Help provide a safer environment for our staff
• Assist with the verification of claims

You have a right to request personal information which may have recorded yourself and ask for a copy of this. For details on how to make a subject access requests please click here and select 'Requests for information or complaints'. Please be aware, you will need to provide sufficient information to identify you and assist us in finding any images on our systems and any third party will be redacted. We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Camera data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.

Should you have any further queries on the uses of your information or you wish to lodge a complaint about the use of your information please contact the Trust’s Data Protection Officer via dataprotectionofficer@emas.nhs.uk

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at ico.org.uk

East Midlands Ambulance Service NHS Trust routinely collect information from the initial contact when we receive a call in the 999 Emergency Operations Centre (EOC) through to completing an electronic patient record (ePR) with information about the patient and care we provide, when we attend an incident. Some of this information goes on to form part of the Ambulance Data Set (ADS).

If a patient is transferred from ambulance services to the care of an Emergency Department, information within the Ambulance Data Set is subsequently linked with key information collected in Emergency Departments as part of the Emergency Care Data Set (ECDS).

The purpose of this is to fully understand the patient’s journey from the ambulance service to other urgent and emergency healthcare settings. This will enable clinicians, ambulance services and the NHS to learn from patient journeys and further improve the care they provide in the future.

Data collected by ambulance services and emergency departments is securely linked and transferred to us. Data collected as part of the Ambulance Data Set is shared with NHS Digital* – a section of NHS England specialised in data and IT systems – where it is linked with key relevant information in the Emergency Care Data Set and securely returned to us.

This linked information includes a unique number generated by us during the initial 999 call, as well as a unique vehicle reference which will help us re-identify the original care record for the incident and the patient.

Appropriate access to this information will enable us to help develop the skills of our clinicians to improve the care they provide and support us in delivering service improvements to improve patient experience.

Patients will be able to opt out from this process if they so wish and data about their emergency care will remain with the ambulance service and / or the Emergency Department. To opt out of this process, please tell us by contacting your local ambulance service by email at DataProtectionOfficer@emas.nhs.uk.  For more information about the National Data Opt-Out, please visit https://www.nhs.uk/your-nhs-data-matters/

The lawful bases under common law for this process are as follows:

For the ambulance service to process this information the lawful basis is the General Data Protection Regulation (GDPR) is Article 6 (1)(e) – “…exercise of official authority” and for processing special categories (health) data the basis is: Article 9(2)(h) – ‘…health or social care…’ of the GDPR Regulations.

For the data collected by ambulance services (ADS) to be linked with relevant data items collected at Emergency Departments (ECDS) the lawful basis is the Sections 254(1), (3), (5) and (6), section 260(2)(d), section 261(2)(e) and section 304(9), (10) and (12) of the Health and Social Care Act 2012, as per the Ambulance Data Set Directions 2022.

To share linked data back with ambulance services, NHS England on behalf of Ambulance Services, have obtained a Section 251 approval, as required by the NHS Act 2006 and Health Service (Control of Patient Information) Regulations 2002.

Overall, the above provides a legal bases for patient information to be processed for these purposes.

*= NHS Digital officially merged with NHS England on 1st Feb 2023, therefore the organisation previously known as NHS Digital is legally known as NHS England and data held by NHS Digital is now held within NHS England.