Your information

Under the UK General Data Protection Regulation (UK GDPR), East Midlands Ambulance Service NHS Trust (EMAS) is the Data Controller for any personal information it processes. Our contact address is East Midlands Ambulance Service NHS Trust, Trust HQ, 1 Horizon Place, Mellors Way, Nottingham NG8 6PY.

The Data Protection Officer is Janette Kirk, Head of Information Governance. Janette can be contacted at DataProtectionOfficer@emas.nhs.uk

Personal information is information about a living person such as name, address, date of birth and National Insurance number that can identify hat person. 

There is also personal information that is considered to be more sensitive (known as special category data) under the UK General Data Protection Regulation (UK GDPR). This includes details of race, ethnic origin, political opinion, religious beliefs, sex life, sexual orientation, trade union membership, health data and biometric and genetic data.

In order to process personal information, we must make sure we comply with a specific section of the UK GDPR, (Article 6); however, when we  process the sensitive information, we must also comply with another section of the law (Article 9). Further information can be found in the 'what legal basis do we have for processing personal information' section.

We have a Data Protection Policy in place and this provides further information.

We will use information you have provided for the following purposes:

• To support health and care

 

We log details electronically when we receive a call for help in an emergency.

If one of our ambulance crews attends you, or you are transferred between hospitals by ambulance, we will collect information about you to help us identify and treat you. This will be recorded on a patient clinical record along with details of your symptoms and condition, and any treatment we give you.

Personal information from 999 calls is processed on the lawful basis that:

• We have a legal duty to perform our tasks in the public interest or for our official functions;
• It is necessary to protect someone’s life;
• You have given us your explicit consent.

We record all 999 calls for the following purposes.  

• To make sure staff act in compliance with our procedures;
• To ensure quality control;
• For training, monitoring and service improvement.

We are not legally obligated to provide a notification that the call is being recorded due to the reasons noted above and also to do so would delay a response being provided.

Further purposes:

• For invoice validation for example, if a service has been provided to you that is being paid for by another organisation
• To identify services that will benefit you and your health and care

We will share your information with other NHS and social care organisations to support your care and treatment. For example, if you call 999 and we take you to hospital, we will pass on your information to the nurse or doctor there so they can see what treatment or medicines we may have given.  We also have a legal obligation to share with Coroners in certain circumstances.  As we are unable to remove or blank out any of the details, this information may include other individuals personal information that may be included in a 'disclosure bundle' prepared by the coroner.

There are other circumstances where we will share your information with other third parties. However, we will ensure that there is a legal reason for doing so and that the correct processes have been followed before we do so. This sharing will be supported by an information sharing agreement, where necessary, that will be signed by the relevant organisations. This agreement will provide details about why the information is being shared, making sure that it is legal, what information is being shared and how it will be protected.  If we are introducing a new service or system, we will conduct a Data Protection Impact Assessment which will identify any areas of concern before any sharing is carried out. This allows us to put steps in place to protect your information.  We keep a log of all assessments completed which can be made available on request.

We proactively share details of your treatment with your GP, and they will share with us. This is to ensure we provide the best possible care and treatment to you. You can find further information in our GP Privacy Notice.

If we are sharing your information for research purposes, we will ask for your consent to do this. Even if you do consent, you are allowed to withdraw this consent at any time if you change your mind.

We will always try to remove any information that may identify you if it is not necessary. Statistical information often only requires anonymised data and this will always be used whenever possible.

We can also share your personal information with law enforcement agencies, such as the police or Her Majesty's Revenue and Customs.  Disclosures to these would be made under certain laws that we must comply with and would not require consent.  Included in this would be CCTV footage showing assaults on our staff that may have been recorded inside or outside one of our vehicles.

We are also legally required to share your information to support the National Fraud Initiative (NFI). View the NFI Privacy notice.

Your personal information may be transferred outside of the UK, for example if a cloud service is hosted in the United States. If it is transferred, this will be done so under a contract. This will state that it will need to given the same level of protection as the UK GDPR provides to information remaining within the UK.

We will never share or sell your personal information for marketing purposes including with marketing, insurance companies, etc.  

In the UK GDPR, Article 6, we are able to process your personal information if one of the following conditions have been met:

a)    Consent – you have given clear consent (this can be withdrawn at any time).

b)    Contract – the processing is necessary for a contract we have with you.

c)    Legal obligation – the processing is necessary to comply with the law.

d)    Vital interests – the processing is necessary to protect someone’s life.

e)    Public task – the processing is necessary to perform a task in the public interest or for official functions that have a clear basis in law. In short, this would be for our core business - providing emergency and urgent care.

f)    Legitimate interests – this can only be used by public authorities, like the NHS, if it is not part of the core business but there is a legitimate reason to process the information. This would have to be clearly documented.

In order to process your sensitive information, we would have to meet one of the following conditions (Article 9 of the UK GDPR) as well as one of those stated above. These are:

a)    You have given your explicit consent (this can be withdrawn at any time).

b)    Processing is necessary for the purposes of carrying out obligations in the area of employment and social security law.

c)    Processing is necessary to protect the vital interests of an individual or another person where the individual is physically or legally incapable of giving consent.

d)    Processing is carried out in the course of the legitimate activities of not for profit organisations with a political religious or trade union interest.

e)    Processing relates to personal data which has been made public by the data subject.

f)    Processing is necessary for the establishment, exercise or defence of legal claims.

g)    Processing is necessary for the reasons of substantial public interest.

h)    Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems.

I)    Processing is necessary for reasons of public interest in the area of public health.

j)    Processing is necessary for archiving purposes in the public interest.

The circumstances of the sharing would dictate which legal basis would be relied upon.  However, the vast majority of sensitive information is processed in accordance with (h).

Under the UK General Data Protection Regulation (UK GDPR), individuals have specific rights. These allow you to:

• request a copy of any personal information we hold about you
• request that your information is corrected if you think it is wrong
• request us to stop processing your information if you think it is no longer necessary to do so
• request us to stop processing your information until it is corrected
• be informed about the collection and use of personal information
• request that personal information about you is erased (or forgotten)
• have your personal data transferred to another service (if technology is compatible)
• object to the processing of your personal information
• object to processing that is done purely by automated means - no manual intervention has been involved.
• withdraw your consent to the sharing of your information

Not all of these rights are automatic as there may be a legitimate or legal reason why we cannot meet your request, for example we cannot erase your medical record. If we are unable to meet your request, we will let you know the reason for this.

Read our Data Protection Rights Procedure.

The length of time we are required to keep your personal information for is often dictated by law. This includes your health records. We follow the guidance in the Records Management Code of Practice 2021. You can view this code of practice by clicking on the following link: Records Management Code of Practice 2021

 

 

If you wish to ask a question about a data protection issue or if you have any concerns about how we process your information, you can contact the Data Protection Officer at:

Data Protection Officer

Information Governance and Compliance Team

East Midlands Ambulance Service NHS Trust

Nottinghamshire Divisional Headquarters

Beechdale Road

Nottingham NG8 3LL

dataprotectionofficer@emas.nhs.uk

If you would like to contact us to request your personal information or to invoke any of the other rights you have under the UK General Data Protection Regulation (UK GDPR), you can contact us as at SAR@emas.nhs.uk.

If you are not satisfied with the way we have handled your personal information after you have complained, you can contact the national regulator, the Information Commissioner's Office, at:

The Office of the Information Commissioner 

www.ico.org.uk

email: casework@ico.org.uk

 

There are lots of organisations that can provide more information about confidentiality and personal information. The Information Commissioner's Office (ICO) is the English supervisory authority and oversees compliance with the UK GDPR (amongst other legislation). The link to their website is ICO

More general information and guidance has been developed by NHS Transformation England

Read the complete GDPR.

The NHS wants to make sure you and your family have the best care now and in the future.  Your health and care information supports your individual care.  It also helps us to research, plan and improve health and care services in England.

There are very strict rules on how your data can and cannot be used, and you have clear data rights.  We are committed to keeping patient information safe and will always be clear on how it is used.

You can choose whether or not your confidential information is used for research and planning by using the National Data Opt-Out service.  Click here to find out more about this service.

 Covid-19 and your information - Updated on 8th April 2020

Privacy notice on Covid-19 for Patients/Service Users of East Midlands Ambulance Service NHS Trust (EMAS) 

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice. 

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information is available on  the gov.uk website.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak. 

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is on the NHSX website. 

 NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

 In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

 We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Updated 3 November 2021

The Government has announced a public enquiry is to be held into the handling of the Coronavirus pandemic.  As a result, we are required to retain documentation relating to decision making until advised otherwise.  This page will be updated with further information around the specifics of the inquiry when they become available. 

East Midlands Ambulance Service NHS Trust (EMAS) utilises surveillance cameras (CCTV and Body Worn Cameras) in and around the Trust’s sites, on our emergency vehicles as well as body worn cameras being trialled by operational crews.

Please note, our surveillance cameras inside our vehicles and our body worn cameras are only activated by the crew should they feel there is a risk to safety. Should they be activated, you will be advised by the crew and/or an audio message will be played inside the vehicle or a recording light will flash on the body worn cameras.

The legal basis for collection of CCTV and body worn camera images is Article 6(1)f under the UK General Data Protection Regulation (UK GDPR) 2018, that processing is necessary for the purpose of the legitimate interests pursued by the controller (EMAS). Our legitimate interest in doing so, is in order to;

• Protect staff, patients, visitors and Trust property
• Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts
• Provide a deterrent effect and reduce unlawful activity
• Help provide a safer environment for our staff
• Assist with the verification of claims

You have a right to request personal information which may have recorded yourself and ask for a copy of this. For details on how to make a subject access requests please click here and select 'Requests for information or complaints'. Please be aware, you will need to provide sufficient information to identify you and assist us in finding any images on our systems and any third party will be redacted. We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Camera data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.

Should you have any further queries on the uses of your information or you wish to lodge a complaint about the use of your information please contact the Trust’s Data Protection Officer via dataprotectionofficer@emas.nhs.uk

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/