Privacy Policy

The personal information we collect is provided directly from you for the provision of patient care, research, staff training, general enquiries, and any additional correspondence we may receive from you.

We log details electronically when we receive a call for help at our emergency operation centres or 111 service, or book a non-emergency transport service that we operate.

If one of our ambulances attends you, or you are transferred between hospitals by ambulance, we will collect information about you to help us identify and treat you. This will be written on a patient report form along with details of your symptoms, condition, and any treatment we give you. We are also required to record details of your ethnicity and other information to help us monitor the equality of the services we provide.

If you speak to one of our 111 health advisors or clinicians we will record your details and access your clinical information in order to provide the advice or care you need, which may include transferring you to the out-of-hours service, requesting an ambulance or, if it is in hours, putting you in touch with your dentist or GP. Patients may be put at risk if those who provide their care do not have access to relevant, accurate and up-to-date information about them.

We also receive personal information about you indirectly from others, in the following scenarios:

• from other health and care organisations involved in your care so that we can provide you with care; and
• from family members or carers to support your care

If you receive non-emergency transport services, we will record details about where you live, where we will be taking you and some details about your circumstances.

If you make a complaint or an enquiry about the service we have provided, or have contact with us on another matter, we will keep a record of all the relevant details in a file for case management purposes. In some cases, we may need to obtain information from the hospital we took you to in order to investigate a complaint or deal with an enquiry.

Surveillance and safety systems

NEAS utilises surveillance cameras (Static/Vehicle based CCTV and Body Worn Cameras) in and around the Trust’s sites, on our emergency vehicles, as well as body worn cameras used by operational crews.

Please note: Our body worn cameras are only activated by the crew when they feel there may be a risk to safety. Should these systems be activated, the crew will advise you and/or an audio message will be played inside the vehicle with a recording flashing light on the body worn cameras.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

• Health and safety at work act duties
• Protection of staff, patients and the public
• Crime reduction and investigation

Building and access control systems

We use access control systems (such as ID cards and electronic entry systems) to manage and monitor access to NEAS premises. These systems process staff and authorised visitor information, including identification details and access logs, to ensure the safety and security of our staff, patients, and facilities.

We use access control systems (such as ID cards and electronic entry systems) to manage and monitor access to NEAS premises. These systems process staff and authorised visitor information, including identification details and access logs, to ensure the safety and security of our staff, patients, and facilities.

Vehicles and fleet

NEAS operates a fleet of vehicles to deliver healthcare services safely and effectively. When our vehicles are in use, we may process limited personal data relating to staff, patients and members of the public. This can include vehicle location data and, where fitted, vehicle‑based CCTV or audio recordings.

We use this information to support service delivery, protect the safety and security of staff, patients and the public, investigate incidents, and meet our legal obligations.

Personal information

Personal information is any information that can be used to identify a living person.

Below are some examples of personal information that we currently collect and use:

• personal identifiers and contacts (for example, name, address, phone number);
• photographic identity (for example, photographs of staff for ID badges)

Special Category data

We process the following more sensitive data (including special category data):

• data concerning physical or mental health;
• data revealing racial or ethnic origin;
• data concerning a person’s sex life;
• data concerning a person’s sexual orientation;
• genetic data;
• biometric data;
• data revealing religious or philosophical beliefs;
• data revealing trade union membership
• data relating to criminal or suspected criminal offences

We may share information with the following types of organisations:

• organisations that provide health and care services (such as hospitals, councils, care homes, and GP surgeries)
• IT and other systems suppliers
• planners of health and care services (such as Integrated Care Boards, NHS England, and the Department of Health and Social Care)
• other organisations, including the police, and government organisations

In some circumstances, we are legally obliged to share information with these organisations. This includes:

• when required by NHS England to develop national IT and data services
• when registering births and deaths
• when reporting some infectious diseases
• when a court orders us to do so
• where a public inquiry requires the information

We may also share information if the public good outweighs your right to confidentiality. This could include:

• where a serious crime has been committed
• where there are serious risks to the public or staff
• to protect children or vulnerable adults

We may also de-identify your information, so that it can be shared and used for purposes beyond your individual care whilst maintaining your confidentiality.

Situations where we may share your information are:

If an ambulance takes you to hospital, we will share an electronic copy of the patient clinical record so that they have details of your condition and the treatment we have provided.

In addition to sharing your data with other clinicians, we can access your data from other health and care organisations across the North East of England via the Great North Care Record system to ensure we are providing you with the best possible care.

Where necessary, we use a limited number of private contractors to supplement our emergency and non-emergency transport services. In these cases, they are under contract to us and must comply with data protection legislation in the same way we do. Their performance is monitored and all the information they collect about you is transferred securely to us.

Other health and social care professionals involved in your treatment or care may ask us for information about your use of our services or the treatment you received. Provided we are satisfied that they need this information for your care, or you have given your permission, we will provide this to them.

In some circumstances we may share information or clinical records with other healthcare professionals – most commonly your GP but also specialist healthcare teams such as social service – even if we have not taken you to hospital or provided 111 advice. We do this to help them assess whether they can offer you support that may help to prevent a similar situation arising again.

We are sometimes also asked by the commissioning bodies that fund our services to provide information about incidents attended so they can identify and provide more appropriate care pathways for patients. The information we provide will not identify you.

Where another NHS organisation is funding a non-emergency transport service journey, we have to confirm personal information – although we will only provide the minimum of information required.

We will not disclose your information to third parties outside the NHS without your permission unless it is required for your direct care or there are exceptional circumstances. This can include, where it is necessary for the performance of the task carried out in the public interest or the public good outweighs your right to confidentiality, for example:

• when a serious crime has been committed;
• if there are risks to the public or NHS staff;
• to protect vulnerable children or adults who are not able to decide for themselves whether their information should be shared;
• we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority)
• Trust performance auditing and accreditation by Third party providers:

or we have a legal duty to do so, for example:

• when a court order has been issued;
• where a public inquiry requires the information;
• reporting some infectious diseases, or wounding by firearms.

We will seek your consent before we release information that identifies you to any third party for any other reason than direct patient care and those set out above.

Your information is never collected for direct marketing purposes, and is not sold on to any other third parties. Any data processed in a third country will only be approved following the completion of a Data Protection Impact Assessment, a Solutions Assessment Form and will also be subject to UK GDPR regulations regarding the processing of data in a third country.

Please note, anonymised or redacted information shall be shared to third parties such as, but not limited to, research bodies and media outlets. To ensure anonymity and possibilities of re-identification, NEAS undertakes relevant appropriate privacy and security assessments before any disclosure.

NEAS routinely reviews the outcomes of its patients in order to improve the quality and efficiency of its care. As part of this, the Service shares routine feedback with its staff on their patients’ outcomes, providing clinical staff with reflection and learning opportunities, and supporting them to continuously improve their care.

Great North Care Record

As a partner in the Great North Care Record (GNCR), we need to request and share patient information from and with other relevant parties who are part of their care and ongoing support network.

Full details of the member organisations of the GNCR, what data may be viewed across the GNCR network, and what are the benefits to being part of the GNCR are available from the GNCR website – https://www.greatnorthcarerecord.org.uk/

If you have an objection to being part of the GNCR you can contact the GNCR helpline on 0344 811 9587 and speak to a member of the team.  In order to log and process your objection, some basic demographic information will be collected. The GNCR will always seek to comply with your requests, but in some circumstances they may have to use patient information to comply with other legal duties. 

Ambulance Data Set (ADS)

We aim to provide the highest quality care. To do this, we routinely collect information about you and the care you receive from us.

Like other ambulance services across England, we are changing how we record and use this data.

The information we collect, including your NHS number, date of birth, and time of arrival to an Emergency Department (A&E), will now be securely matched with the same patient information collected by the hospital we transfer you to.

Following your episode of care, we will then receive details on your outcome. This information will help us better understand the patient journey and further improve the care we provide in the future.

This change will have no impact on the care we provide. Please read the information below to find out more

We routinely collect information from the initial contact when we receive a call in the 999 Emergency Operations Centre (EOC) through to completing an electronic patient record (EPR) with information about the patient and care we provide, when we attend an incident. Some of this information goes on to form part of the Ambulance Data Set (ADS).

If a patient is transferred from ambulance services to the care of an Emergency Department, information within the Ambulance Data Set is subsequently linked with key information collected in Emergency Departments as part of the Emergency Care Data Set (ECDS).

The purpose of this is to fully understand the patient’s journey from the ambulance service to other urgent and emergency healthcare settings. This will enable clinicians, ambulance services and the NHS to learn from patient journeys and further improve the care they provide in the future.

Data collected by ambulance services and emergency departments is securely linked and transferred to us. Data collected as part of the Ambulance Data Set is shared with NHS England (NHSE)– where it is linked with key relevant information in the Emergency Care Data Set and securely returned to us.

This linked information includes a unique number generated by us during the initial 999 call, as well as a unique vehicle reference which will help us re-identify the original care record for the incident and the patient.

Appropriate access to this information will enable us to help develop the skills of our clinicians to improve the care they provide and support us in delivering service improvements to improve patient experience.

Patients will be able to opt out from this process if they so wish and data about their emergency care will remain with the ambulance service and / or the Emergency Department. To opt out of this process, please contact your GP or visit https://www.nhs.uk/your-nhs-data-matters/

The lawful bases under common law for this process are as follows:

For the ambulance service to process this information the lawful basis is the General Data Protection Regulation (GDPR) is Article 6 (1)(e) – “…exercise of official authority” and for processing special categories (health) data the basis is: Article 9(2)(h) – ‘…health or social care…’ of the GDPR Regulations.

For the data collected by ambulance services (ADS) to be linked with relevant data items collected at Emergency Departments (ECDS) the lawful basis is the Sections 254(1), (3), (5) and (6), section 260(2)(d), section 261(2)(e) and section 304(9), (10) and (12) of the Health and Social Care Act 2012, as per the Ambulance Data Set Directions 2022.

To share linked data back with ambulance services, NHS England on behalf of Ambulance Services, have obtained a Section 251 approval, as required by the NHS Act 2006 and Health Service (Control of Patient Information) Regulations 2002.

Overall, the above provides a legal bases for patient information to be processed for these purposes.

*= NHS Digital officially merged with NHS England on 1st Feb 2023, therefore the organisation previously known as NHS Digital is legally known as NHS England and data held by NHS Digital is now held within NHS England.

The Trust will not transfer your personal data outside the UK unless there are arrangements in place to ensure an adequate level of protection for the rights and freedoms of data subjects.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), we must have a “lawful basis” for collecting and using your personal information. The lawful basis we rely on for using personal information is:

(a) We have your consent - this must be freely given, specific, informed and unambiguous.

(b) We have a contractual obligation - between a person and a service.

(c) We have a legal obligation - the law requires us to do this. See this list for the most likely laws that apply when using and sharing information in health and care.

(e) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

(f) We have a legitimate interest (such as the health and safety of our staff).

• the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health
• Data protection legislation states that it is appropriate to do so for the health and social care treatment of patients, and the management of health or social care systems and services.

More sensitive data

Under UK GDPR, the lawful bases’ we rely on for using information that is more sensitive (special category) is:

(b) We need it for employment, social security and social protection reasons (if authorised by law). See this list for the most likely laws that apply when using and sharing information in health and care.

(f) We need for a legal claim or the courts require it.

(g) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(i) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(j) For Archiving, research and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

Consent is rarely required for special category data in health and care.

Common law duty of confidentiality

We have a legal duty to keep information confidential. However, we can use or share health or care information because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
• we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
• we are either required or allowed by law to use and share the data
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest in protecting the duty of confidentiality. For example, sharing information with the police to support the detection or prevention of serious crime. This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

We store your personal information securely in both electronic systems and, where necessary, paper records.

Most information is held electronically within secure NHS systems used to support patient care, emergency call handling, service delivery, staff administration and legal or regulatory requirements. Paper records are used only where necessary and are kept in secure locations with controlled access.

We take the security of your information very seriously and use appropriate technical and organisational measures to protect it from loss, misuse, unauthorised access, alteration or disclosure. These measures include:

• Secure IT systems with access controls and role‑based permissions
• Encryption and secure networks
• Physical security for buildings and paper records
• Staff training and confidentiality obligations
• Regular monitoring and assurance of information security

Only authorised staff, and approved organisations working on our behalf, can access your information, and only where there is a legitimate need to do so.

We keep your information only for as long as necessary and in line with NHS records management and retention requirements. When information is no longer required, it is securely disposed of.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code.

Under data protection law, you have certain rights. You can:

• ask us for copies of your personal information (known as a subject access request: email subject.access.requests@neas.nhs.uk
• ask us to rectify personal information you think is inaccurate. You can also ask us to complete information you think is incomplete email: information.governance@neas.nhs.uk
• ask us to delete your personal information in certain circumstances. In general medical records can be corrected but have to be maintained.
• ask us to limit, or change, how your personal information is used in certain circumstances
• object to how your personal information is used in certain circumstances
• ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You do not need to pay any charge for using your rights. If you make a request, we have one month to respond to you.

If you wish to make a request, please contact us at: information.governance@neas.nhs.uk

Automated decision making

We may use your information to make automated decisions without human involvement, which could have a substantial impact on a person, for example in staff recruitment or staff rostering. We may also use profiling, which refers to the use of personal data to predict things such as an individual’s health.

National data opt-out

We are applying the national data opt-out, because we are using confidential patient information for planning or research purposes.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help:

• plan and improve health and care services
• research and develop cures for serious illnesses

You have a choice about whether you want your confidential information to be used in this way.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

NEAS is required to protect the public funds they administer. They may share information provided to them with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on data matching at NEAS, please contact your counter fraud specialist, Sarah McCloud on 07973 814 317 or email at sarah.mccloud@audit-one.co.uk. Alternatively, please contact the Counter Fraud team on 0191 441 5936 or email counterfraud@audit-one.co.uk.

Legal basis for processing

For the GDPR purposes NEAS lawful basis for processing is Article 6(1)(e) – ‘…exercise of official authority…’, or where there is a legal obligation to share information Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

1. Information we collect
We may collect the following information:

• Vehicle and location data: real-time GPS location, speed, routes, and trip history.
• Vehicle status/usage information ; e.g. braking performance/ engine management lights/ fluid levels

2. How we use your information
We use the collected data to:

• Provide real-time tracking and historical trip data.
• To support tasking of vehicle/ staff resources
• Improve the performance and features of fleet management
• Investigate accidents or incidents related to vehicles or users of vehicles
• Notify users of issues with a vehicle
• Prevent fraud or unauthorised access.
• Comply with legal obligations.

3. Systems we use:

• Vehicle telematics (ORTUS)
• Terratracks tracking
• Vehicle tracking via CAD
• Vehicle manufacturer telematic systems

If you complete our web forms

When someone visits www.neas.nhs.uk, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If you contact us via social media

We use a number of social media platforms to manage our social media interactions. If you send us a private or direct message via social media the message will be stored on the platform or system which you used to contact us. It will not be shared with any other organisations.

If you email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software.

If you communicate with us for feedback, compliments and comments

We receive your name and contact details when you complete our online form here.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We will keep personal information contained in the file we hold for 10 years.

If you contact us for commercial training

You can read more about what to expect when NEAS collects personal information for paramedic-led first aid, health and safety and trauma training here.

Journalists who contact us

Whenever we are called by a journalist, we record your name, email address, phone number and media organisation. This is so that we can contact you with answers to your questions, but also so that we have a record of your inquiry.

NEAS takes the view that, as a category 1 emergency responder under the Civil Contingencies Act 2004, we have an obligation to keep you informed and updated on developments.

We also believe that, as an emergency service, we have a public interest duty to keep you informed. This means that we will not be asking for your consent to keep your details. The information held is controlled by NEAS communications staff and will be used to contact you with information relating to journalistic inquiries about the public services we provide. We will also use this information to contact you to events, photo-opportunities, interviews and briefings about other health-related issues, products and services that we feel may be of interest to you.

You can change your preferences by emailing publicrelations@neas.nhs.uk

Website cookies

'Cookies' are pieces of information stored by your web browser. NEAS may use cookies to track usage of our site and use this information to improve the site. If you would prefer not to receive cookies, you may alter the settings of your browser to refuse cookies. If you choose to do this, it is possible that some areas of our site will not function as effectively when viewed by you. A cookie cannot retrieve any other data from you or pass on computer viruses. A cookie does not hold any information about which sites you visited before this one. You can read more about our cookies here

Links

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

If you have any concerns about our use of your personal information, you can make a complaint to us filling in the Compliments and Complaints form 

We will acknowledge your complaint within 30 days.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:    

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk