Privacy Policy

Can I see the information you hold about me?

Data Protection laws gives you rights in respect of the personal information that we hold about you. These are:

• To be informed why, where and how we use your information.
• To ask for access to your information
• To ask for your information to be corrected if it is inaccurate or incomplete
• To ask for your information to be deleted or removed where there is no need for us to continue processing it
• To ask us to restrict the use of your information
• To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
• To object to how your information is used
• To challenge any decisions made without human intervention (automated decision making).

The right of access to this information is referred to as Subject Access Request (SAR). 

How we collect your data

We aim to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you. 

These records may be on paper and/or kept on a computer. They include:

• Basic details about you, such as your name, address, date of birth
• Contact we have previously had with you
• Notes and reports about your health, treatment and care
• Relevant information from people who care for you for example, other health professionals and relatives.

It is essential that your details are accurate and up to date. Always check that your personal details are correct and please inform us of any changes as soon as possible.

Telephone calls are recorded for the following purposes:

• To make sure that staff act in compliance with our procedures
• To ensure quality control
• For training, monitoring and service improvement

People who contact us for NHS care and treatment

NEAS provides NHS care and treatment for people living in North East of England, and as a Trust we:

• Receive and respond to 999 calls from members of the public
• Respond to urgent calls from healthcare professionals e.g. GPs
• Receive and respond to 111 calls from members of the public
• Provide patient transport and urgent care services

Please click here to read more about how we handle patient information.

How long do we keep your records

Our Records Management Policy sets out rules for records management and retention. This Policy is based on Records Management Code of Practice for Health and Social Care 2021, which sets out what people working with or in NHS organisations in England need to do to manage records correctly. It's based on current legal requirements and professional best practice.

How we may capture CCTV images of you

Closed-circuit television (CCTV) operates outside our buildings and within our vehicles for security purposes. We also operate Body Worn Cameras where images are collected and used for prevention of aggression or crime against our staff. The information is retained by us for 28 days.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. Further information is provided in our Surveillance Camera Policy, available on request.

How we use your information

Your information is used to direct, manage and deliver the care you receive to ensure that:

• The paramedics, doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
• Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive
• Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another service of the NHS or other agency connected with your care.

Who may we share your information with

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Unless you tell us not to, we will share information with the following main partner organisations:

• Other NHS hospitals that are involved in your care
• General Practitioners (GPs)
• GP led services – i.e. Out of Hours
• Dentists, opticians, pharmacists
• GNAAS (Great North Air Ambulance Service)
• British Red Cross
• St John’s Ambulance Service
• Local authorities (crisis team, etc)

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health. Data Protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as social care; local authority education; voluntary and private sector providers working with the NHS or other care organisations.

Unless the sharing is specifically related to the direct provision of healthcare to you, we will not share your information with anyone without your permission. However, there are exceptions to this which are listed below:

• The public interest is thought to be of greater importance for example:
  • if a serious crime has been committed
  • if there are risks to the public or our staff
  • to protect vulnerable children or adults
• We have a legal duty, for example registering births, notification of death reporting some infectious diseases, wounding by firearms, road traffic collisions and court orders
• We need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority).

Other instances when we may use your data is as below: 

• Support future improvements in health and social care nationally
• Help teach health and social care professionals
• Aid health research and developments
• Monitor and audit the care we provide to ensure it is of the highest standard
• Investigate complaints, untoward incidents or legal claims
• Prepare reports on NHS and social care performance.

Information will not usually include anything that could identify. However on occasions when your personal information has to be used, we will ask for your consent before this information is shared.

Great North Care Record network

As a partner in the Great North Care Record (GNCR), we need to request and share patient information from and with other relevant parties who are part of their care and ongoing support network.

Full details of the member organisations of the GNCR, what data may be viewed across the GNCR network, and what are the benefits to being part of the GNCR are available from the GNCR website – https://www.greatnorthcarerecord.org.uk/

If you have an objection to being part of the GNCR you can contact the GNCR helpline on 0344 811 9587 and speak to a member of the team.  In order to log and process your objection, some basic demographic information will be collected. The GNCR will always seek to comply with your requests, but in some circumstances they may have to use patient information to comply with other legal duties. 

Ambulance Data Set (ADS)

The way we use patient data is changing.

We aim to provide the highest quality care. To do this, we routinely collect information about you and the care you receive from us.

Like other ambulance services across England, we are changing how we record and use this data.

The information we collect, including your NHS number, date of birth, and time of arrival to an Emergency Department (A&E), will now be securely matched with the same patient information collected by the hospital we transfer you to.

Following your episode of care, we will then receive details on your outcome. This information will help us better understand the patient journey and further improve the care we provide in the future.

This change will have no impact on the care we provide. Please read the information below to find out more

We routinely collect information from the initial contact when we receive a call in the 999 Emergency Operations Centre (EOC) through to completing an electronic patient record (EPR) with information about the patient and care we provide, when we attend an incident. Some of this information goes on to form part of the Ambulance Data Set (ADS).

If a patient is transferred from ambulance services to the care of an Emergency Department, information within the Ambulance Data Set is subsequently linked with key information collected in Emergency Departments as part of the Emergency Care Data Set (ECDS).

The purpose of this is to fully understand the patient’s journey from the ambulance service to other urgent and emergency healthcare settings. This will enable clinicians, ambulance services and the NHS to learn from patient journeys and further improve the care they provide in the future.

Data collected by ambulance services and emergency departments is securely linked and transferred to us. Data collected as part of the Ambulance Data Set is shared with NHS Digital* – a section of NHS England specialised in data and IT systems – where it is linked with key relevant information in the Emergency Care Data Set and securely returned to us.

This linked information includes a unique number generated by us during the initial 999 call, as well as a unique vehicle reference which will help us re-identify the original care record for the incident and the patient.

Appropriate access to this information will enable us to help develop the skills of our clinicians to improve the care they provide and support us in delivering service improvements to improve patient experience.

Patients will be able to opt out from this process if they so wish and data about their emergency care will remain with the ambulance service and / or the Emergency Department. To opt out of this process, please contact your GP or visit https://www.nhs.uk/your-nhs-data-matters/

The lawful bases under common law for this process are as follows:

For the ambulance service to process this information the lawful basis is the General Data Protection Regulation (GDPR) is Article 6 (1)(e) – “…exercise of official authority” and for processing special categories (health) data the basis is: Article 9(2)(h) – ‘…health or social care…’ of the GDPR Regulations.

For the data collected by ambulance services (ADS) to be linked with relevant data items collected at Emergency Departments (ECDS) the lawful basis is the Sections 254(1), (3), (5) and (6), section 260(2)(d), section 261(2)(e) and section 304(9), (10) and (12) of the Health and Social Care Act 2012, as per the Ambulance Data Set Directions 2022.

To share linked data back with ambulance services, NHS England on behalf of Ambulance Services, have obtained a Section 251 approval, as required by the NHS Act 2006 and Health Service (Control of Patient Information) Regulations 2002.

Overall, the above provides a legal bases for patient information to be processed for these purposes.

*= NHS Digital officially merged with NHS England on 1st Feb 2023, therefore the organisation previously known as NHS Digital is legally known as NHS England and data held by NHS Digital is now held within NHS England.

Information we share with external service providers

We use some external providers to help us provide you with the service you require. We share some of your information with them to enable them to provide these services. They cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Data processors

We have contracts in place with certain providers who will provide us with certain services. This includes provision of voice recording services, facility for video interview etc. NEAS retains the role of data controller for each of these services , which means that the processors work within the NEAS contractual terms. These contractors may hold and process data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) helps the Trust to identify, assess and mitigate any potential privacy risks that may arise when processing personal data. DPIAs are now a mandatory requirement for any changes to current data processing practices, the launch of a new project or the adoption of a new practice or system which involves personal data. All completed DPIAs are submitted to the Information Governance Working Group for review and approval. The membership includes the Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).

As an employer, the North East Ambulance Service Foundation Trust (NEAS) are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in the Data Protection Act (2018).

This privacy notice applies to all employees, volunteers, ex-employees, agency staff, contractors, seconded and non-executive directors.

How we collate information about you

We collate your information in the following ways: 

• Directly from you
• From an employment agency
• From your employer if you are a seconded
• From referees, either external or internal
• From security clearance providers
• From Occupational Health and other health providers
• From Pension administrators and other government departments, for example tax details from HMRC
• From your Trade Union
• From providers of staff benefits
• CCTV images taken from CCTV systems

Recruitment

Information we collect for recruitment and employment is available here

How long is the information retained for?

We store your information as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

Information we share with external service providers

We may share your data with external agencies as part of our legal obligations to aid an investigation and may not inform you of this. These agencies could include Police, HMRC, Court, Professional bodies and CQC.

We use some external providers to help us provide you with the service you require. We share some of your information with them to enable them to provide these services. They cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Data processors

We have contracts in place with certain providers who will provide us with certain services. This includes provision of voice recording services, facility for video interview etc. NEAS retains the role of data controller for each of these services , which means that the processors work within the NEAS contractual terms. These contractors may hold and process data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) helps the Trust to identify, assess and mitigate any potential privacy risks that may arise when processing personal data. DPIAs are now a mandatory requirement for any changes to current data processing practices, the launch of a new project or the adoption of a new practice or system which involves personal data. All completed DPIAs are submitted to the Information Governance Working Group for review and approval. The membership includes the Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).

If you would like a copy of any DPIAs, please contact information.governance@neas.nhs.uk

If you contact us as a patient

Please refer to the patient privacy notice for full details. It will on occasion be reasonable to process your personal data with the intention to protect you as a patient if the Trust can meet compliance legislation of Data protection Act 2018.  

How we may capture CCTV images of you

Closed-circuit television (CCTV) operates outside our buildings and within our vehicles for security purposes. We also operate Body Worn Cameras where images are collected and used for prevention of aggression or crime against our staff. The information is retained by us for 28 days.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. Further information is provided in our Surveillance Camera Policy, available on request.

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main privacy notice, above.

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations including North East Ambulance Service and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and other health care providers.  We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation. 

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Notice of new processing : Vaccination status of workers who have face-to-face contact with patients and/or service users and who are deployed as part of CQC regulated activity.

The Department of Health and Social Care, on 9 November 2021, laid regulations which amend the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (“the 2014 Regulations”), to provide that the registered person can only employ or otherwise engage a person in respect of a CQC regulated activity, if the person provides evidence that they have been vaccinated with a complete course of an authorised vaccine against COVID[1]19 or, if otherwise vaccinated against coronavirus is also within a specified time period, vaccinated with a single dose of an authorised vaccine, subject to specific exemptions. The Trust will be processing the vaccination data of our staff in order to comply with these regulations as it is a legal obligation.

If you complete our web forms

When someone visits www.neas.nhs.uk, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If you contact us via social media

We use a number of social media platforms to manage our social media interactions. If you send us a private or direct message via social media the message will be stored on the platform or system which you used to contact us. It will not be shared with any other organisations.

If you email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software.

If you communicate with us for complaints, compliments and comments

We receive your name and contact details when you complete our online form here.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We will keep personal information contained in complaint files for 10 years.

If you contact us for commercial training

You can read more about what to expect when NEAS collects personal information for paramedic-led first aid, health and safety and trauma training here.

Journalists who contact us

Whenever we are called by a journalist, we record your name, email address, phone number and media organisation. This is so that we can contact you with answers to your questions, but also so that we have a record of your inquiry.

NEAS takes the view that, as a category 1 emergency responder under the Civil Contingencies Act 2004, we have an obligation to keep you informed and updated on developments.

We also believe that, as an emergency service, we have a public interest duty to keep you informed. This means that we will not be asking for your consent to keep your details. The information held is controlled by NEAS communications staff and will be used to contact you with information relating to journalistic inquiries about the public services we provide. We will also use this information to contact you to events, photo-opportunities, interviews and briefings about other health-related issues, products and services that we feel may be of interest to you.

You can change your preferences by emailing publicrelations@neas.nhs.uk

Website cookies

'Cookies' are pieces of information stored by your web browser. NEAS may use cookies to track usage of our site and use this information to improve the site. If you would prefer not to receive cookies, you may alter the settings of your browser to refuse cookies. If you choose to do this, it is possible that some areas of our site will not function as effectively when viewed by you. A cookie cannot retrieve any other data from you or pass on computer viruses. A cookie does not hold any information about which sites you visited before this one. You can read more about our cookies here

Links

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

NEAS is a registered Data Controller with the Information Commissioner’s Office.

Ambulance HQ
Bernicia House
Goldcrest Way
Newburn Riverside
Newcastle upon Tyne
NE15 8NY

Telephone number: 0191 430 2000

Registration number: Z4877768

The Data Protection Officer (DPO) is Seema Srihari this is the person to contact if you would like to know more about how we use your information, they can be contacted at: information.governance@neas.nhs.uk

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us on information.governance@neas.nhs.uk and we will respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, the contact details are as below:                                              

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113