Privacy Notice

Confidentiality and security of information 

East Cheshire NHS Trust collects, stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work. 

We take our duty to protect your personal information and confidentiality very seriously and use appropriate technical and organisational measures to ensure the confidentiality and security of the personal data for which we are responsible. 

A Senior Information Risk Owner has been appointed at Board level to provide organisational accountability for information risk. We also have a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. 

Why do we collect information about you? 

Doctors, nurses and teams of healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care.

Records are mainly kept electronically but some records are on paper. These records may include: 

• Personal details about you such as your name, home address and email address, date of birth, telephone number. 
• Basic details about people connected to you such as your spouse or partner, children, carers, relatives and next of kin.
• Contact we have had with you such as hospital admissions, outpatient and clinic appointments and home visits. 
• Notes and reports about your health, treatment and care.
• Test results, scans and prescriptions. 
• Relevant information provided by other health and care professionals involved in your care.

We may also hold information relating to your direct care from other NHS organisations such as NHS England and Integrated Care Boards (ICBs), your GP, other NHS trusts, social care providers, and other third parties such as opticians, dentists, pharmacists, private healthcare providers, or from other bodies such as universities or schools.

It is essential that your details are accurate and up to date. Please inform us of any changes as soon as possible. 

What are the lawful bases upon which we hold / process your information? 

We process personal data under Article 6(1)(e) UK GDPR – Public Task.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We process special category data under Article 9(2)(h) UK GDPR – Health or Social Care.

This includes processing necessary for medical diagnosis, the provision of health or social care or treatment, and the management of health or social care systems and services. Special categories of information include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, and sexual orientation. 

Using your personal information

• Your information is used to provide you with safe, effective and coordinated care to ensure:
• Healthcare professionals involved in your care have accurate and up‑to‑date information to be able to assess your health needs, decide on the most appropriate care for you and monitor and improve the quality and safety of your care
• Concerns, complaints and legal claims can be properly investigated. 
• Information is available if you need to be referred to an NHS specialist or partner organisation. 

Your personal information is used to improve the NHS 

Your information will also be used to may also be used to support the wider NHS and protect the health of the public by: 

• Using statistical information for planning services to meet patient needs in the future. 
• Monitoring and improving the quality of care.
• Clinical audit and service development.
• Education and training of healthcare professionals.
• Financial management and statutory reporting.
• Contacting you to take part in surveys or consultations about our services. 

Where possible, information is used in anonymised or pseudonymised form.

Federated Data Platform

The Trust uses the Federated Data Platform to support activities such as operational planning, performance monitoring, service improvement and population‑level analysis.

Information is used under strict governance arrangements and access is limited to authorised users for approved purposes only. Where possible, data is anonymised or pseudonymised, and identifiable information is used only where there is a lawful basis and appropriate safeguards are in place.

Health Research and Planning

Patient information may be used to plan and improve health services and support research aimed at improving care and treatment.

Research

We rely on Article 6(1)(e) - Public Task and, where applicable, Article 9(2)(h) or Article 9(2)(j) UK GDPR for processing data for research purposes. All research conducted at the Trust is subject to Health Research Authority approvals and governance arrangements.

Our research teams may contact you about opportunities to take part in research. Participation is always voluntary.

National Data Opt-Out

Under the National Data Opt-Out, you have a choice about whether your confidential patient information is used for research and planning purposes.

The National Data Opt-Out only applies to research and planning purposes. It does not apply to your direct care and will not affect the care you receive.

To register your choice to opt out if you do not want your data to be used in this way, please visit Choose if data from your health records is shared for research and planning - NHS

Sharing your personal information 

Everyone working within the NHS has a legal duty to keep your information confidential. Any organisation with which we share information  is required to do the same.

We may share information with the following main partner organisations: 

• Other NHS Trusts and healthcare providers involved in your care. 
• Integrated Care Boards and other NHS bodies. 
• General Practitioners and ambulance services. 
• Social care organisations

We may also share your information, subject to strict agreement about how it will be used, with: 

• Local authorities 
• Voluntary and private sector providers working with the NHS 
• Community Pharmacies, care homes and hospices 

All information sharing is supported by appropriate contracts, agreements, and assurance checks to ensure your data is used lawfully and securely.

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, for example:

• To the Police for the prevention and detection of crime 
• Court Order 
• Overriding public interest to prevent abuse or serious harm 

Transfers of information outside the UK

We do not routinely transfer your personal information outside the United Kingdom. Where it is necessary to transfer information outside the UK, this will only be done where appropriate safeguards are in place and in accordance with UK data protection legislation. Safeguards include adequacy regulations or standard contractual clauses to protect your information.

Infected Blood Compensation Authority (IBCA)

If you have made a claim for compensation through the Infected Blood Compensation Authority (IBCA), the Trust may provide IBCA with relevant information from your medical records and, where relevant, the person who infected you to support your claim.

You can read more about how IBCA uses your information in their privacy notice.

Retention of Records 

We manage records in line with the NHS Records Management Code of Practice, which sets out how long records are retained before secure disposal or archiving. Guidance can be found at: Records Management Code of Practice - NHS Transformation Directorate

The Cheshire Care Record 

The Cheshire Care Record is a shared system that allows healthcare professionals in the Cheshire health and social care community to access the most up-to-date and accurate information about patients to deliver the best possible care. It can only be accessed by the health and social care providers with your consent.

For information about the Cheshire Care Record, go to: Cheshire Care Record | Countess of Chester Hospital

Your Rights as a Data Subject 

You have the right to:

• Be informed about how your information is used
• Access your personal information (subject access request)
• Request correction of inaccurate information (rectification request)
• Request restriction or object to certain types of processing in limited circumstances only

Some rights may not apply where we process data to deliver NHS services under Article (1)(e) UK GDPR - Public Task. Each request is considered on a case‑by‑case basis.

SMS text messaging 

When attending appointments, you may be asked to confirm your contact telephone numbers. Appointment details can be sent to your mobile via SMS text messages and automated calls to your mobile or landline to remind you of appointment times. 

Data Breaches 

The Trust has procedures to detect, investigate and report personal data breaches to the appropriate authorities. Where a breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay.

Data Protection Complaints

If you have any concerns about our use of your personal information, you can make a complaint to us at: ecn-tr.dataprotection@nhs.net

Contact Details

Data Controller:

East Cheshire NHS Trust
Macclesfield District General Hospital
Victoria Road
Macclesfield
Cheshire
SK10 3BL

Telephone: 01625 421000

Information Commissioner's Office Registration number: Z7573067

Data Protection Officer

Email: ecn-tr.dataprotection@nhs.net

Information Commissioner's Office

Telephone: 0303 123 1113

Advice services for members of the public | ICO