Patient privacy notice

This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it.

Who are we?

Somerset NHS Foundation Trust is registered with the Information Commissioner’s Office (ICO) in the UK as a Data Controller, and processes personal and special categories of information under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Our registration number is Z6696096.

For further information please refer to the ‘About us’ page on our website.

Why do we collect personal information about you?

Personal data is information about a living, identifiable individual. Your personal data is therefore any information that can be attributed to you personally, including your name, weight, height, date of birth, health conditions and the treatments you receive. As long as you can be identified from that information, it is your personal data.

Organisations that use personal data must do so in line with the provisions of the General Data Protection Regulations and the Data Protection Act 2018. The Act applies to personal data held in both electronic and physical media.

The staff caring for you need to collect and maintain information about you, your health, and your treatment and care, so that you can be given the safest and highest quality care. This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

What is our legal basis for processing personal information about you?

When you consent to treatment, we do not rely on that same consent to use your information as a ‘legal basis for processing’. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

The Trust has a legal duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided. Because of this there are limitations on your rights to object to the keeping of records or to ask for them to be deleted. For more information see the section on ‘What are your rights’.

This means we can use your personal information to provide you with your care without seeking your consent.

Other legal duties may require us to use your information for processing a complaint, for assessing, monitoring and improving the quality and safety of the services we provide, to seek feedback on the quality of services, or for the general management of the NHS. The NHS is supported by a complex network of statutory duties and powers. We have provided here an overview of the main provisions applying to the Trust. If you require specific information about the particular duty or power supporting any activity, please contact the Data Protection Officer.

What personal information do we need to collect about you and how do we obtain it?

Personal information about you is collected in several ways, including referral details from your GP or another health provider, or personal details directly from you or your authorised representative.

The data we hold includes basic personal information about you such as your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts and your GP details. We may also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.

In addition to the above, we may hold healthcare information about you, including:

  • Health notes and reports, including details of treatment and care, physical and mental health conditions, results of investigations and what future care you may require
  • Personal information from people who are carers, such as relatives, or health or social care professionals
  • Other personal information such as smoking status, any learning disabilities, and your family, lifestyle and social circumstances
  • Details of your religion and racial or ethnic origin
  • Whether or not you are subject to any protection orders (safeguarding status), offences, criminal proceedings, outcomes and sentences

It is important for us to have a complete picture of you because:

  • Accurate and up to date information assists us in providing patients with the right care
  • Full information will be readily available in the event you need to see another doctor, or are referred to a specialist or another part of the NHS
  • Accurate and up to date information assists us in providing staff with the information and training required to carry out their role in the Trust
  • It helps the NHS prepare statistics on its performance and audits of its services and enables better monitoring of public spending and planning and management of the health

It also improves the training of NHS healthcare professionals and employees, and assists the NHS in conducting its research and development activities.

What website information do we collect?

Information about your computer hardware and software is collected automatically. This information can include your IP address, browser type, domain names, access times and referring website addresses. It is used for the operation of the service, to maintain quality and to provide general statistics regarding use of the Trust’s websites.

The Trust’s websites will disclose your personal information without notice only if required to do so by law, or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Somerset NHS Foundation Trust or the sites; (b) protect and defend the rights or property of Somerset NHS Foundation Trust; and (c) act under exigent circumstances to protect the personal safety of users of Somerset NHS Foundation Trust, or the public.

Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through The Trust’s public message boards, this information may be collected and used by others. The Trust does not read any of your private online communications.

Links to other websites: The Trust encourages you to review the privacy statements of websites you choose to link to from our site, so that you can understand how those websites collect, use and share your information. The Trust is not responsible for the privacy statements or other content on websites outside the Trust’s family of websites. Therefore we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.

Collecting personal information on e-forms: The Trust websites use electronic forms. These forms enable you to give us feedback about the website; to give feedback about specific activity the Trust is involved in; to give feedback as part of a formal consultation; to take part in fundraising activities or giving; to register for an event or activity; or to register interest as a member or volunteer.

Where we are asking for personal information we will always ask you to acknowledge acceptance and understanding of this Fair Collection/Privacy Notice, before the electronic form can be submitted.

Direct marketing: The Trust may also use your personally identifiable information to inform you of other products or services available from Somerset NHS Foundation Trust and its affiliates. The Trust may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered. The Trust keeps track of the websites and pages our patients visit in order to determine which of our services are the most popular. This data is used to deliver customised content and advertising to customers whose behaviour indicates that they are interested in a particular subject area. You have the right to refuse or withdraw consent to direct marketing at any time.

Use of cookies: The Trust website uses “cookies” to help you personalise your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the web server that you have returned to a specific page. For example, if you personalise pages, or register with a Somerset NHS Foundation Trust site or service, a cookie helps to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same Somerset NHS Foundation Trust website, the information you previously provided can be retrieved, so you can easily use the features that you customised.

You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Trust’s services or websites you visit. You can read more about the cookies used by the Trust’s websites by clicking on the Cookie link at the bottom of the web page.

What do we do with your personal information?

Your records are used to directly manage and deliver healthcare to you, to ensure that:

  • Staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for
  • Staff have information they need to be able to assess and improve the quality and type of care you
  • Appropriate information is available, should you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

The personal information we collect about you may also be used to:

  • Remind you about your appointments and send you relevant
  • Review the care we provide to ensure it is of the highest standard and quality through audits or service
  • Support funding of your care with commissioning
  • Prepare NHS performance statistics required by the Department of Health or other regulatory
  • Assist in training and education of healthcare professionals.
  • Report and investigate complaints, claims and untoward incidents, report events to the appropriate authorities when required to do so by law.
  • Review your suitability for research studies or clinical trials.
  • Contact you with regards to patient satisfaction surveys relating to services you have used within The Trust, so as to further improve our services to patients in

Where possible, we will always look to minimise and anonymise or pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis to act otherwise.

Who do we share your information with and why?

The Trust may share your information for health purposes with other NHS organisations, e.g. health authorities, NHS Trusts, general practitioners (GPs), ambulance services, NHS England, Public Health England and other NHS common services agencies such as primary care agencies. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs. Examples include:

  • NHS Patient Survey Programme (NPSP): part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We have a legal duty under Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess, monitor and improve the quality and safety of the services provided (including the quality of the experience of service users in receiving those services). We may share your contact information with an NHS approved contractor as a data processor to be used for the purpose of the
  • NHS Digital: on behalf of NHS England, NHS Digital assesses the effectiveness of the care provided by publicly-funded services. We have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and, in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations and our legal duty under s259 Health and Social Care Act 2012. For further information about how NHS Digital looks after your data follow this link.
  • Clinical Commissioning Groups: information may be shared with a Clinical Commissioning Group where it is necessary for them to comply with their legal duties. For example, they have particular duties relating to the discharge of patients under the Care Act 2014 and for the provision of continuing care under s3 NHS Act 2006, including in some cases the authorisation of individual funding. Please also see the Somerset Clinical Commissioning Group’s Privacy Notice and Dorset Clinical Commissioning Group’s Privacy Notice.

For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

A new service called SIDeR (Somerset Integrated Digital electronic Record) has been rolled out across Somerset to allow GP practices, hospitals and Social Care to securely view your health and care information. SIDeR will help us to link up our existing IT systems that record and securely store your information, so that medical and care staff can view your information to help them deliver better and safer care for you. For example, they will be able to see what medications you’re taking, what allergies you have and what appointments you have coming up. If you have a care plan in place, they will also be able to see this to understand what your exact needs are.

We may also be asked by other organisations to share basic information about you, such as your name and address, which does not include sensitive information from your health records. Generally, we would do this to assist them in carrying out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice under the Data Protection legislation.

Where patient information is shared with or processed by other non-NHS organisations, an information sharing agreement is drawn up to ensure information is managed in a way that complies with relevant legislation. These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the Police, voluntary sector providers and private sector providers.

Somerset NHS Foundation Trust does not sell, rent or lease its customer lists to third parties. From time to time, we may contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party without your consent. In addition, Somerset NHS Foundation Trust may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to Somerset NHS Foundation Trust, and they are required to maintain the confidentiality of your information under data processing agreements. Information may sometimes be shared with system suppliers for the purposes of maintenance.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, to prevent and detect fraud. There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Trust will always do its best to notify you of this sharing.
How we maintain your records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements. We hold and process your information in accordance with the Data Protection Act 2018 and GDPR, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. This will be noted in your records.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

The Trust is committed to securing your personal information from unauthorised access, use or disclosure, and stores it on computer servers in a controlled, secure environment.

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Further information can be found in our Information Governance policies, which are available by contacting our Data Protection Officer.

What are your rights?

Data Protection law gives you significant rights over the use of your personal data. The most important is the right to make a “Data Subject Access Request” for access to the information we hold, usually by being provided with a copy. Further details can be found on our website.

Your other rights include:

  • Rectification: a right to ask us to change any personal data which is wrong
  • Erasure: a right to ask us to delete any personal data we hold. This is sometimes referred to as “the right to be forgotten”
  • Restriction: a right to ask us not to process your information for certain purposes. There is also a specific right to ask us not to use your contact details for marketing
  • Objection: a right to object to some types of processing based on your own individual circumstances
  • Data portability: the right to receive your information in a specific form so that it can be used by another organisation. However, this right usually only applies where we are processing information by consent, so it does not apply to medical records. For more information please see the Information Commissioner’s website.

These rights are not absolute (other than prevention of marketing) and will not apply in all circumstances. For example, you do not have a right to insist that we delete your medical records as we have a legal duty to keep them.

If you wish to exercise any of these rights please contact the Trust’s Data Protection Officer and we will tell you within one month what action we intend to take in response to your request.

Further information relating to your Data Subject Rights can be found on the ICO website.

You also have a right to complain to the Information Commissioner if you are in any way unhappy with the way we have processed your personal information or allowed you to exercise your rights.

In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This ‘National Data Opt-out’ initiative commenced in July 2022. Further information can be found on the National Data Opt-out website.

If you wish to obtain a copy of the Trust’s Data Protection Policy, which covers individual rights, or to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, who will investigate the matter.

Data Protection Officer

Louise Coppin is the Data Protection Officer for the Trust and can be contacted via email or via post:

Data Protection Officer, Somerset NHS Foundation Trust, Musgrove Park Hospital, Taunton,
Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the ICO at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 700 if you prefer to use a national rate number
Email:

Patient advice and liaison service

If you have a concern about any aspect of your care or treatment at this Trust please contact the Patient Advice & Liaison Service (PALS).

Post: Patient Advice and Liaison Service (PALS), Block 51, Musgrove Park Hospital, Taunton, TA1 5DA

Changes to this Statement

Somerset NHS Foundation Trust will occasionally update this Statement of Privacy to reflect the law and feedback received. You are encouraged to periodically review this Statement to be informed of how Somerset NHS Foundation Trust is protecting your information.
This Privacy Notice was last reviewed in February 2023.