Privacy Notices

The Data Protection Act 2018 and UK General Data Protection Regulation (GDPR) gives individuals rights about how their personal data is used by organisations. One of the rights is the right to be informed, which means we have to give you information about the way in which we use, share and store your personal information.

The information below relates to the patients and services users.

Other bespoke privacy notices can be found at the bottom of this page.

What is a Privacy Notice

A privacy notice is a statement that describes how an organisation collects, uses, retains and discloses personal information.

Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and
  • Who it will be shared with

This information also explains what rights you have in controlling how we use your information.  The key laws are:

  • The Data Protection Act 2018 (DPA)
  • UK General Data Protection Regulations 2021 (UKGDPR)
  • The Human Rights Act 1998 (HRA)
  • The Common Law Duty of Confidentiality.

Within these pages we describe instances where the Trust is the ‘Data Controller’, for the purposes of the Data Protection Act 2018,
and where we direct or commission the processing of patient data to help deliver better healthcare, or to assist the management of healthcare services.

The Trust recognises the importance of protecting personal and confidential information in all that we do, whilst taking great care to ensure our legal obligations are met.

Who we are and what do we do

At Coventry and Warwickshire Partnership NHS Trust (the Trust) we are committed to protecting and respecting your privacy.

The Trust is part of the NHS and provides the following services across Coventry and Warwickshire, Solihull, Hereford and Worcestershire:

  • Inpatient mental health services
  • Community mental health services
  • Inpatient learning disability services
  • Community learning disability services
  • Inpatient and Community eating disorder services
  • Respite and residential care services
  • Community physical health services e.g. district nursing etc.

We keep our privacy notice under regular review and we will place any updates on this web page. This notice was last updated on 27/01/25.

Data Protection Notification

The Trust is a ‘Data Controller’ under the Data Protection Act 2018 (DPA18). We have notified the Information Commissioner that we process personal data.
The details are publicly available from:


Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
ico.org.uk
Registration number: Z9641870

What information we collect about you

As a public authority providing healthcare the Trust has a legal justification to collect and use information about our service users for direct healthcare purposes.

Personal information includes:

  • Your name
  • Your address and post code
  • Your telephone number
  • Your NHS number
  • Your marital status
  • Your employment status
  • Your preferred contact details e.g. relatives, friends and carers contact details
  • Your opinions and decisions about your contact with our services.

We also process special category data. This is personal data which the Data Protection Act 2018 (DPA18) says is more sensitive, and so needs more protection.

Special categories of data includes:

  • Racial and ethnic origin
  • Religious or other beliefs (if appropriate)
  • Sexual orientation
  • Health data
  • Records of your contact with our services
  • Diagnosis and/or the problems that you are experiencing with your health
  • Personal appearance and behaviour (relevant to your clinical presentation)
  • Results of test results, such as X rays/Laboratory results or other investigations or assessments
  • Any previous information about care and treatment that you have received
  • Relevant information from other health and/or social care organisations Domestic and social circumstances directly relevant to your care and treatment
  • Professional opinions on your current health status and future health care needs
  • Information about risks that may affect you or where you may pose a risk to others.

We may also collect and store information about previous convictions where this is relevant to the care and treatment we are providing to you and/or where this is relevant to the health and safety of our staff and other patients.

How we use the information about you

The Trust collects information from you in order to be able to provide you with direct health and social care and treatment.

The Trust collects information from you to be able to:

  • Confirm your identity
  • Contact you by post, email and telephone
  • Assess your health/social care needs
  • Deliver appropriate health/social care to you as our patient
  • Prevent harm or injury to you or another person
  • Ensure that up-to-date and relevant information is available to all staff caring and treating you
  • Ensure that the care and treatment that your receive is safe and effective
  • Review care and treatment to ensure that it is of the highest standard
  • Ensure that we meet our legal obligations to provide health care in certain circumstances
  • Review your care and treatment in the event of an untoward incident
  • Manage and investigate complaints made by you about your care and treatment
  • Respond to legal or other claims about your care and treatment
  • Meet various legal requirements including to provide information on notifiable diseases
  • Provide information to other NHS organisations as required by law or other directions
  • Ensure payments are made for Out of area care or other specific care packages
  • Prevent and detect fraud or crime
  • Provide statistical analysis of the use of services and so that we can plan future services.

National Data Opt-Out

The Trust is compliant with the National Data Opt-out policy.

How the NHS and care services use your information

The Trust is one of many organisations working in the health and care system to improve care for patients and public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information.
All these uses help to provide better health and care for you, your family and future generations.
Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way.
If you are happy with this use of information you do not need to do anything.
If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/yournhs-data-matters. 

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Who we share your information with

Sharing for Direct Care

As a patient of the Trust, your data will be shared within the health care team providing you direct health care; that could be doctors, nurses and other allied health professionals providing you with care and treatment. Authorised non health professionals will also have access to information about you as appropriate in order to manage your health records, write to invite you to appointments and generally manage your contacts with the Trust. All staff are bound by a contractual duty of confidentiality and are also subject to data protection legislation. Information will also be shared with your General Practitioner (GP) to ensure that there is one continuous record of all health care that you have received from any NHS provide or other health provider.
The Trust will also share relevant information with other NHS Trusts such as a
Hospital Trust where you are being referred for specialist or hospital-based treatment.
It is necessary for the Trust to use your information in order to provide you with direct health care.
Under the UK GDPR, the lawful basis we rely on to process your personal data is:

  • Article 6(1)(e) ‘the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    Under the UK GDPR, the lawful basis we rely on to process your special category data is:
  • Article 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine….’

Integrated Care Record

The Trust works with other health and social care organisations to share information that will form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you.

The following organisations are involved in the ICR programme:

  • GP practices within Coventry and Warwickshire through their membership of the Integrated Care Board
  • Coventry and Warwickshire Partnership NHS Trust
  • University Hospitals Coventry and Warwickshire NHS Trust
  • George Eliot Hospital NHS Trust
  • South Warwickshire University NHS Foundation Trust
  • Coventry City Council
  • Warwickshire County Council
  • West Midlands Ambulance Service University NHS Foundation Trust

Health and social care organisations in the neighbouring areas of Birmingham and Solihull, and Herefordshire and Worcestershire, will be able to view your information for the purpose of giving you direct care should it be necessary.

Information we hold about you will be available, to read only to other health and care professionals when they are involved in your health or social care.
For more information on how your data is used on the Integrated Care Record and how to exercise your rights can be found here.

Section 75 Partnership Agreement

As a result of Section 75 of the National Health Services Act 2006, in some of our services we work in formal partnership working arrangements with other registered professionals, such as social workers. These are mainly within are community mental health teams where we have specialist registered social workers who are employed as part of the Community Teams. This is from the appropriate local authorities, such as Coventry City Council and Warwickshire County Council.
If you are a patient of a community mental health team your health records will have entries and information recorded within them by the whole care team including the registered social workers. These joint records will be managed in line with the current requirements as to security, confidentiality and how long we keep these records.

Information shared with your consent

Where the Trust receives a request for information about you including information from your health records, if this is not connected with your direct health/social care, the Trust would ask for your explicit i.e. written consent. For example, if a Solicitor or other external organisations asked for copies of your health records, the Trust would only provide this information about you when you have consented to share this information.
Under the UK GDPR, the lawful basis we rely on to process your personal data are:

  • Article 6 (1)(a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’
    Under the UK GDPR, the lawful basis we rely on to process your special category data are:
  • Article 9 (2)(a) ‘the data subject has given their explicit consent to the processing of their personal data for one or more specific purposes….’

 

Information shared in regard to Safeguarding

The Trust is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

Under the UK GDPR, the lawful basis we rely on to process your personal data are:

  • Article 6(1)(a) ‘the Data Subject has given consent…’
  • Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
  • Article 6(1)(d) ‘processing is necessary in order to protect the vital interests of the Data Subject or another Natural Person
  • Article 6(1)(e) ‘the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Under the UK GDPR, the lawful basis we rely on to process your special category data are:

  • Article 9(2)(a) ‘the Data Subject has given explicit consent….’
  • Article 9(2)(c) ‘processing is necessary to protect the vital interests of the Data Subject or of another Natural Person….’
  • Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest….’
  • Article 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine….’

In order to share information legally between organisations there must be a defined and justifiable purpose that references the appropriate underpinning legislation and the associated duties and/or powers. It is therefore the responsibility of all organisations that share information that exchanges are justified and in accordance with key legislations:

Data Protection Act 2018 Schedule 1, Section 18 & 19 – Safeguarding of children and of individuals at risk & Safeguarding of economic well-being of certain individuals

Care Act 2014 - This Act gives the Local Authority in each area a duty to put procedures in place to safeguard vulnerable adults who have care and support needs.

Children Act 2004

Common Law Duty of Confidence

Crime and Disorder Act 1998

Criminal Justice Act 2003

Mental Capacity Act (2005)

Domestic Violence, Crime and Victims Act 2004

Human Rights Act 1998

Immigration and Asylum Act 1999

Multi-agency Public Protection Arrangements (MAPPA)

National Health Service Act 2006

The data collected by Trust staff in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain, to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

The information is used by the Trust when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police, healthcare professional (i.e. their GP or mental health team).

Information shared because of other legal bases

The Health and Social Care Act 2012 set up a new NHS organisation called NHS
Digital. NHS Digital is also known as the Health and Social Care Information Centre.
One of the specific legal responsibilities of NHS Digital is to be the safe haven of health and care information. NHS Digital collects data and information about people using health and care services in England and in some cases Wales, Scotland and Northern Ireland. This information is needed to run the health service.
The Secretary of State for Health and Social Care, and NHS England, can tell NHS Digital to collect and process information on specific topics, or set up information systems to collect information. This means they can see, for example, whether policies are working or which treatments are most effective. These orders are called 'directions'.
The Care Quality Commission (CQC), National Institute for Health and Care Excellence (NICE) and NHS Improvement (NHSI) can also tell NHS Digital to collect information. These are called 'mandatory requests'.
Other health and care organisations and local authorities can also ask NHS Digital to collect information for them, if they are legally allowed to view this information.
When NHS Digital is told or asked to collect certain information nationally, this means that Coventry and Warwickshire Partnership NHS Trust has a legal duty to share the required information or data sets with NHS Digital.
NHS Digital publishes 'data provision notices', telling the Trust what data we need to provide to NHS Digital.
Some of the information provided to NHS Digital is identifiable patient information. One of NHS Digital’s roles is to convert such data into nonidentifiable data or anonymised data for use within the local Health Service Commissioning bodies such as the Clinical Commissioning Groups. Where identifiable data is not required this will be anonymised.

International transfers

The Trust will ensure that any international transfers of confidential patient information will only be undertaken in accordance with the GDPR and with countries that can ensure an adequate level of protection for the rights and freedoms of our patients. Where applicable your consent will be sought.

How long we keep your information

The length of time we keep your information depends on what sort of information it is.
We use the guidance provided in the National Records Management Code of Practice for Health and Social Care to support our actions in relation to records management, including retention periods.
The code is based on current legal requirements and professional best practice. We retain our records for at least the minimum stated required retention period.

Healthcare
Physical health information is retained for a minimum period of 8 years following discharge or last attendance at the Trust.

Mental health information is retained for a minimum period of 20 years after the last treatment date or contact with the service.

Research
If you have chosen to take part in a research study, the retention period for the associated records will depend on the study and this will be explained as part of the joining process.

Your individual rights

Data Protection Law gives individuals rights in regard to the use of their personal
information. Individuals Rights are:-

The right to be informed: You have the right to be informed about the collection and use of your personal data. This privacy notice is one of the Trust’s key methods for providing you with this information. In addition to this notice, we will provide you with more specific information at the time we collect personal data from you, such as when you make a complaint to us.

The right of access: You have the right to ask us for confirmation of whether we process data about you and if we do, to have access to that data so you are aware and can verify the lawfulness of the processing.
You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf.  A child’s parent or guardian, a patient representative, or a person appointed by the court may also apply. If you wish to ask us for confirmation of whether we process data about you or access your personal data, then please contact:
MLCSU Access to Information team
mlcsusars@nhs.net 
01782 916875 

The right to rectification: You are entitled to have personal data that we hold about you rectified if it is inaccurate or incomplete. If we have passed the data concerned on to others, we will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If this is the case, we will explain to you why.

The right to erasure: You have the right to have personal data we hold about you erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • If you withdraw your consent for us to process your data (if this was the legal basis on which it was collected).
  • The personal data was unlawfully processed (i.e. a breach of UK data protection laws).
  • The personal data has to be erased in order to comply with a legal obligation.

However, if we have collected and are processing data about you to comply with a legal obligation for the performance of a public interest task or exercise of official authority, i.e. because we have a legal duty to do so in our functioning as a Trust, then the right to erasure does not apply.

The right to restrict processing: You have the right to ‘block’ or suppress processing of your personal data which means that if you exercise this right, we can still store your data but not to further process it and will retain just enough information about you to ensure that the restriction is respected in future.
You can ask us to restrict the processing of your personal data in the following circumstances:

  • If you contest the accuracy of the data, we hold about you we will restrict the processing until the accuracy of the data has been verified.
  • If we are processing your data as it is necessary for the performance of a public interest task and you have objected to the processing, we will restrict processing while we consider whether our legitimate grounds for processing are overriding.
  • If the processing of your personal data is found to be unlawful but you oppose erasure and request restriction instead; or
  • If we no longer need the data we hold about you, but you require the data to establish, exercise or defend a legal claim.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.
We will inform you if we decide to lift a restriction on processing.

The right to data portability: The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability although it only applies where we are processing your personal data based on your consent for us to do so or for the performance of a contract and where the processing is carried out by automated means. This means that currently, the Trust does not hold any data which would be subject to the right to data portability.

The right to object: Where the Trust processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing.
You must have an objection on grounds relating to your particular situation.
If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

The right not to be subject to automated processing including profiling: The Trust does not currently use your personal and/or sensitive (special categories) data to make decisions about you without the intervention of a person, be that a health professional or other authorised member of staff.

Contact Us

Please contact us via our Data Protection Officer if you have any questions about our privacy notice or information we hold about you:
Hayley Gidman
Data Protection Officer
Tel: 01782 916875
Email: mlcsu.dpo@nhs.net
 
If you are not satisfied with how your information has been processed you can contact our Patient Advise and Liaison Service (PALS).
Patient Advice and Liaison Service
Coventry and Warwickshire Partnership NHS Trust
Wayside House
Wilsons Lane
Coventry
CV6 6NY
Tel: 0800 212 445 (Freephone) / 024 7653 6804
Email: PALS.Complaints@covwarkpt.nhs.uk 

If, however, you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint:
Information Commissioner's Office,
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/