What types of personal information do we process

We process personal information to enable NHS Dorset to support the provision of services to the population of Dorset.

The types of personal information we use include:

  • Personal details such as names, addresses, email addresses, telephone numbers, dates of birth

  • Details about family, lifestyle and social circumstances

  • Employment and education details

  • Financial details

  • Visual images, personal appearance and behaviour

  • Details of how you use our website, and where you have accessed it from

  • Details of how you interact with us on social media

  • Details of when you contact us and when we contact you (including voice recordings of telephone calls and copies of written communications such as emails or letters)

  • Any consents you have given us in relation to the processing of your information

  • Physical or mental health details in relation to requests for access to our services. Such information requires special protection by law – we will always explain what information we require and why it is needed when collecting this information. It will always be processed and stored securely

  • Details of your use of services offered by us

Where we collect personal information from

We may collect your personal information from the following sources:

Personal information you give to us:

  • When you contact NHS Dorset (for example by phone, email or letter)

  • In customer surveys or any other research activity we may conduct with you

  • When you use our services

  • When you update your personal information using our website, or by emailing or telephoning us

Personal information gathered from our website:

  • When you use or access our website

  • Details of staff payments from our payroll service provider

  • Details obtained from social media

  • Potential employee recruitment details

  • Details obtained from cookies on third party website (see our privacy policy for further information)

  • Details relating to internal audit investigations

  • Details relating to counter fraud investigations

  • Details of individual cases from legal authorities that we may work with

Why do we process your information

We process personal information to enable us to:

  • Provide health services to our patients

  • Maintain our accounts and records

  • Promote our services

  • Undertake research

  • Support and manage our employees

Who we process information about

We process personal information about:

  • Patients

  • Members of the public

  • Staff

  • Suppliers and service providers

  • Survey respondents

  • Business contacts

  • Professional experts and consultants

  • Offenders and suspected offenders

What do we use your information for

We use your information to plan health care services:

  • Check the quality and efficiency of the health services we commission

  • Prepare performance reports on the services we commission

  • Work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients

  • Review the care being provided to ensure it is of the highest standard

What information do we process and what is the legal basis

Classes of information processed

We process information relevant to the reasons/purposes outlined above. This information may include:

  • Personal details

  • Family, lifestyle and social circumstances

  • Goods and services

  • Financial details

  • Employment and education details

  • Visual images – personal appearance

NHS Dorset does not routinely hold medical records.

Format of information processed

We use information in the following formats:

Information containing details that identify individuals (such as name, address, NHS number, postcode, date of birth).

Information about individuals but with identifying details (such as name or NHS number) replaced with a unique code.

Information about individuals but with all identifying details removed to prevent identification of the individuals.

Information statistical, anonymised information about individuals that has been grouped together to show general trends without identifying individuals.

Special category information (sensitive)

There are some limited exceptions where we may hold and use sensitive personal information about you that may include:

  • Physical and mental health details

  • Sexual life

  • Racial or ethnic origin

  • Trade union membership

  • Religious or other beliefs of a similar nature

  • Offences and alleged offences

For example, NHS Dorset is required by law to perform certain services that involve the processing of sensitive personal information.

Specific purposes for use of special category personal information

The specific areas where we regularly use sensitive personal information include:

Purpose and details of activity

To process your personal information if it relates to a query or complaint where you have asked for our help or involvement, and to monitor the level of service we provide.

We usually have to disclose the complainant’s identity to whoever the complaint is about in order to investigate and respond. If a complainant does not want identifiable information to be disclosed, we will try and respect that. However, it may not be possible to handle a complaint on an anonymous basis.

Source of information

Data subject, primary care, secondary care, community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a). Other (UK General Data Protection Regulation Article 9 (2) (a)).

Before we can respond to your complaint, our Complaints Officer will obtain your explicit consent to investigate.

Purpose and details of activity

To process your personal information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs), or where you have decided to appeal against a funding decision we have made. This is a national process using standard information collection tools. We will use the information you provide and may request further information from other care providers to identify eligibility for funding. If agreed, arrangements will be made to provide and pay for the agreed funding packages with appointed care providers.

Source of information

Data subject/family members/legal representative, primary care, secondary care, local authority, community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e) to process the data for the claim. UK GDPR Article 6 (1) (a) to meet our obligations under the Common Law Duty of Confidentiality. Other (UK General Data Protection Regulation Article 9 (2) (h)).

When you submit your claim form, your information will be processed to determine eligibility. Your initial assessment will be carried out by a clinical professional who will obtain your consent to ensure we meet our obligations under Common Law.

Purpose and details of activity

To make an assessment for funding eligibility where you or your GP have requested special treatments that are not routinely funded by the NHS.

Source of information

Data subject, primary care and secondary care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a). Other (UK General Data Protection Regulation Article 9 (2) (a)).

The clinical professional who first identifies that you may need the treatment will obtain your explicit consent and will explain to you the information that we need to collect and process for us to assess your needs and commission your care.

Purpose and details of activity

To provide advice and guidance to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. This may mean accessing identifiable information in limited circumstances where it is required for the safety of the individuals concerned.

Source of information

Primary care, secondary care, community care, member of the public or staff member.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e). Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

  • Care Act 2012;
  • Data Protection Act 2018, Amendment 85

Purpose and details of activity

To process your information where you have asked us to keep you regularly informed and up to date on the work of NHS Dorset, or if you are actively involved in our engagement and consultation activities or patient participation groups.

Source of information

Data subject.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a).

We will ask for your consent before collecting and storing your contact details. You will be able to change your mind at any time by writing to us at the address provided or emailing us.

Purpose and details of activity

NHS Dorset will collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to a patient’s infection.

NHS Dorset will lead the post infection reviews in accordance with the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will then use the results of the post infection review to inform the mandatory healthcare associated infections reporting system.

Source of information

Primary care, secondary care, community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e). Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

  • Health and Social Care Act 2008: Code of Practice for the NHS for the Prevention and Control of Healthcare Associated Infections (revised January 2015)
  • Section 251* NHS Act 2006

Purpose and details of activity

NHS Dorset is accountable for effective governance and learning from all serious incidents, and will work closely with staff and with provider organisations to ensure that serious incidents are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners, as well as providers, should have a primary responsibility for ensuring quality.

Source of information

Primary care, secondary care, community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

  • Serious Incident Framework 2015

Purpose and details of activity

NHS Dorset pharmacists work with GP practices to provide advice on medicines and prescribing queries, and to review prescribing of medicines to ensure that it is safe and cost-effective. The NHS number is used by our pharmacists in order to review and authorise (if appropriate) requests for high-cost drugs which are not routinely funded. NHS Dorset pharmacists will also work with the risk team to provide advice on drug related deaths.

Source of information

Primary care, secondary care, community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (a) (e). Other (UK General Data Protection Regulation Article 9 (2)(h)).

Statutory legal obligation:

  • Misuse of Drugs Act 1971, amended 2012
  • Medicines Act 1968
  • Human Medicines Regulations 2012

Where a request is made for a high-cost drug which is not routinely funded, consent will be obtained on a case by case basis in order to assess your needs and reach a funding decision.

Purpose and details of activity

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. Your GP or staff within your GP Practice who are responsible for providing your care can see information that identifies you, but NHS Dorset staff will only be able to see information in a format that does not reveal your identity.

NHS England encourages health bodies and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Knowledge of the risk profile of our population helps NHS Dorset to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices. NHS Dorset does not currently use risk stratification tools but may at some point in the future.

Source of information

Primary care, secondary care, and community care.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e). Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

  • Section 251* NHS Act 2006.

Purpose and details of activity

Before paying an invoice for healthcare treatment, we will need to be sure that NHS Dorset is responsible for your treatment costs as well as checking to ensure that the amount that is being invoiced is correct. This process is known as invoice validation. We use the NHS number within a special secure area known as a Controlled Environment for Finance (CEfF) to validate the invoices, so that the organisations that have provided care for you can be paid.

Source of information

Primary care, secondary care, commissioned services, NHS Digital, South Central and West Commissioning Support Unit (CSU).

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

Statutory legal obligation:

  • Section 251* NHS Act 2006.  NHS Constitution (Health and Social Care Act 2012)

Purpose and details of activity

Hospitals and community organisations that provide NHS funded care must submit certain information to NHS Digital about services provided to our service users. This information is generally known as commissioning datasets. NHS Dorset obtains these datasets from NHS Digital via Data Services for Commissioners Regional Offices (DSCRO), and they relate to service users registered with GP Practices in Dorset.

These datasets include data from a variety of sources listed below:

  • Secondary Uses Services (SUS) for commissioners, this includes secondary care, community care and mental health providers in an inpatient, outpatient and emergency department setting;
  • National Data Sets for community and mental health services. Including mental health minimum data set, mental health and learning disabilities data set, improving access to psychological therapies data set, children and young people health, mental health services data set, community services data set;
  • National Performance Data Sets including cancer waiting times monitoring, referral to treatment monitoring, emergency department waiting times;
  • Local Provider Flows including acute, ambulance, community, demand for service, diagnostic services, emergency care, experience quality and outcomes, mental health, population data, primary care services, public health and screening services, diagnostic imaging, maternity services.

The data we receive does not include patients’ names, dates of birth or home addresses, but may include information such as your NHS number.

When analysing current health services and proposals for developing future services, it is sometimes necessary to link separate individual data sets to be able to produce a comprehensive evaluation.

In some cases, there may also be a need to link local data sets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc. as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Source of information

NHS Digital via South Central and West Commissioning Support Unit.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (e).  Other (UK General Data Protection Regulation Article 9 (2) (h)).

You can choose to opt-out of your personal information being used for secondary uses such as planning of health services.

Purpose and details of activity

NHS Dorset is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds, to prevent and detect fraud. The Cabinet Office is responsible for carrying out the National Fraud Initiative and requires NHS Dorset to participate in any data matching exercise to assist in the prevention and detection of fraud.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how they match.  This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Source of information

Source of information National Fraud Initiative team at the Cabinet Office.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (c). Other (UK General Data Protection Regulation Article 9 (2) (b)).

Statutory legal obligation: part 6 of Local Audit and Accountability Act 2014.

Purpose and details of activity

To process potential and existing employee information for the purpose of staff recruitment, payroll, and pension.

To process employee information for the purposes of employee relations, including the use of employee photographs for identification purposes, monitoring staff performance through appraisals and personal development reviews, monitoring training records, managing absence and sickness, and ensuring fitness to return to work.

Source of information

Data subject, recruitment agencies, occupational health.

Lawful basis for use

UK General Data Protection Regulation Article 6 (1) (b). Other (UK General Data Protection Regulation Article 9 (2) (b)).

Performance of a contract: we need to share your personal data with our payroll provider to fulfil the employment contract and pay employees for work undertaken.

UK General Data Protection Regulation Article 6 (1) (c). Other (UK General Data Protection Regulation Article 9 (2) (b)).

Statutory legal obligation: we are legally required to auto-enrol eligible employees into our pension scheme. Additionally, we are required to process some employee data under employment law, health and safety legislation and tax legislation.

UK General Data Protection Regulation Article 6 (1) (a). Other (UK General Data Protection Regulation Article 9 (2) (a)).

Consent:  we will ask for your consent before collecting and storing your personal details or photographs and you will be provided with a privacy notice explaining why we need to collect your information.

Section 251

Section 251 of the NHS 2006 Act provides a mechanism which can enable to use of confidential information for certain purposes that would otherwise be unlawful, through and application made to the Confidentiality Advisory Group (CAG).

The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority and the Secretary of State for Health on whether an application to process patient information without consent should be approved. The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and the management of health and social care services. Where consent has been used, you can change your mind at any time and write to us at:

Data Protection Advisory Team
NHS Dorset,
Vespasian House,
Barrack Road,
Dorchester,
Dorset,
DT1 1TG

If you choose not to give us your personal information

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.

Keeping your information confidential and secure

Sharing your personal information

Your rights