Our core purpose is to work with people and lead communities in improving their mental and physical health and wellbeing for a better life, through delivering excellent and responsive prevention, diagnosis, early intervention, treatment and care.
The Trust is responsible for all the personal data it has and takes its responsibilities extremely seriously. It takes every measure possible to protect the information it has.
Sometimes, the Trust needs to share the data it has with third parties. The Trust will only share data for a few, very specific reasons. For example, we might need to share data for a new IT system which will help patient care; we might need to share data with the local authorities or other healthcare providers; or we might need to examine how we are performing as a Trust by comparing patient data against others.
For more information on the legal basis behind the information sharing, please see the privacy notice here
When we are approached with a request to share our data, we will examine very carefully every request where the data will be shared with others outside the Trust.
What we share, and how we share it, will differ with every request. As part of the Trust’s commitment to “data protection by design”, the Trust has published the guidance below to clarify what steps will be taken every time we are asked to consider sharing data, and what we expect of the requesting organisation.
This process helps to balance the subject’s rights to privacy with the Trust’s own requirements, both legal and operational.
We also hope that staff members, and organisations who wish to use our data, understand the steps required before the Trust will consider sharing the data.
There are several steps we must take before we can consider sharing data. To be transparent, this page sets out those steps.
If we are asking another organisation to do something on our behalf, then we have a “controller-processor” relationship. There must be a written contract in place before we start.
The contract (or other legal act) sets out details of the processing including:
Contracts must set out:
We also need to see the following points covered, usually included as terms or clauses:
In addition to the contract, the Data Security & Protection team needs to evidence the following:
The contract should be produced by a supplier and the DS&P team will need to confirm that the Trust is happy with the contract from a data security perspective: the DS&P team needs to decide whether the certification provides sufficient assurances, and judge the risks appropriately.
Once the contract is agreed the DS&P team will:
If the relationship between the Trust and the third party is to share data then an Information Sharing Agreement (ISA) is required. There is a separate policy which details what is involved with the ISA. If we are approached by a third party looking to share data with us we would expect them to complete an ISA. There is a template here which can be used in its absence.
The Data Sharing Agreement will need to be approved by the Data Security & Protection (DS&P) Committee. No data sharing must take place without this agreement.
Once a completed ISA has been received, the DS&P team will perform the following checks on the third party:
The ISA will need to be approved by the DS&P Committee. The dates are published on Connect and any ISA will need to be added to the agenda at least 1 week before the date of the Committee.
Once the ISA has been agreed the data can be shared. The DS&P team will amend the data flow maps where relevant. The staff member responsible for bringing the sharing agreement to Committee will be responsible for signing the sharing agreement and will need to agree who will become the Information Asset owner.
First, decide whether the project is clinical audit, research or service evaluation:
In the first instance, contact the Clinical Audit Team on x31073 to discuss your project.
The clinical audit team will need a completed Clinical Audit Project Plan Template from you.
The project plan will be submitted for approval to the Trust R&D Governance Group which meets monthly (or directly to the Chair of the Committee when urgent).
We will also need your proposed audit tool (or questionnaire or data collection form).
Once approved, your project will now be registered on the Clinical Audit Programme.
The clinical audit can begin. The team require that the findings are:
On completion, the clinical audit team require:
If your project is Research then the Trust always follows this process:
Before the research project can begin the following will be considered and documented by the Trust in order to ensure the research project follows the appropriate safeguards:
The Trust needs to know what data is being collected, where it is being used, and for what purpose.
If the research project has approval it can begin. The Trust requires:
We recognise the data subject has rights regarding what happens to their data. These rights can be waived if following them would seriously impair the achievement of the research. This decision is made by the Trust.
Unlike clinical audit or research, a service evaluation is conducted solely to define or judge the current care or service provision. It answers the question ‘What standard does this service achieve?’
If you wish to evaluate a service then the Trust needs a protocol to be agreed by the local Research team.
The completed service evaluation will need to be reported back to the research team.
It is highly unlikely the Trust would share data outside of the above scenarios; however, if your requirements do not match any of the above scenarios then please contact the Data Security & Protection team on 01332 623700 x31121 or firstname.lastname@example.org