Privacy Notice
This privacy notice is for Forward Leeds service users. Forward Leeds is a service Waythrough and partners provide in Leeds. We are funded primarily by Leeds City Council to provide this service.
Waythrough adheres to the Data Protection Act 2018 in relation to how we collect and process information that identifies you as an individual. This type of information is called personal data.
Please note: If you started using our services prior to 1st October 2022, this privacy notice does not apply and you should request a copy of the information you received at the time from the service. You can also contact caldicott.guardian@waythrough.org.uk
Managing Your Information
Waythrough is the Data Controller for Forward Leeds, which means that we decide how data is processed and the purpose for the processing. We are accountable for ensuring that your rights are respected and that the data is processed lawfully. Should a breach occur, it is our responsibility to report it to the Information Commissioner’s Office (ICO) if there is a high risk to your rights or freedoms as per the UK General Data Protection Regulation (UK GDPR).
We sub-contract Data Processors who are our partners Barca-Leeds, St. Anne’s Community Services, Leeds and York Partnership NHS Foundation Trust to support people recovering from drug and alcohol addiction through prescribing, detox, mental health and general and community support services.
We subcontract St Martin’s as a Data Processor to provide prescribing services.
What We Use and Why
We use personal data like your name, address, date of birth, NHS number and contact details so that we can provide you with a service.
We also use more sensitive data about your health; and demographic data such as your gender, sex life (specifically relationships), sexual orientation, race and ethnicity and religious beliefs. This is called Special Category Data which requires extra protection.
If you are subject to the criminal justice system, we may process some criminal offence data about you so that we can provide you with our service and so that we can manage risks to you, to our team and to the public.
How We Collect Your Data
We receive your data from you and sometimes from other people like your GP, local authority/social care services, primary care services, hospital, police, probation, youth offending, schools, colleges (and other education providers), benefits agency/DWP/Job Centre Plus, and housing services. This list is not exhaustive, anyone (including yourself) can refer you into our service.
We may receive your data by telephone, email, outreach teams, electronic web form or by post.
Lawful Reasons for Processing
The lawful reasons (known as lawful bases) for processing are set out in the UK General Data Protection Regulation (UK GDPR). At least one of these must apply whenever we process personal data.
We use the lawful basis of Legitimate Interests to process your data, to provide you with the service. Where we deliver community orders (such as ATR, DRR, CBO or civil injunctions) we may also process your data upon a Public Task.
We process your health data using the Article 9 condition (h) Health or Social care. We only process what is necessary for the purpose; and processing is overseen by a health professional bound by the common law duty of confidentiality. This is further supported by Schedule 1 Condition 2; Health and Social Care Purposes.
In addition to health data, we process a minimal amount of other special category data such as; data about your racial or ethnic origin, religious or philosophical beliefs, sex life/relationships, sexual orientation and we use this data for two clear purposes. We have outlined these below and their relevant Article 9 conditions:
- For demographic purposes and statistical analysis. Upon condition ((j) Archiving, research and statistics (with a basis in law). This is further supported by Schedule 1 Condition 4; Research.
- To meet individual health and social care needs Article 9 condition (h) Health or Social care. This is further supported by Schedule 1 Condition 2; Health and Social Care Purposes.
Where we are processing criminal offence data, we rely on:
- the Schedule 1, Condition 2; Health and Social Care Purposes to work with the prison and probation to provide you with healthcare.
- the Schedule 1, Condition 10; Preventing or Detecting Unlawful Acts, if there is a high risk of reoffending and we need to manage risks in relation to the public.
- the Schedule 1, Condition 18; Safeguarding Children and Individuals of Risk, to manage risks where you may present a risk to the public and service users we work with.
Sharing Your Information with Others (also known as ‘Third Parties’)
There are times when we may share data in the public interests relying on the basis of Public Task or because it is our Legal Obligation to share your information with third parties (usually authorities) and we do not require your consent to be allowed to do this. Sometimes we do not need to make you aware that we are sharing. We will only share the information that is needed; and we only share the minimum information for the purpose.
Examples of this are:
- to report a crime to the police (this includes driving under the influence)
- to report abuse or neglect to social services
- to work in partnership with Safer Leeds where you may be at risk
- to let mental health crisis services know if you are at serious risk
- if you are on a criminal justice order we will inform your Offender Manager or Probation Officer of your engagement.
- to share information in multiagency settings should you be subject to Multi Agency Risk Assessment Conferences (MARAC: to prevent domestic abuse) and/or Multi Agency Tasking And Coordination Meetings (MATAC: to prevent domestic abuse), or Multi Agency Public Protection Arrangements (MAPPA: to prevent reoffending).
- to share information (if requested to by law) with the court of law.
- any other request where we are obliged to share data as per a legal obligation which is laid down in UK law.
- we must share data with the Care Quality Commission (CQC) who are a regulatory body. Wherever possible we anonymise data, but sometimes we are required to share personal data when a serious incident has occurred.
Where we deliver community orders (such as ATR, DRR, CBO or civil injunctions) we may also process your data upon a Public Task and Legitimate Interests when we share with the authorities. In all cases there is a legal requirement for us to use and share your data.
If you were in a life-or-death situation, we use the lawful basis Vital Interests to provide your personal data to the emergency services so that they may save your life.
We rely on the lawful basis of Legitimate Interests to share your personal data with:
- the local authority social care team to provide you with support through partnership working, where risks and vulnerabilities require us to do so in your best interests or in the best interests of others (particularly children, families and adults at risk).
- the local authority housing options team.
- your GP, in order to prescribe you medication.
- pharmacies, in order to prescribe you medication.
- we may share information to your GP where we make the decision that your life or someone else’s is at risk and we believe strongly that the GP is in a key position to help you/others. If we make this decision we will make all reasonable attempts to inform you.
- the prison, probation services, courts and police to share prescribing information and/or arrange ongoing support, if you have recently been released or are going into custody.
- Edward Myers Unit and Chapman Barker Unit (see Detox Beds Privacy Notice)
- MACE (West Yorkshire Police (Chair),Leeds City Council (including Children’s Social Work Services, Youth Justice Service, Early Help, Adults & Health, Leeds Community Health Trust, Leeds and York Partnership NHS Foundation Trust, Leeds Teaching Hospitals NHS Trust. Leeds Integrated Care Board, Flagship, Basis Yorkshire Ambulance Service
- Where we are providing treatment to service users who are patients with Bevan Healthcare we share information to Bevan Healthcare and add your data to their systems so that they may provide prescribing.
- research organisations and funders who carry out evaluation and statistical work. Your data is only shared for research and planning purposes with Caldicott Guardian Approval following our National Data Opt Out Policy. Please see the section below ‘You Can Opt Out of Your Personal Data Being Used For Research and Planning’ which explains this in more detail.
- we must share data with the Care Quality Commission (CQC) who are a regulatory body. Wherever possible we anonymise data, but sometimes we are required to share personal data when a serious incident has occurred.
If our project is decommissioned, we will transfer all your data to the new provider and notify you by letter. We transfer your data on the lawful basis of legitimate interests so that you continue to receive the service you are using. Although we transfer your data, we also keep a copy of your data in line with our retention period (see below “Keeping Your Information”).
All other third-party personal data sharing is decided by you with your explicit consent. You provide us with this information on the Sharing Consent Form. You should update us at any point if you wish us to change these consents.
The Sharing Consent Form will ask you if you wish us to share your data with NDTMS. NDTMS is the National Drug Treatment Monitoring System (NDTMS). It is used by the Office for Health Improvement and Disparities (OHID) to collect information about drug and alcohol treatment in England. If you consent, your treatment service will share some of your treatment information with NDTMS.
You Can Opt Out of Your Personal Data Being Used For Research and Planning
National Data Opt Out is a government policy overseen by the NHS. Waythrough is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as a Waythrough health or social care service, attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
Where your data cannot be anonymised and Waythrough is not confident that you are aware that your personal data may be used for research or planning, Waythrough will generally seek to obtain your explicit consent. However, by providing you with this privacy notice and making you aware of National Data Opt Out, Waythrough is letting you know that we may on occasion use or share your data for research or planning purposes without your consent, based upon a legitimate interest.
Where Waythrough has your NHS number, we can check to see if you have applied an NHS Opt Out to your data being used for this purpose. Patients apply their Opt Out via the NHS National Data Opt Out process. If you have Opted Out, Waythrough will not use or share your data for purposes other than your treatment and care (i.e. Waythrough will not use or share your data for research or planning).
You have a choice about whether you want your confidential patient information to be used for research and planning. If you are happy with this use of information you do not need to do anything. If you do choose to Opt Out of your data being used for research or planning, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to Opt Out, please visit the NHS website www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Please Note: Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. There are also other exemptions when Waythrough does not need to apply Opt Out and these can be reviewed on the Understanding the national data opt-out website
Management Information Systems (MIS)
The service uses a third-party MIS called SystmOne. Your data is held securely and only those who need access, have access to it. This includes staff that support you and also staff who maintain the system. We have policies in place which our staff follow to ensure your data is only accessed appropriately and when necessary.
We also have an incident reporting system called the Hub. This is where we record incidents such as safeguarding, death in service, health and safety and information governance incidents. We would only add your personal data to this system if you were involved in an incident. Each incident has access restrictions. Only those who are interested parties can see it and some staff who maintain the system.
We store some of your personal data on our secure networks which are restricted to our service team and may be accessed under policy by our IT Team should there be a technical issue. All Waythrough workforce abide by data management policies, processes and training.
We cannot offer you a service without storing your details on these systems.
Confidentiality
Information about you may be shared between team members, and recorded on your file and in other records to enable us to give you the best service that we can and get the best possible support for you.
Only what is necessary and proportionate is shared and we are bound by the common law duty of confidentiality. In some circumstances, we may share your data in order to keep you or other people safe which is a legal obligation this is explained in the section above titled Sharing Your Information with Third Parties.
Transferring Your Data Outside of the UK
As part of our day-to-day operations, we do not transfer your data outside of the UK unless with your explicit consent to do so (right to portability).
When a service closes and we archive data in line with our data retention period, we use a third-party Processor called Iron Mountain. Iron Mountain may in some instances, use sub-processors who are based in other countries. Iron Mountain ensures that where required, Standard Contractual Clauses are in place to protect data where it is transferred to another country as per the EU’s adequacy decisions.
Keeping Your Information Safe
We keep your information safe by using secure ways to store it. We only keep what we need and no more than that. Everyone who handles data is trained on how to use it safely and only people who need to use it are able to.
We have a number of people who oversee that data is used safely (see ‘Relevant Contacts’).
Should an incident occur where we breach your data, causing a high risk to your rights or freedoms, we will inform you of this without delay and using the primary contact details you have provided. We will also report this to the Information Commissioner’s Office (ICO), who supervise organisations that handle data.
Keeping Your Information
We keep your personal data for the period stated in our records retention and destruction policy. The policy currently states that we will keep your information for 10 years from the date that the service contract ends which for this service is 31/6/23.
Our service is commissioned for the time period stated above. If we are recommissioned, our contract will be extended. If you stop using our service before we are recommissioned, we will retain your data for the time stated above. If we are recommissioned and you continue to use our service, we will extend the retention date to be 10 years after the end date of the recommissioned service. We will write to inform you of any changes to our retention period. If you do not have a postal address, we will attempt to inform you by other contact methods.
If we are decommissioned we will share your data as a legitimate interest to the new provider and we will delete your information 10 years from the contract end date.
In the event that we change the retention period in our policy, we will update our privacy notice and notify you of this change.
Destroying Your Information
Your data will be securely destroyed at the end of our retention period. It will be destroyed by us if it is electronic. Where we hold paper records, we will use a contractor who will destroy this data on our premises. If destruction is required after data has been archived with a third-party information management provider called Iron Mountain. Iron Mountain act as a Data Processor for Waythrough under contract.
Keeping in Touch With You
As part of your treatment we will contact you at various stages to discuss your progress, deliver interventions and provide reminders around upcoming appointments.
This is usually via the following methods; however this is not an exhaustive list:
- letters
- online platforms such as Zoom or WhatsApp
- phones calls
- home visits (when applicable)
- e-mails*
- text messages*
If you do not wish to be contacted via one or all of these methods or have specific communication needs then please tell us using the Contact Preferences form. You can request this from your worker.
*e-mail & text Messages should be used for non-urgent contact only. Recovery Coordinators have e-mail accounts and mobile phones but will not routinely access them throughout the day. We always recommend phoning the service if you require assistance urgently (for example cancelling / rearranging upcoming appointments).
Your Data Rights
Under the Data Protection Act 2018 and UK GDPR, you have the following rights:
- to be informed about the collection and use of your personal data.
- to access your personal data (known as Subject Access Request).
- to have inaccurate personal data rectified; or completed if it is incomplete.
- to have personal data erased (known as the right to be forgotten).
- to request the restriction or suppression of your personal data.
- to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
- to object to the processing of your personal data in certain circumstances.
We do not use any automated decision making (decisions made by a computer) or profiling (when an automated system is used to assess certain things about you) when we use your data.
Please note that some of these rights only apply in certain situations and we may not be able to fulfil every request. Where we say no to a request, we will always explain our decision in full, within the timeframe that the law says. Should you request that your data is erased please be aware that we will be unable to continue offering you a service as we require your personal data to do this effectively and safely.
To request access to your data or to contact us about any of the rights we have listed, you can request this through the service or contact our Caldicott Guardian (see below; Relevant Contacts).
How To Complain
If you are unhappy about an issue relating to your data you can complain to us through the service you attend; or if you would feel more comfortable, you can contact the Waythrough Caldicott Guardian (see below; Relevant Contacts).
To make a formal complaint to the independent regulator for personal data in the UK about the way we have used your data, contact the Information Commissioner’s Office (ICO):
https://ico.org.uk/make-a-complaint/ or call ICO on 0303 123 1113
Relevant Contacts
Forward Leeds, 74 Kirkgate, LEEDS, LS2 7DJ or Tel: 0113 887 2477
You can write to us at Waythrough, Inspiration House, Unit 22 Bowburn North Industrial Estate DH6 5PF.
You can contact our Caldicott Guardian by email caldicott.guardian@waythrough.org.uk or by phone 01325 731 160.