NECU Data Protection Privacy Policy
About Our Work
The National Elective Co-Ordination Unit (NECU) was established to support the matching of available capacity within NHS Health boards to demand on a once for Scotland basis in order to support the recovery and management of waiting times across planned care.
Working collaboratively with NHS Scotland Health Boards, NECU is supporting health boards to ensure that planned care waiting lists are accurate. This ensures that patients are seen as soon as possible and in the most appropriate manner.
Patients who are currently on an NHS Scotland waiting list for treatment are being contacted by NECU to ensure that they still want to be on the waiting list. This is performed through both text messaging and telephone call by the NECU team.
The NECU team are based within the NHS Golden Jubilee National waiting times centre and are part of NHS Golden Jubilee Health Board.
In order to facilitate the process of ensuring patients still want to be on a planned care waiting list (waiting list validation), NECU are working with a digital supplier, DrDoctor.
About NHS Golden Jubilee
NHS Golden Jubilee is a public organisation created in Scotland under the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).
The NHS Golden Jubilee, which is the brand name for the National Waiting Times Centre Board, is a registered Data Controller on the Information Commissioner’s Office (ICO) website.
About DrDoctor
DrDoctor is a patient engagement portal used by NECU to send questions to patients and manage the responses received. This is a secure system, based in the UK, which has been assessed and approved for use within the digital framework for NHS Scotland.
DrDoctor are a fully compliant supplier to the NHS and meet an extensive set of international and industry-specific compliance standards such as ISO 27001, HIPAA, FedRAMP and SOC 2.
About The Personal Information We Use
NHS Health Boards across Scotland will be supplying NECU with patient information in order to deliver this service. The information provided about patients involves the following information:
- Patient’s name
- Date of birth
- Community Health Index Number (CHI number)
- Telephone number
- Email address (where available)
- Which waiting list they are on
No clinical information about you (beyond which waiting list you are on) is shared with the NECU. The team at NECU are not provided with any access to any part of your medical records. Information will only be shared for patients who are currently waiting for treatment on a waiting list.
Our Purposes for Using Personal Information
Under the 1978 Act NHS Golden Jubilee has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the health and wellbeing of our patients and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients, data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.
Our Legal Basis for Using Personal Information
NHS Golden Jubilee, as data controller, is required to have a legal basis when using personal information.
NHS Golden Jubilee considers that performance of our tasks and functions is in the public interest. So, when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
In some situations, we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be for compliance with a legal obligation to which NHS Golden Jubilee is subject; for example, under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services; or
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research; or
- in order to protect the vital interests of an individual; or
- for the establishment, exercise or defence of legal claims or in the case of a court order
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this, we will explain what it means, and the rights that are available to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
Who Provides Personal Information
NECU receives personal information about patients on waiting lists from individual Health Boards.
The personal information shared with NECU is limited to only what is necessary for the purpose of contacting patients to confirm the appointment.
Sharing Personal Information With Others
The data will only be shared between the NHS Board of residence and NECU for the purposes of waiting list validation.
Transferring Personal Information Abroad
Personal data of patients will not be transferred outside of the United Kingdom.
Retention Periods of Information We Hold
The personal data will be destroyed by NECU upon return of the outcomes to the NHS Board of residence, or within 3 months of campaign completion, whichever is sooner.
How We Protect Personal Information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential.
The following security measures are in place to protect personal information:
- All staff undertake mandatory training in Data Protection and IT Security
- Compliance with NHS Scotland Information Security Policy
- Organisational policy and procedures on the safe handling of personal information
- Access controls and audits of electronic systems
Your rights
This section contains a description of your data protection rights within NHS Golden Jubilee.
The Right To Be Informed
NHS Golden Jubilee must explain how we use your personal information. We use several ways to communicate how personal information is used, including:
- This Data Protection Notice
- Our main Data Protection Notice
- Information leaflets
- Discussions with staff providing your care.
The Right Of Access
You have the right to access any data we may hold about you. Any request in relation to right of access for the national validation campaign will be managed by NHS Golden Jubilee following the standard processes already in place for right of access requests.
If you require to access the information we hold in relation to this campaign, the NECU team will engage with the NHS Board of residence and the Data Protection Officer at both Boards to ensure the request is being managed by the appropriate organisation.
The first point of contact for this is IG@GJNH.SCOT.UK
The Right To Rectification
If you identify an error in the information we hold about you in relation to the national validation campaign, NECU will communicate this back to the NHS Board of residence for the information to be corrected.
For example, a patient may initially ask to remain on a waiting list, but subsequently change their response. In this instance, if NECU are the primary contact from the patient this information will be shared with the NHS Board of residence for updating of the patient waiting list entry.
The Right To Object
The right to object to your information being processed in this case does not apply as the validation of waiting lists to ensure timely care is considered a part of our ‘public task’ as it is essential to patient care.
Right To Restrict Processing (Where Applicable)
Requests to restrict the right to processing will be managed under the current NHS Golden Jubilee processes and will be assessed if such a request is made.
Right To Data Portability (Where Applicable)
Information can be supplied in different formats if requested.
Right To Erasure (Where Applicable)
This right does not apply in these circumstances involving health records.
Rights In Relation To Automated Decision-Making And Profiling (Where Applicable):
Although NECU employ automated systems to support decision making, the outcomes from responses by patients to these systems are actioned by individuals within the NHS Board of residence and are collated by NECU prior to this.
The Right To Complain
NHS Golden Jubilee employ a Data Protection Officer (DPO) to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer using the contact details below.
Mrs Sharon Stott
Head of Digital Governance/DPO
eHealth Department
Golden Jubilee National Hospital
Agamemnon Street
Clydebank, G81 4DY
Tel: 0141 951 5765
Email: Sharon.stott@gjnh.scot.nhs.uk
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website. The Data Controller registration number on the ICO website is Z7996020.
Download the Waiting List Validation Data Protection Privacy Policy.