Viaduct Care CIC Privacy Notice

Who we are

Viaduct Care CIC are committed to ensuring that we’re transparent about the ways in which we use your personal information and that we have the right controls in place to ensure it is used responsibly and is kept safe from inappropriate access, theft or misuse.

This privacy notice is part of our programme to make transparent the data processing activities we carry out in order to deliver our services.

This privacy notice explains how we use your personal information and tells you about your privacy rights and how the law protects you.

Our Commitment to Data Protection and Confidentiality.

Viaduct Care CIC is committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998

Everyone working for Viaduct Care CIC has a legal duty to keep information about you confidential. The NHS Constitution contains pledges that the NHS is committed to achieve, including your rights concerning confidentiality. All NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing

If you are receiving services from Viaduct Care CIC, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us;

OR

  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2021.

Personal information

Personal information can be anything that identifies and relates to a living person. This can include information that when linked with other information, allows a person to be uniquely identified. For example, this could be your name and contact details.

The law treats some types of personal information as ‘special’ because the information requires more protection due to its sensitivity. This information consists of:

  • racial or ethnic origin
  • sexuality and sexual life
  • religious or philosophical beliefs
  • trade union membership
  • political opinions
  • genetic and bio-metric data
  • physical or mental health
  • criminal convictions and offences

Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as a NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place)

Purposes of processing personal information

Viaduct Care CIC do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to keep you regularly informed and up-to-date about the work of the organisation, or if you are actively involved in our engagement and consultation activities or service user participation groups
  • it is in our legitimate interests (or those of a third party) provided your interests and fundamental rights do not override those interests
  • it’s necessary to protect public health
  • you, or your legal representative, have given consent
  • you have entered into a contract with us
  • it’s necessary for employment related purposes
  • it’s necessary to deliver health or social care services

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:

The Information we process and share.

Your personal information may also be shared with other organisations, such as those who assist us in providing services and those who perform technical operations on our behalf.

These practical arrangements and the laws governing the sharing and disclosure of personal information often differ from one service to another.

The following table lists the purposes and rationale for why we collect and process information.

Purpose for processing Legal Basis / Rationale
Complaints To process your personal information if it relates to a complaint where you have asked for our help or involvement
Safeguarding We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns
Human Resources We will collect and process identifiable information in relation to Viaduct Care CIC employees.
Invoice Validation A small amount of information that could identify you is used within a special secure area within the commissioning environment, known as a Controlled Environment for Finance (CefF), so that the organisations that have provided care for you can be paid

 

Closed Circuit Television (CCTV)

Closed circuit television (CCTV) is in operation at Merseyway Innovation Centre.

There will be clear signs outside the relevant buildings to advise you that CCTV is in operation.

Requests by individuals for images relating to themselves a “Subject Access Request” should be submitted in writing to Oxford Innovation via info@oxin.co.uk or by contacting (0)1865 261 480 or by writing to; Oxford Innovation Ltd. Oxford Centre for Innovation, New Road, Oxford OX1 1BY.

Confidentiality Advice and Support

Viaduct Care CIC has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information sharing.

The contact detail of our Caldicott Guardian is as follows:

Dr Viren Mehta, GP Chief Accountable Officer

Email: Via.viaductcarefeedback@nhs.net

Telephone: 0161 204 4675

Freedom of Information

Viaduct Care CIC is a Community Interest Company and is not subject to the Freedom of Information Act 2000, which applies to public authorities. However, we are committed to being open and transparent in our operations and may choose to respond to information requests on a discretionary basis where appropriate and lawful.

If you would like to request information about Viaduct Care CIC or our services, please contact us at:
via.viaductcarefeedback@nhs.net

Viaduct Care CIC, Office 25, Merseyway Innovation Centre, 21–23 Merseyway, Stockport, SK1 1PN

Detect and prevent fraud or crime

By law, we have to protect the public funds we administer. We may use any of the information you provide to prevent and detect fraud. We may share this information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.

We may use data matching to identify errors and potential frauds and we take part in national data matching exercises undertaken by the Audit Commission where permitted under the Data Protection Act.

We may share the information we hold with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent the risk of harm to an individual.

Data Transfers beyond the United Kingdom

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Data Retention/criteria

We will only keep your personal information for as long as the law specifies. Where the law does not specify this, we will keep your personal information for the length of time determined by our business requirements, which are in line with the NHS Records Management Code of Practice.

How we keep your information safe

We are committed to ensuring your personal information is safe and protected from accidental loss or alteration, inappropriate access, misuse or theft.

As well as technical, physical and organisational controls, we recognise that a ‘well trained’, informed and security alert workforce minimises privacy risks from human error and/or threats.

We require our service providers to implement appropriate industry standard security measures. We only permit them to process your personal information for specified purposes in accordance with our contractual instructions.

Viaduct Care CIC has a Senior Information Risk Officer (SIRO) who  is responsible for overseeing the delivery of the organisation’s Information Governance agenda to ensure that all information used in the organisation, but especially that relating directly or indirectly to patient care, is managed carefully, responsibly, within current law and with due regard to considerations of privacy.

The contact details for our SIRO are as follows:

Graham Rose, Finance and Contracts Director

Email: Via.viaductcarefeedback@nhs.net

Telephone: 0161 204 4675

Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal data we hold about you.

You may exercise the rights listed below in relation to our use of your personal information. Some rights are absolute and others are not.

To find out more about how these rights apply in particular circumstances, please refer to our Guide to exercising your rights, Data Subject Rights. For more information about your rights, visit the Information Commissioner’s web site at www.ico.org.uk

To raise a concern about the handling of your personal information by Viaduct Care CIC, please contact our Data Protection Officer (DPO)

Email: via.viaductcarefeedback@nhs.net

To request any of the following, please write to Viaduct Care CIC, Office 25, Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN.

Whether you are exercising your rights or raising a concern, you will normally need to include documents that prove your identity as well as a clear and precise description of your request/concern.

We will process requests in accordance with the legislative framework and the statutory time scales and inform you should an extension of time be necessary.

Access:

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you, we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible form.

To make a request to any personal information we may hold you need to put the request in writing to our contact address provided further below.

Rectification & Erasure:

You may request that we rectify or delete any of your personal information if you consider it is incomplete, factually incorrect, processed unlawfully or, is unnecessary or no longer needed.

Review of automated decision-making:

Our Guide to exercising you Rights [link] outlines the procedure to ask us for an automated decision to be reviewed by an appropriate officer.

Objection:

You may object, at any time, to your personal information being processed.

This applies to processing:

  • carried out in performance of our statutory functions or in the public interest, including ‘profiling’
  • For direct marketing purposes

Restriction of Processing:

You may request restriction of processing (quarantining) of your personal information reasons, such as, for example:

  • If you have objected to the processing or asked us for erasure and we need time to consider your request and let you know our decision
  • You require us to retain your information for the establishment, exercise or defence of your own legal rights

Data Portability:

In defined circumstances, either where the processing relies on your consent or arises out of a legal contract, you may request we supply a copy of personal information that you have provided to us in a portable and machine-readable format.

Right to Withdraw Consent / Opt-Out

NHS Digital has developed a system to support the national data opt-out that gives users more control over how identifiable health and care information is used. This will effectively opt out of confidential patient information being used for reasons other than their individual care and treatment. It will be available from 25 May 2018. To read more visit the website https://digital.nhs.uk/services/national-data-opt-out-programme

Viaduct Care Academy Website

Viaduct Care Academy may collect and process personal data from you when you book onto our events, purchase any services or memberships, sign up to our digital marketing or use any of our websites:

 

 

Personal information Viaduct Care Academy may collect and process from you includes:

 

Contact information – such as your name, address, telephone number and email address.

Financial information – such as your bank account details or payment-related data.

Technical information – this may include your IP address, browser details, location analytics, login details and any other technology information related with you using our site.

Information provided to us by our clients which enable us to provide our services to their staff – this could include email addresses, account details or device identifiers.

Any other personal information you may provide to us in the process of us providing you with our services.

 

Sensitive personal data

Under the UK General Data Protection Regulation 2021, and Data Protection Act 2018, sensitive personal data is data which includes information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your physical and/or mental health, genetic data, and biometric data.

Viaduct Care Academy does not routinely collect sensitive personal data about you – if we were to require it for any reason, we would seek explicit consent from you to receive and process this.

 

Viaduct Care Academy will only use your personal data for the following reasons:

To provide you with the services we offer as a business.

To provide you with information you have requested from us.

To keep you updated on our business, events and any news we may have.

To manage our relationship with you as an existing or potential member.

To fulfil any legal or contractual obligations we may have which require the processing of personal data.

Viaduct Care Academy can collect data about you via a variety of methods:

From direct actions we may have with you by communicating via phone, email or post.

When you sign-up to services on our website – including our mailing list, contact forms, signing up for events, or purchasing a service/membership.

From automated technologies or interactions as you use our website from analytics engines and cookies – please see our section on cookies for more details.

When you sign-up to attend any events we may hold.

When you provide information to us as part of our sign-up process with you as a client.

Viaduct Care Academy may need to share your information with third parties in order to provide you with our services, or to market you, these third parties include:

  • Microsoft
  • Sage Cloud
  • Sponsors of our events

Where we do share your information with third parties, Viaduct Care Academy ensures that the highest levels of data protection are in place in accordance with the law. Third parties with whom we share data are only permitted to process this data for the specified purposes we stipulate with them.

Viaduct Care Academy does not sell your information onto third parties.

Cookies

Our website uses cookies to track the use of it. This allows us to better understand patterns on our website and how we can develop and improve it, as well as analysing the traffic on our site for marketing or advertising purposes.

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

The cookies we use:

  • Login related cookies:

We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.

  • Forms related cookies:

When you submit data to through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.

  • Site preferences cookies:

In order to provide you with a great experience on this site we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page is affected by your preferences.

  • Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

  • This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Analytics page.

  • From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features, these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The method for doing so differs with each browser, the following guides for the most common internet browsers detail the processes for doing this:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Safari
  • Microsoft Edge

Blocking cookies may impact your experience on our website as you may not be able to make full use of the features on it.

Complaints (ICO)

If you are not satisfied with the way we have answered a request from you or handled your personal information, you have the right to make a complaint to the Information Commissioner https://ico.org.uk/global/contact-us/

This right is not dependant on you raising a complaint with us first but we would encourage you to contact us by emailing via.viaductcarefeedback@nhs.net so we can consider your concerns as quickly as possible.

Updates

We may update or revise this privacy notice at any time so please refer to the version published on our website for the most up to date details.