Privacy Policy
What personal data we collect on this website and why we collect it
Analytics
We use a company called Google to collect and analyse information about the use of our website. This information helps us to measure understand how visitors use our website. If you have an account with Google, manage your advertising settings, otherwise you can manage these settings through your web browser. Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.Privacy Notice for everyone who uses the New Vision Bradford service
This privacy notice is for New Vision Bradford service users. New Vision Bradford is a service Waythrough and partners provide across the Bradford. We are commissioned by Bradford Metropolitan District Council and the NHS West Yorkshire Integrated Care Board (through the Bradford District and Craven Health and Care Partnership). Waythrough adheres to the Data Protection Act 2018 in relation to how we collect and process information that identifies you as an individual. This type of information is called personal data. Please note: If you started using our services prior to 1st October 2022, this privacy notice does not apply and you should request a copy of the information you received at the time from the service. You can also contact caldicott.guardian@humankindcharity.org.ukManaging Your Information
Waythrough is the Data Controller for New Vision Bradford, which means that we decide how data is processed and the purpose for the processing. We are accountable for ensuring that your rights are respected and that the data is processed lawfully. Should a breach occur, it is our responsibility to report it to the Information Commissioner’s Office (ICO) if there is a high risk to your rights or freedoms as per the UK General Data Protection Regulation (UK GDPR). We sub-contract Data Processors who are our partners The Bridge Project, Airedale Voluntary Drug and Alcohol Agency trading as Project 6 and Create Strength Group to support people recovering from drug and alcohol addiction through prescribing, detox, mental health and general and community support services.What We Use and Why
We use personal data like your name, address, date of birth, NHS number and contact details so that we can provide you with a service. We also use more sensitive data about your health; and demographic data such as your gender, sex life (specifically relationships), sexual orientation, race and ethnicity and religious beliefs. This is called Special Category Data which requires extra protection. If you are subject to the criminal justice system, we may process some criminal offence data about you so that we can provide you with our service and so that we can manage risks to you, to our team and to the public.How We Collect Your Data
We receive your data from you and sometimes from other people like your GP, local authority/social care services, primary care services, hospital, police, probation, youth offending, schools, colleges (and other education providers), benefits agency/DWP/Job Centre Plus, and housing services. This list is not exhaustive, anyone (including yourself) can refer you into our service. We may receive your data by telephone, email, outreach teams, electronic web form or by post.Lawful Reasons for Processing
The lawful reasons (known as lawful bases) for processing are set out in the UK General Data Protection Regulation (UK GDPR). At least one of these must apply whenever we process personal data. We use the lawful basis of Legitimate Interests to process your data, to provide you with the service. Where we deliver community orders (such as ATR, DRR, CBO or civil injunctions) we may also process your data upon a Public Task. We process your health data using the Article 9 condition (h) Health or Social care. We only process what is necessary for the purpose; and processing is overseen by a health professional bound by the common law duty of confidentiality. This is further supported by Schedule 1 Condition 2; Health and Social Care Purposes. In addition to health data, we process a minimal amount of other special category data such as; data about your racial or ethnic origin, religious or philosophical beliefs, sex life/relationships, sexual orientation and we use this data for two clear purposes. We have outlined these below and their relevant Article 9 conditions:- For demographic purposes and statistical analysis. Upon condition ((j) Archiving, research and statistics (with a basis in law). This is further supported by Schedule 1 Condition 4; Research.
- To meet individual health and social care needs Article 9 condition (h) Health or Social care. This is further supported by Schedule 1 Condition 2; Health and Social Care Purposes.
- the Schedule 1, Condition 2; Health and Social Care Purposes to work with the prison and probation to provide you with healthcare.
- the Schedule 1, Condition 10; Preventing or Detecting Unlawful Acts, if there is a high risk of reoffending and we need to manage risks in relation to the public.
- the Schedule 1, Condition 18; Safeguarding Children and Individuals of Risk, to manage risks where you may present a risk to the public and service users we work with.
Sharing Your Information with Others (also known as ‘Third Parties’)
There are times when we may share data in the public interests relying on the basis of Public Task or because it is our Legal Obligation to share your information with third parties (usually authorities) and we do not require your consent to be allowed to do this. Sometimes we do not need to make you aware that we are sharing. We will only share the information that is needed; and we only share the minimum information for the purpose. Examples of this are:- to report a crime to the police (this includes driving under the influence)
- to report abuse or neglect to social services
- to work in partnership with Safer Leeds where you may be at risk
- to let mental health crisis services know if you are at serious risk
- if you are on a criminal justice order we will inform your Offender Manager or Probation Officer of your engagement.
- to share information in multiagency settings should you be subject to Multi Agency Risk Assessment Conferences (MARAC: to prevent domestic abuse) and/or Multi Agency Tasking And Coordination Meetings (MATAC: to prevent domestic abuse), or Multi Agency Public Protection Arrangements (MAPPA: to prevent reoffending).
- to share information (if requested to by law) with the court of law.
- any other request where we are obliged to share data as per a legal obligation which is laid down in UK law.
- we must share data with the Care Quality Commission (CQC) who are a regulatory body. Wherever possible we anonymise data, but sometimes we are required to share personal data when a serious incident has occurred.
- the local authority social care team to provide you with support through partnership working, where risks and vulnerabilities require us to do so in your best interests or in the best interests of others (particularly children, families and adults at risk).
- the local authority housing options team.
- your GP, in order to prescribe you medication.
- pharmacies, in order to prescribe you medication.
- we may share information to your GP where we make the decision that your life or someone else’s is at risk and we believe strongly that the GP is in a key position to help you/others. If we make this decision we will make all reasonable attempts to inform you.
- the prison, probation services, courts and police to share prescribing information and/or arrange ongoing support, if you have recently been released or are going into custody.
- research organisations and funders who carry out evaluation and statistical work. Your data is only shared for research and planning purposes with Caldicott Guardian Approval following our National Data Opt Out Policy. Please see the section below ‘You Can Opt Out of Your Personal Data Being Used For Research and Planning’ which explains this in more detail.
- we must share data with the Care Quality Commission (CQC) who are a regulatory body. Wherever possible we anonymise data, but sometimes we are required to share personal data when a serious incident has occurred.
You Can Opt Out of Your Personal Data Being Used For Research and Planning
National Data Opt Out is a government policy overseen by the NHS. Waythrough Charity is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as a Humankind health or social care service, attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
Management Information Systems (MIS)
The service uses a third-party MIS called SystmOne. Your data is held securely and only those who need access, have access to it. This includes staff that support you and also staff who maintain the system. We have policies in place which our staff follow to ensure your data is only accessed appropriately and when necessary. We also have an incident reporting system called the Hub. This is where we record incidents such as safeguarding, death in service, health and safety and information governance incidents. We would only add your personal data to this system if you were involved in an incident. Each incident has access restrictions. Only those who are interested parties can see it and some staff who maintain the system. We store some of your personal data on our secure networks which are restricted to our service team and may be accessed under policy by our IT Team should there be a technical issue. All Waythrough workforce abide by data management policies, processes and training. We cannot offer you a service without storing your details on these systems.Confidentiality
Information about you may be shared between team members, and recorded on your file and in other records to enable us to give you the best service that we can and get the best possible support for you. Only what is necessary and proportionate is shared and we are bound by the common law duty of confidentiality. In some circumstances, we may share your data in order to keep you or other people safe which is a legal obligation this is explained in the section above titled Sharing Your Information with Third Parties.Transferring Your Data Outside of the UK
As part of our day-to-day operations, we do not transfer your data outside of the UK unless with your explicit consent to do so (right to portability). When a service closes and we archive data in line with our data retention period, we use a third-party Processor called Iron Mountain. Iron Mountain may in some instances, use sub-processors who are based in other countries. Iron Mountain ensures that where required, Standard Contractual Clauses are in place to protect data where it is transferred to another country as per the EU’s adequacy decisions.Keeping Your Information Safe
We keep your information safe by using secure ways to store it. We only keep what we need and no more than that. Everyone who handles data is trained on how to use it safely and only people who need to use it are able to. We have a number of people who oversee that data is used safely (see ‘Relevant Contacts’). Should an incident occur where we breach your data, causing a high risk to your rights or freedoms, we will inform you of this without delay and using the primary contact details you have provided. We will also report this to the Information Commissioner’s Office (ICO), who supervise organisations that handle data.Keeping Your Information
We keep your personal data for the period stated in our records retention and destruction policy. The policy currently states that we will keep your information for 10 years from the date that the service contract ends which for this service is 31/6/23. Our service is commissioned for the time period stated above. If we are recommissioned, our contract will be extended. If you stop using our service before we are recommissioned, we will retain your data for the time stated above. If we are recommissioned and you continue to use our service, we will extend the retention date to be 10 years after the end date of the recommissioned service. We will write to inform you of any changes to our retention period. If you do not have a postal address, we will attempt to inform you by other contact methods. If we are decommissioned we will share your data as a legitimate interest to the new provider and we will delete your information 10 years from the contract end date. In the event that we change the retention period in our policy, we will update our privacy notice and notify you of this change.Destroying Your Information
Your data will be securely destroyed at the end of our retention period. It will be destroyed by us if it is electronic. Where we hold paper records, we will use a contractor who will destroy this data on our premises. If destruction is required after data has been archived with a third-party information management provider called Iron Mountain. Iron Mountain act as a Data Processor for Waythrough under contract.Keeping in Touch With You
As part of your treatment we will contact you at various stages to discuss your progress, deliver interventions and provide reminders around upcoming appointments. This is usually via the following methods; however this is not an exhaustive list:- letters
- online platforms such as Zoom or WhatsApp
- phones calls
- home visits (when applicable)
- e-mails*
- text messages*
Your Data Rights
Under the Data Protection Act 2018 and UK GDPR, you have the following rights:- to be informed about the collection and use of your personal data.
- to access your personal data (known as Subject Access Request).
- to have inaccurate personal data rectified; or completed if it is incomplete.
- to have personal data erased (known as the right to be forgotten).
- to request the restriction or suppression of your personal data.
- to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
- to object to the processing of your personal data in certain circumstances.