In order to deliver services to our patients, service users and communities across Yorkshire and the Humber, it is necessary for the Trust to collect and process personal data about patients, staff and other individuals.
In compliance with the General Data Protection Regulations 2016 and the Data Protection Act 2018 the Trust is registered as a Data Controller with the Information Commissioners Office (ICO). This registration can be viewed on the ICO Website. Registration Number Z9548121.
As a Data Controller, the Trust determines the purpose and methods for processing information and ensures safeguards over any personal and/or sensitive information it handles.
The sections below explain the specific arrangements the Trust has in place to protect the information entrusted to it.
Contact Details for Yorkshire Ambulance Service NHS Trust:
Yorkshire Ambulance Service HQ
Wakefield 41 Business Park
Tel: 0845 120 0048
Data Protection Officer:
The Trust's designated Data Protection Officer is the Trust Solicitor, Caroline Balfour and can be contacted by email: YAS.DPO@nhs.net
Yorkshire Ambulance Service NHS Trust provides an emergency ambulance and non-emergency patient transport service throughout the Yorkshire region as well as an urgent (non-emergency) medical help and advice line (NHS 111).
When you contact us as a patient, we collect information about you and keep records about the service we provide. We may also record information about you if you contact us for any other reason. We are a data controller and process your personal data in accordance with the General Data Protection Regulations.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- General Data Protection Regulation 2016
- Human Rights Act
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality and Information Security
- Health and Social Care Act 2015
The General Data Protection Regulations (GDPR) state those who record and process personal information must be open about how the information is used, and must ensure personal data are:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific, lawful and legitimate purposes
- Adequate, relevant and limited to what is necessary for the purpose
- Accurate and up to date
- Kept for no longer than necessary
- Protected and processed securely
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services; or
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate and respect people's rights, for example research; or
- in order to protect the vital interests of an individual; or
- for the establishment, exercise or defence of legal claims or in the case of a court order.
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. If consent is required, all patients have the right to withdraw their consent at any time.
What types of information will we record about you?
We log details electronically when we receive a call for help in an emergency, a call for urgent (non-emergency) medical help and advice through our NHS 111 service or a booking for the patient transport service that we operate.
If one of our ambulance crews attends you, or you are transferred between hospitals by ambulance, we will collect information about you to help us identify and treat you. This will be recorded on a patient clinical record along with details of your symptoms and condition, and any treatment we give you.
We are also required to record details of your ethnicity and other information to help us monitor the equality of the services we provide.
To provide you with urgent (non-emergency) medical help and advice through our NHS 111 service, we will collect information about you to help us identify you and provide you with appropriate medical help and advice. We will record information about your condition and the advice we have provided. This information will be recorded on a computer system.
To enable us to meet the needs of patients with complex health or emotional needs or who cannot manage their healthcare themselves, a patient’s GP or Urgent Care and Out-of-Hours Primary Medical Care Service may pass NHS 111 clinical advisors some specific information to enable us to provide the most appropriate medical help and advice. The GP or Urgent Care and Out-of-Hours Primary Medical Care Services should involve the patient in the decision to provide us with this information.
To provide you with a patient transport service, we will record details about where you live, where we will be taking you and some details about your circumstances for administration purposes. Your transport may be provided by our own staff and volunteers along with other transport providers working under contract to the Trust.
Where you have provided us with your mobile phone number, our Patient Transport Services operates a text message reminder service for patient transport. Our urgent (non-emergency) medical help and advice line (NHS111) also offers a text message reminder service for primary care appointments we book for you. If your mobile phone number changes or you no longer wish to receive a reminder message by text message, please let us know when you next contact us.
If you make a complaint or an enquiry about the service we have provided, or have contact with us on another matter, we will keep a record of all the relevant details in a file for reference purposes. In some cases, with your permission we may need to obtain information from the hospital we have taken you to in order to investigate a complaint.
We record all 999 calls, calls for non-emergency bookings and calls to the urgent (non-emergency) medical help and advice line (NHS 111) for the purposes of patient care, staff training and untoward incidents.
If an ambulance takes you to hospital, we will give the hospital staff a copy of the patient clinical record so that they have details of your condition and the treatment we have provided. We retain the master copy and store this electronically on a computer system.
The health and social care professional involved in your treatment or care may ask us for information about your use of our services or the treatment your received. We will be careful about sharing information in these circumstances and will only do so once we are satisfied that they need this information in order to provide care to you.
In some circumstances, particularly if we do not take you to hospital, with your consent we may share information or clinical records with other healthcare professionals. Most commonly, this will be your GP, but we may also pass your details to other specialist healthcare teams which might include people form other organisations, such as social services, to assess whether they can offer you support that may help to prevent a similar situation arising again.
If you ring our urgent (non-emergency) medical help and advice line (NHS 111) in order to provide you with appropriate care we may need to share some health information about you with your GP and additionally with other health or social care providers.
If you do not wish information about you to be shared we will give you the opportunity to say so, however this may impact on the services and support that can be provided to you.
Records of treatment and service we provide are retained securely for reference and will allow us to monitor how well we are providing our service.
We use relevant information about you to help improve NHS services and the health of the public. Your information may be used to:
Help staff review the care and advice they provide to ensure it is of the highest standard
- Teach and train staff
- Protect the health of the public
- Provide statistics, performance and planning information
- Find out how many people have a particular illness or disease
- Carry out health research and development
- Investigate complaints, legal claims or untoward incidents
When information is needed to manage the wider health service, careful measures are taken to ensure that individual patients cannot be identified. Your name, address and other information that identifies you is removed. Sometimes we may use information that does identify you. If we do this, we will explain how and why your information will be used and obtain your consent.
For health research we use anonymised data and all NHS research is approved by a group of ethics experts before being carried out. Exceptionally, the Secretary of State for Health can give permission for the NHS to pass on data which identifies you, but only after consideration by ethics experts, where there is a need to include your data, and where there are data security arrangements in place.
From time to time we may contact you and ask you to tell us about your experience of our service. We do this as part of our commitment to providing a service that is responsive to the needs of the patients and their families and carers. We may send you a paper survey in the post or call you on the telephone and ask if you would be willing to answer some questions. You can choose whether or not you want to take part in these surveys, and if you decide that you do not want to, then this will not affect your care in any way.
Use of Data Processors
Yorkshire Ambulance Service uses a small number of contractors (or data processors*) to carry out specific business functions on behalf of the Trust which involve the processing of personal data.
Yorkshire Ambulance Service as ‘data controller’ remains responsible for ensuring its processing complies with the General Data Protection Regulations 2016 and the Data Protection Act 2018.
We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
The Trust will only use an approved data processor where:-
- There is a written contract in place which stipulates that the data processor can only act in accordance with instructions from Yorkshire Ambulance Service. They are not able to do anything else with that data.
- The contract also creates a legal requirement for the data processor to act in accordance with the Principle F of the General Data Protection Regulations i.e. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- The Trust is satisfied that the data processor has provided sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out.
The Trust takes all reasonable steps to ensure our data processors continue to remain compliant with technical and organisational security measures.
* A data processor is a person or organisation who processes personal data on behalf of a data controller, rather than on their own behalf.
Is my information shared with anyone else?
Your personal health information may be given to other people who need to know relevant information about your health – for example a carer, a home help, or a social worker. Usually, it will only be given to them if:
- you have agreed, and
- they need it to be able to give you care and treatment
The NHS will not share your personal health information with people such as relatives, carer or friends without your permission. However, there are exceptions:
- If you are a child, and a health professional doesn’t think you can make decisions about your healthcare, someone with parental responsibility for you may be allowed to see your records and discuss your care.
- If you are an adult who cannot make decisions for yourself, or cannot tell others your decisions, the law allows someone to see your records and discuss your care, if:
- you have given them a power of attorney, or
- a court has appointed someone to deal with decision-making.
In these cases, the person allowed to see your health information:
- will only be able to see information that is necessary for them to make particular decisions for you about your health care, and
- will not receive information that staff feel would be harmful to your health or the health of others.
Sometimes the law allows the NHS to share your personal health information without your permission, for example, to investigate a serious crime or to protect a child.
Sometimes the law requires us to pass on information: for example, notification of births and deaths. This is only provided after formal permission has been given by a qualified health professional.
You may be receiving care from other service providers as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it as part of your care or we have your permission. Therefore, we may also share your information with:
- Social Care Services
- Education Services
- Local Authorities
- Voluntary and private sector providers working with the NHS.
We share information in line with the legislation from the Health and Social Care Act 2015 and we process/share your information under the Data Protection Act legislation and the new GDPR legislation.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. This is necessary to comply with a legal obligation (GDPR Article 6(1)(c)) and does not require consent under the data protection legislation. For further information, please see the full text fair processing notice.
How do you know your records will be kept confidential?
All NHS organisations have a legal duty of confidence to their patients and the Data Protection Act 1998 further defines how we can collect and handle personal information. The NHS also has an additional set of guidelines, known as the Caldicott principles, which apply to the use of patient information.
All NHS organisations are required to appoint a Caldicott Guardian to ensure patient information is handled in accordance with legal and NHS regulations.
We have appointed our Executive Medical Director as Caldicott Guardian in acknowledgement of how seriously we take the protection of your right to confidentiality. Our Executive Medical Director is a senior member of our Trust Board who understands the requirements for protecting the confidentiality of patient information as well as enabling appropriate information-sharing.
We will seek your consent before we release information that identifies you to any third party for any other reason than those set out in this guidance. We will not pass information that identifies you to another person or organisation (including friends or relatives) without your knowledge or permission unless we have an overriding legal duty to do so.
The NHS Care Record Guarantee is an NHS commitment that we will only use records about you in ways which respect your rights and promote your health and wellbeing.
The guarantee can be found on the NHS Digital website https://digital.nhs.uk/
How long do we keep your records?
We retain your clinical records and details of 999 calls and calls to NHS 111 for 10 years (25 years in relation to children's records). Other records that may contain information about you are kept for varying lengths of time.
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will only hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.
Your rights over your information
You have several rights with respect to information that is held about you by Yorkshire Ambulance Service NHS Trust. The full extent of your rights is detailed within the General Data Protection Regulations and in the specific Privacy Notices that can be found in the section above.
The Trust has a legal basis for gathering and processing personal information necessary for the delivery of essential services. You have the right to request the Trust to stop processing your personal data in relation to services provided by the Trust. However, this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with such requests but this may not be possible where the Trust is required to do so by law, for the performance of our public task, to safeguard public safety, where there is a risk of harm and/or in emergency situations.
You have a right to see all personal or clinical information we hold about you.
How to obtain your personal information or exercise your subject rights about the use of your information
The General Data Protection Regulations allows you to find out what information about you is held by Yorkshire Ambulance Service NHS Trust. This is known as the “right of subject access”. It applies to your health records and all other personal information relating to you held by the Service.
Please submit an enquiry, using the details below, if you would like to:
- View your information, known as a Subject Access Request
- Verify, correct or update your information
- Understand how we have arrived at a decision about you
- If you have a concern, complaint, objection or request a restriction on how we process your information
If you want to make a subject access request for personal data held in respect of any services provided by the Trust you should make a written request to:
Legal Services Department
Yorkshire Ambulance Service NHS Trust
Wakefield 41 Business Park
Tel: 01924 584032
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate), Website: ico.org.uk or email firstname.lastname@example.org
We also use functional cookies to ensure our website operates correctly (for example, the accessibility toolbar options) but these are not used for tracking.
You can find out more about Cookies here: www.allaboutcookies.org.