Privacy Policy

This policy sets out how, Coordinate My Care (CMC), processes and stores personal information in several types of scenarios. Coordinate My Care is an NHS service works on behalf of Health and Social Care organisations that care directly for patients, to share key clinical and non-clinical information about and from patients to ensure high quality and safe care is delivered across the health and social care system. CMC is hosted by the NHS South, Central and West Commissioning Support Unit.

We aim to be clear about when and how we facilitate collection and holding of your information and will not to do anything with it that you wouldn’t reasonably expect or which we have not made you aware of; so please read this policy carefully to understand how we facilitate collection, processing and storage of your information.

Contacting us

If you have any questions about this policy or the practices of this website, please email us at contact.scwcsu@nhs.net

Introduction

Coordinate My Care (CMC) is an NHS clinical service and was established in May 2012 to promote better care and outcomes for patients as they access support from urgent care support from the Ambulance Service, 111 and out-of-hours GPs and emergency departments.

This is achieved by enabling your day to day health and social care professionals to share information from you (care preferences) and about you (clinical information and perspectives) with those urgent care services. Typically, urgent care services do not know anything about the background or care needs of patients they are responding to, and therefore may not provide the best care to the patient. The provision, by health and social care teams involved in providing day to day care, of important information to the urgent care services in advance can help to facilitate a better and safer response to the patient’s needs in the context of deterioration or crisis. Through the CMC system, the teams (non-urgent care and urgent care teams) are ‘joined together’ around key information from and about the patient. CMC enables users to initiate, create, update, publish and view urgent care plans, according to the variable access rights of their role.  Shared information within a CMC care plan is the primary way that the health and social care teams who know patients on a day to day or week to week basis (GPs, District Nurse, Hospital teams), communicate high level useful information to the Urgent Care sector (Ambulance service, Emergency Departments, Out of Hours GPs and NHS111) who do not know the patient but who may be require support them suddenly. Sharing information is designed to improve the safety and quality of the care response the patient gets.

In doing this, Coordinate My Care adheres to the requirements of all applicable legislation including the General Data Protection Regulation (“GDPR”) as they apply to any personal information we hold that relates to you.  Reassurance is given to all users that in line with the GDPR guidance only minimum necessary data is collected.

Our lawful basis for sharing your data through the CMC care planning service is Consent. That means that a clinician or healthcare worker must explain to you about our service and get your explicit agreement to share information through it. You have the right to withdraw consent at a later time and your care plan can be easily deleted.

Coordinate My Care as a hosted NHS service within The Royal Marsden NHS Foundation Trust is a data processor in respect of your personal information which is held within a Coordinate My Care Urgent Care plan. CMC is a data processor who holds and shares your personal information on behalf of a data controller who will be the teams that deliver direct care to you and create and update your CMC urgent care plan. This relationship between the Data Controllers (those who care for you and access and input data into the CMC care plan) and CMC, as the Data Processor, and our obligations form the basis of the CMC Information Sharing Agreement. For clarity, a controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

However, in certain defined circumstances, CMC is also a data controller of personal information which you share with us if you access our resources website on the internet  e.g. asking us a question etc. For clarity, our resources website is our everyday website available to all on the internet and is not our secure platform with very restricted access where all the care plans are safely held.

The majority of the storing and sharing of patient information carried out by CMC is done through our holding information within our CMC care plan platform and allowing verified persons only to access it. In allowing this access, we are sharing information with them. They will have been verified, given access credentials and all access is monitored and audited. These persons will typically be nurses or doctors, social workers, hospital teams, clinician supporting administrators, out of hours doctors, 111 service call advisers and ambulance services. Also, they can be patients themselves or their nominated ‘proxy’ (personal or professional supporter) who can be given access to view the care plan. We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.

We recommend to the clinical teams supporting you to keep your information accurate and up to date and if it is found to be wrong by us, we will work with your clinical team to make it right, where appropriate, as soon as we can.

Scenarios where we collect, store or share your information

Scenarios where CMC stores or shares information are provided below. There are some substantial differences and some different arrangements about storage and deletion depending on the scenario.

The scenarios are:

  • Where NHS patients have a CMC urgent care plan on our CMC urgent care plan platform
  • Where NHS patients participate in initiating their own CMC care plan (in the myCMC Patient Portal)
  • Where a patient sets up a ‘proxy’ care plan viewer (a personal or professional supporter)
  • Where information is shared with CMC by any person who interacts with our CMC resources website.
  • Where you interact with any of our online training resources.

Scenario 1: Where NHS patients have consented to having a CMC urgent care plan supporting their care and it is stored on our CMC urgent care plan platform. To fulfil the task of supporting improved outcomes for patients and their families as they use Urgent Care Services (out-of-Hour GPs, NHS111, Ambulance Services, Emergency Departments and Urgent Treatment Centres), when the patient consents, CMC holds and shares personal information that is placed in a patient specific CMC care plan.  The information is placed within this CMC care plan on the secure CMC platform by clinicians and carers who care directly for patients. This information is stored in the same way as a medical record – securely and for a considerable length of time. This care plan can be deleted easily and at any time if the patient withdraws consent to sharing information through a CMC care plan. A patient can opt out from having a CMC care plan at any time by withdrawing their consent. All data processing activities will be stopped.

However, this lack of shared information may make it more difficult for urgent care services to provide you with the right care but none the less they will do their best.

In enabling urgent care services to know you have the support of a CMC care plan, we automatically and safely electronically share basic identifiers – name, date of birth, address with the urgent care services so that when you ring them and give your basic details, their system alerts the call handler to the valuable information which can support them to provide you with the best care.

What personal information do we collect?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – may ask you to consent to the creation a CMC urgent care plan which will have some information about your health, about care and treatment you may have received in the past, and yours and your clinical team’s thoughts and preferences about future care if you experience a deterioration in health. This may include:

  • Name, address, date of birth, gender/ethnicity, phone number, and email address where you have provided it.
  • Your next of kin or key supporter and contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Your preferences about future care
  • Results of your tests and diagnosis.
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Information on medicines and allergies
  • Information about what is important for you and what others should know about you as a person

You can be given a print out of this information, or see the care plan on a computer, tablet or smart phone.

Right to refuse or withdraw consent: You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care.  If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care, (when you call urgent care services for support they may have less information available to them), your clinician will explain this to you so that you can make a fully informed choice.  Whether you consent to a CMC urgent care plan or not, urgent care services will always do their best for you.

Scenario 2: Where NHS patients participate in initiating their own CMC care plan (in the myCMC Patient Portal). Sometimes patients themselves initiate the creation of a CMC care plan through the CMC Patient Portal. Through using this route to initiate a CMC care plan you are agreeing to the sharing of your data with urgent and non-urgent care services.

What personal information do we collect?

  • NHS number
  • Postcode,
  • Email address (if needed)
  • Preferences for place of care
  • Current level of physical health and functioning
  • Thoughts about future care
  • Key supporter contact details

This information is stored for a limited period only on the myCMC Patient Portal. Once submitted by the patient for the next stage, it is transferred into the CMC care plan platform for completion by the involved clinician. At that point of transfer, the information on the myCMC platform is deleted.

When you see your clinician to discuss the CMC care plan, the clinician will ask for your consent to share your data through the CMC care plan.

When a member of the public starts but does not complete a myCMC Care Plan Initiation, CMC may use the email provided by them to contact them to offer support to complete the myCMC Initiate care plan work. Only the email will be used.

Scenario 3: Where a patient sets up a ‘proxy’ care plan viewer (a personal/professional supporter).

What personal information do we collect?

  • The intended proxy’s person’s email address and date of birth

You should get the permission of the proxy to share their email address and date of birth with us. These details will be stored continually within the CMC Patient Portal. The ‘proxy’ when gaining access to the appropriate care plan through the CMC Portal will share their date of birth and confirm the patient’s NHS number as validation to gaining access to the patient’s CMC care plan.

Scenario 4: Where information is shared with CMC by any person who interacts with our CMC resources website.

Coordinate My Care is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then we will ensure that information is stored securely and not shared for any other purpose.

What personal information do we collect?

We may collect the following information:

  • Name and job title
  • Contact information including email address
  • Demographic information such as postcode, preferences and interests
  • Other information relevant to customer surveys and/or offers

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.
  • We may use the information to improve our products and services.
  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.

    Also you may contact the CMC service with a query from the CMC resources website. You must provide a name and contact number. Your information is stored within a secure nhs.net email account until we answer your query.

    Scenario 5: Where you interact with any of our online training resources. We may ask for your name, job title, organisation work email address.  We may store these safely within our files within the CMC service as validation of training.

    What personal information do we collect?

    • Name, job title and organisation
    • Contact information including email address

    Other information relevant to customer surveys and/or offers CMC care plan can be created for a child age 0-17. Such a care plan will only be created with the consent form a parent/legal guardian. A clinician can make a best interest decision, but in consultation with parent/legal guardian. In the unlikely event of a child’s data being collected without parent/legal guardian’s consent the user can report this via CMC website: Report incidents & excellence – Coordinate My Care | Urgent Care Plan or by calling  020 7811 8513 (open to patients Monday to Friday, 9am – 5pm). A formal Information Governance investigation will be launched and the data will be removed.

    Sensitive data

    Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. 

    As a healthcare service, Coordinate My Care will at times but not routinely hold some of the sensitive data as defined above. This will be placed within the CMC urgent care plan by yourself or by the clinical team providing you with direct care. For example:

    • When you or your care team provide information within the CMC care plan about your personal, religious or philosophical beliefs
    • When submitting your story to Coordinate My Care to be considered as a case study for educational or promotional purposes.

    However, it should be noted that the data fields within the CMC urgent care plan do not request information on political opinions, trade union activities, sexual life, or details of criminal offences.

    Retention

    We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory or reporting requirements. 

    To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.  In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code).The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

    Details of retention periods for different aspects of your personal information are in line with our NHS host, The Royal Marsden NHS Foundation Trust and you can request the relevant retention policy by contacting us).

    Security

    InterSystems, who provide the CMC IT solution as a hosted managed service, is responsible for the confidentiality and security measures used to store CMC IT solution data, including myCMC. These robust measures are defined by the Coordinate My Care Service Agreement between InterSystems and The Royal Marsden NHS Foundation Trust – the trust hosting the CMC service. These include but are not limited to:

    • Quality management and certification, e.g. ISO9001.
    • ISO/IEC 27001: 2005: Information Security Management Systems: Requirements.
    • ISO/IEC 27002: 2005: Code of Practice for Information Security Management.
    • NHS Digital Data Security and Protection Toolkit compliance.
    • Royal Marsden Hospital Trust’s IT Acceptable Use Policy and IT Security Policy conformance.
    • System Security Plan (SSP) provision, including a Data Protection approach.· Best practice Operational Security Plan for CMC system live operation.

    The CMC IT solution is a collaborative, integrated web-based system, with all care providers accessing a single, shared urgent care plan; data is not explicitly transferred outside the system. All user connections to CMC are by a secure network connection (Health and Social Care Network) – or via the internet using a 2 factor authentication method. All users access the system using a username and password or smartcard access. The patient or their proxy access to MyCMC is via a secure web link and is controlled by username and password. The MyCMC patient portal is connected to the CMC system via a secure API (Application Programme Interface).

    The InterSystems’ CMC Patient Data Retention and Destruction Policy outlines the policy and standards relating to the retention and destruction of patient data, and associated records, held within the InterSystems hosted service provided to Coordinate My Care (CMC). The policy covers all CMC patient data and care plans stored in the hosted service together with associated audit logs.  InterSystems implements and maintains this the policy to ensure that CMC Patient Data is retained and destroyed in a way that is consistent with their legal, contractual and ethical obligations.

    We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

    We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those health and social care employees, who have a legitimate need to view your information for the provision of direct care to you. We will only process your personal information with those health and social care organisations who fulfil the NHS Data Security & Protection Toolkit or similar and they are subject under the law to a duty of confidentiality. All accesses to your personal data on the CMC care plan are fully audited.

    We have put in place procedures to deal with any suspected personal information breach. Typically, because your care provider enters your information into the CMC care plan, we will liaise with them first and they will contact you if there is a breach of your data within CMC. This is because you have an established relationship with them and may never directly relate to Coordinate My Care as an NHS organisation. Also we will notify any applicable regulator of a breach where we are legally required to do so within 72 hours where feasible.

    Your rights

    Under certain circumstances, you have rights under information protection laws in relation to your personal information.

    These rights include:

    • Requesting access to your personal information
    • Requesting correction of your personal information
    • Requesting erasure of your personal information
    • Objecting to processing of your personal information
    • Requesting they are not subject to a decision based solely on automated processing, including profiling. The CMC IT solution does not include automated processing
    • Requesting restriction of processing your personal information
    • Requesting transfer of your personal information
    • Right to withdraw consent

    If you wish to exercise any of the rights set out above, please contact us. Your request will be processed within 48 hours.

    If you have any questions about this policy or the ways in which we may process your personal information, please contact us.

    If the privacy policy is updated and the purpose of data collection changes then the users will be notified and consent will be re-obtained.

    Accessibility Statement

    Under certain circumstances, you have rights under information protection laws in relation to your personal information.

    This accessibility statement applies to www.coordinatemycare.co.uk. This website is run by Coordinate My Care and Top Left Design. We want as many people as possible to be able to use this website. For example, that means that you should be able to:

    • Zoom in up to 200% without the text spilling off the screen
    • Translate each page on the website in 108 languages using the Google Translate widget at the bottom of the page
    • Use the Chat with Us box to communicate with the helpdesk directly for help and support or contact us via the phone or email, clearly displayed on top banner of every page.

    We know some parts of this website are not fully accessible:

    • You cannot modify the line height or spacing of text
    • Our videos do not have captions
    • Some of our online forms are difficult to navigate using just a keyboard

    Reporting accessibility problems with this website

    We’re always looking to improve the accessibility of this website. If you find any problems not listed on this page or think we’re not meeting accessibility requirements, contact: coordinatemycare@nhs.net or call us on 0207 811 8513

    Enforcement procedure

    The Equality and Human Rights Commission (EHRC) is responsible for enforcing the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 (the ‘accessibility regulations’). If you’re not happy with how we respond to your complaint, contact the Equality Advisory and Support Service (EASS).

    We’re always looking to improve the accessibility of this website. If you find any problems or think we’re not meeting accessibility requirements, contact: Report incidents & excellence – Coordinate My Care | Urgent Care Plan or by calling  020 7811 8513 (open to patients Monday to Friday, 9am – 5pm).

    Our website uses cookies to give you the best possible browsing experience whilst you’re here. If you continue without changing your settings, we’ll assume that you are happy to receive all cookies on our website. However, you can change your cookie settings at any time. To read more about cookies and how to manage them please take a look through our cookie policy.