Coordinate My Care Privacy Policy

This policy sets out how, in our day to day activities, Coordinate My Care (CMC), an NHS service hosted by The Royal Marsden NHS Foundation Trust, processes and stores personal information in a number of types of scenarios. Coordinate My Care is an NHS service that works on behalf of health and social care organisations that care directly for patients. It shares key information about and from patients in order to ensure high quality and safe care is delivered across the health and social care system particularly as patients use urgent care services.

 

We aim to be clear about when and how we facilitate collection and holding of your information. We will not to do anything with your information that you wouldn’t reasonably expect or which we have not made you aware of; so please read this policy carefully to understand how we facilitate collection, processing and storage of your information.

Contacting us

If you have any questions about this policy or the ways in which we may process your personal information, please contact us:

Data Protection Officer
The Royal Marsden NHS Foundation Trust
Fulham Road
London
SW3 6JJ

Switchboard number: 0207 352 8171

 

Introduction

Coordinate My Care (CMC) is an NHS clinical service and was established in August 2010 to promote better care and outcomes for patients as they access support from urgent care support from the Ambulance Service, 111 and out-of-hours GPs and emergency departments. This is achieved by enabling your day to day health and social care professionals to share information from you (care preferences) and about you (clinical information and perspectives) with those urgent care services. Typically, urgent care services do not know anything about the background or care needs of patients they are responding to, and therefore may not provide the informed care to the patient that they would like. The provision, by health and social care teams involved in providing day to day care, of important information to the urgent care services in advance can help to facilitate a better and safer response to the patient’s needs in the context of deterioration or crisis. Through the CMC system, the teams (non-urgent care and urgent care teams) are ‘joined together’ around key information the patient. CMC enables users to initiate, create, update, publish and view urgent care plans, according to the variable access rights of their role.  Shared information within a CMC care plan is the primary way that the health and social care teams who know patients on a day to day or week to week basis (GPs, district nurse, hospital teams), communicate high level useful information to the urgent care sector (ambulance service, Emergency Departments, Out of Hours GPs and NHS 111) who do not know the patient but who may be required to support them suddenly. Sharing information is designed to improve the safety and quality of the care response the patient gets.

 

In doing this, Coordinate My Care adheres to the requirements of all applicable legislation including the General Data Protection Regulation (“GDPR”) as they apply to any personal information we hold that relates to the patient.

 

Our lawful basis for sharing your data through the CMC care planning service is consent. That means that a clinician or healthcare worker must explain our service to you and get your explicit agreement to share information through it. Our leaflet ‘Information for Patients and Carers’ should be made available to you during a consent discussion and is also available here. You have the right to withdraw consent at a later time and your care plan can be easily deleted.

 

Coordinate My Care as a hosted NHS service within The Royal Marsden NHS Foundation Trust is a data processor in respect of your personal information which is held within a Coordinate My Care urgent care plan. CMC is a data processor that holds and shares your personal information on behalf of a data controller who will be the teams that deliver direct care to you and create and update your CMC urgent care plan. This relationship between the Data Controllers (those who care for you and access and input data into the CMC care plan) and CMC, as the Data Processor, and our obligations, form the basis of the CMC Information Sharing Agreement (ISA). For clarity, a controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

 

However, in certain defined circumstances, CMC is also a data controller of personal information which you share with us if you access our resources website on the internet – e.g. asking us a question etc. For clarity, our public website www.coordinatemycare.co.uk is our resources website available to all and is not our secure CMC platform with very restricted access where all the care plans are safely held.

 

The majority of the storing and sharing of patient information carried out by CMC is done through CMC holding information within our care plan platform and allowing verified persons only to access it. In allowing this access, we are sharing information with them. They will have been verified, given access credentials and all access is monitored and audited. These persons will typically be nurses or doctors, social workers, hospital teams, clinician supporting administrators, out of hours doctors, 111 service call advisers and ambulance services. Also they can be patients themselves or their nominated ‘proxy’ (personal or professional supporter) who can be given access to view the care plan. We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.

 

We recommend to the clinical teams supporting you to keep your information accurate and up to date and if it is found to be inaccurate by us, we will work with your clinical team to make it right, where appropriate, as soon as we can.

 

Scenarios where we collect, store or share your information

Scenarios where CMC stores or shares information are provided below. There are some substantial differences and some different arrangements about storage, sharing and deletion of information depending on the scenario.

The scenarios are:

  1. Where NHS patients have a CMC urgent care plan on the CMC urgent care plan platform
  2. Where NHS patients participate in initiating their own CMC care plan (in the myCMC patient portal)
  3. Where a patient sets up a ‘proxy’ care plan viewer (a personal or professional supporter)
  4. Where information is shared with CMC by any person who interacts with our CMC public website
  5. Where a health and social care professional or anyone interacts with any of our online training resources

 

Scenario 1: Where NHS patients have consented to having a CMC urgent care plan supporting their care and it is stored on the CMC urgent care plan platform. To fulfil the task of supporting improved outcomes for patients and their families as they use urgent care services (Out-of-Hour GPs, NHS 111, ambulance services, Emergency Departments and Urgent Treatment Centres), with the patient’s consent, CMC holds and shares personal information that is placed in a patient specific CMC care plan.  The information is placed within the CMC care plan on the secure CMC platform by clinicians and carers who care directly for patients. This information is stored in the same way as a medical record – securely and for a considerable length of time. This care plan can be deleted easily and at any time if the patient withdraws consent to sharing information through a CMC care plan. However not sharing your information may make it more difficult for urgent care services to provide you with the right care, but none the less they will do their best.

 

So that urgent care services know you have the support of a CMC care plan, upon clinical sign-off of the care plan, we electronically share basic identifiers – name, date of birth, address with the urgent care services so that when you ring them and give your basic details, their system alerts the call handler to the valuable information which can support them to provide you with the best care. This is all done automatically and safely.

 

What personal information do we collect?

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – may ask you to consent to the creation a CMC urgent care plan. This will have some information about your health, about care and treatment you may have received in the past, and you and your clinical team’s thoughts and preferences about future care if you experience a deterioration in health. This may include:

  • Name, address, date of birth, phone number, and email address where you have provided it
  • Your next of kin or key supporter and contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Your preferences about future care
  • Results of your tests and diagnosis
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Information on medicines and allergies
  • Information about what is important for you and what others should know about you as a person

 

You can be given a print out of this information, or see the care plan on a computer, tablet or smart phone.

 

Right to refuse or withdraw consent: You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care.  If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care, (when you call urgent care services for support they may have less information available to them), your clinician will explain this to you so that you can make a fully informed choice.  Whether you consent to a CMC urgent care plan or not, urgent care services will always do their best for you.

 

Scenario 2: Where NHS patients participate in initiating their own CMC care plan (in the myCMC patient portal). Sometimes patients themselves initiate the creation of a CMC care plan through the CMC patient portal. Through using this route to initiate a CMC care plan you are agreeing to the sharing of your data with urgent and non-urgent care services.

 

What personal information do we collect?

  • NHS number
  • Postcode
  • Email address (if needed)
  • Preferences for place of care
  • Current level of physical health and functioning
  • Thoughts about future care
  • Key supporter contact details

 

This information is stored for a limited period only on the myCMC patient portal. Once submitted by the patient for the next stage, it is transferred into the CMC care plan platform for completion of key medical information by the involved clinician. At that point of transfer, the information on the myCMC platform is deleted.

 

When you see your clinician to discuss the CMC care plan, the clinician will ask for your consent to share your data through the CMC platform.

 

Scenario 3: Where a patient sets up a ‘proxy’ care plan viewer (a personal/professional supporter).

 

What personal information do we collect?

  • The intended proxy person’s email address and date of birth

You should get the permission of the proxy to share their email address and date of birth with us. These details will be stored continually within the CMC patient portal. The proxy when gaining access to the appropriate care plan through the myCMC patient portal will share their date of birth and confirm the patient’s NHS number as validation to gaining access to the patient’s CMC care plan.

 

Scenario 4: Where information is shared with CMC by any person who interacts with our CMC public website.

Coordinate My Care is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using our public website www.coordinatemycare.co.uk, we will ensure that information is stored securely and not shared for any other purpose.

 

What personal information do we collect?

We may collect the following information:

  • Name and job title
  • Contact information including email address
  • Demographic information such as postcode
  • Other information relevant to market research or your reasons for getting in touch with CMC

 

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping
  • We may use the information to improve our service.
  • If appropriate we may periodically send emails about our service or other information which we think you may find interesting using the email address which you have provided.
  • We may also use your information to contact you for market research purposes and in the interests of improving our service. We may contact you by email, phone or mail.

 

Also you may contact the CMC service using our email coordinatemycare@nhs.net with a query from the CMC public website. You must provide a name and contact number. Your information is stored within a secure nhs.net email account until we answer your query.

 

Scenario 5: Where you interact with any of our online training resources. We may ask for your name, job title, and organisation work email address.  We will store these safely within our files within the CMC service as validation of training.

 

What personal information do we collect?

  • Name, job title and organisation
  • Contact information including email address
  • Other information relevant to market research or your relevant interest in CMC

 

Sensitive data

Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

 

As a healthcare service, Coordinate My Care will at times, but not routinely, hold some of the sensitive data as defined above. This will be placed within the CMC urgent care plan by yourself or by the clinical team providing you with direct care. For example:

  • When you or your care team provide information within the CMC care plan about your personal, religious or philosophical beliefs

 

However, it should be noted that the data fields within the CMC urgent care plan do not request information on political opinions, trade union activities, sexual life, or details of criminal offences.

 

Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory or reporting requirements.

 

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.  In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code).The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

 

Details of retention periods for different aspects of your personal information are in line with our NHS host, The Royal Marsden NHS Foundation Trust and you can request the relevant retention policy by contacting us).

 

Security

We have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those health and social care employees, who have a legitimate need to view your information for the provision of direct care to you. We will only process your personal information with those health and social care organisations who fulfil the NHS Data Security & Protection Toolkit or similar and they are subject under the law to a duty of confidentiality. All accesses to your personal data on the CMC care plan are fully audited.

 

We have put in place procedures to deal with any suspected personal information breach. Typically, because your care provider enters your information into the CMC care plan, we will liaise with them first and they will contact you if there is a breach of your data within CMC. This is because you have an established relationship with them and may never directly relate to Coordinate My Care as an NHS organisation. Also we will notify any applicable regulator of a breach where we are legally required to do so within 72 hours where feasible.

 

Your rights

Under certain circumstances, you have rights under information protection laws in relation to your personal information. These rights include:

  • Requesting access to your personal information
  • Requesting correction of your personal information
  • Requesting erasure of your personal information
  • Objecting to processing of your personal information
  • Requesting restriction of processing your personal information
  • Requesting transfer of your personal information
  • Right to withdraw consent

 

If you wish to exercise any of the rights set out above, please contact us.

 

If you have any questions about this policy or the ways in which we may process your personal information, please contact us:

Data Protection Officer
The Royal Marsden NHS Foundation Trust
Fulham Road
London
SW3 6JJ

Switchboard number: 0207 352 8171

 

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire. SK9 5AF

 

Telephone: 03031231113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk

Website: www.ico.org.uk