Privacy

We aim to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you.

Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection Laws.

Our staff are trained to handle your information correctly and protect your privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected for direct marketing purposes, and is not sold on to any other third parties.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations.

We routinely collect information from the initial contact when we receive a call in the 999 Emergency Operations Centre (EOC) through to completing an electronic patient record (EPR) with information about the patient and care we provide, when we attend an incident. Some of this information goes on to form part of the Ambulance Data Set (ADS).

If a patient is transferred from ambulance services to the care of an Emergency Department, information within the Ambulance Data Set is subsequently linked with key information collected in Emergency Departments as part of the Emergency Care Data Set (ECDS).

The purpose of this is to fully understand the patient’s journey from the ambulance service to other urgent and emergency healthcare settings. This will enable clinicians, ambulance services and the NHS to learn from patient journeys and further improve the care they provide in the future.

Data collected by ambulance services and emergency departments is securely linked and transferred to us. Data collected as part of the Ambulance Data Set is shared with NHS Digital – a section of NHS England specialised in data and IT systems – where it is linked with key relevant information in the Emergency Care Data Set and securely returned to us.

This linked information includes a unique number generated by us during the initial 999 call, as well as a unique vehicle reference which will help us re-identify the original care record for the incident and the patient.

Appropriate access to this information will enable us to help develop the skills of our clinicians to improve the care they provide and support us in delivering service improvements to improve patient experience.

Patients will be able to opt out from this process if they so wish and data about their emergency care will remain with the ambulance service and / or the Emergency Department. To opt out of this process, please see the section entitled National data opt-out below.

For more information about the National Data Opt-Out, please visit www.nhs.uk/your-nhs-data-matters

The lawful basis for the ambulance service to process this information under UK General Data Protection Regulation (UK GDPR) is Article 6 (1)(e) – “…exercise of official authority” and for processing special categories (health) data the basis is: Article 9(2)(h) – ‘…health or social care…’ of the UK GDPR Regulations.

For the data collected by ambulance services (ADS) to be linked with relevant data items collected at Emergency Departments (ECDS) the lawful basis is the Sections 254(1), (3), (5) and (6), section 260(2)(d), section 261(2)(e) and section 304(9), (10) and (12) of the Health and Social Care Act 2012, as per the Ambulance Data Set.

To lawfully process information in the manner described, NHS England on behalf of ambulance services have obtained a section 251 approval, as required by the NHS Act 2006 and Health Service (Control of Patient Information) Regulations 2002. This provides a legal basis for patient information to be processed for these purposes.

NHS Digital officially merged with NHS England on 1st Feb 2023, therefore the organisation previously known as NHS Digital is legally known as NHS England and data held by NHS Digital is now held within NHS England.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care.

Information collected about you to deliver your health care is also used to assist with:

• Making sure your care is of a high standard.
• Using statistical information to look after the health and wellbeing of the general public and planning services to meet the needs of the population.
• Assessing your condition against a set of risk criteria to ensure you are receiving the best possible care.
• Preparing statistics on our performance for the Department of Health and other regulatory bodies.
• Helping train staff and support research.
• Supporting the funding of your care.
• Reporting and investigation of complaints, claims and untoward incidents.
• Reporting events to the appropriate authorities when we are required to do so by law.

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health and Data Protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.

If we need to use your personal information for any reason beyond those stated above, we will discuss this with you.  You have the right to ask us not to use your information in this way. However, there are exceptions to this which are listed below.

• the public interest is thought to be of greater importance for example:
• if a serious crime has been committed
• if there are risks to the public or our staff
• to protect vulnerable children or adults.
• we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders
• we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority)

Data Protection laws gives individuals rights in respect of the personal information that we hold about you.  These are:

1. To be informed why, where and how we use your information.
2. To ask for access to your information.
3. To ask for your information to be corrected if it is inaccurate or incomplete.
4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
7. To object to how your information is used.
8. To challenge any decisions made without human intervention (automated decision making)

Should you have any further queries on the uses of your information or you wish to lodge a complaint about the use of your information please contact [email protected].

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/.

During the course of its employment activities, West Midlands Ambulance Service (WMAS) collects, stores and processes personal information about prospective, current and former staff.

This Privacy Notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:

• Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
• Contact details such as names, addresses, telephone numbers and Emergency contact(s)
• Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
• Bank details
• Pension details
• Medical information including physical health or mental condition (occupational health information)
• Information relating to health and safety
• Trade union membership
• Offences (including alleged offences), criminal proceedings, outcomes and sentences
• Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes.

COVID – 19

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak.

Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.

COVID–19 Testing

In such circumstances where you tell us you’re experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Data may be shared with laboratories both government run and increasingly in the private sector under the guidance of PHE. This data is limited to that which is required to ensure test results can be communicated back to the individual. Normally this will be a phone number, home address and email address linked to a named individual with date of birth and where available NHS number.

COVID-19 Test and Trace Service

Due to the COVID-19 outbreak the Trust was asked to establish a Test and Trace cell to support the Public Health England (PHE) Tier 1 contact tracing level (referred to as complex cases) of the service through the implementation of a local contact tracing policy of their employees when a staff member* is confirmed as COVID-19 positive.

*This caveat also includes CFRs, Volunteers, Contractors and Patients which the Trust has provided care to as an emergency service.

Positive cases may be identified internally or passed to the Trust via secure email from Public Health England. The Trust needs to accurately record details of confirmed or suspected COVID-19 cases and staff who may have been exposed to COVID-19 through contact with those individuals.

Information will be held and retained in line with the Records Management Code of Practice for Health and Social Care 2016.

*In the event of a declared outbreak by Public Health England this data will be held for an indefinite period and until all investigations are completed.

The information (data collection) recorded is kept to a minimum, with associated role-based access controls in place.

This includes the following personal data:

1. Operating unit or department
2. Full name and address
3. Date of birth
4. Payroll number
5. Preferred contact number
6. Preferred email address
7. NHS number
8. CAD Reference (where applicable)
9. COVID-19 test location, date and results (where required)
10. Additional notes

The information is hosted within WMAS secure systems. Access to records is recorded, ensuring a log of who has viewed records can be pulled.

There are defined role-based access controls in place. These roles are assigned by the COVID-19 Management Team who will ensure that only those individuals who require access to data are assigned. There is also a process in place to ensure the closure of system access when required. The system allows records to be altered by authorised personnel with validations in place to ensure correct information is entered where possible.

GDPR Legal Basis

Article 6 (1) (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law

Article 9 (2) (h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems

 What is the purpose of processing data?

• Staff administration and management (including payroll and performance)
• Pensions administration
• Business management and planning
• Accounting and Auditing
• Accounts and records
• Crime prevention and prosecution of offenders
• Education
• Health administration and services
• Information and databank administration
• Sharing and matching of personal information for national fraud initiative

We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes following data protection and employment legislation.

Sharing your information

There are a number of reasons why we share information. This can be due to:

• Our obligations to comply with legislation
• Our duty to comply any Court Orders which may be imposed

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies

To enable effective staff administration WMAS may share your information with external companies to process your data on our behalf In order to comply with our obligations as an employer.

Employee Records; Contracts Administration (NHS Business Services Authority)

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

 Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

Individuals Rights

Data Protection laws gives individuals rights in respect of the personal information that we hold about you.  These are:

1. To be informed why, where and how we use your information.
2. To ask for access to your information.
3. To ask for your information to be corrected if it is inaccurate or incomplete.
4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
7. To object to how your information is used.
8. To challenge any decisions made without human intervention (automated decision making)

Should you have any further queries on the uses of your information, please speak to the Human Resources Department or contact [email protected].

Should you wish to lodge a complaint about the use of your information, please contact our Human Resources Department via [email protected] or telephone 01384 215555.

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/

Directors privacy notice

West Midlands Ambulance Service is a Foundation Trust. A Foundation Trust has more freedom from central government control, though it remains fully part of the NHS. Foundation Trusts are duty-bound to deliver free care, based on need, not ability to pay, but they are more accountable to the local community. This is because local people and staff can become members of the Trust and elect representatives to serve on the Council of Governors or even stand for election as a governor themselves.
Foundation Trusts are:
Part of the NHS and subject to NHS standards, performance ratings and inspections.  They must also work in partnership with other NHS organisations and co-operate with local partners
Accountable to Monitor (the independent regulator of NHS Foundation Trusts) and the CQC (Care Quality Commission), who oversee and monitor them against their terms of their licence and have powers to intervene.
More information about being a Foundation Trust can be found here

Public Membership

During the course of our activities, West Midlands Ambulance Service collects, stores and processes personal information in relation to its staff and those who have signed up to be a public member (a member must be at least 16 years old). We recognise the need to treat all personal data in a fair and lawful manner.

What types of personal data do we handle?

In order to carry out our activities and obligations as a Foundation Trust we handle membership data in relation to:
Personal demographics (including gender, ethnicity, sexual orientation, date of birth)
Details of involvement preferences such as attending events, responding to surveys or becoming a governor.
Contact details such as names, addresses, telephone numbers and email addresses.
Medical information (any declared disability)
Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.

Processing Personal Data

To enable effective administration of its membership, West Midlands Ambulance Service NHS Foundation Trust membership register is held securely with an external company. Their full privacy notice is below:
https://secure.membra.co.uk/Documents/MESPrivacyStatement.pdf
The company is compliant with ISO27001 (the international standard for best practice for an information security management system).
Data Protection laws gives individuals rights in respect of the personal information that we hold about you.  These are:
To be informed why, where and how we use your information.
To ask for access to your information.
To ask for your information to be corrected if it is inaccurate or incomplete.
To ask for your information to be deleted or removed where there is no need for us to continue processing it.
To ask us to restrict the use of your information.
To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
To object to how your information is used.
To challenge any decisions made without human intervention (automated decision making)
Should you have any further queries on the uses of your information please contact the Foundation Trust team on [email protected] or you wish to lodge a complaint about the use of your information please contact [email protected].
If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/

West Midlands Ambulance Service University NHS Foundation Trust (WMAS) utilises surveillance cameras (CCTV and Body Worn Cameras) in and around the Trust’s sites, on our emergency vehicles as well as body worn cameras being trialled by operational crews.

Please note, our surveillance cameras inside our vehicles and our body worn cameras are only activated by the crew should they feel there is a risk to safety. Should they be activated, you will be advised by the crew and/or an audio message will be played inside the vehicle or a recording light will flash on the body worn cameras.

The legal basis for collection of CCTV and body worn camera images is Article 6(1)f under the General Data Protection Regulation (GDPR) 2016, that processing is necessary for the purpose of the legitimate interests pursued by the controller (WMAS). Our legitimate interest in doing so, is in order to;

• Protect staff, patients, visitors and Trust property
• Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts
• Provide a deterrent effect and reduce unlawful activity
• Help provide a safer environment for our staff
• Assist with the verification of claims

You have a right to request personal information which may have recorded yourself and ask for a copy of this. For details on how to make a subject access requests please click here. Please be aware, you will need to provide sufficient information to identify you and assist us in finding any images on our systems and any third party will be redacted. We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Camera data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.

Should you have any further queries on the uses of your information or you wish to lodge a complaint about the use of your information please contact [email protected].

If you are still unhappy with the outcome of your enquiry you can contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/