Pennine Care NHS Foundation Trust will process the personal data you have provided in line with the General Data Protection Regulation (GDPR) (2016) and the Data Protection Act (2018), and in accordance with our full privacy notice which can be found here.
Our Freedom of Information Policy and our Environmental Information Regulation Policy outline our internal processes which we undertake in relation to requests. They can be found here.
We will act as “Controller” (in line with Article 4(7) of the GDPR) for the personal data you provide.
If you have any questions, comments or concerns about the handling of your personal data, these can be raised with us, or with our Data Protection Officer who can be contacted on firstname.lastname@example.org.
To process your request under the Freedom of Information (FOI) Act (2000) or the Environmental Information Regulations (EIR) (2004), we will need the following personal data:
We may ask for further personal data, particularly if we have concerns that you have failed to provide your real name.
By providing this information, you are allowing us to use this information to provide you with a response to your request.
We will also need to process your information if you request an internal review, or make an appeal to the Information Commissioner.
We also use your information to verify your identity, where required, to contact you by post, email or telephone, and to maintain our records in line with our retention schedule - Retention of all Clinical and Corporate Records Guidance (which can be found here).
The Trust will process the personal data you provide under the legal basis outlined in Article 6(1)(e) of the GDPR which states the information is necessary for performance of our public task.
As a public authority captured by both the Freedom of Information (FOI) Act (2000) and the Environmental Information Regulations (EIR) (2004), we are required to comply with both pieces of legislation. To correspond with you, we will require the personal data set out above. Furthermore, S.8 of the FOI Act obliges you to provide your real name. Failure to provide your real name invalidates your request, and could mean the Information Commissioner’s Office will not assist you regarding your request. As such, the Trust take care to ensure you are aware of your obligations and your rights. If we have concerns you have not provided your real name, we may request further personal data to ensure your request is valid.
If you choose to provide further personal data, or more sensitive information, as part of the request process this will be stored with your correspondence, and processed in line with our full privacy notice which can be found here.
The personal data you provide will be received by the FOI Team in Pennine Care. The FOI Team sit within the Information Governance Team. For resilience and staff cover, other members of the Information Governance Team are able to access this information.
If you make a request via social media, the FOI Team will be required to liaise with the team who received your request to provide a response. But otherwise, your personal data is not shared outside of the Information Governance team, unless:
Where you request an internal review, your personal data may be shared with a senior staff member outside the Information Governance team to independently manage the review.
Where you make an appeal to the Information Commissioner’s Office, we are lawfully required to share your information with them.
Lastly, the Trust stores our FOI requests on a third party system – Ulysses (https://www.ulysses.co.uk/). Your personal data will be stored on a secure Trust server. Ulysses may access this server for the purposes of system support, maintenance and upgrade. Ulysses are a trusted provider, and a contract is in place. Please contact our Data Protection Officer - email@example.com - if you would like more information.
Your personal data will be stored on the Trust’s IT network which may be copied for testing, back up, archiving, or disaster recovery purposes.
As outlined above, routine access to your personal data is limited to those who require it to assist you.
All data is held within the UK.
We will only keep your personal information for as long as necessary to process your information request and to safeguard us in the event of any claims, complaints, litigation, enquiries or investigations following.
Unless you ask us not to, we will delete the personal information relating to your request in accordance with our retention schedule - Retention of all Clinical and Corporate Records Guidance. For more information please see here.
Our retention schedule is taken from the NHS Records Management Code of Practice for Health and Social Care 2016; however, this does not impact your rights as a data subject, for example to have your personal data deleted or rectified. Please contact our Data Protection Officer on firstname.lastname@example.org for more information, or to make such a request.
For a full outline of your rights as a data subject, please see the Trust Privacy Notice which can be found here.
Our privacy notices are regularly kept up to date.
This version was updated on 31st July 2019.
You will always be able to view our current FOI privacy notice on our website. For access to previous copies, please contact the team via 0161 716 3146 or via email at email@example.com.