When you contact us as a patient, we collect information about you and keep records about the service we provide you. We may also record information about you if you contact us for any other reason. The Northern Ireland Ambulance Service Patients and Public Privacy Notice explains the type of information we record about you, why this is necessary, and the ways in which this information may be used by the Service.

What is the legal basis for processing my information?

Under the EU General Data Protection Regulation and the Data Protection Act 2018, the legal basis for the processing of your data is:

• the HSC is an official authority with a public duty to care for its patients, as guided by the Department of Health
• Data protection legislation states that it is appropriate to do so for the health and social care treatment of patients, and the management of health or social care systems and services.

If we need to use your personal information for any reason beyond those stated above and below, we will discuss this with you. You have the right to ask us not to use your information for certain purposes but there are exceptions to this which are listed below under ‘Disclosure to third parties’.

With the onset of GDPR the professionals involved in your individual care (or direct care) will be using implied consent from you to see your shared medical records. In order for the sharing of Personal Data to comply with Article 5 of the General Data Protection Regulation it must be fair and lawful and one of the Article 6 conditions must be met. Article 9 conditions must also be met if Sensitive Personal Data or special category data is being shared. The following articles are the ones that apply for sharing of data for the professionals involved in your care:

• A) Article 6 condition – The sharing of Personal Data is permitted under Article 6 paragraph (c) (processing for legal obligation); paragraph (d) (processing for vital interests of data subject); and/or paragraph (e) (public interest or in the exercise of official authority).
• B) Article 9 condition – The sharing of Sensitive Personal Data or Special Category Data is permitted under Article 9 (h) (processing for medical purposes); and/or paragraph (i) (public interest in the area of public health). For the vast majority of sharing we will be relying on article (h) with an implied consent model for direct individual care (more detail below where we talk about the Common Law Duty of Confidentiality). In certain instances, however, we may also rely on paragraph (a) (explicit consent) or paragraph (c) (vital interests) but these will be specified in any sharing agreements or data processing contracts related to those special cases.

What type of information will we record about you?

We log details electronically when we receive a call for help at our emergency control centres, or book a non-emergency transport service that we operate.

If one of our ambulances attends you, or you are transferred between hospitals by ambulance, we will collect information about you to help us identify and treat you. This will be written on a patient clinical record along with details of your symptoms, condition, and any treatment we give you. We are also required to record details of your ethnicity and other information to help us monitor the equality of the services we provide.

If you speak to one of our 999 call handlers or clinical advisors we will record your details and access your clinical information in order to provide the advice or care you need, which may include transferring you to the out-of-hours service, requesting an ambulance or, if it is in hours, putting you in touch with your dentist or GP.

If you receive non-emergency transport services, we will record details about where you live, where we will be taking you and some details about your circumstances.

If you make a complaint or an enquiry about the service we have provided, or have contact with us on another matter, we will keep a record of all the relevant details in a file for case management purposes. In some cases, we may need to obtain information from the hospital we took you to in order to investigate a complaint or deal with an enquiry.

In conjunction Air Ambulance NI, we are exploring the use of a facility to obtain a secure live-stream video from callers’ mobile phones at certain incidents, to help our control room clinicians more accurately and rapidly assess patient injuries. This will only be done when clinically necessary with patient and caller consent, or when a patient is unable to consent it will be done in a patient’s best interests. No footage is stored and privacy controls and protocols are in place in connection with this tool.

Update: The Northern Ireland Ambulance Service utilises surveillance cameras (Static/Vehicle based CCTV and Body Worn Cameras) in and around the Trust’s sites, on our emergency vehicles, as well as body worn cameras used by operational crews which is currently being piloted.

Please note: Our surveillance cameras inside our vehicles and our body worn cameras are only activated by the crew when they feel there may be a risk to safety. Should these systems be activated, the crew will advise you and/or an audio message will be played inside the vehicle with a recording flashing light on the body worn cameras.

What happens to your clinical records?

If an ambulance takes you to hospital, we will share a copy of the patient clinical record so that they have details of your condition and the treatment we have provided.

In addition to sharing your data with other clinicians, we can access your data from other health and care organisations across Northern Ireland to ensure we are providing you with the best possible care.

Where necessary, we use a limited number of private contractors to supplement our emergency and non-emergency transport services. In these cases, they are under contract to us and must comply with data protection legislation in the same way we do. Their performance is monitored and all the information they collect about you is transferred securely to us.

Other health and social care professionals involved in your treatment or care may ask us for information about your use of our services or the treatment you received. Provided we are satisfied that they need this information for your care, or you have given your permission, we will provide this to them.

In some circumstances we may share information or clinical records with other healthcare professionals – most commonly your GP but also specialist healthcare teams such as social service – even if we have not taken you to hospital or provided advice. We do this to help them assess whether they can offer you support that may help to prevent a similar situation arising again.

We are sometimes also asked by the Clinical Commissioning Groups (CCGs) that fund our services to provide information about incidents attended so they can identify and provide more appropriate care pathways for patients. The information we provide will not identify you.

Where another HSC organisation is funding a non-emergency transport service journey, we have to confirm personal information – although we will provide only the details that are needed.

Helping us train our staff and do their work

Clinicians may need a copy of the patient clinical records they have completed for their training, but they will blank out information which could identify you before they do this.

Sometimes, our staff and other third parties listen to calls for training and learning purposes. All requests for third parties will be approved by the Caldicott Guardian who is the Medical Director and who will consider the application of Caldicott Principles in such cases.

Monitoring the standard of care we provide and undertaking research

Anonymised information from patient clinical records is used for internal audit purposes and details of the emergency treatment and care we provide is sometimes used for research. We make sure ethical approval has been obtained in accordance with HSC guidelines before we release any information outside the organisation for research purposes and do not release information that could identify patients unless there is a legal basis for doing so.

On occasion we may need to view records that contain personal information and use this information to link records to allow us to get a full picture of the care provided to you.  If you do not wish for us to use your data for research, please contact the Information Governance Team at NIAS.  Informatics.department@nias.hscni.net

We pass information to other HSC organisations as part of regional initiatives to monitor the standard of care provided within the HSC as a whole. In all cases, we supply only the details that are needed for these purposes and, wherever possible, the information will be anonymised.

Disclosure to third parties

We will not disclose your information to third parties outside the HSC without your permission unless it is required for your direct care or there are exceptional circumstances, such as when it is justified in the public interest; for example:

• When a serious crime has been committed.
• If there are risks to the public or HSC staff.
• To protect vulnerable children or adults who are not able to decide for themselves whether their information should be shared.
• We have a legal duty, for example reporting some infectious diseases, wounding by firearms and court orders.
• We need to use the information for medical research. We have to ask permission from the Northern Ireland there is the Privacy Advisory Committee.

Or where the law requires information to be passed on; for example-

• Where a formal court order has been issued.

We will seek your consent before we release information that identifies you to any third party for any other reason than direct patient care and those set out in this guidance and the regulations.

Your information is never collected for direct marketing purposes, and is not sold on to any other third parties. Your information is not processed overseas.

Please note, anonymised or redacted information shall be shared to third parties such as, but not limited to, research bodies and media outlets. To ensure anonymity and possibilities of re-identification, the Northern Ireland Ambulance Service undertakes relevant appropriate privacy and security assessments before any disclosure.

How do you know your records will be kept confidential?

All HSC organisations have a legal duty to maintain the confidentiality of their patients and Data Protection legislation further defines how we can collect and handle personal information. The HSC also has an additional set of guidelines, known as the Caldicott principles, which apply to the use of patient information. All HSC organisations are required to appoint a Caldicott Guardian to ensure patient information is handled in accordance with legal and HSC regulations, the Caldicott Guardian for the Northern Ireland Ambulance Service is the Medical Director.

When we pass on any information we will ensure that the recipient is aware that it must be kept confidential and secure.

How long do we keep your records?

Information is held for specified periods of time as set out in the Good Management, Good Records (GMGR).

We retain medical records for 25 years and clinical details of 999 calls made by adults for 10 years. Other records that may contain information about you are kept for varying lengths of time, up to ten years.

Your rights over your information

Data Protection legislation gives individuals rights in respect of the personal information that we hold about you. These are:

1. Right of access – you have the right to request a copy of the information that we hold about you.
2. Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
3. Right to erasure (does not apply to medical records) or restriction of processing, such as for research purposes.
4. Right of portability – you have the right to have the data we hold about you transferred from one IT system to another in a safe and secure way, without impacting the quality of the information.
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
7. Right to object – you have the right to object to certain types of processing such as direct marketing.
8. Right to object to any decisions made without human intervention (automated decision making).

Data Sharing

The sharing of information has always happened (to a lesser degree) with paper processes but electronic systems are allowing us to share more relevant information about you amongst your Direct Care Team helping them to be more efficient and support theirs and your decision making on your care.

All of the people accessing and sharing your information (your Direct Care Team) will have some form of direct interaction with you otherwise they will not be accessing your information.

The reason they want to access your information is that this can improve the quality of care that you receive from them. Imagine the information or data that is held about you are pieces of a jigsaw and these pieces are held on different systems by the providers of your care.

If one of your Direct Care Team wants to make a decision on the best course of action for you, the more pieces of the jigsaw they have, the more they can know about you and your history of care and therefore they can make the most appropriate decision based on you and your needs.

The Organisations involved in your Direct Care Team

The local organisations involved in your Direct Care Team include any clinician across Northern Ireland with a legitimate relationship to you and the right level of access to view your record.

How it works

Data sharing securely connects different medical and care computer systems together. When your record is requested by an authorised system user, the system collects the information from different systems and shows the information to the requestor. None of the information it collects is stored and none of it can be changed. Because it collects the information only when it is needed, the information is always accurate and as up to date as possible.

Before any information is collected or displayed to a care professional, they must be involved in your individual or direct care. Not everyone can see your shared data, nor should they. It will only be accessed by the people involved in looking after you directly. The Business Services Organisation uses the secure HSC network to retrieve the information that has been approved to be shared with that care setting and displays a read only view for the care professional to use to support the delivery of care at that specific point in time.

No information is stored or saved so there is no need to worry about what could happen to your information without your knowledge or permission. There is one major way that Data Sharing is taking place in Northern Ireland.

The Northern Ireland Electronic Care Record – This Summary Care Record contains information about your allergies, medications and reactions you have to medications, so that in an emergency or when your GP practice is closed this information is available so that you can be cared for. This is a regional programme for sharing your information. For more information please click here.

Data Sharing FAQ

Why do you need to share my information?

Data sharing will provide health and social care professionals directly involved in your care access to the most up-to-date information about you.

This allows the professionals caring for you to more fully understand your needs. Information is already shared by phone and paper records, data sharing simply allows this to happen more efficiently. It does this by sharing appropriate information from your medical and care records between health and social care services involved in your care.

Can anybody see my records?

Definitely not. Only care professionals directly involved in your care will see your personal care information through data sharing.

How do I know my records are secure?

All staff must respect your privacy and keep your information safe. Your information is stored on secure computer systems connected on a private health and social care network.

Can I access my records?

Yes. Under the GDPR you can request access to all information that organisations hold about you. Please contact the organisations directly to request the information.

Can I object to my records being shared?

You can object to your information being shared by talking to your providers of care. For direct care the people viewing your records are the people directly looking after you and are doing so to give you the best quality care they can.

If you do however still want to object, please contact the organisation who holds the records you do not want to be shared. It is worth noting that not sharing vital information about you with other organisations involved in your care could affect the quality of care that you receive and there may be circumstances where your objection may not be upheld.

For example:

• If it is in the public interest for data to still be shared. For example, if there is a safeguarding issue, or in the case of a mental health patient who might be at risk from harming themselves or a member of the public.
• If clinical care cannot be provided. For example, in referring a patient to hospital and data needs to be shared for the hospital clinician to do their job properly. In this instance obviously the patient can then choose not to have the treatment and therefore not have their data shared.
• If systems are not well developed enough to not share the information. For example, GP Systems are relatively well developed and can handle objections a lot more easily than other providers but they still may be asked not to share something which the system cannot do. In this instance points 1 and 2 above would apply.

What information will be shared?

Your shared record will contain a summary of your most up-to-date, relevant health information which includes things such as:

• Your recent diagnosis and test results.
• What allergies you have; what medications and treatment you currently receive.
• Any Current or Past (and significant) illnesses Encounters and Referrals.

Can everybody see everything on my medical and care records?

No. We are working very carefully, supported by health and social care professionals, to make sure only relevant information is shared into specific care settings.

Can my records be accessed by health and social care professionals outside of my trust area?

Yes, they can but only with other professionals who are caring for you directly. On top of the programmes mentioned above there is also the Northern Ireland Electronic Care Record which is a regional programme and as such means that it is available to care organisations outside of these trust areas (but again only for direct care purposes).

The Northern Ireland Electronic Care Record contains important health information such as:

• Any prescription medication a patient is taking.
• Any allergies a patient may have.
• Any bad reaction to any medication a patient may have previously had.

More information about the Northern Ireland Electronic Care Record can be found at https://www.nidirect.gov.uk/. If you have any queries or want to know more about data sharing or our fair processing, please contact your local provider that holds the information you wish to discuss.

Enquiries and complaints about the use of your personal data

Any questions, comments or complaints about the use of your personal information, please contact our Information Governance Team:

Information Governance Team
Northern Ireland Ambulance Service HSC Trust
Site 30 Knockbracken Healthcare Park

Saintfield Road

Belfast

BT8 8SG

Email: informatics.department@nias.hscni.net

If you are still unhappy with the outcome of your enquiry you can write to:

The Information Commissioner

Wycliffe House, Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 01625 545700.