Skip to content

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here. Hide this message

About us

Out of hours GP service privacy notice

York and Scarborough Teaching Hospitals NHS Foundation Trust have commissioned Nimbuscare Ltd to provide an out of hours GP service on the Trust’s behalf. This privacy notice explains each providers role and what we do with your personal data.

Why are we collecting your information?

This Privacy Notice has been written to inform you that Nimbuscare Ltd and York Teaching Hospital NHS Foundation Trust (the Trust) processes information about you in order to provide health care services. Your clinical care team and other health and care professionals caring for you, keep records about your health and any treatment and care you receive from the NHS. These help ensure that you receive the best possible care from us. We may also use information to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet service user needs in the future
  • Investigate service users’ queries, complaints and legal claims
  • Prepare statistics on the service performance

Who do we collect your information from?

Much of the information we use will be collected directly from you or your family members. We also use information received from:

  • GPs
  • Other NHS bodies
  • Other Care Providers, such as private sector providers
  • Ambulance trusts

Who are we?

The Trust and Nimbuscare act as joint controllers to manage your data. This means that together we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The Trust has appointed Rebecca Bradley (Head of Information Governance) to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the Trust is compliant with Data Protection legislation and to oversee data protection procedures. The DPO contact details are:

York and Scarborough Teaching Hospital NHS Foundation Trust
York Hospital
Wigginton Road
York
North Yorkshire
YO31 8HE
yhs-tr.Information.Governance@nhs.net

Nimbuscare have appointed an external NHS approved Data Protection Officer (DPO), they are contactable via the Corporate Affairs Team, who alongside the DPO are responsible for ensuring Nimbuscare are compliant with Data Protection Legislation.

Acomb Garth,
2 Oak Rise,
York,
North Yorkshire,
YO24 4LJ
01904 943 690
Nimbuscare.feedback@nhs.net

Nimbuscare’s privacy notice can be found here.

What Information are we collecting?

  • Basic information about you, such as name, address, date of birth, NHS number and next of kin details
  • Notes and reports about your health and any treatment and care you need
  • Details and records about the treatment and care you receive

We may also process special categories of information that may include:

  • Nationality, racial and/or ethnic origin
  • Religious or philosophical beliefs
  • Health information: e.g. results of x-rays, scans and laboratory tests
  • Notes and reports about your health, treatment and care.
  • Sex life or sexual orientation

What is our lawful basis for processing your information?

Any personal data we process is done so in accordance with the UK GDPR. The Health and Social Care Act 2012 and the Care Act 2014 are the laws that tell us we have to keep records about the care and treatment you receive. Our lawful basis for processing are:

  • Article 6(1)(d) Vital Interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Article 6(1)(e) Public Task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law.

Where we process your special category information our lawful basis are:

  • Article 9(2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • Article 9(2)(h) Health and Social Care purposes; Schedule 1, Part 1 (c) medical diagnosis, (d) the provision of health care or treatment, or (f) the management of health care systems or services or social care systems or services.
  • Article 9(2)(i) The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or high quality and safety of health care and medicinal products or devices.

We do not need your consent to use your personal information for the delivery of direct care because we have a public task to do this. We use personal information because it is necessary for us to use this to carry out our activities as an NHS organisation.

How long do we keep your information for?

The Trust follows NHS Digitals recommended retention schedule which can be found in the Records Management Code of Practice for Health and Social Care

Who do we share your information with?

We will share information with the following main partner organisations:

  • Other NHS trusts, hospitals that are involved in your care
  • other NHS bodies
  • General practitioners (GPs)

You may be receiving care from other service providers as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit as part of your care.

Therefore, we may also share your information with:

  • Social Care services
  • Local Authorities

We also share with National Auditing bodies

Do we transfer your information outside the UK?

The majority of the information we collect is held in the UK. In some circumstances we may transfer your information outside of the UK, for example where servers are held in the EU. We will take all reasonable steps to make sure your data is not processed in a country that the UK government does not see as ‘safe’. If we do need to send your data out of the EU we will ensure that necessary safeguards are in place.

What rights do you have over your data?

Under GDPR data subjects have the following rights in relation to the processing of their personal data:

  • to be informed about how we process your personal data. This notice fulfils this obligation
  • to request access to your personal data that we hold, and be provided with a copy of it
  • to request that your personal data is amended if inaccurate or incomplete
  • to request that your personal data is erased where there is no compelling reason for its continued processing
  • to request that the processing of your personal data is restricted
  • to object to your personal data being processed

In this arrangement Nimbuscare are solely responsible for managing your rights requests. If you have any concerns about the way we have handled your personal data or would like any further information, then please contact Nimbuscare’s DPO on the address provided above. To put in a Subject Access Request please contact: Nimbuscare.feedback@nhs.net

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the Trust has handled your personal data. You can do so by contacting:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
casework@ico.org.uk // 0303 123 1113

Looking down a long bright hospital corridor with treatment rooms on the left and windows on the right. At the bottom of the corridor is one member of staff in a blue nursing uniform

Our Hospitals

Chinese Poland

View all languages >