Who we are
West Midlands Ambulance Service University NHS Foundation Trust is the data controller responsible for your personal information it processes. This means we decide how and why your information is used.
If you have any questions about this notice or how we use your information, you can contact:
The Data Protection Officer (DPO) – Matt Brown, Head of Risk and Information Governance
Email: [email protected]
What is personal information?
Personal information is information about a living person such as name, address, date of birth and National Insurance number that can identify that person.
There is also personal information that is more sensitive (known as special category data) under the UK General Data Protection Regulation (UK GDPR). This includes details of race, ethnic origin, political opinion, religious beliefs, sex life, sexual orientation, trade union membership, health data and biometric and genetic data.
To process personal information, we must make sure we comply with a specific section of the UK GDPR, (Article 6); however, when we process the sensitive information, we must also comply with another section of the law (Article 9). Further information can be found in the ‘what legal basis do we have for processing personal information’ section.
What information we collect
We may collect and process the following categories of personal information and special category data:
- Personal details (e.g. name, date of birth, NHS number, address)
- Contact information
- Clinical and health information
- Call recordings and incident details
- Location and operational data relating to emergency responses
Why we collect information about you?
We aim to provide you with the highest quality care. To do this, we need to collect and keep records about you and the care we provide.
These records may be held in paper or electronic format and include information recorded during:
- Calls to the 999 Emergency Operations Centre (EOC)
- Attendance at incidents
- Completion of electronic patient records (EPR)
How we use your information?
We will share your information with other NHS and social care organisations to support your care and treatment. For example, if you call 999 and we take you to hospital, we will pass on your information to the nurse or doctor there so they can see what treatment or medicines we may have given. We also have a legal obligation to share with Coroners in certain circumstances. As we are unable to remove or blank out any of the details, this information may include other individuals’ personal information that may be included in a ‘disclosure bundle’ prepared by the coroner.
There are other circumstances where we will share your information with other third parties. However, we will ensure that there is a legal reason for doing so and that the correct processes have been followed before we do so. This sharing will be supported by an information sharing agreement, where necessary, that will be signed by the relevant organisations. This agreement will provide details about why the information is being shared, making sure that it is legal, what information is being shared and how it will be protected. If we are introducing a new service or system, we will conduct a Data Protection Impact Assessment which will identify any areas of concern before any sharing is carried out. This allows us to put steps in place to protect your information. We keep a log of all assessments completed which can be made available on request.
We proactively share details of your treatment with your GP. This is to ensure we provide the best possible care and treatment to you.
If we are sharing your information for research purposes, we will ask for your consent to do this. Even if you do consent, you are allowed to withdraw this consent at any time if you change your mind.
In order to continually improve our service and support our staff, we may use phone calls made to our Emergency Operations Centre for training and monitoring purposes.
We will always try to remove any information that may identify you if it is not necessary. Statistical information often only requires anonymised data, and this will always be used whenever possible.
We can also share your personal information with law enforcement agencies, such as the police or His Majesty’s Revenue and Customs. Disclosures to these would be made under certain laws that we must comply with and would not require consent. Included in this would be CCTV footage showing assaults on our staff that may have been recorded inside or outside one of our vehicles.
We are also legally required to share your information to support the National Fraud Initiative (NFI). View the NFI Privacy notice.
Your personal information may be transferred outside of the UK, for example if a cloud service is hosted in the United States. If it is transferred, this will be done so under a contract. This will state that it will need to give the same level of protection as the UK GDPR provides to information remaining within the UK.
We will never share or sell your personal information for marketing purposes including with marketing, insurance companies, etc.
Ambulance Data Set (ADS) and Emergency Care Data Set (ECDS)
When you receive ambulance care, information about your treatment is recorded. If you are taken to hospital, this information may be linked with hospital records to help the NHS understand and improve patient care.
- Your data is used to improve services, safety, and patient experience
- Your information is shared securely with NHS England
- You have the right to opt out of this data being linked
To opt out: [email protected]
We collect information about your care during ambulance treatment as part of the Ambulance Data Set (ADS).
If you attend an Emergency Department, this information may be linked with hospital data recorded in the Emergency Care Data Set (ECDS).
We use this information to:
- Understand your full care journey
- Improve patient safety and outcomes
- Support training and clinical development
- Improve NHS services and patient experience
Your information is:
- Collected by ambulance services and hospitals
- Securely shared with NHS England (formerly NHS Digital)
- Linked using identifiers such as a 999-call reference number and vehicle reference number
- Returned securely to ambulance services for analysis and improvement
All processing is carried out securely and in line with data protection law.
National Data Opt-Out
The NHS wants to make sure you and your family have the best care now and in the future. Your health and care information supports your individual care. It also helps us to research, plan and improve health and care services in England.
There are very strict rules on how your data can and cannot be used, and you have clear data rights. We are committed to keeping patient information safe and will always be clear on how it is used. You can choose whether or not your confidential information is used for research and planning by using the National Data Opt-Out service
Our lawful basis for using your information
Under UK GDPR, we rely on the following legal bases:
- Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Article 9(2)(h): Processing is necessary for the provision of health or social care
Where applicable, processing is also supported by:
- Health and Social Care Act 2012
- Section 251 approval under the NHS Act 2006
- Health Service (Control of Patient Information) Regulations 2002
When we may share your information without consent
In some circumstances, we may share your information without your consent, for example:
- Where there is a legal obligation
- To prevent or detect serious crime
- To protect vulnerable individuals
- Where there is a risk to public safety
- For approved medical research
Where appropriate, we will inform you of such uses.
How long we keep your information
We retain your information in line with the NHS Records Management Code of Practice for Health and Social Care.
This sets out how long different types of records must be kept before they are securely destroyed.
How we protect your information
We take your privacy seriously and use a range of technical and organisational measures to protect your information, including:
- Staff training and confidentiality requirements
- Access controls and secure systems
- Regular monitoring and audits
Your rights
Under data protection law, you have the right to:
- Be informed about how your information is used
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your information in certain circumstances
- Request restriction of processing
- Object to how your information is used
- Request transfer of your data (data portability)
- Challenge decisions made without human involvement
Please note: Some of these rights may be limited where your information is required for your care or to meet legal obligations.
We will respond to requests within one calendar month.
How to make a request or complaint
If you wish to exercise your rights or have any concerns about how your information is used, please contact:
Data Protection Officer, Matt Brown – Head of Risk and Information Governance
Email: [email protected]
If you are not satisfied with our response, you have the right to complain to the:
Information Commissioner’s Office (ICO)
https://ico.org.uk/global/contact-us/
Updates to this notice
We may update this privacy notice from time to time. The latest version will always be available on our website.
Who we are
West Midlands Ambulance Service University NHS Foundation Trust is the data controller responsible for your personal information it processes. This means we decide how and why your information is used.
If you have any questions about this notice or how we use your information, you can contact:
The Data Protection Officer (DPO) – Matt Brown, Head of Risk and Information Governance
Email: [email protected]
What is personal information?
Personal information is information about a living person such as name, address, date of birth and National Insurance number that can identify that person.
There is also personal information that is more sensitive (known as special category data) under the UK General Data Protection Regulation (UK GDPR). This includes details of race, ethnic origin, political opinion, religious beliefs, sex life, sexual orientation, trade union membership, health data and biometric and genetic data.
To process personal information, we must make sure we comply with a specific section of the UK GDPR, (Article 6); however, when we process the sensitive information, we must also comply with another section of the law (Article 9). Further information can be found in the ‘what legal basis do we have for processing personal information’ section.
What information we collect
We may collect, store, and use the following categories of personal data about you:
Personal and employment details
- Name, address, date of birth, contact details
- National Insurance number, payroll information
- Employment contracts, job role, salary and benefits
Recruitment and pre-employment data
- Application forms and CVs
- References from previous employers
- Disclosure and Barring Service (DBS) checks
Work-related data
- Attendance and absence records
- Performance appraisals and training records
- Disciplinary and grievance records
Special category data
We may also process sensitive personal data, including:
- Health information (e.g. Occupational Health)
- Equality and diversity information (e.g. ethnicity, religion)
- Trade union membership
This data is processed with additional safeguards.
How we collect your information
We collect personal information from:
- You directly (e.g. during recruitment or employment)
- Recruitment agencies
- Previous employers (for references)
- Occupational Health providers
- DBS and other regulatory bodies
- NHS systems and other public sector organisations
Why we use your information
We use your personal data for the following purposes:
- Recruitment and onboarding
- Managing your employment contract
- Paying you and administering benefits
- Managing attendance, performance, and conduct
- Ensuring health, safety, and wellbeing at work
- Providing Occupational Health support
- Monitoring equality and diversity
- Complying with legal and regulatory obligations
- Workforce planning and service delivery
- Preventing fraud and protecting Trust systems
Lawful basis for processing
Under UK GDPR, we rely on the following lawful bases:
Article 6 (general processing)
- 6(1)(b) – Performance of a contract (employment contract)
- 6(1)(c) – Compliance with a legal obligation
- 6(1)(e) – Public task (delivery of healthcare services)
- 6(1)(f) – Legitimate interests (where applicable and balanced)
Article 9 (special category data)
- 9(2)(b) – Employment, social security and social protection law
- 9(2)(h) – Occupational health and social care
- 9(2)(g) – Substantial public interest (where required)
Who we share your information with
We may share your information where necessary with:
- NHS England and other NHS organisations
- Payroll and pension providers (e.g. NHS Pensions)
- HM Revenue & Customs (HMRC)
- Disclosure and Barring Service (DBS)
- Occupational Health providers
- Regulators (e.g. CQC, professional bodies)
- IT system providers and service partners
- Law enforcement or safeguarding authorities where required
We only share information that is necessary and ensure appropriate safeguards are in place.
International transfers
Your personal data is not routinely transferred outside the UK.
If this becomes necessary, appropriate safeguards will be implemented in accordance with UK GDPR.
How long we keep your information
We retain your information in line with the NHS Records Management Code of Practice for Health and Social Care.
This includes:
- Personnel files (typically up to Keep until 75th birthday or 6 years after the staff member leaves whichever is sooner)
- Occupational health records (longer retention where required)
Records are securely disposed of when no longer required.
How we protect your information
We take the security of your data seriously and use appropriate technical and organisational measures, including:
- Role-based access controls
- Secure IT systems
- Multi-Factor Authentication
- Staff confidentiality training
- Regular audits and monitoring
Your rights
Under data protection law, you have the right to:
- Be informed about how your data is used
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure in certain circumstances
- Restrict processing
- Object to processing
- Data portability (where applicable)
- Not be subject to solely automated decision-making
Please note: These rights are not absolute and may be restricted where processing is necessary for employment, legal obligations, or public interest purposes.
We will respond to requests within one calendar month.
Is providing your data madatory?
In most cases, you are required to provide personal data:
- Under your employment contract
- To comply with legal obligations (e.g. tax, right to work checks)
Failure to provide required information may affect your employment.
Automated decision-making
We do not make decisions about you solely using automated processing that have a legal or similarly significant effect.
Complaints
If you wish to lodge a complaint about the use of your information, please contact our Human Resources Department via [email protected] or telephone 01384 215555.
You also have the right to lodge a complaint with the: Information Commissioner’s Office (ICO).
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk
Privacy notice – fit and proper person test (FPPT) Trust Board Members
West Midlands Ambulance Service University NHS Foundation Trust is the data controller for the purposes of UK GDPR and the Data Protection Act 2018 and is committed to protecting the privacy and security of personal information.
This notice explains how we collect, use and protect personal data relating to Trust Board Members.
The FPPT in ESR is commissioned by NHS England.
Contact: Carla Beechey, Director of People
Address: Millennium Point HQ
Phone Number: 01384 215555
Email: [email protected]
The type of personal information we collect is in relation to the FPPT for board members and is described below, much of which is already collected and processed for other purposes than the FPPT:
- Name, position title (unless this changes).
- Employment history – This would include detail of all job titles, organisation, departments, dates, and role descriptions.
- References.
- Job description and person specification in their previous role.
- Date of medical clearance.
- Qualifications.
- Record of training and development in application/CV.
- Training and development in the last year.
- Appraisal incorporating the leadership competency framework has been completed. However, this can be shared with external partners, as required.
- Record of any upheld, ongoing or discontinued disciplinary, complaint, grievance, adverse employee behaviour or whistle-blow findings.
- DBS status.
- Registration/revalidation status where required.
- Insolvency check.
- A search of the Companies House registers to ensure that no board member is disqualified as a director.
- A search of the Charity Commission’s register of removed trustees.
- A check with the CQC, NHS England and relevant professional bodies where appropriate.
- Social media check.
- Employment tribunal judgement check.
- Exit reference completed (where applicable).
- Annual self-attestation signed, including confirmation (as appropriate) that there have been no changes.
Processing of this data is necessary on the lawful basis set out in Article 6(1)(e) UK GDPR as the foundation for the database. This is because it relates to the processing of personal data which is necessary for the performance of the fit and proper person test which is carried out in the public interest and/or in the exercise of official authority vested in the controller.
As a CQC-registered provider, ensuring directors are fit and proper is a legal requirement for the purposes of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and West Midlands Ambulance Service are required to make information available connected with compliance to the CQC.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you as part of your application form and recruitment to satisfy recruitment checks and the FPPT requirements.
[If applicable] We collect, receive and also process personal information indirectly, from the following sources in the following scenarios:
- References when we have made a conditional offer to you.
- Publicly accessible registers and websites for our FPPT.
- Professional bodies for FPPT to test registration and or any other ‘fitness’ matters shared between organisations.
- Regulatory bodies, e.g. CQC and NHS England.
We use the information that you have given us to:
- conclude whether or not you are fit and proper to carry out the role of board director
- inform the regulators of our assessment outcome.
We may share this information with NHS England, CQC, future employers (particularly where they themselves are subject to the FPPT requirements), and professional bodies.
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing this information are:
- We need it to perform a public task.
International transfers
Your personal data is not routinely transferred outside the UK.
If this becomes necessary, appropriate safeguards will be implemented in accordance with UK GDPR.
How we store your personal information
Your information is securely stored. We keep the ESR FPPT information including the board member reference, for a career long period. We will then dispose of your information in accordance with our policies and procedures.
We retain personal data in accordance with the Trust’s Records Management Policy and NHS Records Management Code of Practice.
Board Member records are typically retained for a minimum of 6–10 years after your term ends, unless a longer retention period is required by law.
Lawful basis for processing
We rely on the following lawful bases under UK GDPR:
- Article 6(1)(c) – Legal obligation
- Article 6(1)(e) – Public task (NHS governance functions)
- Article 6(1)(f) – Legitimate interests (effective corporate governance)
Where we process special category data, we rely on:
- Article 9(2)(b) – Employment/social protection law
- Article 9(2)(g) – Substantial public interest
How we protect your information
We take the security of your data seriously and use appropriate technical and organisational measures, including:
- Role-based access controls
- Secure IT systems
- Multi-Factor Authentication
- Staff confidentiality training
- Regular audits and monitoring
Your data protection rights
Under data protection law, you have the following rights:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- You are not required to pay a fee for exercising your rights (unless the request is manifestly unfounded or excessive).
- We will respond to your request within one calendar month.
Please contact us at [email protected] if you wish to exercise these rights.
Is providing your data mandatory?
In most cases, you are required to provide personal data:
- Under your employment contract
- To comply with legal obligations (e.g. tax, right to work checks)
Failure to provide required information may affect your employment.
Automated decision-making
We do not make decisions about you solely using automated processing that have a legal or similarly significant effect.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to the Data Protection Officer, Matt Brown – Head of Risk and Information Governance at [email protected]. You can also complain to the Information Commissioners Office if you are unhappy with how we have used your data.
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk
We may update this notice from time to time. The latest version will always be available.
West Midlands Ambulance Service University NHS Foundation Trust is a Foundation Trust which has more freedom from central government control, though it remains fully part of the NHS. Foundation Trusts are duty-bound to deliver free care, based on need, not ability to pay, but they are more accountable to the local community. This is because local people and staff can become members of the Trust and elect representatives to serve on the Council of Governors or even stand for election as a governor themselves. Foundation Trusts are:
Part of the NHS and subject to NHS standards, performance ratings and inspections. They must also work in partnership with other NHS organisations and co-operate with local partners
Accountable to NHS E and the CQC (Care Quality Commission), who oversee and monitor them against their terms of their licence and have powers to intervene.
Find out more information about being a Foundation Trust.
Public membership
During the course of our activities, West Midlands Ambulance Service collects, stores and processes personal information in relation to its staff and those who have signed up to be a public member (a member must be at least 16 years old). We recognise the need to treat all personal data in a fair and lawful manner.
What types of personal data do we collect?
In order to carry out our activities and obligations as a Foundation Trust we collect membership data in relation to:
- Personal demographics (including Name, Gender, Ethnicity, Sexual Orientation, Date of Birth)
- Contact details such as names, addresses, telephone numbers and email addresses.
- Medical information (any declared disability)
- Membership Number, Status and Eligibility
- Engagement Activities such as attending events, responding to surveys or becoming a governor.
Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
Processing Personal Data
To enable effective administration of its membership, West Midlands Ambulance Service University NHS Foundation Trust membership register is held securely with an external company. Read Civica’s full privacy notice.
The company is compliant with ISO27001 (the international standard for best practice for an information security management system).
Data protection laws give individuals rights in respect of the personal information that we hold about you. These are:
- The right to be informed – To be told why, where and how we use your information.
- The right of access – To ask for access to your information.
- The right to rectification – To ask for your information to be corrected if it is inaccurate or incomplete.
- The right to erasure – To ask for your information to be deleted or removed where there is no need for us to continue processing it.
- The right to restrict processing – To ask us to restrict the use of your information.
- The right to data portability – To ask us to copy or transfer your information from one IT system to another in a safe and secure way, where applicable.
- The right to object – To object to how your information is used.
- Rights in relation to automated decision making and profiling – To challenge any decisions made without human intervention.
How long we keep your information
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, and governance requirements.
Retention periods are determined in accordance with the NHS Records Management Code of Practice for Health and Social Care and the Trust’s Records Management Policy.
For Foundation Trust Members, records relating to membership, engagement, and governance activities will typically be retained for a defined period after membership ceases, in line with the NHS Records Management Code of Practice, unless there is a legal requirement to retain them for longer.
At the end of the retention period, your information will be securely deleted or destroyed in accordance with Trust policies and data protection legislation.
Your data protection rights
Under data protection law (UK GDPR and the Data Protection Act 2018), you have the following rights in relation to your personal data:
- The right to be informed – You have the right to be informed about how and why your personal data is collected and used.
- The right of access – You have the right to request access to the personal information we hold about you.
- The right to rectification – You have the right to request that we correct any personal information that is inaccurate or incomplete.
- The right to erasure – You have the right to request that we delete or remove your personal data where there is no lawful basis for us to continue processing it.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal data in certain circumstances.
- The right to data portability – You have the right to request that we transfer the personal data you have provided to us to another organisation, or directly to you, in a secure manner, where applicable.
- The right to object – You have the right to object to the processing of your personal data where we rely on legitimate interests or for direct marketing purposes.
- Rights in relation to automated decision-making and profiling – You have the right not to be subject to decisions based solely on automated processing (including profiling) where this produces legal or similarly significant effects.
You are not required to pay a fee for exercising your rights (unless your request is manifestly unfounded or excessive). We will respond to your request within one calendar month.
Should you have any further queries on the uses of your information please contact the Foundation Trust team on [email protected] or you wish to lodge a complaint about the use of your information please contact the Trust Data Protection Officer, Matt Brown – Head of Risk and Information Governance via email: [email protected].
If you are unhappy with how your personal data has been handled, you have the right to complain to the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk
Telephone: 0303 123 1113
West Midlands Ambulance Service University NHS Foundation Trust (WMAS) uses surveillance cameras (CCTV, vehicle cameras and body worn cameras) across its sites and services to support the safety and security of staff, patients and the public.
Please note: Body Worn Cameras and in-vehicle cameras are only activated where staff believe there is a risk to safety or a potential incident situation. Where recording is taking place, individuals will be made aware through verbal communication, audio alerts or visible recording indicators.
Lawful basis
We process personal data captured by surveillance systems under:
- Article 6(1)(e) – Public task (processing necessary for the performance of tasks carried out in the public interest)
Where special category data is captured, processing is carried out under:
- Article 9(2)(g) – Substantial public interest (with reference to Schedule 1, Data Protection Act 2018 – safeguarding and prevention/detection of unlawful acts)
Purpose of processing
We use surveillance systems to:
- Protect staff, patients, visitors and Trust property
- Prevent and detect crime and anti-social behaviour
- Support investigations and legal proceedings
- Provide evidence to law enforcement agencies
- Promote a safe working and care environment
Sharing your information
Information may be shared where appropriate with:
- Law enforcement agencies (e.g. police)
- Courts and legal representatives
- Internal teams responsible for investigations
All disclosures are made in accordance with data protection legislation.
Retention
Surveillance recordings are typically retained for [e.g. 30 days], unless required for an ongoing investigation, legal proceedings, or where longer retention is necessary and lawful.
Your Rights
You have the right to:
- Request access to your personal data (Subject Access Request)
- Request restriction of processing
- Object to processing (where applicable)
Please note, rights may be limited where data includes third parties or is required for legal purposes. Any third-party information will be redacted.
Find out more about how to make a subject access request. Please be aware, you will need to provide sufficient information to identify you and assist us in finding any images on our systems and any third-party information will be redacted. We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Camera data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection.
Security
We apply appropriate technical and organisational measures to ensure surveillance data is securely stored and only accessed by authorised individuals.
How to make a complaint
If you wish to exercise your rights or have any concerns about how your information is used, please contact:
Data Protection Officer, Matt Brown – Head of Risk and Information Governance
Email: [email protected]
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO).
We may update this privacy notice from time to time. The latest version will always be available on our website.
Introduction
- Patients have fundamental legal and ethical rights in determining what happens to their own bodies and in securing their privacy and freedom. Valid consent to treatment is therefore absolutely central to all forms of healthcare, from providing personal care to more invasive interventions.
- Seeking consent is also a matter of common courtesy between health professionals and patients. Relevant discussion regarding proposed assessment or treatment should be documented, this must include the patients’ decision around which treatment is accepted and declined. A good level of communication will facilitate informed consent through to the management of non-consent.
- It is not uncommon in pre-hospital situations for patients to refuse care or treatment. Although patients may refuse, there may remain, in certain circumstances, an ongoing moral duty and legal responsibility for staff to provide further intervention. This policy provides guidance on how these situations should be managed.
- This policy reflects a range of national guidance and legislation including, but not limited to:
- Human Rights Act 1998
- Mental Capacity Act 2005
- The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
- Childrens Act 1989
- Equality Act 2010
- Mental Capacity Act Code of Practice (2007)
- National Institute for Clinical Excellence Clinical Guidelines and Quality Statements
- Joint Royal Colleges Ambulance Liaison Committee Clinical Practice Guidelines
5. A healthcare provider who does not adhere to the principles of consent may be liable to legal action from the patient and where appropriate their registering body.
Purpose and Scope
- To state the legal, professional and ethical basis for consent within the healthcare setting and to ensure that patients are informed and treated appropriately and with due consideration to their wishes and best interest.
- To state the legal, professional and ethical basis for the assessment of mental capacity, making decisions and undertaking acts on behalf of a patient who is unable to make a decision for themselves.
- This policy applies to all personnel working for West Midlands Ambulance Service University NHS Foundation Trust (the Trust) in relation to all patient contact.
Accountabilities and Responsibilities
- The Chief Executive Officer has:
- Overall responsibility for the implementation of this policy throughout the trust
- Overall responsibility for the compliance of the trust with UK statute, including Regulation 11 of The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
- Delegated responsibility to the Paramedic Practice and Patient Safety Director
2. The Executive Medical Director is responsible for all clinical care provided by the trust and is responsible as Caldicott Guardian in respect of confidentiality and consent given for data sharing.
3. The Head of Clinical Practice (Mental Health) will provide expert advice on Consent and the application of the Mental Capacity Act. They will also be responsible for:
- Ensuring education and training needs relating to consent and the application of the mental capacity act are reviewed and reassessed annually and advice is provided to the trust in the development of training plans.
- Ensuring relevant national guidelines, legislations changes and case law relating to consent and capacity are reviewed and expert advice is provided on their application within the trust.
- Ensuring appropriate clinical engagement with partner agencies and trusts relating to matters of consent, mental capacity and deprivation of liberty.
- Providing robust review of incidents relating to consent, mental capacity and/or deprivation of liberty in consultation with the trust patient safety team.
- Providing educational and clinical information to support the operational implementation of this policy and any related clinical procedures.
- Auditing the performance of the trust against all relevant legislation, guidance, policies and procedures.
4. The Head of Education and Training is responsible for:
- Undertaking a training needs analysis for any change in clinical guidance
- Ensuring the training recommendations are undertaken
- Ensuring the earliest possible resolution for those unable to complete scheduled training
- Ensuring adequate education in relation to aspects of consent and mental capacity as they apply within the CQC regulatory framework.
5. All Managers within the trust will ensure that staff have access to the policy such that they are able to familiarise themselves with its application.
6. All WMAS Staff are responsible for following:
- Ensuring compliance in the application of this policy, associated procedures, relevant legislation and statutory and professional guidelines.
- Maintaining knowledge and competency relating to Consent and Mental Capacity
- Supporting and upholding patient autonomy and human rights
7. The Professional Standards Group will be responsible for reviewing audit reports relating to consent and mental capacity and monitoring any subsequent recommendations and action plans arising from such audits.
8. The Learning Review Group will be responsible for reviewing learning and recommendations relating to and involving consent and mental capacity.
Definitions
The definitions are:
- Valid Consent:
The voluntary and continuing permission of the patient to be given a particular examination, to access clinical records, treatment, operation, or examination. Consent is only valid where it is given by an appropriately informed person who has the capacity to consent to the intervention in question
- Informed Consent:
A patient’s consent to a clinical procedure (or to participation in a research study) after being advised of all relevant facts and all risk involved (see below).
- Capacity to Consent:
All persons 16 years and above must in law be presumed to possess the capacity to make decisions in line with the Mental Capacity Act 2005 (MCA). Should an individual’s capacity to make a decision (including consent for assessment or treatment) be in question then the MCA sets out the framework for formal assessment of this.
- Duration of Consent:
The length of approval gained by valid consent being given. This generally remains valid unless it is withdrawn by the patient, however, new information should be given to the patient as it arises, and consent gained for any new assessment, treatment or intervention proposed.
Duty of Care, Consent and Human Rights
- There is a legal, professional, and ethical consensus about the clinical duty to obtain informed consent. Patients may, however, have cognitive and emotional limitations in understanding clinical information. Social and economic variations are also important variables in understanding the practical difficulties in obtaining informed consent. It is the duty of ambulance clinicians to act in a patient’s best interest by overcoming such difficulties so that the patient has a clear, unbiased, and informed view of the care that is being proposed.
- ‘Duty of care’ may be defined as the absolute responsibility of a health care professional to treat and care for a patient with a reasonable degree of skill and care within their scope of practice.
- Any health care provider who does not treat a patient because valid consent was not gained, could be deemed to be negligent if a genuine effort was not made to gain such consent.
3. The Human Rights Act 1998 provides a framework for the fundamental rights of every person. WMAS will seek to promote an uphold such rights
- Article 2 of the Human Rights Act 1998 places a positive duty upon those acting for and on behalf of the state to protect and uphold the right of an individual to life. WMAS staff will promote and uphold this duty and always seek to act to sustain the lives of its patients.
- The European Court of Human Rights has ruled that –
‘Treatment without consent, invasive treatment contrary to a patient’s best interest, and withholding medical care’ can all be deemed ‘inhumane or degrading treatment’ in extreme cases. Such treatment would be considered contrary to Article 3 of the Human Rights Act 1998
- WMAS staff will ensure the rights of individuals to liberty and security and protect the right to private and family life in accordance with article 5 and article 8 of the Human Rights Act 1998. Any breach of such rights are required to shall be done in accordance with the appropriate procedure set out in legislation such as Mental Health Act 1983 and Mental Capacity Act 2005.
Seeking Consent
- Before examining, treating or caring for patients, consent will be obtained. Valid consent can only be given by the patient (or, where relevant, someone with parental responsibility for a child or young person). Where valid consent is withheld this must be respected.
- Patients can change their mind and withdraw consent at any time. If there is any doubt, you should always check that the patient still consents to your caring for or treating them. Consent should be continuous – if previously unexplained treatment is carried out, further consent should be gained.
- Three basic tests are used to ensure that consent is valid:
- Does the patient have capacity?
In law all persons 16 years or over must be presumed to possess the capacity to
make decisions. In circumstances where there is reasonable justification to doubt this then the Mental Capacity Act 2005 sets out the legal framework to undertake a formal assessment. This includes a diagnostic assessment, functional test and where necessary best interest decision making.
- Is the consent given voluntarily?
Staff should ensure that valid consent is gained from the patient without undue pressure, influence or duress from staff, family members or any other person or circumstance. Staff must challenge and record any instance where attempts to exert such pressure influence or duress are identified along with actions taken to mitigate and respond to this as part of the patient record. Where this involves a vulnerable individual, consideration must be given to making appropriate safeguarding referrals in line with the Safeguarding Policy.
- Has the patient received sufficient information?
The patient should understand, in broad terms, the nature and purpose of the procedure. Failure to provide all relevant information may render the healthcare provider liable to an action for negligence
4. The type of information that needs to be given by the ambulance clinician will vary depending on circumstance and urgency. Information should be provided by somebody with the necessary knowledge and understanding of the care. The following is a useful guide to the type of information the patient should receive prior to treatment:
- Description and method of treatment, removal and ongoing care.
- Purpose and reason for treatment, removal and ongoing care.
- Possible complications and side effects of treatment.
- Treatment options: including the option not to treat and the likely consequences.
- Explanation of likely benefits of treatment.
- A reminder that the patients can change their mind about consent at any time.
5. Staff should take all steps that are reasonable and practicable in the circumstances to facilitate communication with the patient in a way that the patient can understand, using interpreters or communication aids as appropriate, whilst allowing for the urgency of the situation. Patients also need to be able to communicate their decision. Care should be taken not to under-estimate the ability of a patient to communicate, whatever their condition. Often people with learning disabilities have the capacity to consent (and presumption should be maintained) if time is spent explaining to the individual the issues in simple language, considering the use of visual aids.
6. In an emergency/time critical situation, where consent cannot be obtained, emergency clinicians should undertake an assessment of capacity and provide treatment that is in the patient’s best interests and is immediately necessary to save life or prevent a significant deterioration in the patient’s health.
7. Staff should ensure that valid consent is gained from the patient without undue pressure, influence or duress from staff, family members or any other person or circumstance. Staff must challenge and record any instance where attempts to exert such pressure influence or duress are identified along with actions taken to mitigate and respond to this as part of the patient record. Where this involves a vulnerable individual, consideration must be given to making appropriate safeguarding referrals in line with the Safeguarding Policy.
Children and Young People
- The legal position concerning consent and refusal of treatment by those under the age of 18 is different from the position for adults, in particular where treatment is being refused.
- Young people aged 16 and 17 years are presumed in law to have sufficient understanding and intelligence to be able to consent to their own medical treatment. As with adults, staff should ensure that consent is valid, i.e. given voluntarily by an appropriately informed patient, capable of consenting to the particular intervention. It is, however, good practice to involve the young person’s family in the decision-making process, unless the young person specifically wishes to exclude them from the decision making process, this needs to be documented on the clinical record PRF/EPR
- With patients under the age of 16, those who have sufficient understanding and intelligence to fully understand what is proposed also have the ability to consent to the intervention (Gillick Competancy). This means that the level of competence of children varies with the complexity of the treatment/refusal and its consequences. There is no particular age when a child gains capacity to consent. In emergency care, consequences of non-treatment are usually evident – but should be fully explained to ensure that a refusal to give consent is fully informed. The Mental Capacity Act 2005 framework does not apply for persons under 16 years of age.
- For patients under the age of 16 who do not have the sufficient understanding or intelligence to fully understand the nature of the treatment or care proposed, consent should be sought from somebody with parental responsibility for the patient. This includes parents, legal guardians or agencies holding parental responsibility (e.g. Social Services). Where possible, the child or young person should be given the opportunity to express their wishes.
- For patients under the age of 16 who do not possess sufficient understanding and intelligence to consent to treatment and where it is not reasonably practicable to obtain parental consent (e.g. to deliver urgent interventions in the absence of an individual with parental responsibility), clinicians should act in the best interest of the child
- As is the case where are giving consent for themselves, those with parental responsibility and giving consent on behalf of young patients should have the capacity to consent to the intervention in question, be acting voluntarily, and be appropriately informed and be acting in the best interests of the child.
- It is only necessary to gain consent from one person with parental responsibility for the patient. Where a dispute arises between two parties with parental responsibility or between a competent child and a person with parental responsibility and the circumstances do not involve the need for time-critical interventions, clinicians should seek support (e.g. OM, TIC, CVT, MHRV, Police). Where agreement about the best interests of a child cannot be reached, best practice is to refer such cases to the Court of Protection. This may not, however, be practical in the context of delivering urgent and emergency care and staff should consider involving the patient’s General Practitioner or other relevant health and social care practitioners with a pre-existing and ongoing care responsibility for the patient should such a circumstance arise.
- Critical situations involving children and young person’s involving a life-threatening emergency may arise during a consultation with a person with parental responsibility that refuses consent, despite such emergency treatment appearing to be in the best interests of the child to prevent grave and irreversible mental or physical harm. Similarly where there is disagreement between two persons with parental responsibility or between a child considered to have competence to consent or refuse care and a person with parental responsibility. In such cases the courts have stated that doubt should be resolved in favour of the preservation of life and it will be acceptable for all health care providers to undertake treatment to preserve life or prevent serious damage to health. This MUST be clearly documented, and advice sought from i.e., Operational Managers if required. It is paramount that if there is an escalation of conflict or immediate safeguarding concern that Police are requested.
Mental Capacity Act 2005 – Assessing Capacity
- The Mental Capacity Act 2005 (MCA) provides a framework to protect and uphold the rights of individuals who may lack the mental capacity to make decisions about their health and treatment. It applies to those aged 16 and over.
- The MCA outlines five statutory principles which should be considered at all times when addressing issues relating to Mental Capacity. These are:
- A person must be presumed to have capacity unless it has been established that they lack capacity.
- A person cannot be treated as unable to make a decision unless all practicable steps have been taken to help them to do so.
- A person is not to be treated as unable to make a decision merely because they make an unwise decision
- An act done, or decision made, under the MCA for or on behalf of a person who lacks capacity must be done, or made, in their best interests
- Before the act is done, or the decision is made, regard must be had to whether the purpose for which it is needed can be as effectively achieved in a way that is less restrictive of the person’s rights and freedom of action
3. An assessment of capacity should be made where any doubt exists, or where concerns are raised as to the capacity of the patient to make a decision.
4. The MCA defines a person as lacking capacity as follows:
“a person lacks capacity in relation to a matter if at the material time he is unable to make a decision for himself in relation to the matter because of an impairment of, or a disturbance in the functioning of, the mind or brain” (Mental Capacity Act, 2005)
5. Assessments of capacity should be both decision and time specific. Where a different decision is required a further assessment of capacity should be made. Similarly, if circumstances change or a significant period of time elapses, reassessment of capacity should be undertaken.
6. WMAS staff will assess the capacity of an individual to make a specific decision at a given time in line with WMAS procedures for the assessment of capacity, with due regard for legislation, statutory guidance and national guidelines.
7. WMAS staff assessing and determining the capacity of an individual to make a decision will document this assessment and evidence any finding of incapacity on the balance of probabilities within the patient record.
8. WMAS staff will assess the needs of any patient lacking capacity in order to make a determination of treatment or care to be delivered in their best interest. This will be done in accordance with WMAS procedures for the assessment of best interests, with due regard for legislation, statutory guidance and national guidelines. This will take into account the wishes and views of the patient and any family, carers or other appropriate persons. All reasonably ascertainable relevant circumstances and information will be documented clearly alongside the decisions made or acts undertaken as part of the patient record.
9. Section 5 of the MCA provides protection from liability for Acts undertaken in connection with the care or treatment of patients but does not provide protection arising from negligence. Such acts can be undertaken where the patient lacks capacity, the acts are reasonably believed to be in the best interest of the patient and do not amount to a deprivation of liberty. Examples of such acts may include:
- Carrying out an assessment or examination of the patient
- Providing medical treatments
- Giving medication
- Taking someone to hospital for assessment or treatment
- Providing care in an emergency
10. The definition of a deprivation of liberty is not defined within the MCA. However, case law from both the European Court of Human Rights and within the UK has established an acid test. A deprivation of liberty arises where the person is subject to continuous supervision or control and is not free to leave. This applies where such restrictions are for a not negligible period of time. Consideration as to what constitutes a ‘not negligible period of time’ will be dependent on the nature, duration and intensity of any restriction or force applied. A deprivation of liberty may only be considered in order to provide life-sustaining treatment, or to prevent a serious deterioration in the condition of the patient and must take into consideration the criteria set out in section 4b of the MCA.
11. In circumstances where the need for a deprivation of liberty arises, staff should seek senior advice wherever practicable. At all times, staff will have regard for considering less restrictive interventions, ensuring acts are in the best interest of the patient and will ensure all relevant information is documented as part of the patient record.
12. Restraint by WMAS staff should be utilised only as a last resort to prevent serious harm occurring in the absence of any other appropriate means or resources to do so. This policy should be read in conjunction with the WMAS Assessment of Capacity, Decision Making and Best Interests and Restraint and Deprivation of Liberty Procedures which outline processes to support the application of the Mental Capacity Act 2005
Advance Refusals of Treatment
- Patients may have a “living will”, “advance directive” or advance decision to refuse treatment (ADRT) specifying how they would like to be treated in the case of future incapacity. These may be formal legal documents, written informally or expressed verbally to family, friends, carers and attending clinicians. Case law has determined that refusal of treatment under a living will or advance directive that is valid, made voluntarily by an appropriately informed person with capacity and applicable to subsequent circumstances in which the patient lacks capacity, is legally binding. WMAS should respect the wishes stated in such a document, when the crew are made aware of its existence. The responsibility for making provision to make ambulance staff aware of such wishes lies with the patient.
- In a pre-hospital emergency environment, there may be situations where there is doubt about the validity or applicability of a living will, advance directive or ADRT, often as a result of not being previously aware of its existence. If ambulance clinicians are not satisfied that the patient had made a prior and specific request to refuse treatment, or that the advanced directive does not apply specifically to the presenting clinical circumstances, they should continue to provide all clinical care in the normal way until further information can be provided.
- Where such a refusal relates to life-sustaining treatment (e.g. Resuscitation) an ADRT must be in writing, signed and dated by the person and witnessed. Where these criteria are not met, WMAS staff must provide care in line with the patient’s best interests.
Mental Health, Overdose and Self-Harm
- Where a patient with a mental health need presents, consideration should be given to whether making a referral for assessment under the Mental Health Act 1983 would be more appropriate to the use of the mental capacity act 2005.
Consent for Patients whose First Language is not English
- The Trust is committed to ensuring that patients whose first language is not English receive the information they need and are able to communicate appropriately with healthcare staff. It is not best practice to use family members to interpret for the patient who does not speak English, however it is recognised that this may be the only option available, staff should use the ‘Pre Hospital Communication Guide’ to assist in communicating with the patient. This is available on the WMAS intranet and via the EPR/Kit Bag. If language still remains a barrier to effective communication, then staff should contact the Emergency Operations Control Centres requesting ‘Language Line’ or contact ‘Language line’ directly.
Clinical Photography and Conventional or Digital Photography
- Photography (involving patients themselves) intended to benefit the patient’s treatment is seen as ‘treatment’ in itself and requires valid consent. Photographs should be retained in the patient’s hospital file and no other copies are permissible. Only Trust photographic equipment can be used by authorised persons for this purpose. No photographs are to be taken using personal media devices.
- All other photography and motion pictures for purposes such as media promotion require patient and staff consent, which needs to be sought in writing. Care should be taken to ensure the patient does not unduly pressured into giving such consent as a condition of receiving care.
Exceptions to the Principle of Consent
- An unborn foetus has no rights under consent law. A pregnant mother has every right to refuse treatment for herself or her foetus, irrespective of the potential harm that may arise to the foetus however the requirements of Safeguarding the unborn child under the Children Act 1989 come into play and a safeguarding referral must be instigated without delay and a request made for support from a senior officer.
- The Public Health (Control of Disease) Act 1984 provides that, on an order made by the magistrate or sheriff, persons suffering from certain notifiable infectious diseases can be medically examined, removed to, and detained in hospital without their consent. Similarly, Section 47 of the National Assistance Act 1948 provides for the removal to suitable premises of persons in need of care and attention without their consent. Such persons should either be suffering from grave chronic disease or be aged, infirm or physically incapacitated and living in unsanitary conditions. These situations are extremely rare and ambulance clinicians should request an incident officer or clinical supervisor to attend such incidents.
- If a patient refuses decontamination treatment, for example following a chemical, biological, radiological or nuclear (CBRN) incident, ambulance clinicians should liaise with the Police, Health Protection Agency and Public Health laboratories to decide on an appropriate course of action. Powers lie within these groups to take action for the public good.
- Treatment involving mentally ill patients is covered by the Mental Health Act 1983, provided that the patient is formally detained under that Act. Exceptions under the Act only relate to treatment for the mental disorder itself, and not for other illnesses or conditions. This means that any patient detained under the Mental Health Act 1983 has every right to impart and deny consent for treatment for physical disorders not directly related to his/her mental illness. It is very likely that specialist advice will be available in such circumstances from the Approved Mental Health Practitioner (AMHP) who has coordinated the Section.
Consent and Research
- Involvement in a research project requires that valid consent is obtained beforehand with certain exceptions. The requirements for consent as they apply to research are set out in the WMAS Trust research strategy.
Consent and Data Protection
Subject Access Requests
- Requests by an individual to access their own data will be processed under the legal basis of consent, in accordance with the Data Protection Policy and any other relevant trust Policies or Procedures. As such, it is incumbent upon those processing this information to ensure that the principles of consent have been adhered to. In addition when dealing with data subjects remotely, there is an expectation of due diligence in establishing the identity of the person giving consent to the release of information.
Consent to process information as part of care delivery
- In line with the recommendation of the information commissioner, Consent should not be considered as the primary legal basis for processing information as part of the delivery of direct health and care service, as it is difficult to deliver care without processing information and as such it is difficult for such consent to be freely given. This may apply both to the remote delivery of care by the Emergency Operations Centre, or in respect of on-scene care.
- In such cases the trust will consider the following elements of GDPR/Data Protection Act 2018 as they apply to the given situation:
- GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation
- GDPR Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- GDPR Article 9(2)(h): processing is necessary for the purposes of preventative or occupational medicine…medical diagnosis, the provision of health or social care or the management of health or social care systems and services…’
- GDPR Article 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
- GDPR Article 9(2)(j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- Data Protection Act 2018, Schedule 1: Part 1 describes conditions for processing personal data for health, public health, social care and research purposes; Part 2 sets out the conditions for processing personal data on the grounds of substantial public interest
3. In most circumstances these provisions will provide an appropriate framework for the processing of information relevant to the delivery of care.
4. This does not preclude the giving of consent where this is appropriate in such scenarios, but these provisions may provide a more robust legal basis for the processing of personal information and sensitive data (including health related data).
5. In general terms, access to supplementary information and shared care records should be on the basis of consent. In specific circumstances, it may be appropriate to rely on other legal basis justifications as defined by GDPR/DPA 2018.
Consent to process information as part of central trust functions
- Various functions within the trust also process information outside of care delivery. This includes but is not limited to HR, the Patient Experience Team, the High Intensity Service Users Team, the Safeguarding and Patient Safety Team.
- Across such functions, each team will ensure it has appropriate processes in place where it is processing information on the legal basis of consent that such consent is recorded appropriately. Any such consent given should algin with the definition of consent within this policy.
Processing Information Under a Legal Basis other than Consent
- The Data Protection Act 2018 sets out the lawful basis for the processing/sharing of information. Whilst one basis is the consent of the individual, there are others for which consent might not be required, or where, despite the refusal/withdrawal of consent, data is processed in any case.
- The Trust will act in accordance with the Data Protection Act 2018, WMAS Data Protection Policy and all relevant policies and procedures when processing and sharing information. Where relevant and appropriate it will have due regard to the National Data Opt Out as described in WMAS’s National Data Opt Out Policy.
- Section 251b of the Health and Social Care Act 2012 imposes a positive duty to share information to other health or social care providers where “likely to facilitate the provision to the individual of health services or adult social care in England, and it is in the individuals best interests”.
- Where the individual objects (i.e refuses or withdraws consent), or is considered likely to object to this, the Trust ‘need not’ comply with this duty. The legislation does not however note that the trust ‘must not’ or ‘should not’ and so the sharing of information in these circumstances should be balanced on the basis of the benefit and risk associated with processing/sharing the information and in light of any other relevant provision of the Data Protection Act 2018, the Trusts Data Protection Policy/ Procedure or any other relevant policy procedure.
Key Points – Consent
- Gaining valid consent is central to all forms of healthcare.
- Consent is only valid if it is given freely by a person who has all the relevant facts, is able to assimilate them, and can fully understand the implications of their decision. (i.e. has capacity)
- Patients can change their minds and withdraw consent at any time.
- Young persons who have the intelligence to fully understand the proposed treatment also have the capacity to consent to such treatment.
- The rules of consent do not absolve clinicians of their duty of care responsibility, nor do they affect the human rights of patients. Valid refusal of consent by a capacitious patient will however satisfy the duty of the staff member in most cases, excepting where there are other legal duties e.g. Safeguarding.
Should you have any further queries on the uses of your information please contact [email protected].
How we use cookies
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Under the GDPR (General Data Protection Regulation), DPIAs should be used to evaluate risks to the rights and freedoms of data subjects that result from data processing. They are particularly relevant when introducing new data processing processes, systems or technologies.
DPIAs also support the GDPR’s accountability principle, helping organisations prove that they have taken appropriate technical and organisational measures, as required.
Here’s copies of the Trusts completed and approved Data Protection Impact Assessments.