Mindworks Surrey – Privacy Notice

Mindworks Surrey is the Emotional Well-being and Mental Health (‘EWMH’) service which aims to support children and young people’s emotional wellbeing and mental health in Surrey. It is delivered by an alliance of organisations of which Surrey and Borders Partnership NHS Foundation Trust is the lead organisation in the alliance.

Established on 1st April 2021, the service is delivered by Surrey and Borders Partnership NHS Foundation Trust as the main contractor, in partnership with a consortium of other health and social care providers and third-sector agencies.

Based on current data protection legislation, which includes the Data Protection Act 2018 and UK General Data Protection Regulation 2016 (UK-GDPR) as well as Access to Health Records 1990, SABP has a legal duty to inform what data we may collect and how we may use that data. 

This privacy statement is part of our communication to ensure that SABP (which is a statutory public benefit corporation established under the National Health Service Act 2006 (as amended)) processes personal information fairly and lawfully. Another part of our communication is a young person friendly version of this document which is currently being written and will be added to our webpage on completion.

SABP and Alliance partners process personal information to support healthcare activities as set out in the National Health Service and Community Care Act 1990. This is the Trust’s source of “official authority.”

SABP is joint data controller together with Alliance partners (SWP, NAS and Barnardo’s) under the terms detailed in UK-GDPR, which means we have a lawful basis to process personal data under Article 6, and Special Category data under Article 9.

You have a right to see all the records we hold about you (paper and digital), unless:

  • It has been provided by someone else and we don’t have their permission to share it
  • It relates to criminal offences, or the detection/prevention of crime
  • It could cause harm (physical or mental harm) to you or someone else.

Under current data protection legislation, you have rights regarding your data:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to restrict processing
  • The right to object

Further details about your data rights are available from the Information Commission’s Office or from our website (search for the ‘Data rights’).
If you would like further information on how we use the information we keep about you, please ask the person you are working with.

We are subject to a common law duty of confidentiality. This means that your information should not be shared further or used except in agreement with you  or as originally understood by you.

Gillick Competence: For children and young people under the age of 16, we follow the principle of Gillick competence when considering consent for sharing information or making decisions about care. This means that if a young person has sufficient understanding and intelligence to fully comprehend the proposed intervention or information sharing, they can provide their own consent without parental involvement. Where a young person is not deemed Gillick competent, consent will be sought from a person with parental responsibility, unless there is a legal or safeguarding requirement to act without consent. 

There are circumstances where we will share relevant health and care information. These are where:

  • The individual has provided us with consent (we have taken it as implied to provide individual with care, or the individual has given it explicitly for other uses). Where the individual has provided explicit consent to use information, the individual has the right to withdraw that consent at any time;
  • It is appropriate to rely on implied consent for confidentiality purposes when contacting individuals and service users about their individual care or requesting they complete a friends and family test survey. For further information visit: Email and text message communications - NHS Transformation Directorate (england.nhs.uk);
  • SABP has a legal requirement (including court orders) to collect, share or use the data;
  • on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
  • the requirements of The Health Service (Control of The individual Information) Regulations 2002 are satisfied.

Common law duty of confidence (confidentiality) is not affected by Consent as a lawful basis.

Mindworks is committed to actively promote the health and wellbeing of children and adults and to prevent harm wherever possible through effective risk assessment, risk management, staff training and supervision processes. We work in partnership with other agencies through the use of approved multi-agency procedures to refer and investigate known or suspected abuse

  • Article 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject..’

Where there is a concern of safeguarding and a need to act upon this we will be obliged to share information with other agencies with the purposes of keeping children and young people safe.

Only the people working with you which can include professionals and volunteers, with a legitimate relationship to your individual care or treatment can view or access your records. 

When this involves more than one service within Mindworks, a summary of key information from your health and care record is shared with other authorised health and care professionals and volunteers across Mindworks.

The information we share includes basic information such as your name, address, postcode, NHS Number, age and GP practice details as well as:

  1. Your referral information – whether you are open to us or not;
  2. Your diagnosis, if you have one;
  3. The start, end and review dates of your care;
  4. Your care plan and your risk assessment

Other organisations also submit limited information from the health and social care records held by your GP Practice, hospitals and social services such as test results, medications and allergies to create one shared digital record.

All organisations involved with the Shared Care Record are legally required to explain how, why and with whom they share your health and care information, through a privacy statement and provide details if you would like use your right to object to sharing your data. You can read ours in our Privacy Notices section below.

Right to Object: If you do not want your information to be shared you can express your right to object at any time. To do please contact your GP practice. You can also speak to your care co-ordinator or named professional about what this may mean for your care with us.

We are a member of Surrey Multi-Agency Information Sharing Protocol.

This is set of principles about sharing personal or confidential information that each organisation has signed up to. It sets out the circumstances when we should share information and what our responsibilities are.

See the Surrey County Council website for more information.

Sharing information with the police and the criminal justice system

There may be times when we must share information with the police or law enforcement agencies without your consent. Such as:

  • If there is a concern you are putting yourself, or another person, at risk of serious harm
  • Where we have been instructed to do so by a court or
  • As part of the investigation of a serious crime

You can find more about how we share information with the criminal justice system in Surrey's Crime and Disorder Information Sharing Protocol.
 

The information we collect about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments preventing illness and diseases
  • monitoring safety
  • planning services

All these uses help to provide better health and care for you, your family and future generations.

Confidential the individual information about your health and care is only used like this where allowed by law, when there is a clear legal basis to use this information.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential the individual information isn’t needed.

You have a choice about whether you want your confidential information to be used in this way.

If you are happy with this use of information you do not need to do anything. If you do choose to opt-out, your confidential information will still be used to support your individual care.

To find out more or to opt out, visit www.nhs.uk/your-nhs-data-matters. You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

We only record the key items for your health care; this will include details about you such as:

  • Your NHS number
  • Your name and address
  • When you were born

Notes on care, treatment and support you are getting or had, as a  individual, appointment or visit (such as from a carer)
And who you have told us we can contact in the event of an emergency.

We only keep your details for as long as necessary, which is set out under NHS guidelines: ‘Records Management Code of Practice for Health and Social Care 2016’. A copy may be downloaded from our website.

Data is collected from a variety of sources, e.g. referral forms, requests for service or Third Party sources
 

We have a duty under UK data protection legislation and NHS codes of practices to keep data records in a confidential and secure manner, and only for as long as they are required. This applies to our electronic records as well as any archived historic paper records held.

SABP maintains healthcare and staff records within secure and accredited databases, with access strictly controlled and managed.

  • For information on how long we keep personal information.
  • Under the terms of Access to Health Records Act 1990, which covers accessing information about someone who is deceased, we keep records for 10 years after someone has passed away.  

Your care co-ordinator may be able to help.

You can also e mail Mindworks on: Mindworks@sabp.nhs.uk and you will be directed to the most appropriate service for support.

Our website contains more information on data protection and your personal information.

Our Patient Advice and Liaison Service (known as ‘PALS’) has advice and support to help resolve any concerns you may have about our services.You can contact them at:

For details on accessing your records, please refer to our Access to Health Records Guidance and Application form which may be accessed by:

If you are still not satisfied with the outcome, you can contact:

Help us improve our website

Please take a moment to share your thoughts and help us enhance our website by completing our short survey here.