Purposes for processing
From October 2017 NHS England, and NHS Improvement (incorporating Monitor and the Trust Development Authority) have had in place joint Regional Directors for the South East and South West regions. This arrangement is designed to promote more collaborative and joined-up ways of working between the NHS Improvement and NHS England in these regions. The key aim is to help ensure the most efficient and effective use of NHS resources for the benefit of local health economies and the patients they serve. The development of Sustainability and Transformation Partnerships (STPs) and Accountable Care Systems (ACSs) strengthens the case for a more joined-up approach between NHS England and NHS Improvement.
Both organisations process personal data relating to people raising complaints, whistleblowing and similar concerns. Where these matters are of appropriate severity one of the joint directors may have access to this information. Their private office staff, who may be employed by either organisation, may also have access to the information.
Sources of the data
NHS England receives complaints and whistleblowing data from members of the public, our own staff and staff of other health and social care organisations. Information about our workforces is collected at recruitment and generated throughout the course of employment.
Categories of personal data
The personal data that relates to complaints, whistleblowing and similar concerns will include personal details such as names and addresses, and may include information about diagnosis and treatment, and statements of witnesses. Each organisation may request relevant information from data subjects/third parties that is proportionate to discharging their statutory functions.
Categories of recipients
Personal data relating to whistleblowing, complaints and similar concerns may be received by the jointly appointed senior management posts in NHS Improvement and NHS England, and their administrative teams. Line managers receive data about staff they manage across the organisations.
Legal basis for processing
For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
For other processing of personal data about our employees, people raising complaints, whistleblow and similar concerns, our legal basis is Article 6(1)(e) – ‘…exercise of official authority…’.
Where we process special categories data for employment purposes the condition is: Article 9(2)(b) – ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.
For the processing of information about the health of our workforce, and about those who raise complaints or whistleblow the legal basis is: Article 9(2)(h) – ‘ …processing is necessary for the purposes of preventive or occupational medicine…assessment of the working capacity of the employee…the provision of health or social care…’.