Shared patient tracking list (PTL) Federated Data Platform (FDP) product privacy notice

Product description

NHS trusts use this product to support and improve their waiting list times for planned treatment and to provide you with the best care within the most appropriate timeframe in relation to the procedure or treatment you are being provided by the hospital.

The product enables care teams across hospitals who are working together to identify the actions they can take to ensure that your procedure or treatment can be scheduled and carried out smoothly. Only members of the team responsible for arranging your care will have access to your personal information in the product to help organise your care.

What are the purposes for processing my personal data in this product?

This product processes personal information (called ‘personal data’ under data protection laws) about patients who require planned treatment in a hospital to support the better coordination of your treatment. This includes information about your health, medical condition and the procedure or treatment. The product enables the care teams in the hospitals to more effectively coordinate your treatment and care to improve the speed of access to treatment.

The use of the product by NHS trusts working locally together will improve the delivery of treatment through using the information to put the right patient in the right location, through understanding their care needs. This will include bringing together all required information into one place to support arranging your treatment.

The product enables the care team to identify the actions they can take to improve and speed up your care pathway. Hospitals who work together locally will use this product to provide you with the best care within the most appropriate timeframe. This will also help hospitals to improve their waiting lists times for planned treatment for all patients, following the increase in waiting times caused by the Covid-19 pandemic.

What personal data about me is processed in this product?

Personal data which directly identifies you (we call this directly identifiable data) will be processed by NHS trusts about patients who are having planned treatment scheduled, for the purposes above. Data that is processed by hospitals that use this product may include your:

  • name
  • address
  • telephone number (mobile and home)
  • date of birth
  • age
  • gender identity
  • NHS number or hospital record number
  • health information, including information about your medical condition, symptoms, diagnosis and treatment

Personal data about members of staff involved in the delivery of care may also be processed when using this product, including the names of staff involved in providing care, their email address, their role/profession and planned absence information, so that your treatment can be scheduled.

Who is my personal data shared with?

Your personal data is accessed and used by health care professionals in the hospital who are providing you with individual care and treatment, and support staff who need to support health care professionals to administer your care journey.

Your personal data will not be shared with any other organisations as part of this product. The product will enable the NHS trust to share anonymous aggregated data with other organisations. This is statistical counts of data that don’t identify you. It is therefore not personal data. Anonymous aggregated data will be shared through a dashboard in the product and reports to the local integrated care board in your local area and NHS England to help plan and improve services.

UK General Data Protection Regulation (GDPR) information

Controllers of your personal data

Under data protection law the NHS trusts using the product [insert NHS trust names here] are the legal joint controllers of your personal data under data protection laws. The specific NHS trusts using the product are listed on the product description page of the NHS England website.

Legal grounds for processing your personal data

The processing of personal data by NHS trusts for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA 2018)):

  • Public taskArticle 6(1)(e) of UK GDPR ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Health careArticle 9(2)(h) of UK GDPR ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…” In addition, the legal grounds under paragraph 2 of part 1 of the DPA 2018 apply (health care purposes).

The personal data processed about patients by the NHS trusts locally working together for the purposes above is also confidential data. As the NHS trusts involved are processing your confidential data to provide you with individual care, it is relying on your implied consent to do this, as you would reasonably expect the hospital to process your personal information this way to provide you with care. The NHS trusts involved will keep your personal data confidential and only use and share it with other members of the care team to provide you with care, where you would reasonably expect them to, and subject to strict confidentiality controls to ensure your information remains confidential.

Processor acting on behalf of NHS trusts

The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS trusts who are using this product. They provide the data platform and the technology that the product uses and only act on the instructions of the NHS trust.

Your rights under UK GDPR

You have the following rights under UK GDPR in relation to the processing of your personal data by the NHS trust for the purposes above:

  • right to be informed
  • right of access
  • right to rectify
  • right to object

Further information about these rights is in the NHS Federated Data Platform privacy notice. Your NHS trust will also have a privacy notice on its own website which will explain more about how the trust processes your personal data, your rights and how to exercise them.

Contact details for data protection officers in the NHS trusts using this product are available on the NHS England website.

Does the national data opt out or any other opt out apply to this product?

The national data opt out and type 1 opt outs do not apply to the processing of your personal data by the NHS trust for the purposes explained above. This is because the NHS trust is processing your personal data to provide you with individual care and treatment and these opt-outs don’t apply in these circumstances.

More information

For more information about how personal data is processed within the Federated Data Platform please see the NHS Federated Data Platform privacy notice.