Privacy Notice

Security of information

Confidentiality affects everyone: the Pennine MSK Partnership collects, stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.

We take our duty to protect personal information and confidentiality very seriously and we are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.


Legal basis for the processing of your data

Data Protection legislation (GDPR/DPA2018) requires the Organisation to process:

Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”

Personal data under 6(1)(f) “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Why do we collect information about you?

All clinicians and health and social care professionals caring for you keep records about your health and any treatment and care you receive. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

  • Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.

  • Contact we have had with you such as appointments or clinic visits.

  • Notes and reports about your health, treatment and care – A&E visits, inpatient spells or clinic appointments

  • Details of diagnosis and treatment given

  • Information about any allergies or health conditions.

  • Results of x-rays, scans and laboratory tests.

  • Relevant information from people who care for you and know you well such as health care professionals and relatives.


It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes to your contact details or GP Practice as soon as possible. This minimises the risk of you not receiving important correspondence.

By providing the Organisation with their contact details, patients are agreeing to the Organisation using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).


How your personal information is used

In general your records are used to direct, manage and deliver the care you receive to ensure that:

  • The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.

  • Health or social care professionals have the information they need to be able to assess and improve the quality and type of care you receive.

  • Your concerns can be properly investigated if a complaint is raised.

  • Appropriate information is available if you see another clinician, or are referred to a specialist or another part of the NHS or social care.


Clinical staff directly involved in your care will, on occasion, view your GP (primary care) record. This is done to effectively manage and ensure appropriateness of care. If you do not wish this to happen, please speak to your GP, who can record your preference.


Research and Planning

Your health records contain confidential patient information, which can be used to help with research and planning. If you would like this to stop, you can opt out of this yourself or on behalf of someone else, for example if you are a parent or guardian of a child under the age of 13.

If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations.

When required by law

Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.

When you have given consent

Your confidential patient information may still be used when you have given your consent, such as for a medical research study.

Where there is overriding public interest

Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.

When information that can identify you is removed

Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.

Where there is a specific exclusion

Your choice does not apply to a small number of specific exclusions. In these cases, your confidential patient information may still be used at any time. For example, when information is used to collect official national statistics, like the Population Census.

To find out more visit:


The Care Record

The Care Record is a shared system that allows health or social care professionals within the Organisation and the Social Care community to appropriately access the most up-to-date and accurate information about patients to deliver the best possible care.

The NHS Care Record Guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:


The Records Management Code of Practice

This Records Management Code of Practice for Health and Social Care 2016 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.

The Code is based on current legal requirements and professional best practice. It will help organisations to implement the recommendations of the Mid Staffordshire NHS Foundation Trust Public Inquiry relating to records management and transparency.


How long health records are retained

All patient records are destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained.

The Organisation does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Organisation has made the decision that the records are no longer required.


When do we share information about you?

We share information about you with others directly involved in your care, and also share more limited information for indirect care purposes, both of which are described below:

Everyone working within our Organisation and the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.


Direct Care Purposes:

  • NHS Trusts and hospitals that are involved in your care.

  • NHS Digital and other NHS bodies.

  • General Practitioners (GPs).

  • Ambulance Services.


You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social Care Services.

  • Education Services.

  • Local Authorities.

  • Voluntary and private sector providers working with the NHS.


We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.


Indirect Care Purposes:

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality

  • Ensure our services can meet patient needs in the future

  • Investigate patient queries, complaints and legal claims

  • Ensure the hospital receives payment for the care you receive

  • Prepare statistics regarding NHS performance

  • Audit NHS accounts and services

  • Undertake health research and development (with your consent – you may choose whether or not to be involved)

  • Help train and educate healthcare professionals


Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:


When other people need information about you

Everyone working in Health and Social Care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential. There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.


From time to time we may need to share information with other professionals and services concerned in your care. This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for the Organisation) in order to plan your care. We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.


Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm

  • If there is a concern that you are putting another person at risk of serious harm

  • If there is a concern that you are putting a child at risk of harm

  • If we have been instructed to do so by a court

  • If the information is essential for the investigation of a serious crime

  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object

  • If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases


Data subjects' rights

Under the Data Protection Act – 6th Principle:

  • a right of access to a copy of their personal data;

  • a right to object to processing that is likely to cause or is causing damage or distress;

  • a right to object to decisions being taken by automated means;

  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and

  • a right to claim compensation for damages caused by a breach of the Act


Under the General Data Protection Regulation (GDPR)

  • a right to confirmation that their personal data is being processed and access to a copy of that data which in most cases will be Free of Charge and will be available within 1 month (which can be extended to two months in some circumstances)

  • Who that data has or will be disclosed to;

  • The period of time the data will be stored for

  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;

  • Data Portability – data provided electronically in a commonly used format

  • The right to be forgotten and erasure of data does not apply to an individual’s health record or for public health purposes

  • The right to lodge a complaint with a supervising authority (see Raising a concern section)


Your right to object

You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.

Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.


Refusing or withdrawing consent

The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential personal information relies on the patient’s explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Organisation is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

SMS text messaging

When attending the Organisation for an appointment or a procedure you may be asked to confirm that the organisation has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages to advise you of appointment times.


How you can access your records

Data Protection legislation (GDPR/DPA2018) gives you a right to access the information we hold about you on our records. Requests must be made in writing to Pennine MSK Partnership. The Organisation will provide your information to you within one month (this can be extended dependent on the complexity of the request) from receipt of your application:

  • A completed application form, containing adequate supporting information (such as your full name, address, date of birth, NHS number, etc.) to enable us to verify your identity and locate your records.

  • Information will be provided free of charge, except where requests are unfounded or excessive (in particular repeat requests), in which case the Organisation may either charge a reasonable fee or refuse to act on the request.


Pennine MSK Partnership 
Integrated Care Centre
New Radcliffe Street


Data controller

The Data Controller responsible for keeping your information confidential is:

Pennine MSK Partnership 

Integrated Care Centre

New Radcliffe Street



Telephone: 0161 357 5270 press option 4


Data Protection Officer Contact –


Raising a concern

Patients who have a concern about any aspect of their care or treatment at this Organisation, or about the way their records have been managed, should contact –


Pennine MSK Partnership 

Integrated Care Centre

New Radcliffe Street



Telephone: 0161 357 5270 press option 4



If you have any concerns about how we handle your information, you have a right to complain to the Information Commissioner's Office about it.

Data Protection legislation (GDPR/DPA2018) requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF

Telephone: 08456 306060

Privacy notice for call recording



This privacy notice explains how we use recordings of phone calls within Pennine MSK Partnership.


Personal data


Not all locations from which we could make calls have the facility to record them. For the locations that do, when a call is recorded we collect:


  • a digital recording of the telephone conversation

  • the telephone number of both parties (internal and external) 


Personal data revealed during a telephone call, for example name and contact details, will be digitally recorded to deliver appropriate services.


Occasionally 'special category' personal information may be recorded where an individual voluntarily discloses health, religious, ethnicity or criminal information to support their request for advice and/or services.


Collecting personal data


The recordings will be stored on a secure server hosted by our phone provider CISCO which will only be accessible by senior members of the management team, who will be issued with a username and password.


Call recordings will be used:


  • to assist in the quality monitoring of staff performance

  • to investigate and resolve complaints

  • to identify training needs

  • to ensure the Company is able to monitor and adhere to quality standards


Sharing personal data


We may share a call recording with an Investigating Officer in order for them to respond to a complaint or issue.


Sharing data under Data Protection legislation


We may be required or permitted, under Data Protection legislation, to disclose a call recording including your personal data without your explicit consent, for example if we have a legal obligation to do so, such as for:


  • Law enforcement

  • Safeguarding investigations

  • Regulation and licensing

  • Criminal prosecutions

  • Court proceedings


What is the legal basis that permits us to use your information?


Under data protection legislation we are only permitted to use your personal data if we have a legal basis for doing so as set out in the data protection legislation. We will process your personal data for the purposes of providing you with work-finding services. The legal bases we rely upon to offer these services to you include at least one of the following:


  • Consent

  • Contractual obligation

  • Legal obligation

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests


Retaining personal data


Recordings are kept securely and confidentially. They will be held for no more than 12 months, unless required to be retained for an investigation, legal reasons or a potential safeguarding concern.


Your rights in relation to your information


You have a number of rights in relation to your personal data. These include the right to:


  • be informed about how we use your personal data;

  • obtain access to your personal data that we hold;

  • request that your personal data is corrected if you believe it is incorrect, incomplete or inaccurate;

  • request that we erase your personal data in the following circumstances:

      • if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;

      • if we are relying on consent as the legal basis for processing and you withdraw consent;

      • if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;

      • if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);

      • if it is necessary to delete the personal data to comply with a legal obligation.

  • ask us to restrict our data processing activities where you consider that:

      • personal data is inaccurate;

      • our processing of your personal data is unlawful;

      • where we no longer need the personal data but you require us to keep it to enable you to establish, exercise or defend a legal claim;

      • where you have raised an objection to our use of your personal data;


  • request a copy of certain personal data that you have provided to us in a commonly used electronic format. This right relates to personal data that you have provided to us that we need in order to take steps to enter into a contract with you and personal data where we are relying on consent to process your personal data;

  • object to our processing of your personal data where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal data;

  • not be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you.


If you would like to exercise any of your rights or find out more, please contact




If you have any complaints about the way we use your personal data please contact who will try to resolve the issue. If we cannot resolve your complaint, you have the right to complain to the Information Commissioner.


Covid-19 and your information - Updated on 8th April 2020


Privacy note on Covid-19 for Patients


This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.


The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant



Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available here.


During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs - view here. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.


In order to look after your health and care needs we may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.


During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.


We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.


NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.


In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.


We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.



©2019 by Pennine MSK Partnership Ltd.