Lawful Basis for Processing
All personal data processed by Navigo Health and Social Care CIC is collected under at least one of the Data Protection Act 2018’s lawful bases. We use the following:
Consent: You have given informed consent for Navigo to process your personal data for a specific purpose. Consent may be withdrawn at any time by contacting us.
Contract: Processing your personal data is necessary for Navigo to perform services in the interests of public health.
Legal Obligation: Processing your personal data is necessary for Navigo to comply with the law. For instance, for staff, our Workforce Department must verify your identity documents to ensure you have the right to work in the UK before we make a job offer.
Vital Interests: Processing your personal data is necessary for Navigo to protect someone’s life. For example, contacting emergency services in exceptional circumstances when staff consider there will be a risk of serious harm to self or another person. UK GDPR Article 6(1)(e) states that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
Legitimate Interests: Processing your personal data is necessary for Navigo’s legitimate interests. For example, providing a confidential advice and support service for our service users and staff.
Service users and the public
Mental health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about your health and any care and treatment you receive.
This may include:
- Basic details such as name, address, date of birth, phone number, and email address – where you have provided it to enable us to communicate with you by email
- Your next of kin and contact details
- Notes and reports about your physical or mental health and any treatment, care or support you need and receive
- Results of your tests and diagnosis
- Relevant information from other professionals, relatives or those who care for you or know you well
- Any contacts you have with us such as home visits or outpatient appointments
- Information on medicines, side effects and allergies
- Patient experience feedback and treatment outcome information you provide
- One of our methods of evaluating diagnosis is video recordings. If you have any objections, please let us know.
Most of your records are electronic and are held on a computer system and secure IT network. We may receive information about you from other people e.g. from your GP practice, a friend or relative or another health or care professional.
We may also collect information from you following feedback given and from surveys you complete regarding your care, for example via Microsoft Forms. This information will be held in accordance with the NHS Records Management Code of Practice 2023, Appendix 2, Retention Schedule.
Your information is used to provide you with health and care services and is necessary for us to:
- have all the information necessary for assessing your needs and for making decisions with you about your care
- have details of our contact with you, such as referrals and appointments, and see the services you have received
- assess the quality of care we give you
- properly investigate if you and your family have a concern or a complaint about your healthcare
Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:
- Move to another area
- Need to use another service
- See a different healthcare professional
Mental Health and Social Care Professionals: Your information will be shared with the team who are caring for you and are providing treatment to you. As part of health & safety, our staff may carry a works mobile phone or a lone working device which may store location data when activated.
However, the NHS and other agencies, including social services and private healthcare organisations, work together, so we may need to share information about you with other professionals and services involved in your care.
This includes Humber, Coast and Vale Health and Care Partnership. The Humber, Coast and Vale Health and Care Partnership is a collaboration of health and care organisations who are striving to improve the health and wellbeing of the population, as well as the quality and effectiveness of the services provided.
We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved. We will only share your information outside of NAViGO if we have your consent and it is considered necessary.
We may also use your personal information if you make a complaint or are involved in an incident whilst receiving care or treatment from us. This will be in order for us to investigate your complaint or the incident.
If translation services are required then they will be performed by HE WORDS and your personal data will be sent to them by secure email for translation. More details on their privacy policy can be found on their website.
Our Doctors use an app called S.12 solutions in order to arrange appointments with patients at various locations, which may include a hospital setting if you are an inpatient. Your name, address, NHS Number, GP Practice name and location (e.g. Hospital name and address) will be held on the app in order for the Doctor or other professional to be allocated to you for your care or assessment at a particular date and time. No medical data about you is held by S.12 solutions or on the app. S. 12 Solutions Privacy Notice can be found on their website.
Electronic Palliative Care Co-ordination System (EPaCCS): The health and care providers, who are involved in the care of a service user at the end of their life, will be able to share / access information, as part of the Humber Coast and Vale wider project. More details on their privacy notice can be found here.
Suicide Prevention Real-Time Surveillance: Real Time Surveillance (RTS) allows us to be alert to suicide clusters, monitor new and emerging trends in suicide and plan suicide prevention activity accordingly. In addition it allows us to ensure people affected by suicide are supported through the local suicide bereavement service.
RTS requires Public Health partners to provide details about deceased persons to inform Suicide Learning Panels, to ensure we can prevent suicide and support people appropriately.
The RTS system will request information and collate reports to allow us to do this across Humber. Information regarding criminal convictions and offences will be gathered from the Probation Service.
The Tavistock Institute of Human Relations: We have a legal gateway for the sharing of information between Navigo and the Tavistock Institute, for community mental health care research. This information is detailed in the ‘What Information do we collect from you?’ section of the NAViGO Privacy Policy. If you are participating in the Tavistock Relationships Service, you will have been given privacy information when you agreed to participate. To understand how your data will be used as part of this service, please refer here.
Humber Long Covid Triage and Assessment Service: In November 2020, NHSEI requested that all areas set up Long Covid assessment provision for individuals who have had Covid for 12+ weeks. Across the Humber, commissioners and clinicians have taken a joint approach to developing the Humber Long Covid Triage & Assessment Service which will be hosted by City Health Care Partnership (CHCP). Patient-level data is used to improve the direct care of patients.
The Health and Social Care (Quality and Safety Act) 2015 actively puts a duty on organisations to share information for direct care. Sharing for direct care can take place across departmental and organisational boundaries. CHCP CIC will ensure that patients are made aware that their information is shared for the purpose of any future direct care. More information can be found here.
Compass Go: Information may be shared between NAViGO and Compass as part of the mental health care provision to children and young people in North East Lincolnshire. NAViGO will seek consent to share this data as their lawful basis but information may be shared without consent in accordance with the law such as for safeguarding reasons. Only necessary data will be shared and medical and other special category data will be processed on a public task or provision of mental health services basis. The reason for sharing data is to ensure a clinical referral is made in a timely fashion and appropriate mental health services can be accessed for individuals. NAViGO will keep the data on your records in accordance with NHS retention guidelines. For more information about Compass’s Privacy Policy please visit their website.
Specialist Perinatal Mental Health Service
To make sure you receive the best possible care, records are kept about your health and social care needs and any treatment or services we provide. These can be kept both electronically and on paper. This information will be used to manage the care you receive within the Specialist Perinatal Mental Health Service and may include information from other health organisations such as your GP. Others in the NHS may also need to use information about you to:
- review the care we provide to ensure it is of the highest standard and quality
- protect the health of the general public
- manage the health service and ensure services can meet future patient needs
- investigate patient queries, complaints and legal claims
- ensure the Trust receives payment for the care you receive
- prepare statistics on NHS performance
- audit NHS accounts and services
- undertake health research and development
- help to train and educate healthcare professionals
For these purposes we use anonymous data wherever possible.
Everyone working within the health and social care service has a legal duty to keep information about you confidential. We will not share information unless:
- you give us specific permission
- we have to share by law
- we have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
- we hold information that is essential to prevent, detect, investigate or punish a serious crime.
The Trust shares information with National Records Locator Service (NRLS) and the Yorkshire and Humber Care Record. Both initiatives help to provide staff involved in your care access to the most up to date information about you. Please visit the Humber Teaching NHS Foundation Trust for more information.
If you would like to know more about how we use your information or if you do not wish to have your information used in any of the ways described, please raise this with a member of staff involved in your care. Your care will not be affected if you wish to do this.
North East Lincolnshire Council (NELC) Homeless Team: We may share your information with the local council to provide support to you and assist their activity within the Homelessness Prevention Service.
National Confidential Inquiry into Suicide and Safety in Mental Health (NCISH) - exemption from applying the National Data Opt-Out (NDO).
Information about patients and care received from mental health services can now be collected even where people have chosen not to have their health data shared for reasons other than individual treatment and care. Exemption has been recommended by the Confidentiality Advisory Group (CAG) at the Health Research Authority (HRA), an independent body who provide expert advice on the use of confidential patient information. CAG have decided it is in the public interest for NCISH to continue to collect patient data even when someone has opted out of sharing their health records. This is because we were set up with the overall aim of improving safety for all mental health patients. To do so, we must examine the deaths by suicide of all people under the recent care of specialist mental health services. Learning can then feed into improvements in the quality and safety of care offered by services. It is in the interest of patients and the public for this work to continue. NCISH makes every effort to ensure our standards are high in handling specialist categories information as part of our patient safety research. Further information can be found here and here.
Child and Adolescent Mental Health Services (Young Minds Matter)/OWL Therapy Centre
NAViGO are working with OWL Therapy for children and young people aged 3-18 years who are currently on the waiting list to receive a specialist assessment for Autistic Spectrum Disorder (ASD). The child’s name, parent’s name and parent's contact details will be shared so that an appointment can be offered. This data will be stored securely by OWL Therapy, treated confidentially according to UK General Data Protection Regulations (UK GDPR) and retained under the retention periods set out in the national NHSX Records Management Framework. More information can be found in the OWL privacy notice.
Parents/young people will be written to in order to inform them of this initiative and be given the option to opt out of assessment by OWL Therapy. If they choose to opt out, their data will be deleted from OWL systems.
National data sharing - GP Connect and Summary Care Record Additional Information
The Control of Patient Information (COPI) Notice, which enabled the sharing of patient information nationally across GP practices during the COVID-19 pandemic, ceased on 30 June 2022.
However, the legal basis under which GP Connect and SCRai operated before the pandemic is unaffected by COPI and will remain in place. This has been identified by the Information Commissioner’s Office as good practice. The legal basis for both GP Connect and Summary Care Record Additional Information is Article 6(1)(e) and Article 9(2)(h) of the UK GDPR (General Data Protection Regulation). For Common Law Duty of Confidentiality, implied consent with opt out is used.
If patients have previously opted-out of sharing their data via GP Connect, having a Summary Care Record, or declined to provide consent to share their Additional Information, their preference will continue to be respected and applied. Patients can also continue to express a Summary Care Record consent preference and can change their mind at any time.
Thalamos
The eMHA system is a digital workflow tool for administering the Mental Health Act (MHA). Thalamos stores personal data relating to patients on behalf of Navigo. The nature of the data depends on the MHA form being completed, but forms must include, as a minimum, the name and address of the person who is subject to that form, together with the necessary data required under the Mental Health Act.
For children
Your school or doctor has asked for you to have an assessment for ASD and your name and parent/guardian's details have been given to us. We will pass these to OWL Therapy so they can contact your parent/guardian to make an appointment for you. You can ask us or OWL Therapy about what we do with your data and your rights over your data by contacting us here: info.navigo@nhs.net.
Confidentiality: A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent. Examples of this are:
- If there is a concern that you are putting yourself or another person at risk of serious harm
- If we have been instructed to do so by a Court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
We will not share your data for Insurance or Marketing purposes.
NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP.
Further information: If you need further information, you can email our Data Protection Officer on NAViGO.DPO@nhs.net
To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups.
The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within NAViGO.
NHS Digital, on behalf of NHS England, assess the effectiveness of the care provided by publicly funded services – we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires, on a regular basis to meet our NHS contract obligations.
Most of the time, NHS Digital use anonymised data for planning, so your confidential patient information isn’t always needed.
However, you do have a choice about whether you want your confidential patient information to be used.
To read further details about the wider use of your confidential patient information and to register your choice to opt out of it being used for the planning and improvement of health and care services in England, please click here. If you are happy with the use of your information for planning and research purposes you do not need to do anything. However, you can change your choice at any time.
For more information about how NHS Digital use your data please visit:
NHS - How We Look After Your Health and Care Information
Care Quality Commission (CQC) and Accessing Data
As part of their role as the Regulator of Health and Social Care Services in England, the CQC may access care records and other personal data we hold on you. For further details, please see CQC privacy notice.
Navigo actively promotes research to provide better health and care for you, your family and future generations. Researchers can improve how physical and mental health can be treated and prevented.
As a data controller NAViGO rely upon
- Article 6(1)(e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’
- Article 9(2)(j) ‘…scientific or historical research purposes’
as our lawful basis for processing your information under the UK General Data Protection Regulation. This means we do not rely upon your consent for our Researchers to access information we have collected about you.
However, we do rely upon your consent for you to actively take part in a research study.
We would never publish the outcome of our research studies in a way that would personally identify you.
Whilst actively taking part in a research study you would have the right to withdraw your consent at any point but you would not have the right to the information already collected as part of the research study to be erased.
If you are happy for your personal confidential information to be used for your individual care and treatment and also be used for research and planning you do not need to do anything.
However, if you do not want your personal confidential information used in this way, you have the right to object to, or opt out of, your information being used for research and planning by registering your choice via Your NHS Data Matters.
If you do choose to opt out, you can still consent to your data being used for specific individual research and/or planning purposes.
For further details on how your information is used in research please visit the NAViGO Website or you can contact our Research and Development (R&D) Department.
Professor Zaffer Iqbal – Head of Psychology
Telephone: (01472) 808503
Email: z.iqbal1@nhs.net
Information about our current research studies and sponsor details can be found on our Research web page.
As a healthcare provider we use and store large volumes of personal information every day and have appropriate technical and organisational measures in place to protect your information whether it is in paper or electronic format.
NAViGO is registered with the Information Commissioner’s Office; registration number ICO:ZA032286.
All of the Information Systems used by NAViGO, including CCTV and call recording at our inpatient units, which are hosted by F4 IT, are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by NAViGO are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.
F4 IT is accredited to Industry Standard ISO 27001, which is an internationally recognised information security framework; registration number IMS UK/01/0715403363.
All employees and our partner organisations are legally bound to respect your confidentiality and all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.
If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.
If you need further information, you can email our Data Protection Officer NAViGO.DPO@nhs.net
We are legally required to keep your health records for certain periods, and all records held by the NHS are kept in accordance with the Records Management Code of Practice for Health and Social Care 2021.
The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.
CCTV cameras operate in some of our sites. This is to ensure the safety of staff, service users and the security of our buildings and car parking areas. CCTV images are recorded and held for a two-week period, before being erased for disposal. Images that are stored on, or transferred to, removable media are erased or destroyed once the purpose of the recording is no longer relevant. This will be for a period of two months unless a crime is being investigated.
The NHS Records Management Code of Practice 2023 can be found here.
You have a right to see the information we hold about you, whether on paper or electronic, except for information that:
- Has been provided about you by someone else if they haven’t given permission for you to see it
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else
Your request must be made either in writing, through email or via phone call and we will request proof of identity before we can disclose personal information.
Access To Records Lead
Telephone: (01472) 583040
Email: NAViGO.PALS@nhs.net
You also have the right to have inaccurate information corrected but this usually only applies to factual information about you and not to the medical opinions or diagnoses of professionals, even if you disagree with them.
To get further advice or report a concern directly to the UK’s independent authority, you can do this by contacting: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: https://ico.org.uk/concerns/handling/
NAViGO is a Data Controller and can be contacted at: NAViGO Health & Social Care CIC, NAViGO House, 3-7 Brighowgate, Grimsby, DN32 0SW or on telephone number 01472 583000. The Data Protection Officer can be emailed on NAViGO.DPO@nhs.net
We are collecting your personal data in order to process your membership of our group. Our lawful basis for collecting your personal information and contact details is legitimate interests for both NAViGO in providing a wider service to you and for yourself in engaging in the group. This means that we can use your data for running the group and contacting you about it.
Your data will not be shared with anyone outside of NAViGO but we may be permitted to use your data for some other purposes, such as to prevent or detect crime, to protect public funds or where we are required or permitted to share data under other legislation. If we do this, we will not need your consent, as we will rely on an exemption in the data protection legislation. We will not sell your data to any third parties.
We will keep your data for as long as you are a member of the group or whilst you are on the waiting list. If you wish to be taken off the waiting list please let us know and we will delete your information.
You have the right to access your data and to rectify mistakes, erase, restrict, object or move your data in certain circumstances. Please contact the Data Protection Officer for further information or go to our website where your rights are explained in more detail. If you would like to receive an explanation of your rights in paper format please contact the Data Protection Officer.
Any complaints regarding your data should be addressed to the Data Protection Officer in the first instance. If the matter is not resolved, you can contact the Information Commissioner’s Office at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF on tel: 0303 123 1113.
Using our website
This privacy policy sets out how NAViGO uses and protects any information that you give NAViGO when you use this website.
NAViGO is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
NAViGO’s telephone calls may be recorded for training and monitoring purposes. NAViGO may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 01/01/2019.
We may collect the following information:
- name and job title
- contact information including email address
- demographic information such as postcode, preferences and interests
- other information relevant to customer surveys and/or offers
A printed copy of our Privacy Notice is available upon request.
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- Internal record keeping.
- We may use the information to improve our products and services.
We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site.
Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Our website may contain links to other websites of interest.
However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement.
You should exercise caution and look at the privacy statement applicable to the website in question.
You may choose to restrict the collection or use of your personal information in the following ways:
- whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
- if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at navigo.dpo@nhs.net.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you under the Data Protection Act 2018.
If you would like a copy of the information held on you please write to NAViGO.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
The Data Controller
NAViGO Health and Social Care CIC
Telephone: (01472) 583000
Caldicott Guardian
Dr Aamer Sajjad – Medical Director/Consultant Psychiatrist
Telephone: (01472) 252366 ext. 14319
Email: aamer.sajjad1@nhs.net
Data Protection Officer
Email: NAViGO.DPO@nhs.net
Senior Information Risk Officer
Anna Morgan – Executive Director of Corporate Services
Telephone: (01472) 583063
Email: anna.morgan4@nhs.net
Staff privacy notice
We collect, store and process information about prospective, current and former staff. This notice explains how we use your information, and your right to control how we use it.
NAViGO Health and Social Care CIC is registered as a data controller with the Information Commissioner’s Office (ICO) as part of the Data Protection Act 2018. We’re committed to collecting, storing and processing personal information in line with UK Data Protection Law and the UK General Data Protection Regulation (GDPR).
For the purposes of this privacy notice, the term ‘staff’ includes:
- applicants
- employees
- workers, including agency, casual and contracted staff
- volunteers
- trainees
- students
- apprentices
- work experience placements
We reserve the right to update this privacy notice at any time, and we’ll notify you with a new privacy notice if we make any substantial updates. From time to time, we may also let you know about the processing of your personal information in other ways.
Personal information
This is information that identifies you, like your name or contact details.
It’s important that the personal information we hold about you is accurate and up to date. Please let us know if your personal information changes during your working relationship with us.
If any changes are required please let us know by contacting your line manager in the first instance or emailing the Workforce Team.
We may collect information from you following feedback given and from surveys you complete, for example via Microsoft Forms. The NHS has authorised the use of Microsoft Forms as part of the Microsoft O365 suite. Regular reviews will take place so that data is not kept longer than necessary once it has been collated.
Special category personal information
Some of the information we collect is special category data, or sensitive data, which can include:
- your race or ethnicity
- religious beliefs
- trade union membership
- health, including physical and mental health and general immunisation history
- sexual orientation
- gender identity
- criminal convictions
- disabilities
Extra safeguards are applied to special category information, and we must be able to demonstrate a legitimate reason to hold and use it.
Coronavirus (COVID-19)
In addition to information relating to your health, NAViGO may also collect and process information relating to coronavirus (COVID-19) self-isolation status, COVID vaccination status and flu vaccination status, to help with workforce planning and ensure continuity of services.
The lawful basis will be GDPR Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems) and 3 (public health) are engaged.
Microsoft Teams Recordings
You may attend an event, meeting or training session that may be recorded using Microsoft Teams.
If a training session, meeting or event is recorded, your picture or video image on screen will be recorded, and the recording might include whatever you have in the background if you are working from home. Please be aware that anything else in the background could be recorded. You can display a background on Microsoft Teams to stop any additional pictures of your home being recorded. The processing of data is governed by the UK General Data Protection Regulation 2016/679.
You are under no statutory obligation to agree to attend training/meetings/events that are being recorded. If you do not wish to attend any training/meeting/event that is being recorded, you do not have to.
Any recordings will be held in accordance with NHS Data Retention Guidelines.
Laws on information processing
NAViGO will only process your personal information where we are able to do so by law, under the legal basis available through the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR).
The legal bases we use most often to collect information are:
- entering into and managing our employment contract
- legal obligations where processing is necessary for compliance, for example, informing HMRC of your tax and National Insurance contributions
- when considering employees’ rights as potential members
- on the legitimate interests of NAViGO as a company, where a formal assessment has been made and recorded
Where we process sensitive personal or special categories of data about you, we will ensure this is done only where one of the following conditions applies:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller, or the data subject, in the field of employment and social security and social protection law
- processing is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, or the provision of health or social care
If you require further information about the legal basis for any specific aspect of processing please email the Data Protection Officer.
If you apply for a job
When you apply for a position with NAViGO, you will give us relevant information about you which includes:
- personal contact details
- details of your skills, qualifications, employment history, experience, and professional membership (if relevant), and training history
- referee details
If you are invited to interview
During recruitment and selection, we will collect additional information such as:
- correspondence, interview notes, and results of any tests you’re asked to complete as part of the selection process
- copies of qualifications and certificates
- pre-employment checks, including referees
- your nationality and immigration status, to confirm your eligibility to work in the UK
- your national insurance number, tax and bank details
- details of your pension
- remuneration, including salary and entitlement to benefits
- trade union membership
- criminal record
- ethnicity, gender/gender reassignment, health, religion or sexual orientation
- medical history relevant to your employment, including physical health, mental health
- publicly available information, like your social media presence
If you become an employee
If you are employed by us, we may collect additional information like:
- your image, for security and ID badges
- education and training history
- appraisal and performance reviews
- security and audit data when you use NAViGO IT equipment and systems, including the use of NHS smart cards
- your performance, sickness absence and other work-related matters
- CCTV recordings when you’re on NAViGO premises
- personal data recorded as a normal part of your work activity
- data relating to employee relations, like disciplinary proceedings or complaints
Why we collect your information
We will use your information to administer your employment and associated functions. Your information may be shared between relevant colleagues who need the information to carry out their duties, like your line manager or Workforce teams.
We use staff data to meet our legal obligations as an employer, which include:
- recruitment and selection
- compliance with visa requirements
- maintaining staff records, including payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, conduct, management progress, disciplinary and grievance process and complaints, pensions administration, and other general admin and human resource and membership related processes
- monitoring equal opportunities
- payment of trade union membership fees
- providing facilities, like IT systems access, library services and car parking
- preventing and detecting crime, like using CCTV and photo ID badges
- communicating about the Trust, including news and events
- maintaining patient health records, in line with records keeping standards
- managing safe environments and fitness to work
- managing human resources processes, like sick pay, managing absence, parental leave, and workforce planning
- occupational health and wellbeing services
- service quality monitoring
- maintaining contact with former employees
We maintain electronic and paper records that relate to your recruitment and employment. This information is held by the workforce team and locally, with your line manager. All paper files are securely stored and only relevant staff will be able to access this information.
Electronic information is accessed on a need to know basis, using NAViGO’s ESR and other systems such as the NAViGO data warehouse. Some information may be held on NAViGO’s secure electronic drives, where access is only granted to appropriate individuals.
24/7 Helpline
When you call the helpline they may record your contact details, and information about the issues you have raised and about any advice or support you have been given, or referred to.
They record this information in order to provide advice and to manage the service, including any future contact with you.
The information will be kept confidential and access will only be available to authorised staff within the care service. The information provided to NAViGO is a summary of the number of calls.
The legal basis for processing is our legitimate interest in providing a confidential advice and support service for the welfare of our staff.
Physical Health Checks in conjunction with Primary Care
NAViGO is working closely with GP Practices to undertake physical health checks for people who are on the GP Severe Mental Illness (SMI) register.
If you are on this register and also a NAViGO employee you may be contacted by NAViGO to offer you a physical health check each year. NAViGO has information sharing agreements in place with all GP Practices. In North East Lincolnshire we have a shared electronic patient record (SystmOne) which also includes links to GP Practices who use EMIS as their electronic patient record.
The legal basis for sharing this information has been defined as:
The processing is necessary for health or social care purposes and is for the provision of health care or treatment: Articles 6(1)(e) and 9(2)(h) UK GDPR.
Section 10 and Schedule 1 Part 1 para 2 Special categories of personal data.
Consent to share health care records with other health and social care organisations within North East Lincolnshire is set by the GP based around their information sharing protocols. Should NAViGO employees who are registered with an NEL Practice not want their GP to share their record with NAViGO or any other organisation for the purposes of healthcare (including the NAViGO Physical Health Service (WHISe)), they can contact their GP and ask for their consent to share their record with NAViGO to be withdrawn. This will ensure that they are not contacted by NAViGO as their employer to offer a physical health check if this is something they do not feel comfortable with.
Data sharing with third parties
We may disclose personal and sensitive information to a variety of recipients when:
- there’s a legal obligation to share
- it’s necessary for the performance of your employment contract
- you have consented to the sharing
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances, and with the appropriate security controls in place. Information is only disclosed to those agencies and bodies who have a need to know, when there is a lawful basis to do so.
Your contact details may be shared where there is a legitimate reason to do so and this is appropriate to your role and responsibilities, and recipients may include:
- our employees, agents and contractors where there is a valid reason for them receiving the information
- professional and regulatory bodies in relation to the confirmation of conduct, including complaints, job description and information provided as part of the recruitment process
- government departments and agencies where we have a statutory obligation to provide information, like HMRC and the Department of Health
- third parties who work with us to provide staff support services, like counselling
- crime prevention or detection agencies, like the police and security organisations
- the Parliamentary and Health Service Ombudsman
- internal and external auditors
- courts and tribunals
- trade union and staff associations
- relatives or guardians of an employee
- NHS Business Services Authority
NHS Business Services Authority
NAViGO also shares employee records information with the NHS Business Services Authority, which acts as a data processor.
The information you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records. It’s stored on the national NHS Electronic Staff Record (ESR) system.
Electronic staff record (ESR)
When you start your employment with NAViGO, your personal data will be uploaded into the ESR system. IBM, who provide ESR, and its partners as service providers will be responsible for maintaining the system. This means that they may occasionally need to access your staff record, but only to ensure that the ESR works correctly.
Where this happens, access will be limited and is only to allow any problems with the computer system to be investigated and fixed as necessary. IBM and its partners will not have the right to use this data for their own purposes, and contracts are in place with the Department of Health to ensure that the data is protected and that they only act on appropriate instructions.
IBM and the ESR Central Team may access anonymised data about transactions on the ESR system in order to support the development and optimal use of the system.
Data Warehouse
Some of your personal information from ESR will be transferred to a separate database, known as the Data Warehouse. This will be used by NAViGO to report on compliance on statutory/mandatory training, sickness, PDR compliance rates, turnover and occupational health vaccination programme compliance.
The NAViGO workforce and performance teams, your line manager and operational workforce secretary will be given the appropriate access to this information, which is stored confidentially and accessible via security groups using individuals’ Windows authentication.
NHS flu and COVID-19 vaccination programmes
NAViGO will provide data on all staff to NHS Digital as required by the Secretary of State for Health exercising the public health functions under section 2 of The National Health Services Act 2006.
This will include:
- name
- address
- employee number
- date of birth
- gender
- NHS Number
The purpose is to administer and implement a National Immunisation Vaccination Service (NIVS) (flu and COVID-19) immunisation programmes for NHS staff.
The implementation of this service will deliver a centralised data capture tool for clinical teams delivering the seasonal flu and COVID-19 immunisation and is an essential component of NHS England’s response to the COVID-19 pandemic.
Particulars of staff receiving immunisation will also be provided to NIVS as part of the programme. For further information see the NHS England and NHS Digital Privacy Notices.
Other processors
NAViGO uses specialist processors for tasks like:
- workforce planning and analytics
- expenses claims
Information may also be processed on behalf of NAViGO by Northumberland Payroll services.
This will always be carried out using a contractor compliant with Article 28 of the GDPR, and with appropriate guarantees of confidentiality.
When it comes to personal data held about you, you have the right to:
- request access
- request the correction of inaccurate or incomplete information, subject to certain safeguards
- request that your information is deleted or removed where there is no need for us to continue processing it, and when the retention time has passed
- ask that we restrict the use of your information, based on personal circumstances
- withdraw your consent for the collection, processing and transfer of personal information for a specific purpose
- object to how your information is used
- challenge automated decision making
Further information about these rights can be obtained from the Information Commissioner's Office.
If you require copies of personal information, speak to your line manager.