Independent thematic review of incidents relating to maternity care at the Nottingham University Hospitals
This notice explains how the Independent thematic review of incidents relating to maternity care at the Nottingham University Hospitals (‘the Review’) collects and uses personal information.
The Review was established by National Health Service England and National Health Service Improvement (NHSE/I) and National Health Service Nottingham and Nottinghamshire Clinical Commissioning Group (CCG) to conduct an independently led thematic review of maternity services at Nottingham University Hospitals Trust. It exercises functions in the public interest under the National Health Service Act 2006 (as amended by the Health and Social Care Act 2021), and National Health Service Trust Development Authority Directions and Revocations and the Revocation of the Imperial College Healthcare National Health Service Trust Directions 2016. The Review is registered with the Information Commissioner’s Office (ICO) as a data controller and can be contacted as follows: email@example.com
The purposes for processing personal information
The Review is investigating the matters set out in its Terms of Reference. It processes personal information for the purposes of its investigations and to enable it to carry out its work. Personal information is used by the Review in a number of ways – for example, to gather evidence as part of the Review’s investigation, to facilitate access to the Review, and to communicate with you and keep you updated on the progress of the Review’s work. Personal information may also be used by the Review to comply with the law and contracts that the Review has entered into.
How the Review collects personal information
Most of the personal information the Review processes is provided to it directly by you for one or more of the following reasons:
- You wish to give information to the Review
- You have been asked to provide information to the Review
- You have provided information to the Review
- You have provided information prior to the Review’s set up, or in relation to the Terms of Reference
- You have contacted the Review, for example by email, telephone or letter
- You or your family wish to attend, or have attended, a meeting with the Review team
- You are representing an organisation in engaging with, or providing services to, the Review.
The Review may also receive information about you in other ways. For example, as part of its investigation the Review will request access to records from a range of sources, but mainly healthcare providers. Other individuals may also include information about you in their information provided to the Review. Information will be provided to the Review on a voluntary basis, and/or through agreements with organisations. The Review has committed to looking in detail only at those individual cases for which consent is granted to access the records pertaining to the case.
What sort of information does the Review collect?
The Review collects information about women, people who require medical terminations, people who give birth and their families, and other matters within the Terms of Reference of the Review. The Review will also collect and retain contact details. The records the Review holds include personal information, including special category (sensitive) personal information relating, for example, to health, racial or ethnic origin, religious beliefs, and criminal offences.
The legal basis for processing personal information
The Review processes personal information fairly and lawfully in compliance with data protection legislation. Personal, special category, and criminal offence information is processed because the processing is necessary to enable the Review to carry out its work, which is a task carried out in the public interest and in the exercise of a function conferred by an enactment – the National Health Service Act 2006 as amended by the Health and Social Care Act 2012, and the National Health Service Trust Development Authority Directions and Revocations and the Revocation of the Imperial College Healthcare National Health Service Trust Directions 2016.
The authority of the Review is derived from its Terms of Reference and delegation and/or direction from NHSE/I (the NHS Trust Development Authority) and the CCG.
The Review also has in place a policy document setting out its compliance with the requirements of the GDPR Article 5 principles.
How does the Review share personal information?
The Review keeps your personal information secure and only shares it with those who need to see it. To facilitate the Review’s work, personal information may be shared with third party data processors who supply electronic review software and other services to the Review. The Review’s contracts with its data processors prevent them from doing anything with your personal information without the Review’s instruction. The Review’s data processors will not share your personal information with any organisation unless directed by the Review. They will hold your data securely and retain it for the period the Review instructs.
The Review may have to disclose personal information on a confidential basis to organisations that hold records which could assist the Review with its investigations (such as organisations which provided healthcare or support services). As your personal information is stored on the Review’s IT infrastructure, and shared with our data processors who provide email, and information management and storage services, it may be transferred and stored securely outside the United Kingdom (and European Union). If that happens, your information will be subject to equivalent legal protection through the use of Model Contract Clauses.
If required by law, the Review may need to share information for legal or regulatory purposes.
For how long will the Review keep personal information?
The Review will securely store information provided to it, including personal information, and will generally retain it for the duration of the Review depending on the purpose of gathering and using that personal information.
Following the completion of the Review’s work, information gathered by the Review may be selected to be archived by NHSE/I. Some of this information may be retained indefinitely. Information subject to storage in this manner may be processed in line with the Review’s policy on redaction prior to being transferred from the Review and will be held with strict security arrangements and handled according to the safeguards in data protection legislation for archiving in the public interest, and in line with the Public Records Act 1958.
What are your rights?
You are entitled to request information about how your personal data is processed, and to request a copy of that personal data, subject to some exemptions. You have the right in certain circumstances (for example, where the accuracy of the information held by the Review is queried) to request that the processing of your personal data is restricted, or to object to the processing of your personal data. You may also request that the Review corrects or deletes your personal data.
Links to other websites
Further information and complaints
If you have comments or queries about this privacy notice, please contact the Review at firstname.lastname@example.orgIf you are unhappy about the way that the Review uses your personal data, you may contact the Review’s Data Protection Officer by emailing email@example.com
If you wish to make a complaint, or have concerns about the way the Review handles your personal data, you can contact the Information Commissioner’s Office at:
Email to: firstname.lastname@example.org
Telephone: 0303 123 1113
The ICO’s advice on raising concerns about personal information processing can be viewed by clicking here.
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
This policy is subject to review
Last updated 04 Jan 2022