We provide high quality healthcare services primarily to the residents of East Lancashire and Blackburn with Darwen, which have a combined population in the region of 530,000.
We need information about you so that we can give you the best possible care. When you come into contact with the health service provided at East Lancashire Hospitals NHS Trust, you will be asked to provide details about yourself. This information will help us provide the following:
For processing to be lawful under the General Data Protection Regulations (GDPR), which comes into force 25th May 2018, the Trust will need to identify a lawful basis before it can process personal data. These are often referred to as the ‘conditions for processing’. The identified legal basis for East Lancashire Hospitals NHS Trust to process healthcare data under GDPR is Article 6(1)e and Article 9(2)h.
Article 9(2)(h), that:
“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.”
Article 6(1)(e), that:
“Processing is necessary for the performance of a task carried out in the public interest or on the exercise of official authority vested in the controller ” and occasionally
“When it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘No’ to our use of your information but this could have an impact on our ability to provide you with care.
We will collect and process personal data which means any information relating to an identifiable person, whether this person can be identified directly or indirectly. In this notice where it refers to data, it should be interpreted as relating to personal data unless otherwise specified.
Health and social care professionals working with you keep records about your health and any care and treatment you receive. This may include:
We also use Pseudonymised data, which takes the most identifying fields within a database and replaces them with artificial identifiers or pseudonyms. For example a name is replaced with a unique number. Pseudonymised data is not the same as anonymised data. When data has been pseudonymised it still retains a level of details in the replaced data that should allow tracking back of the data to its original state.
Where possible we will use anonymised data. This is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.
By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by e mail (e mail address).
Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.
You don’t have to give us information about your ethnic origin if you do not want to.
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This will be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Telephone calls to East Lancashire Hospital NHS Trust are routinely recorded for the following purposes:
We employ surveillance cameras (CCTV and Body Worn Video) on and around the hospital site in order to:
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems. For more information please email, SubjectAccessrequest@elht.nhs.uk.
We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Video data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.
The legal basis for collection of CCTV and body worn camera images is Article 6(1)f under GDPR, that processing is necessary for the purpose of the legitimate interests pursued by the controller. In this case the controller is East Lancashire Hospitals NHS Trust.
We will use the information you provide in a manner that conforms to the Data Protection Act and General Data Protection Regulation. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept. The recommended minimum retention periods set within the NHS are contained in the Records Management Code of Practice for Health and Social Care. NHS records retention schedules
We will process your information for the following purposes:
In addition to supporting the care you receive, your information may also be used to help us:
If you do not want certain information recorded or shared with others, please talk to the person in charge of your care. There are however some aspects of your care which we are obliged to record.
Is any information transferred outside the European Economic Area.
We do not transfer any information to countries outside the UK. If you are outside the UK and would like to see a copy of your records, please request these through the subject access team. By email to: SubjectAccessrequest@elht.nhs.uk
We understand the personal and sensitive nature of your information. In addition to the Data Protection Act 1998 everyone working for the NHS is subject to the Common Law Duty of Confidence. All staff are required to protect your information under the NHS Confidentiality Code of Conduct and must inform you how your information will be used and allow you to decide if and how your information can be shared.
Only authorised staff are given access to patient’s records.
We may use external companies to process personal information such as for archiving or destruction of data. These organisations will be bound by contractual agreement to ensure information is kept confidential and secure in compliance with the Data Protection Act 2018 and General Data Protection Regulations.
The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, and may disclose information to:
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.
In such cases, the shared data must always identify the patient for safety reasons.
For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England).
In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included.
For the benefit of the patient, the Trust may also need to share patient health information with non-NHS organisations which are also providing care to the patient.
These may include social services or private healthcare organisations.
However, the Trust will not disclose confidential health information, other than for direct care, to third parties without the patient's consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.
Where patient information is shared with other non-NHS or social care organisations, or for reasons other than direct patient care, it will be supported by best Information governance practice including a data protection impact assessment and where appropriate an information sharing agreement to ensure that information is shared in a way that complies with all relevant legislation and best practice.
We may be required to share your information with, for example: (please note this list is not exhaustive):
The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.
In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.
In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.
In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt-out of the NHS or other organisations using your information. If you wish to do this please contact the Trust via the contact details highlighted below:
Data Protection Officer,
East Lancashire Hospitals NHS Trust
Royal Blackburn Hospital,
Or email the Trust Data Protection Officer on; Igemail@example.com or Tel 01254734488.
Or by filling in the complaint form on the Trust internet site;
We do however need to remind you that we may not be able to provide you with a service or be able to undertake the appropriate care needed unless we have enough information, or your permission to use that information.
You have rights under the common law duty of confidentiality. This says that data provided in confidence should not be shared without consent. GDPR will not replace this duty. This requires that ELHT be clear what legal basis is used to set aside this duty and therefore allow the Trust to collect and process your data. This will be achieved by East Lancashire Hospitals NHS Trust under GDPR by ensuring it will be transparent about why information is collected, what information is collected and how the Trust process the information collected. GDPR provides many new rights for individuals. These and how these rights, what they mean for you and how they can be exercised are set out in a separate document “Service Guide for Users on GDPR Rights”.
We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you. If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. If you wish to have any inaccurate information corrected please raise this with clinical staff treating you.
You have the right to access information about you as service user. This right extends to knowing why East Lancashire Hospitals NHS Trust hold and process your data, how long the data is held and who it may be shared with. Additionally you have the right to be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request. For more information please email, SubjectAccessrequest@elht.nhs.uk
The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For more details on submitting a Freedom of Information request please click here: FOI
If you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described, please contact:
Or email the Trust Data Protection Officer on; Igfirstname.lastname@example.org or Tel 01254734488
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:
The Information Commissioner
Telephone number 0845 306 060 or 01625 545 745
Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please Tel 01254734488. Or filling in the complaint form on the Trust internet site; http://www.elht.nhs.uk/contact-us/
Should you have any concerns about how your information is to be used having read this Privacy Notice, you wish to request the notice in another accessible format or if you do not wish your information to be shared by East Lancashire Hospitals NHS Trust then please contact the Trust Data Protection Officer
Patients can choose whether your confidential patient information is used for research and planning. Further details on opt out and your personal information choices can be found here: National Data opt-out
There may be circumstances where we are legally obliged to share your personal data with other third parties, for reasons such as safeguarding purposes or a court order. In such cases you will not be able to opt out of data sharing.
If you are not happy with our responses and have exhausted all the avenues in the East Lancashire Hospitals NHS Trust’s process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office. Contact details can be found below in the contact information and further advice tab.
The Trust has a nominated Caldicott Guardian to oversee all patient confidentiality and safeguarding issues. The Caldicott Guardian ensures that all seven principles highlighted in the Caldicott Review are implemented effectively across the Trust with respect to the handling of patient confidential data. These principles are as follows:
Justify the purpose(s) of using or transferring patient confidential information
Use patient data when absolutely necessary
Only use the minimum amount of data necessary
Allow access to data on a strict need to know basis
Ensure that everyone is aware of their responsibilities in processing patient data
Understand and comply with the law
Understand that the duty to share information can be just as important as the duty to protect patient confidentiality
The Caldicott Guardian is readily available to give advice on any concerns you may have about your case or activity. Our Caldicott Guardian is:
Chief Medical Officer
East Lancashire Hospital NHS Trust
Royal Blackburn Teaching Hospital
Tel. No. 01254 732845
At Trust Board level, we have an appointed Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents. The appointed Caldicott Guardian oversees the management of patient information and patient confidentiality.
Privacy notice for children
Data protection impact assessments (25-05-2018 to 01-01-2019)