As East Lancashire Hospitals NHS Trust, we process (collect, store, use and delete) personal information about service users. The Trust is a registered “Data Controller” with the Information Commissioner's Office (ICO), registration Z8049565.
This notice describes how East Lancashire Hospitals NHS Trust uses and manages the information it holds about its patients, including how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of patient information is maintained. Information may be collected in the following formats - paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.
The Trust collects and holds personal data about its patients for the purposes of providing them with appropriate care and treatment.
The Trust keeps records about the health care and treatment it provides to its patients.
This helps to ensure that there is a sound basis for all health decisions made by a healthcare professional, that the care provided is safe and effective and that the Trust can work effectively with others providing patients with care.
Patients have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy (see below).
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.
Why we collect personal information about service users
We need information about you so that we can give you the best possible care. When you come into contact with the health service provided at East Lancashire Hospitals NHS Trust, you will be asked to provide details about yourself. This information will help us provide the following:
- To look after the health of the general public, e.g. screening programmes
- Delivery of high quality health care services
- Confirm your identity to ensure accurate, up to date information to provide the best possible care and treatment for you.
- Support the provision of joined up services that meet your holistic health and social care needs.
- Plan, manage and work out what care services are needed where and when.
- It will enable the hospital to be paid for your treatment
- To support audits of NHS services and accounts
- Contributes to national NHS statistics
- Finding better ways to prevent illness and treat conditions
- Enable high quality research
We may not be able to provide you with a service unless we have enough information, or your permission to use that information.
The legal basis of processing service user information
For processing to be lawful under the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, the Trust will need to identify a lawful basis before it can process personal data. These are often referred to as the ‘conditions for processing’. The identified legal basis for East Lancashire Hospitals NHS Trust to process healthcare data under GDPR is Article 6(1)(e) and Article 9(2)(h).
Article 9(2)(h), that:
“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.”
Article 6(1)(e), that:
“Processing is necessary for the performance of a task carried out in the public interest or on the exercise of official authority vested in the controller” and occasionally
“When it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘No’ to our use of your information but this could have an impact on our ability to provide you with care.
What information do we collect and process about service users
We will collect and process personal data which means any information relating to an identifiable person, whether this person can be identified directly or indirectly. In this notice where it refers to data, it should be interpreted as relating to personal data unless otherwise specified.
Health and social care professionals working with you keep records about your health and any care and treatment you receive. This may include:
- Basic details such as name, address, date of birth, phone number, mobile phone number and email address - where you have provided it to enable us to communicate with you by email and text.
- Your next of kin and contact details
- Notes and reports about your physical or mental health and any treatment, care or support you need and receive
- Details of your treatment, results of your tests/scans and diagnosis
- Relevant information from other professionals, relatives or those who care for you or know you well
- Any contacts you have with us such as home visits or outpatient appointments
- Information on medicines, side effects and allergies
- Patient experience feedback and treatment outcome information you provide
- Details of any contact the Trust has had with a patient, such as A&E visits, in-patient spells or clinic appointments
- Notes and reports about a patient's health and treatment received, including clinic and operational visits.
We also use pseudonymised data, in which the most identifying fields within a database are replaced with artificial identifiers or pseudonyms. For example, a name is replaced with a unique number. Pseudonymised data is not the same as anonymised data. Pseudonymised data still retains a level of detail in the replaced data that should allow the data to be tracked back to its original state.
Where possible we will use anonymised data. This is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.
By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).
Why do we collect information about ethnicity
Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.
You don’t have to give us information about your ethnic origin if you do not want to.
SMS texting and call recording
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This will be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Telephone calls to East Lancashire Hospitals NHS Trust are routinely recorded for the following purposes:
- To prevent crime or misuse.
- To make sure that staff act in compliance with the Trust's policies and procedures.
- To ensure quality control
Surveillance Cameras (CCTV & Body Worn Video)
We employ surveillance cameras (CCTV and Body Worn Video) on and around the hospital site in order to:
- protect staff, patients, visitors and Trust property
- apprehend and prosecute offenders, and provide evidence to take criminal or civil action in the courts
- provide a deterrent effect and reduce unlawful activity
- help provide a safer environment for our staff
- assist in traffic management and car parking schemes
- monitor operational and safety related incidents
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
- assist with the verification of claims.
You have a right to make a Subject Access Request for surveillance information recorded of yourself and ask for a copy of it. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems. For more information please email SubjectAccessrequest@elht.nhs.uk.
We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Video data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.
The legal basis for collection of CCTV and body worn camera images is Article 6(1)(f) under GDPR, that processing is necessary for the purpose of the legitimate interests pursued by the controller. In this case the controller is East Lancashire Hospitals NHS Trust.
How we use your information
We will use the information you provide in a manner that conforms to the Data Protection Act and General Data Protection Regulation. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept. The recommended minimum retention periods set within the NHS are contained in the Records Management Code of Practice for Health and Social Care (NHS records retention schedules).
We will process your information for the following purposes:
- Staff caring for you have accurate and up to date information to help them decide the best possible care and treatment needed for you
- We can contact you in relation to your appointments, care and treatment
- Information is available should you need another form of care, for example if you are referred to a specialist or another part of the NHS
- There is a good basis for looking back and assessing the type and quality of care you have received
- Your concerns can be properly investigated should you need to complain
In addition to supporting the care you receive, your information may also be used to help us:
- Look after the health of the general public
- Review the care we provide to ensure it is of the highest standard
- Teach and train health care professionals (if you do not want your information to be used in this way, please let us know. It will not affect your treatment in any way)
- Conduct research approved by the Local Research Ethics Committee (your personal details will not be disclosed outside of the Trust without your consent)
- Conduct audits
- Investigate complaints, legal claims or untoward incidents
- Make sure our services can meet patient needs in the future
- Prepare statistics on NHS performance
- Ensure treatments and services meet the needs of local communities
- Monitor the way public money is spent
If you do not want certain information recorded or shared with others, please talk to the person in charge of your care. There are however some aspects of your care which we are obliged to record.
Is any information transferred outside the European Economic Area?
We do not transfer any information to countries outside the UK. If you are outside the UK and would like to see a copy of your records, please request these through the subject access team by email to: SubjectAccessrequest@elht.nhs.uk
How we protect your information
We understand the personal and sensitive nature of your information. In addition to the Data Protection Act 1998 everyone working for the NHS is subject to the Common Law Duty of Confidence. All staff are required to protect your information under the NHS Confidentiality Code of Conduct and must inform you how your information will be used and allow you to decide if and how your information can be shared.
Only authorised staff are given access to patients’ records.
We may use external companies to process personal information such as for archiving or destruction of data. These organisations will be bound by contractual agreement to ensure information is kept confidential and secure in compliance with the Data Protection Act 2018 and General Data Protection Regulation.
Information sharing in the NHS
The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, and may disclose information to:
- GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration
- Social workers or to other non-NHS staff involved in providing healthcare
- Specialist organisations for the purposes of clinical auditing
- Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous)
- NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
- Bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
- National generic registries - e.g. the UK Association of Cancer Registries.
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
- When there is a Court Order or a statutory duty to share patient data
- When there is a statutory power to share patient data
- When the patient has given consent to the sharing
- When sharing for the purpose of the direct provision or management of healthcare
- When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006.
Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.
In such cases, the shared data must always identify the patient for safety reasons.
For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England).
In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included.
Information sharing with non-NHS organisations
For the benefit of the patient, the Trust may also need to share patient health information with non-NHS organisations which are also providing care to the patient.
These may include social services or private healthcare organisations.
However, the Trust will not disclose confidential health information, other than for direct care, to third parties without the patient's consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.
Where patient information is shared with other non-NHS or social care organisations, or for reasons other than direct patient care, it will be supported by best information governance practice, including a data protection impact assessment and, where appropriate, an information sharing agreement, to ensure that information is shared in a way that complies with all relevant legislation and best practice.
We may be required to share your information with, for example (please note this list is not exhaustive):
- Carers/guardians with parental responsibilities
- Carers/guardians without parental responsibility (subject to explicit consent, unless data is anonymous)
- Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
- Disclosure to bodies with statutory investigative powers – e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
- Disclosure, where necessary and appropriate, to non-statutory investigations – e.g. Members of Parliament
- Disclosure, where necessary and appropriate, to government departments other than the Department of Health
- Disclosure to solicitors, to the police, to the courts (including a Coroner's court), and to tribunals and enquiries
- Disclosure to the media (the minimum necessary disclosure subject to explicit consent)
Refusing or withdrawing consent for using patient information
The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.
In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.
In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.
In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
Patient control of information
You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt out of the NHS or other organisations using your information. If you wish to do this please contact the Trust via the contact details highlighted below:
Data Protection Officer,
East Lancashire Hospitals NHS Trust
Royal Blackburn Hospital,
Or email the Trust Data Protection Officer on Igfirstname.lastname@example.org or Tel 01254734488.
Or by filling in the complaint form on the Trust internet site;
We do however need to remind you that we may not be able to provide you with a service or be able to undertake the appropriate care needed unless we have enough information, or your permission to use that information.
You have rights under the common law duty of confidentiality. This says that data provided in confidence should not be shared without consent. GDPR will not replace this duty. This requires that ELHT be clear what legal basis is used to set aside this duty and therefore allow the Trust to collect and process your data. This will be achieved by East Lancashire Hospitals NHS Trust under GDPR by ensuring it will be transparent about why information is collected, what information is collected and how the Trust processes the information collected. GDPR provides many new rights for individuals. These rights, what they mean for you and how they can be exercised are set out in a separate document, “Service Guide for Users on GDPR Rights”.
Correcting inaccurate information
We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you. If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. If you wish to have any inaccurate information corrected please raise this with clinical staff treating you.
Accessing your information held by East Lancashire Hospitals NHS Trust
You have the right to access information about you as a service user. This right extends to knowing why East Lancashire Hospitals NHS Trust holds and processes your data, how long the data is held and who it may be shared with. Additionally you have the right to be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request. For more information please email SubjectAccessrequest@elht.nhs.uk
Freedom of Information Requests (FOI)
The Freedom of Information Act (2000) gives every individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For more details on submitting a Freedom of Information request, see: FOI
Contact information and further advice
If you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described, please contact:
Data Protection Officer,
East Lancashire Hospitals NHS Trust
Royal Blackburn Hospital,
Or email the Trust Data Protection Officer on Igemail@example.com or Tel 01254734488
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:
The Information Commissioner
Telephone number 0845 306 060 or 01625 545 745
Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please Tel 01254734488, or fill in the complaint form on the Trust internet site: http://www.elht.nhs.uk/contact-us/
Should you have any concerns about how your information is to be used having read this Privacy Notice, if you wish to request the notice in another accessible format, or if you do not wish your information to be shared by East Lancashire Hospitals NHS Trust, then please contact the Trust Data Protection Officer.
You can choose whether your confidential patient information is used for research and planning. Further details on opt out and your personal information choices can be found here: National Data opt-out
There may be circumstances where we are legally obliged to share your personal data with other third parties, for reasons such as safeguarding purposes or a court order. In such cases you will not be able to opt out of data sharing.
If you are not happy with our responses and have exhausted all the avenues in the East Lancashire Hospitals NHS Trust’s process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office. Contact details can be found below in the contact information and further advice tab.
The Trust has a nominated Caldicott Guardian to oversee all patient confidentiality and safeguarding issues. The Caldicott Guardian ensures that all seven principles highlighted in the Caldicott Review are implemented effectively across the Trust with respect to the handling of patient confidential data. These principles are as follows:
- Justify the purpose(s) of using or transferring patient confidential information
- Use patient data when absolutely necessary
- Only use the minimum amount of data necessary
- Allow access to data on a strict need to know basis
- Ensure that everyone is aware of their responsibilities in processing patient data
- Understand and comply with the law
- Understand that the duty to share information can be just as important as the duty to protect patient confidentiality
The Caldicott Guardian is readily available to give advice on any concerns you may have about your case or activity. Our Caldicott Guardian is:
Chief Medical Officer
East Lancashire Hospitals NHS Trust
Royal Blackburn Teaching Hospital
Tel. No. 01254 732845
At Trust Board level, we have an appointed Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents. The appointed Caldicott Guardian oversees the management of patient information and patient confidentiality.