In this section

Your information, your rights

For statutory legal purposes, we must inform you that Liverpool University Hospitals NHS Foundation Trust is the Data Controller processing your personal data.

The following information explains what information the Trust collects about you, why we collect it, how we use it, and your rights under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).

This is broken down into:

The Trust collects personal and confidential information primarily to provide medical services, in accordance with its obligations under the NHS Act 2006 and Health and Social Care Act 2012.

In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for us to have a complete picture as this information enables us to ensure you receive the right care to meet your individual needs.

Information collected for medical purposes includes:

  • Preventative medicine
  • Medical diagnosis
  • Medical research
  • Provision of care and treatment
  • Management of healthcare services

This information is collected so that clinical teams have accurate and up-to-date information on which to base your treatment options.

To ensure we can provide you with the best possible care, the information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through appointments, attendances and home visits
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of x-rays, scans, blood tests, etc.
  • Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers

We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).

This list is not exhaustive but indicative of the information recorded.

The Trust will use your contact details to communicate with you about your healthcare i.e. by post, email, telephone or text message.

By providing the Trust with your contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).

Most of the information the Trust collects about you is received directly from you.

This will be checked with you to ensure that your name, address, telephone number and next of kin, for example, are accurate and up-to-date.

The Trust will, however receive information from other healthcare providers about you. This typically will be from a referral. For example, when you see your GP, if they decide you need an appointment with the Trust, your GP will provide the Trust with your identifiers, contact details, summary of your current complaint and any relevant medical history. If you have been treated at another Hospital and referred to the Trust, the same information would be provided to the Trust.

If you do not provide us with the most relevant information, or it is inaccurate or incomplete, this could significantly affect the medical care you receive and adversely affect your health.

If any of the information recorded about you is incorrect, please inform your health care team at the earliest opportunity.

Everyone working for the NHS is subject to the Common Law Duty of Confidence.

We work with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be securely shared.

Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.

Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.

Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

Access to information is restricted to those who have a need-to-know. Within the Trust, your information may be shared with the following people when there is a medical need:

  • Doctors, nurses and therapists directly caring for you
  • Health care assistants and therapy assistants, supporting your direct care and part of your care team
  • Pharmacists, radiologists and other clinical support services
  • Secretaries, receptionists, Patient Access Centre and other clerical support teams, who require access to carry out administrative tasks, such as booking appointments, typing letters or managing services
  • Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc. 

In such cases, the shared data must always identify the patient for safety reasons.

The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration;
  • Disclosure to social workers or to other non-NHS staff involved in providing healthcare;
  • Disclosure to specialist organisations for the purposes of clinical auditing;
  • Disclosure to those with parental responsibility for patients, including guardians;
  • Disclosure to carers without parental responsibility (subject to explicit consent);
  • Disclosure to medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services;
  • Disclosure to bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
  • Disclosure to National Generic Registries - e.g. the UK Association of Cancer Registries;
  • Disclosure, where necessary and appropriate, to non-statutory investigations - e.g. Members of Parliament;
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health;
  • Disclosure to solicitors, to the police, to the courts (including a Coroner's Court), and to tribunals and enquiries;
  • Disclosure to the media (normally the minimum necessary disclosure subject to explicit consent)

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.

This helps to provide better health and care for you, your family and future generations.

Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about how you want your confidential patient information to be used. If you’re happy for us to use your information, you do not need to do anything.

If you choose to opt out, your confidential patient information will still be used to support your individual care.  

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the National Data Opt Out Programme. If you do choose to opt out you can still consent to your data being used for specific purposes.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subject to.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the patient has given his/her explicit consent to the sharing;
  • When the patient has implicitly consented to the sharing for direct care purposes;
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006 

This list is not exhaustive but indicative of the information recorded.

We outsource a limited number of administration and IT support services to external organisations.

These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.

All of your information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2021. This is available from -

In general terms, medical information is retained for at least 10 years after treatment; or for children until they reach at least 25years old. There are exceptions to this.

Any enquiries should be made directly to the Data Protection Officer.

You have a number of rights under Data Protection Legislation.

In short, your rights are:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object
  • Right to restrict processing
  • Right to data portability.

Right to be informed

You have a right to be informed about uses of your information with an emphasis on transparency. This notice, in support of other privacy notices published by the Trust, ensures that your right to be informed is achieved.

Right of access

You have a right to receive:

  • Confirmation of what information is recorded about you
  • Confirmation of how your information is used
  • Access to your information.

You will be required to provide proof of identification and may be asked to specify exactly what information you require.

If you would like access to your health records please submit your request in writing to the Subject Access Request Department or telephone 0151 529 2023 for more information.

Right to rectification

Rectification refers to correcting inaccuracies or incomplete data which is held by the Trust. This applies to factual information only – such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do however; have the right to include your own statements alongside professional opinions.

To request rectification of information held about you, or to add your own statement, please contact the Subject Access Request Department on 0151 529 2906.

If you disagree with a professional opinion and wish to add your own statements, please contact the Data Protection Officer.

Right to erasure

In some circumstances you can request that your information is deleted.

This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or the information is no longer required. You will be informed of activities to which this right applies.

There are exceptions to this right. Any enquiries should be made directly to the Data Protection Officer.

Generally, the Trust is legally required to maintain your records in accordance with the retention guide referenced above.

Right to object

There is no general right to object to processing; however, you can object if there are grounds relating to your own particular situation, or if information is likely to be used for:

  • Marketing
  • Scientific or historical research
  • Statistical purposes
  • Purposes in the public interest or under an official authority (e.g. NHS Act 2006)

To object to processing, please contact the Data Protection Officer.

Right to restrict processing

The right to restrict processing means that if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but no other uses are then permitted until the dispute is settled.

To request restriction to processing, please contact the Data Protection Officer.

Right to data portability

The right to data portability is unlikely to apply to information held by the Trust; but you will be informed when the right does apply.

However, the Trust will cooperate with other health care providers and transfer your information, where appropriate, if you are being treated by other organisations.

Under the General Data Protection Regulation you have the right to request from us a copy of your medical records and in some cases, records of other people as an authorised representative. This is known as a Subject Access Request.

If you are applying for access to your own records you will need to send proof of identity. Please send a copy of your passport, photo driving licence or equivalent identification.

If you are applying for records on behalf of a patient you will need to send proof of your identity and proof of identity for the patient together with written authorisation from the patient.

Click here to complete a form to obtain your medical records from either the Royal Liverpool University Hospital, Broadgreen Hospital or Aintree University Hospital.

Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making.

The Trust does not use automated decision making as all decisions have human intervention. 

To use your information for direct health care purposes, the Trust does not require your consent. This is because consent may not be possible in many circumstances and the Trust has a legal duty to provide care.

Activities which are optional will be conducted with consent. You will have the option of withdrawing that consent at any time..

This does not affect the consent process for operations and treatments.

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information.

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding your privacy, please contact our Data Protection Officer:

Post: Lower Lane, Liverpool, L9 7LJ


This address should not be used for clinical or general complaints about the Trust 

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information. The Information Commissioner’s Office is the UK's independent body set up to uphold information rights.

The Information Commissioner's Office (ICO)

Wycliffe House

Water Lane




Further information about their work and the legislation they cover is available from or by contacting them on the helpdesk number 0303 123 1113.

The Data Protection Act 2018  (DPA 2018) and the General Data Protection Regulations (GDPR) legislate how personal information is used by the Trust and any other organisations, businesses or the government.

The Principles.

Information should be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and all current Data Protection Legislation.

For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.

Data controllers and organisations that process personal data must be able to demonstrate compliance with provisions under Data protection Legislation. This involves publishing our basis for lawful processing.  As personal data is processed for purposes of the Trusts statutory functions, we have considered our lawful basis for processing personal data and have deemed:


  • Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party.

Legal Obligation – (Commissioning, planning, regulatory and public health functions):

  • Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the data controller is subject.

Vital Interests:

  • Article 6(1)(d) – processing is necessary in order to protect the vital interests of the data subject (or of another natural person).

Direct care and administrative purposes including safeguarding and employment:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (this includes recruiting to all types of roles).

Legitimate Interests – (Research):

  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the data controller, and for medical purposes and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality

This is also relevant where the Trust may seek to recover debts from individuals.

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.

Special Category Data

Where the Trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:


  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, the provisions of the Children’s Acts 1989 and 2004, and the Care Act 2014.

Vital Interests:

  • Article 9(2)(c) – processing is necessary in order to protect the vital interests of the data subject (or of another natural person); where the data subject is physically or legally incapable of giving consent.

Legitimate Interest:

  • Article 9(2)(d) - processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Healthcare, Commissioning and Planning:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Public Interest in Public Health

  • Article 9(2)(i) – processing is necessary for reasons of public interest in public health – such as protecting against serious cross border threats to health.

Research, regulatory and public health functions:

  • Article 9(2)(j) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Regulatory and public health functions:

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.

If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller (schedule 2 (6) (1)), where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

Any processing which relies on consent will be based on explicit consent under GDPR. You will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices.

If your information will be used for any secondary service, you will be notified of these.

Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

If you would like to receive a printed version of any privacy notices available for download below, please contact the Data Protection Officer on:

Data Protection Officer

Liverpool University Hospitals NHS Foundation Trust

2nd Floor, Aintree Lodge

Lower Lane


L9 7AL

0151 529 8878

Email address:

Data Controller

The organisation which determines the processing of Personal Data.


The Data Controller is the legally responsible organisation.

Data Processor

An organisation which the Data Controller appoints to provide a service on its behalf. The Data Processor must follow the legal instruction of the Controller.


Data Subject

The individual who personal data is about.

The individual must be identifiable from the data.


Data Protection Officer

The person appointed by the Data Controller as the single point of contact for data protection enquiries.

The Data Protection Officer acts independently and monitors compliance with data protection obligations


Data Processing

The activities which relate to Personal Data.

Data Processing includes:

·         Obtaining, recording or holding the information

·         Organisation, adaption or alteration

·         Retrieval, consultation or use

·         Disclosure by transmission, dissemination or otherwise making available

·         Alignment, combination, blocking, erasure or destruction of the information or data;


Information Commissioner’s Office

The regulator of information rights in the United Kingdom. The ICO website is -


Personal Data

Data which relates to an individual and enables them to be identified

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals.  To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered.  High risk could result from either a high probability of some harm, or a lower possibility of serious harm.  It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.

Liverpool University Hospitals NHS Foundation Trust have been carrying out Privacy Impact Assessments on new projects and initiatives for several years prior to the enactment of the General Data Protection Regulation and have refined our processes to ensure they meet the requirements of the new legislation and the GDPR Article 29 Working Party criteria for an acceptable DPIA.

In summary the Trust will:

  • Describe the nature, scope, context and purposes of the processing
  • Ask data processors to help us understand and document their processing activities and identify any associated risks
  • Consider how best to consult individuals (or their representatives) and other relevant stakeholders.
    We will ask for the advice of our Data Protection Officer
  • Check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance
  • Carry out an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests and identify measures we can put in place to eliminate or reduce high risks
  • Record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted
  • Implement the measures identified, and integrate them into our project plan
  • Consult the Information Commissioners Office (ICO) before processing if we cannot mitigate “high risks”
  • Keep all DPIAs under review and revisit them if necessary.

Here at Liverpool University Hospitals NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.

Below you will find a summary of all DPIAs carried out since 25th May 2018 when this became a data protection requirement. 

The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact:

Data Protection Impact Assessments

Privacy Notices

The NHS Constitution

  • You have the right of access to your own records and to have any factual inaccuracies corrected
  • You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure
  • You have the right to be informed about how your information is used
  • You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS also commits:

  • To ensure those involved in your care and treatment have access to your health information so they can care for you safely and effectively (pledge)
  • To anonymise the information collected during the course of your treatment and use it to support research and improve care for others (pledge)
  • Where identifiable information has to be used, to give you the chance to object wherever possible (pledge)
  • To inform you of research studies in which you may be eligible to participate (pledge) and
  • To share with you any correspondence sent between clinicians about your care (pledge). 

How Your Information Is Used - Privacy Notice

Who are we?

On 1st October 2019, the Trust was created, through the merger of Aintree University Hospital NHS Foundation Trust and Royal Liverpool and Broadgreen University Hospitals NHS Trust.

The Trust is a major NHS Trust providing healthcare services across Merseyside and beyond. As well as providing general and specialist health care, it plays an important role in the teaching and education of health care professionals and in healthcare research and innovation.

We are monitored by a number of different organisations including:

  • NHS England
  • The Information Commissioners Office (ICO)
  • Care Quality Commission (CQC)
  • Department of Health
  • NHS Improvement

Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by professional bodies.

To safeguard your information and support your rights, the Trust has appointed a Data Protection Officer (‘DPO’) as your single point of access. The DPO can be contacted on:

Data Protection Officer

Liverpool University Hospitals NHS Foundation Trust

2nd Floor, Aintree Lodge

Lower Lane


L9 7AL

Email address:

The Trust is registered with the Information Commissioner's Office as a Data Controller reference Z9553640, as required by the Data Protection Act 2018.