
For statutory legal purposes, we must inform you that Liverpool University Hospitals NHS Foundation Trust is the Data Controller processing your personal data.
The following information explains what information the Trust collects about you, why we collect it, how we use it, and your rights under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
The Trust collects personal and confidential information primarily to provide medical services, in accordance with its obligations under the NHS Act 2006 and Health and Social Care Act 2012.
In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide, to you. It is important for us to have a complete picture as this information enables us to ensure you receive the right care to meet your individual needs.
Information collected for medical purposes includes:
This information is collected so that clinical teams have accurate and up-to-date information on which to base your treatment options.
To ensure we can provide you with the best possible care, the information that we collect about you may include details such as:
We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
This list is not exhaustive but indicative of the information recorded.
The Trust will use your contact details to communicate with you about your healthcare i.e. by post, email, telephone or text message.
By providing the Trust with your contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).
Most of the information the Trust collects about you is received directly from you.
This will be checked with you to ensure that your name, address, telephone number and next of kin, for example, are accurate and up-to-date.
The Trust will, however, receive information from other healthcare providers about you. This will typically be from a referral. For example, when you see your GP, if they decide you need an appointment with the Trust, your GP will provide the Trust with your identifiers, contact details, summary of your current complaint and any relevant medical history. If you have been treated at another hospital and referred to the Trust, the same information would be provided to the Trust.
If you do not provide us with the most relevant information, or it is inaccurate or incomplete, this could significantly affect the medical care you receive and adversely affect your health.
If any of the information recorded about you is incorrect, please inform your health care team at the earliest opportunity.
Everyone working for the NHS is subject to the Common Law Duty of Confidence.
We work with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be securely shared.
Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.
Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.
Access to information is restricted to those who have a need-to-know. Within the Trust, your information may be shared with the following people when there is a medical need:
In such cases, the shared data must always identify the patient for safety reasons.
The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:
For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.
This helps to provide better health and care for you, your family and future generations.
Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about how you want your confidential patient information to be used. If you’re happy for us to use your information, you do not need to do anything.
If you choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the National Data Opt Out Programme. If you do choose to opt out you can still consent to your data being used for specific purposes.
You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subject to.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
This list is not exhaustive but indicative of the information recorded.
We outsource a limited number of administration and IT support services to external organisations.
These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.
All of your information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2021. This is available from https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
In general terms, medical information is retained for at least 10 years after treatment, or for children until they reach at least 25 years old. There are exceptions to this.
Any enquiries should be made directly to the Data Protection Officer.
You have a number of rights under Data Protection Legislation.
In short, your rights are:
Right to be informed
You have a right to be informed about uses of your information with an emphasis on transparency. This notice, in support of other privacy notices published by the Trust, ensures that your right to be informed is achieved.
Right of access
You have a right to receive:
You will be required to provide proof of identification and may be asked to specify exactly what information you require.
If you would like access to your health records please submit your request in writing to the Subject Access Request Department or telephone 0151 529 2023 for more information.
Right to rectification
Rectification refers to correcting inaccurate or incomplete data which is held by the Trust. This applies to factual information only, such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do, however, have the right to include your own statements alongside professional opinions.
To request rectification of information held about you, or to add your own statement, please contact the Subject Access Request Department on 0151 529 2906.
If you disagree with a professional opinion and wish to add your own statements, please contact the Data Protection Officer.
Right to erasure
In some circumstances you can request that your information is deleted.
This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or the information is no longer required. You will be informed of activities to which this right applies.
There are exceptions to this right. Any enquiries should be made directly to the Data Protection Officer.
Generally, the Trust is legally required to maintain your records in accordance with the retention guide referenced above.
Right to object
There is no general right to object to processing; however, you can object if there are grounds relating to your own particular situation, or if information is likely to be used for:
To object to processing, please contact the Data Protection Officer.
Right to restrict processing
The right to restrict processing means that if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but no other uses are then permitted until the dispute is settled.
To request restriction to processing, please contact the Data Protection Officer.
Right to data portability
The right to data portability is unlikely to apply to information held by the Trust, but you will be informed when the right does apply.
However, the Trust will cooperate with other health care providers and transfer your information, where appropriate, if you are being treated by other organisations.
Under the General Data Protection Regulation you have the right to request from us a copy of your medical records and in some cases, records of other people as an authorised representative. This is known as a Subject Access Request.
If you are applying for access to your own records you will need to send proof of identity. Please send a copy of your passport, photo driving licence or equivalent identification.
If you are applying for records on behalf of a patient you will need to send proof of your identity and proof of identity for the patient together with written authorisation from the patient.
Click here to complete a form to obtain your medical records from either the Royal Liverpool University Hospital, Broadgreen Hospital or Aintree University Hospital.
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making.
The Trust does not use automated decision making as all decisions have human intervention.
To use your information for direct health care purposes, the Trust does not require your consent. This is because consent may not be possible in many circumstances and the Trust has a legal duty to provide care.
Activities which are optional will be conducted with consent. You will have the option of withdrawing that consent at any time.
This does not affect the consent process for operations and treatments.
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information.
If you have any queries or concerns regarding the information that we hold about you or you have a question regarding your privacy, please contact our Data Protection Officer:
Post: Lower Lane, Liverpool, L9 7LJ
Email: dpo@liverpoolft.nhs.uk
This address should not be used for clinical or general complaints about the Trust.
Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information. The Information Commissioner’s Office is the UK's independent body set up to uphold information rights.
The Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Further information about their work and the legislation they cover is available from www.ico.org.uk or by contacting them on the helpdesk number 0303 123 1113.
The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulations (GDPR) legislate how personal information is used by the Trust and any other organisations, businesses or the government.
The Principles.
Information should be:
All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and all current Data Protection Legislation.
For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.
Data controllers and organisations that process personal data must be able to demonstrate compliance with provisions under Data Protection Legislation. This involves publishing our basis for lawful processing. As personal data is processed for purposes of the Trust's statutory functions, we have considered our lawful basis for processing personal data and have deemed:
Contract:
Legal Obligation – (Commissioning, planning, regulatory and public health functions):
Vital Interests:
Direct care and administrative purposes including safeguarding and employment:
Legitimate Interests – (Research):
This is also relevant where the Trust may seek to recover debts from individuals.
The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.
Special Category Data
Where the Trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:
Safeguarding:
Vital Interests:
Legitimate Interest:
Healthcare, Commissioning and Planning:
Public Interest in Public Health
Research, regulatory and public health functions:
Regulatory and public health functions:
The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.
If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller (schedule 2 (6) (1)), where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.
Any processing which relies on consent will be based on explicit consent under GDPR. You will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices.
If you would like to receive a printed version of any privacy notices available for download below, please contact the Data Protection Officer on:
Data Protection Officer
Liverpool University Hospitals NHS Foundation Trust
2nd Floor, Aintree Lodge
Lower Lane
Liverpool,
L9 7AL
0151 529 8878
Email address: DPO@liverpoolft.nhs.uk
| Term | Definition |
| --- | --- |
| Data Controller | The organisation which determines the processing of Personal Data. The Data Controller is the legally responsible organisation. |
| Data Processor | An organisation which the Data Controller appoints to provide a service on its behalf. The Data Processor must follow the legal instruction of the Controller. |
| Data Subject | The individual whom the personal data is about. The individual must be identifiable from the data. |
| Data Protection Officer | The person appointed by the Data Controller as the single point of contact for data protection enquiries. The Data Protection Officer acts independently and monitors compliance with data protection obligations. |
| Data Processing | The activities which relate to Personal Data. Data Processing includes: obtaining, recording or holding the information; organisation, adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data. |
| Information Commissioner’s Office | The regulator of information rights in the United Kingdom. The ICO website is https://ico.org.uk/ |
| Personal Data | Data which relates to an individual and enables them to be identified. |
A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals. To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data; sometimes it is a mandatory data protection requirement.
Liverpool University Hospitals NHS Foundation Trust have been carrying out Privacy Impact Assessments on new projects and initiatives for several years prior to the enactment of the General Data Protection Regulation and have refined our processes to ensure they meet the requirements of the new legislation and the GDPR Article 29 Working Party criteria for an acceptable DPIA.
In summary the Trust will:
Here at Liverpool University Hospitals NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.
Below you will find a summary of all DPIAs carried out since 25th May 2018 when this became a data protection requirement.
The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact: dpo@liverpoolft.nhs.uk.
Who are we?
On 1st October 2019, the Trust was created, through the merger of Aintree University Hospital NHS Foundation Trust and Royal Liverpool and Broadgreen University Hospitals NHS Trust.
The Trust is a major NHS Trust providing healthcare services across Merseyside and beyond. As well as providing general and specialist health care, it plays an important role in the teaching and education of health care professionals and in healthcare research and innovation.
We are monitored by a number of different organisations including:
Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by professional bodies.
To safeguard your information and support your rights, the Trust has appointed a Data Protection Officer (‘DPO’) as your single point of access. The DPO can be contacted on:
Data Protection Officer
Liverpool University Hospitals NHS Foundation Trust
2nd Floor, Aintree Lodge
Lower Lane
Liverpool,
L9 7AL
Email address: DPO@liverpoolft.nhs.uk
The Trust is registered with the Information Commissioner's Office as a Data Controller reference Z9553640, as required by the Data Protection Act 2018.