For statutory legal purposes, we must inform you that Liverpool University Hospitals NHS Foundation Trust is the Data Controller processing your personal data.

The following information explains what information the Trust collects about you, why we collect it, how we use it, and your rights under the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR).

The Trust collects personal and confidential information primarily to provide medical services, in accordance with its obligations under the NHS Act 2006 and Health and Social Care Act 2012.

In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for us to have a complete picture as this information enables us to ensure you receive the right care to meet your individual needs.

Information collected for medical purposes includes:

  • Preventative medicine
  • Medical diagnosis
  • Medical research
  • Provision of care and treatment
  • Management of healthcare services.

This information is collected so that clinical teams have accurate and up-to-date information on which to base your treatment options.

To ensure we can provide you with the best possible care, the information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through appointments, attendances and home visits
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of x-rays, scans, blood tests, etc.
  • Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.

We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).

This list is not exhaustive but indicative of the information recorded. The Trust will use your contact details to communicate with you about your healthcare i.e. by post, email, telephone or text message.

By providing the Trust with your contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).

Most of the information the Trust collects about you is received directly from you.

This will be checked with you to ensure that your name, address, telephone number and next of kin, for example, are accurate and up-to-date.

The Trust will, however, receive information from other healthcare providers about you. This typically will be from a referral. For example, when you see your GP, if they decide you need an appointment with the Trust, your GP will provide the Trust with your identifiers, contact details, summary of your current complaint and any relevant medical history. If you have been treated at another hospital and referred to the Trust, the same information would be provided to the Trust.

If you do not provide us with the most relevant information, or it is inaccurate or incomplete, this could significantly affect the medical care you receive and adversely affect your health.

If any of the information recorded about you is incorrect, please inform your health care team at the earliest opportunity.

Everyone working for the NHS is subject to the Common Law Duty of Confidence.

We work with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be securely shared.

Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.

Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.

Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

Access to information is restricted to those who have a need-to-know. Within the Trust, your information may be shared with the following people when there is a medical need:

  • Doctors, nurses and therapists directly caring for you
  • Health care assistants and therapy assistants, supporting your direct care and part of your care team
  • Pharmacists, radiologists and other clinical support services
  • Secretaries, receptionists, Patient Access Centre and other clerical support teams, who require access to carry out administrative tasks, such as booking appointments, typing letters or managing services
  • Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.

In such cases, the shared data must always identify the patient for safety reasons.

The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration;
  • Disclosure to social workers or to other non-NHS staff involved in providing healthcare;
  • Disclosure to specialist organisations for the purposes of clinical auditing;
  • Disclosure to those with parental responsibility for patients, including guardians;
  • Disclosure to carers without parental responsibility (subject to explicit consent);
  • Disclosure to medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services;
  • Disclosure to bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
  • Disclosure to National Generic Registries - e.g. the UK Association of Cancer Registries;
  • Disclosure, where necessary and appropriate, to non-statutory investigations - e.g. Members of Parliament;
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health;
  • Disclosure to solicitors, to the police, to the courts (including a Coroner's Court), and to tribunals and enquiries;
  • Disclosure to the media (normally the minimum necessary disclosure subject to explicit consent).

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.

This helps to provide better health and care for you, your family and future generations.

Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about how you want your confidential patient information to be used. If you are happy for us to use your information, you do not need to do anything.

If you choose to opt out, your confidential patient information will still be used to support your individual care.  

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the national data opt-out programme. If you do choose to opt out, you can still consent to your data being used for specific purposes.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subject to.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the patient has given his/her explicit consent to the sharing;
  • When the patient has implicitly consented to the sharing for direct care purposes;
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006 

This list is not exhaustive but indicative of the information recorded.

We outsource a limited number of administration and IT support services to external organisations.

These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.

All of your information is kept in accordance with the Records Management Code of Practice for Health and Social Care 2021. Please visit the NHS England website.

In general terms, medical information is retained for at least 8 years after treatment; or for children until they reach at least 25 years old. There are exceptions to this.

Any enquiries should be made directly to the Data Protection Officer.

You have a number of rights under Data Protection Legislation.

In short, your rights are:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object
  • Right to restrict processing
  • Right to data portability.

Right to be informed

You have a right to be informed about uses of your information with an emphasis on transparency. This notice, in support of other privacy notices published by the Trust, ensures that your right to be informed is achieved.

Right of access

You have a right to receive:

  • Confirmation of what information is recorded about you
  • Confirmation of how your information is used
  • Access to your information.

You will be required to provide proof of identification and may be asked to specify exactly what information you require.

If you would like access to your health records please submit your request in writing to the Subject Access Request Department or telephone 0151 706 2681 for more information.

Right to rectification

Rectification refers to correcting inaccuracies or incomplete data which is held by the Trust. This applies to factual information only – such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do however; have the right to include your own statements alongside professional opinions.

To request rectification of information held about you, or to add your own statement, please contact the Subject Access Request Department on 0151 706 2681.

If you disagree with a professional opinion and wish to add your own statements, please contact the Data Protection Officer.

Right to erasure

In some circumstances you can request that your information is deleted.

This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or the information is no longer required. You will be informed of activities to which this right applies.

There are exceptions to this right. Any enquiries should be made directly to the Data Protection Officer.

Generally, the Trust is legally required to maintain your records in accordance with the retention guide referenced above.

Right to object

There is no general right to object to processing; however, you can object if there are grounds relating to your own particular situation, or if information is likely to be used for:

  • Marketing
  • Scientific or historical research
  • Statistical purposes
  • Purposes in the public interest or under an official authority (e.g. NHS Act 2006)

To object to processing, please contact the Data Protection Officer.

Right to restrict processing

The right to restrict processing means that if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but no other uses are then permitted until the dispute is settled.

To request restriction to processing, please contact the Data Protection Officer.

Right to data portability

The right to data portability is unlikely to apply to information held by the Trust; but you will be informed when the right does apply.

However, the Trust will cooperate with other health care providers and transfer your information, where appropriate, if you are being treated by other organisations.

Under the General Data Protection Regulation you have the right to request from us a copy of your medical records and in some cases, records of other people as an authorised representative. This is known as a Subject Access Request.

If you are applying for access to your own records you will need to send proof of identity. Please send a copy of your passport, photo driving licence or equivalent identification.

If you are applying for records on behalf of a patient you will need to send proof of your identity and proof of identity for the patient together with written authorisation from the patient.

Can Liverpool University Hospital withhold any information?

Yes. There are circumstances where LUHFT is entitled to withhold information:

• If third party data is included in the personal data being requested this will be redacted unless we have the consent from the third party to release their personal data

• The Trust may on occasion be unable to provide access to personal data held if the release is likely to be detrimental to health or cause harm. These circumstances would be reviewed on a case-by-case basis

• If the disclosure would put at risk a criminal investigation or catching an offender.

Click here to complete a form to obtain your medical records from Aintree University Hospital, Broadgreen Hospital, Liverpool University Dental Hospital or The Royal Liverpool University Hospital.

Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making.

The Trust does not use automated decision making as all decisions have human intervention.

To use your information for direct health care purposes, the Trust does not require your consent. This is because consent may not be possible in many circumstances and the Trust has a legal duty to provide care.

Activities which are optional will be conducted with consent. You will have the option of withdrawing that consent at any time..

This does not affect the consent process for operations and treatments.

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information.

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding your privacy, please contact our Data Protection Officer:

Post: Liverpool University Hospitals, 2nd Floor, Aintree Lodge, Lower Lane, Liverpool, L9 7AL


This address should not be used for clinical or general complaints about the Trust 

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information. The Information Commissioner’s Office is the UK's independent body set up to uphold information rights.

The Information Commissioner's Office (ICO)

Wycliffe House

Water Lane




Further information about their work and the legislation they cover is available from or by contacting them on the helpdesk number 0303 123 1113.

The Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulations (UK GDPR) legislate how personal information is used by the Trust and any other organisations, businesses or the government.

The Principles

Information should be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful basis for processing data

All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and all current Data Protection Legislation.

For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.

Data controllers and organisations that process personal data must be able to demonstrate compliance with provisions under Data protection Legislation. This involves publishing our basis for lawful processing.  As personal data is processed for purposes of the Trusts statutory functions, we have considered our lawful basis for processing personal data and have deemed:


Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party.

Legal Obligation – (Commissioning, planning, regulatory and public health functions)

Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the data controller is subject.

Vital Interests

Article 6(1)(d) – processing is necessary in order to protect the vital interests of the data subject (or of another natural person).

Direct care and administrative purposes including safeguarding and employment

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (this includes recruiting to all types of roles).

Legitimate Interests – (Research)

Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the data controller, and for medical purposes and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality

This is also relevant where the Trust may seek to recover debts from individuals.

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.

Special Category Data

Where the Trust processes special categories of personal data, there is an additional legal basis for processing such data as listed below:


Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, the provisions of the Children’s Acts 1989 and 2004, and the Care Act 2014.

Vital Interests

Article 9(2)(c) – processing is necessary in order to protect the vital interests of the data subject (or of another natural person); where the data subject is physically or legally incapable of giving consent.

Legitimate Interest

Article 9(2)(d) - processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

Healthcare, Commissioning and Planning

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Public Interest in Public Health

Article 9(2)(i) – processing is necessary for reasons of public interest in public health – such as protecting against serious cross border threats to health.

Research, regulatory and public health functions

Article 9(2)(j) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Regulatory and public health functions

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing.

If your information will be used for any secondary service, you will be notified of these. Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller (schedule 2 (6) (1)), where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

Any processing which relies on consent will be based on explicit consent under UK GDPR. You will be asked to make a definite decision; there will be no presumption of consent from silence, inaction or pre-selected choices.

If your information will be used for any secondary service, you will be notified of these.

Under the Data Protection Legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are in supporting the running of the day-to-day operations of the organisation.

If you would like to receive a printed version of any privacy notices available for download below, please contact the Data Protection Officer on:

Data Protection Officer
Liverpool University Hospitals NHS Foundation Trust
2nd Floor, Aintree Lodge
Lower Lane
L9 7AL

Telephone: 0151 529 8878

Email address:


Why and how we process your data contained within CCTV and BWV footage, and your rights

Data Controller

Liverpool University Hospital NHS Foundation Trust

Does this contain sensitive (special category) data such as health information?


How can you withdraw your consent?

Consent is not the lawful basis used for processing this data.

How long the data is kept

Automatically deleted after 30 days. May be retained, if necessary, to assist with crime prevention and detection.

How we use the information (processing activities)

Personal data is collected for prevention of crime, investigation of security incidents and to assist with the safety of staff, service users and security of Trust premises.

Is data transferred outside the UK?


Is the data subject to decisions made solely by computers? (automated decision making)


Our lawful basis for processing this data

Public Task - 6(1)(e)

Legitimate Interest - 6(1)(f)

Health and Social Care Act (2012) – Schedule 18, part 10 (1)

Where does this data come from?

CCTV and Body Worn Videos (BWV).

Do we share this data with anyone else?

Access to recorded CCTV/BWV footage is restricted dependent on role. All requests for disclosure should be submitted to the Data Protection Office.

CCTV/BWV footage may only be accessed or disclosed to the extent necessary to deal with an incident which falls within the purpose identified above or in order to respond to a request made by a data subject under data protection legislation.

CCTV/BWV footage will not be accessed or used for any other purpose.

CCTV/BWV will only be released, if necessary, in line with Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulations (GDPR).

Disclosures are considered on a case-by-case basis and limited to what is necessary.

Unless there is a valid reason permitted by law, or there are exceptional circumstances (such as a likely risk to the safety of you or others), we will not disclose any information to third parties which can be used to identify you without your consent.

Your rights

✔ Be Informed

✔ Get access to it

✔ Rectify or change it

X Erase or remove it

✔ Restrict of stop processing it

X Move, copy or transfer it

✔ Object to it being process or used

✔ Know if a decision was made by a computer rather than a person


Data Controller

The Data Controller is the legally responsible organisation

Data Processor


An organisation which the Data Controller appoints to provide a service on its behalf. The Data Processor must follow the legal instruction of the Controller.


Data Subject


The individual who personal data is about.

The individual must be identifiable from the data.


Data Protection Officer


The person appointed by the Data Controller as the single point of contact for data protection enquiries.

The Data Protection Officer acts independently and monitors compliance with data protection obligations


Data Processing


The activities which relate to Personal Data.

Data Processing includes:

  • Obtaining, recording or holding the information
  • Organisation, adaption or alteration
  • Retrieval, consultation or use
  • Disclosure by transmission, dissemination or otherwise making available
  • Alignment, combination, blocking, erasure or destruction of the information or data.


Information Commissioner’s Office


The regulator of information rights in the United Kingdom. The ICO website is -



Personal Data


Data which relates to an individual and enables them to be identified

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals. To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.

Liverpool University Hospitals NHS Foundation Trust have been carrying out Privacy Impact Assessments on new projects and initiatives for several years prior to the enactment of the General Data Protection Regulation and have refined our processes to ensure they meet the requirements of the new legislation and the UK GDPR Article 29 Working Party criteria for an acceptable DPIA.

In summary the Trust will:

  • Describe the nature, scope, context and purposes of the processing
  • Ask data processors to help us understand and document their processing activities and identify any associated risks
  • Consider how best to consult individuals (or their representatives) and other relevant stakeholders.
  • We will ask for the advice of our Data Protection Officer
  • Check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance
  • Carry out an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests and identify measures we can put in place to eliminate or reduce high risks
  • Record the outcome of the DPIA, including any difference of opinion with our Data Protection Officer or individuals consulted
  • Implement the measures identified, and integrate them into our project plan
  • Consult the Information Commissioners Office (ICO) before processing if we cannot mitigate “high risks”
  • Keep all DPIAs under review and revisit them if necessary.

Here at Liverpool University Hospitals NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this UK GDPR obligation is carried out, recorded and regularly reviewed.

Below you will find a summary of all DPIAs carried out since 25th May 2018 when this became a data protection requirement. 

The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact:


  • You have the right of access to your own records and to have any factual inaccuracies corrected
  • You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure
  • You have the right to be informed about how your information is used
  • You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS also commits:

  • To ensure those involved in your care and treatment have access to your health information so they can care for you safely and effectively (pledge)
  • To anonymise the information collected during the course of your treatment and use it to support research and improve care for others (pledge)
  • Where identifiable information has to be used, to give you the chance to object wherever possible (pledge)
  • To inform you of research studies in which you may be eligible to participate (pledge) and
  • To share with you any correspondence sent between clinicians about your care (pledge). 

On 1st October 2019, the Trust was created, through the merger of Aintree University Hospital NHS Foundation Trust and Royal Liverpool and Broadgreen University Hospitals NHS Trust.

The Trust is a major NHS Trust providing healthcare services across Merseyside and beyond. As well as providing general and specialist health care, it plays an important role in the teaching and education of health care professionals and in healthcare research and innovation.

We are monitored by a number of different organisations including:

  • NHS England
  • The Information Commissioners Office (ICO)
  • Care Quality Commission (CQC)
  • Department of Health
  • NHS Improvement

Our consultants, doctors, nurses and healthcare professionals are also regulated and governed by professional bodies.

To safeguard your information and support your rights, the Trust has appointed a Data Protection Officer (DPO) as your single point of access. The DPO can be contacted on:

Data Protection Officer

Liverpool University Hospitals NHS Foundation Trust

2nd Floor, Aintree Lodge

Lower Lane


L9 7AL

Email address:

The Trust is registered with the Information Commissioner's Office as a Data Controller reference Z9553640, as required by the Data Protection Act 2018.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, and sometimes provide useful information to the owners of the site. 

There are some cookies necessary to this site functioning, such as interacting with our accessibility toolbar. These cookies will usually remove themselves when you close your browsing session. More information can be found in the ‘Necessary cookies’ section. 

We use some additional cookies, such as Google Analytics, to help us gather information and improve the website. You have the option to deny use of these cookies; more information can be found in the ‘Additional cookies’ section. 

You can find more information on managing and deleting cookies on the Information Commissioners Office website.

Necessary cookies

The following cookies are necessary to our site functioning.

Cookie Purpose Expiry
cookieconsent_status Persistently records your option regarding additional cookies. 1 year
__cf_bm Cloudflare layer to read and filter requests from bots. 30 minutes

Necessary accessibility cookies

The following necessary cookies allow the functions within our accessibility toolbar to work optimally.

Cookie Purpose Expiry
accessibility-controls Records option regarding additional cookies. End of browsing session
saveFontSize Allows the website (CMS) to record if the user’s font size selection. End of browsing session
contrast-mode Allows the website (CMS) to record the user’s contrast mode selection. End of browsing session
googtrans Allows the language of page content to be changed and records the language selected. End of browsing session

Additional cookies

The following third-party cookies are used for analytical and media purposes. 

If you do not accept use of these additional cookies, some third-party media content – such as YouTube, Vimeo or Google Maps – may not load on this website.

Analytics cookies

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the using Google Analytics.

You can read Google’s extensive information on data practices in Google Analytics.

You can opt-out of Google Analytics on our website by denying additional cookies or by using the Google Analytics Opt-out Browser Add-on.

Cookie Purpose Expiry
_ga Distinguishes user for Google Analytics. 2 years
_gid Distinguishes user for Google Analytics. 1 day
_gat Throttles request rate for Google Analytics. 1 minute
_ga_ZGQHGBEB11 Persists session state for newer versions of Google Analytics. 2 years
__utma Distinguishes user and session for Google Analytics. 2 years
__utmb Determines new session or visit for Google Analytics. 30 minutes
__utmc Determines new session or visit for Google Analytics. End of browsing session
__utmz Stores traffic source for Google Analytics. 6 months

Embed cookies 

We may use embeds from YouTube, Google Maps or Vimeo on our site to display content. That content uses the following third-party cookies. Where possible, we will use privacy-oriented settings to ensure as few cookies as possible require consent. 

These additional cookies that remain, and the content from which they stem, will not display on the site unless you choose to ‘Accept additional cookies’. 

Cookie Source Purpose Expiry
CONSENT YouTube (  Google cookie tracking consent with analytics and/or ad integration.  2 years 
CONSENT Google Maps (  Google cookie tracking consent with analytics and/or ad integration. 2 years 
__cf_bm Vimeo (  Vimeo ClouldFlare layer which filters out requests from bots.  30 minutes

Miscellaneous cookies

The following cookies are not necessary to our site functioning but can aid bespoke functionality.

Cookie Purpose Expiry
tablist-location Remember location option from tablist popup 1 hour


Captcha cookies 

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms.

Cookie Source Path Purpose Expiry




Provides risk analysis to Google spam protection. 6 months


Version 1.5 March 2023

The privacy of all our Users at Liverpool University Hospital NHS Foundation Trust (the Trust) is very important to us. When you, as an App-user, use the Service the App Provider uses (Chapelcroft Limited) to deliver the App to you and therefore will need to process your Personal Data. This Privacy Statement describes how we safeguard and process your Personal Data. We recommend you read it carefully.

Who we are:

We, Liverpool University Hospitals NHS Foundation Trust (the Trust), are a data controller. Our address for communications is:

Royal Liverpool Hospital

Mount Vernon Street


L7 8YE

Our telephone number is 0151 706 2000

The Trust is registered with the Information Commissioner's Office as a Data Controller reference Z9553640, as required by the Data Protection Act 2018.

If you want to contact us about this application and how we use your information in the first instance, please email:

Complaints and Your Rights to complain to the Regulator

If you feel that we have not adequately dealt with your complaint regarding how we process your information you can raise the issue with the Information Commissioner who is the supervisory authority for the United Kingdom (the Regulator) at the address below:

Information Commissioner's Office:

By phone: 0303 123 1113

By letter 

Wycliffe HouseWater LaneWilmslowCheshireSK9 5AF

Link to Contact Form:

Website: (opens in a new window)

Purpose of Processing

In order to provide you with the Staff App and associated services, we need to process some personal information, where possible the App collects unidentifiable information.

The Lawful bases for the Trust to process your information is your consent. By downloading and using the App, you signify your consent for us to process your information

What is stated in this Privacy Statement?

Parties inform you in this Privacy Statement about:

  • The kinds of Personal Data processed;
  • Permissions;
  • The purposes for which Personal Data is processed;
  • Where the Personal Data are processed;
  • The security measures in place to protect Personal Data;
  • Limits of responsibility concerning third parties;
  • Viewing, changing and deleting your Personal Data;
  • Data Subject Rights
  • Changes to this Privacy Statement;
  • What to do if you have any questions or remarks.

The kinds of personal data processed

Personal data by using our Service

In order to deliver the Service

Automatically generated information

Like most other websites and online services, the App gathers and process automatically generated information about how you use the App.

The information gathered includes:

  • Your IP-address
  • Unique device ID.
  • Location (optional)*

Location information is used for push messaging; however, the user has the option to turn off push notification, but IP addresses and device ID will still be collected. The option to opt in or out is presented at the initial download set up. If you specifically opt-in, the App may collect your geo-location information. In any event, you can block geo-location collection through the settings of your mobile device.

To provide the App-owner (the Trust) with information about the usage of the app we are also collecting the following (anonymous) information:

  • The moment you open the app;
  • The blocks (Sections of the App); you've opened inside the app and the amount of time you've spend in this block
  • Actions such as , opening URLs (links), viewing pages etc.
  • The moment you leave the app.

Specific information

We may use push notifications (we send information to you) to ask you to engage in certain activities via the App, such as for example loyalty-card schemes, newsletters, advertising, however we will not ask for any personal information.

You can Turn off Push notifications under settings within the App.


In general, and for specific functionality built in the App, our service asks for Permissions. These Permissions are asked of the App user when the App is installed from your APP store and / or when a specific functionality is used.

  • Location
  • Camera
  • Notifications
  • Open Supported Links
  • Application Data Usage.

​​​​​​​The purposes for which Personal Data is processed

Purposes - to enable you to use the service

  • To keep you updated with relevant information about our service
  • To improve and/or customise the service
  • To identify your use /or customise the service
  • To provide advertising via the app.

The Trust processes personal data for the following purposes

  • To identify your device and to prevent fraud
  • To provide support
  • To pass your personal data to third parties, if you requested us to do so or if we are legally obliged to do so.

Transmission of Personal Data to third parties

The Trust and its App supplier do not sell, trade, or rent your Personal Data to third parties without your prior consent.

We may provide “aggregated anonymous data” about the usage of the Service to third parties for, as it deems to be appropriate for example to improve the APP and the services provided.

“Aggregated anonymous data” is data that cannot be traced back to you and which therefore does not count as Personal Data. For instance, we may use aggregated anonymous data to better understand how Users use the Service.

If the Trust App supplier (ARK Ltd) is transferred to a third party, or that the App supplier is merged with a third party, or undergoes a re-organisation, your Personal Data may also be disclosed and/or transferred to that third party. This third party will have the right to continue to use Personal Data and other information that you provided to us or the App Supplier.

The Trust and its App Supplier may disclose your Personal Data where it is believed, in good faith, that it is necessary to comply with a court order, ongoing judicial proceeding, criminal or civil subpoena, or other legal process or request by law enforcement authorities or to exercise its legal rights or defend themselves against legal claims.

Where are the Personal Data processed?

The Service is provided by using hosting services of Microsoft Azure, in the US Area.

The Personal Data processed by the App-publisher may be transferred to, and stored on, servers maintained by Microsoft Azure located in or outside a country in the UK such as the United States of America.

Microsoft adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, although Microsoft does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data considering the judgment of the Court of Justice of the EU in Case C-311/18 (Facebook Ireland Vs Schrems)

You agree to this transfer and processing outside the UK. The App-publisher will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this privacy policy. For more information about Microsoft Azure and the EU-US Privacy Shield look at

What security measures are in place to protect Personal Data?

The security of your data and that of other Users is very important to us.

The App Supplier has implemented technical and organisational measures to protect your Personal Data against loss or any form of unlawful processing. The App Supplier has implemented the following measures: protection of the servers by firewalls, SSL connections and encryption of sensitive data. This list is not exhaustive.

Limits of responsibility concerning third parties

Our Service may contain services and products offered by third parties, and/or hyperlinks to the websites or services of partners, advertisers and other third parties.

We the Trust have no control or influence over the content, websites, or services of these third parties. Different privacy policies may apply to the use of third-party websites and services. This Privacy Statement only relates to Data which have been obtained by the Trust through your use of the ‘the App’ for its own purposes. We the Trust do not accept any responsibility or liability for the content, practices or operation of third-party websites and services.

Viewing and deleting Personal Data

You may send a request to access or delete the personal information collected through your use of the App, by contacting us via email. You may be asked to provide additional information to verify your identity.

As we are not able to identify specific users, as we do not have access to the linkage between user and IP Address. It will not be possible to provide you with a the data we may hold about you, however if we are required by law to provide the information held in the App system, it maybe possible by a third party, such as Law enforcement, to link IP address and Geo-location to a user.

Can be done by emailing *Email address*

Children’s privacy

Personal information about children is not knowingly or intentionally collected. Children must not use this service.


Measures are implemented to secure your personal information, to minimise the risks of damage, loss of information and unauthorised access or use of information. However, these measures are unable to provide absolute information security. Therefore, although efforts are made to secure your personal information, it is not guaranteed and you cannot reasonably expect that the App and its related databases will be immune from any wrongdoings, malfunctions, unauthorised interceptions or access, or other kinds of abuse and misuse.

Data Subject Rights

You have the right to see, or have a copy, of your personal information.

You do not need to give a reason, and there will be no charge.

Email: 01253 781444

We will normally provide your information within one month (four weeks) of receiving all the information we need to respond to your request. It maybe that we have to extend the time period by a further two months (eight weeks) if your request is complex, numerus, or large. We will inform you within the month of receipt if this is the case and explain why the extension is necessary.

Please be as detailed as possible when requesting information, for instance stating date ranges, appointment types, or specific letters.

Before records are released we will seek the advice of the consultant in charge of the patient care to ensure that no information about an individual's physical or mental health or condition will be released if it would be likely to cause harm to either them or another person's physical or mental health condition. We will also withhold information provided by third parties where we don't have consent to release it or where the patient has made it clear that they did not want the information disclosed.

Before providing any information we will need to verify your identity and may request further information from you so we may progress your query as quickly as possible. 

Your right to be informed

This means you have a right to be informed about the way we collect and use your data. 

Your right to rectification

This means you have the right to have inaccurate (incorrect or misleading as to any matter of fact) personal data corrected or completed. 

Your right to have your personal information erased

This right is not absolute and only applies in certain circumstances. 

You have the right to restrict the processing of your information in any one of the following circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy of the data.
  • We no longer need the personal data but you need to keep it in order to establish, exercise, or defend a legal claim
  • You have objected to the Chapelcroft (ARK) processing your data under Article 21(1) of UK GDPR, and Chapelcroft (ARK) is considering whether Company’s legitimate grounds override yours (the individual).

 Your right to object

This means that you have the right to object to the Company processing your data where the processing is based on all of the following:

  • legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling)
  • direct marketing (including profiling)
  • processing for purposes of scientific / historical research and statistics
  • You must have an objection on "grounds relating to your particular situation"

Your right to withdraw your consent

This means that once you have given your explicit consent for your information to be processed you have the right to both:

  • withdraw your explicit consent for the processing of your information
  • withdraw your consent by informing the department / team that took your consent (you can do this in writing or verbally).

Changes to this Privacy Statement

This Statement may be updated at any time. The Trust and App Supplier will publish any updated version of the Privacy Statement via the Service. The Trust and App Supplier encourage you to check this page from time to time to be aware of any changes to this Privacy Statement and to stay informed about how parties protect your Personal Data. You acknowledge and agree that it is your responsibility to review this Privacy Statement periodically and familiarise yourself with any updates.

You agree to be bound by any of the changes made to this Statement. Your continued use of the App after the changed take effect will indicate your acceptance of the amended Statement. If you do not agree with the amended Statement, you must uninstall the App and avoid any further use of it.

Retention Period

Your information is retained while the app is live or the APP provider is in contract with the Trust. All that is identifiable about the user is the device used, IP address, device type, an android or apple device and Geo Location information if you choose to provide it

What to do if you have any questions or remarks

If you have any questions or remarks about this Privacy Statement, please email:

This Privacy and Statement was last updated: August 2023