Your information, your rights
The information in this section explains what information the Trust collects about you, why we collect it, how we use it, and your rights under the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
What is a Privacy Notice?
UK GDPR requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.
This is sometimes referred to as a fair processing notice.
So that we can provide you with the best possible service, a variety of information is collected about you from a range of sources, such as your GP. This information is used to support your healthcare.
Under the UK GDPR information about your physical and mental health, racial or ethnic origin and religious belief is considered to be special category personal information and is subject to strict laws governing its use.
Mersey and West Lancashire Teaching Hospitals NHS Trust is a data controller under the UK GDPR and the Data Protection Act 2018.
The Trust is legally responsible for ensuring its processing of personal information is in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.
The NHS Constitution
- You have the right of access to your own records and to have any factual inaccuracies corrected
- You have the right to privacy and confidentiality and to expect the NHS to keep your confidential information safe and secure
- You have the right to be informed about how your information is used
- You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis
The NHS also commits:
- To ensure those involved in your care and treatment have access to your health information so they can care for you safely and effectively (pledge)
- To anonymise the information collected during the course of your treatment and use it to support research and improve care for others (pledge)
- Where identifiable information has to be used, to give you the chance to object wherever possible (pledge)
- To inform you of research studies in which you may be eligible to participate (pledge)
- To share with you any correspondence sent between clinicians about your care (pledge)
Urgent Care Self-Service Tool
The urgent care self-service tool, also known as the NHS streaming and redirection tool, is a kiosk-based service. It is provided as a web application by NHS Digital for use by patients who arrive at accident and emergency (A&E) departments or other urgent care settings with no pre-booked arrival time.
Patients answer questions about any symptoms they have arrived with so that the service can direct them to the most appropriate care.
For further information see: Privacy statement for the urgent care self-service tool – NHS Digital
- Access your medical records
You have the right to access the information we hold about you, such as your medical information.
Requests must be made in writing to the Access to Medical Records department.
The Trust will provide your information to you within one month from receipt of your application. This can be extended depending on the complexity of the request.
Please note that some or all of the information requested may be withheld in reliance on exemptions contained within the UK GDPR and Data Protection Act 2018.
You must complete a request form to see your records using the form above. A copy of a form of photo identification is required for all access requests (e.g. passport, driving licence, NUS card).
For all requests, a copy of a utility bill or bank statement no more than three months old will also be required to confirm address. You must provide your identity documents with the request form. (These will be destroyed once the request is closed.)
The application form and identification should then be sent to: Access to Health Records, Mersey and West Lancashire Teaching Hospitals NHS Trust, Town Lane, Kew, Southport, PR8 6PN or email@example.com
If you require assistance, please call 01704 704616 or email firstname.lastname@example.org.
Access to records of a deceased person
Records of the deceased are governed by the Access to Health Records Act and are usually kept for eight years after the patient’s death.
The only person with an absolute right of access is the personal representative, who is the executor or administrator of the deceased person’s estate.
Other individuals with a claim may request information and will be required to define on what grounds the request is being made.
- How long we keep your information
All patient records are retained and ultimately destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS record should be retained.
The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Employment records are also retained and ultimately destroyed in accordance with this Schedule.
- How your information is used
In general your records are used to direct, manage and deliver the care you receive to ensure that:
- The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
- Health or social care professionals have the information they need to be able to assess and improve the quality and type of care you receive
- Your concerns can be properly investigated if a complaint is raised
- Appropriate information is available if you see another clinician, or are referred to a specialist or another part of the NHS or social care
Confidentiality affects everyone.
The Trust collects, stores and uses large amounts of personal and special category personal data every day, such as medical records, personal records, and computerised information. This data is used by many people in the course of their work.
We take our duty to protect personal information and confidentiality very seriously. We are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
The Trust is committed to looking after your personal data and it is the responsibility of all staff throughout the organisation to make sure of this.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional, appointed to ensure that data about those who use its service is handled in a confidential manner by the Trust and to enable appropriate data and information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Dr Kate Clark.
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director at the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is John McLuckie.
Data Protection Officer (DPO)
Under the UK GDPR all large public authority organisations like ourselves are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will look into the matter on your behalf and will also act as the main contact for communication with the Information Commissioner’s Office.
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
Our DPO can be contacted at DPO@midmerseyda.nhs.uk
- Lawful basis for processing data
The UK General Data Protection Regulation (GDPR) 2018 requires the Trust to have a legal basis under Article 6 (and in the case of special category data Article 9) of the UK GDPR for the processing of personal data. In the main, the following legal bases apply to the Trust’s processing of personal data:
Special category personal data
Article 9(2)(b) – “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”
Article 9(2)(c) – “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
Article 9(2)(f) – “processing is necessary for the establishment, exercise or defence of legal claims”
Article 9(2)(g) – “processing is necessary for reasons of substantial public interest”
Article 9(2)(h) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”
Article 6(1)(e) – “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
Article 6(1)(b) – “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
Article 6(1)(d) – “processing is necessary in order to protect the vital interests of the data subject or of another natural person”
Article 6(1)(f) – “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party” – this basis might be applicable, for example, in our use of CCTV (see further below) or in the way we process data for car parking management.
- My NHS number
A service is available on the NHS.UK website to receive a reminder of your NHS number.
You should also be able to find your NHS number on any letter or document you have received from the NHS, including prescriptions, test results, and hospital referral or appointment letters.
If you cannot find your NHS Number in these ways, you can ask your GP practice to help you. They should be able to provide the number for you as long as you are registered with them. To protect your privacy, you may be asked to show a passport, driving licence or some other proof of identity.
- Raising a concern
Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should email the Patient Experience and Complaints Service or telephone 01704 704958.
If you have any concerns about how we handle your information you have a right to complain to the Information Commissioner’s Office.
The UK GDPR requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information.
These details are publicly available from: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. Telephone: 0303 123 1113
- SMS text messaging
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you.
This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
- Surveillance cameras (CCTV)
We employ surveillance cameras (CCTV) on and around our sites in order to:
- Protect staff, patients, visitors and Trust property
- Apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
- Provide a deterrent effect and reduce unlawful activity
- Help provide a safer environment for our staff
- Assist in traffic management and car parking schemes
- Monitor operational and safety related incidents
- Help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
- Assist with the verification of claims
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it.
Requests should be directed to the address below and you will need to provide further details as contained in the section Accessing Your Records and Exercising Your Rights.
The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by the UK General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018 and we will only retain surveillance data for a reasonable period or as long as is required by law.
In certain circumstances (high profile investigations, serious or criminal incidents), we may need to disclose CCTV data for legal reasons.
When this is done there is a requirement for the organisation that has received the images to adhere to the UK GDPR.
- What rights do I have?
The UK GDPR includes a number of user rights. We must respond to requests in relation to your rights within one month, although there are some exceptions to this.
The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.
Right to be informed
Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.
Right of access
You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK GDPR although there are exceptions to what we are obliged to disclose.
A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else’s, physical or mental health.
Right to rectification
You have the right to ask us to rectify any inaccurate data that we hold about you.
Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.
Right to restriction of processing
You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.
Right to data portability
This right is only available where the legal basis for processing under the UK GDPR is consent, or for the purposes of a contract between you and the Trust. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.
Right to object
You have the right to object to processing of personal data about you on grounds relating to your situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
Rights in relation to automated individual decision-making, including profiling
You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.
Right to complain to the Information Commissioner
You have the right to complain to the Information Commissioner if you are not happy with any aspect of the Trust’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.