Patient/Service User Privacy Notice

Introduction

Lancashire Teaching Hospitals NHS Foundation Trust (LTH) is situated in the heart of Lancashire and we provide care from three main facilities:

• Chorley and South Ribble Hospital
• Royal Preston Hospital
• the Specialist Mobility and Rehabilitation Centre

We serve the local population and provide a number of specialised services across Lancashire and South Cumbria. We are one of the largest and highest performing trusts in the country, providing district general hospital services to around 400,000 people in Preston and Chorley, and specialist care to 1.6m people across Lancashire and South Cumbria.

We were established in 2005 and were the first trust in the country to be awarded ‘teaching hospitals’ status.

Lancashire Teaching Hospitals NHS Foundation Trust is a registered “Data Controller”, Information Commissioner Office (ICO) registration Z6929649 as we collect and process personal information about you. This notice explains how we use and share your information. Information may be collected in the following formats - paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.  

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the “last updated” date as documented in the version control section.

• Coronavirus/COVID19: Information on how we process your personal data

  The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. Lancashire Teaching Hospitals NHS Foundation Trust (the ‘Trust’) is working to ensure that the spread of the Covid19 Coronavirus is minimised.

  Legal basis

  Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. This direction was given under s254 and 255 of the Health and Social Care Act 2012 (2012 Act). Under the Control of Patient Information Notice (COPI Notice) the Trust has been given legal notice to act under the same direction as NHS Digital and this is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the Covid-19 response.

  The Trust's legal requirement to share this sensitive information in this current health crisis, without your consent, is outlined in the General Data Protection Regulation (GDPR). Article 9 2(i) of the GDPR details that  "processing [of personal data, including the sharing of information] is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care". This is in addition to the requirement for the Trust to work in line with the Direction from the Secretary of State for Health and Social Care referenced above (Sections 259(1)(a), 259(5) and 259(8) of the 2012 Act).

  Sharing your personal data in this way is not normal for the Trust and will take place only as long as Covid-19 is a threat to public health. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information is available on the GOV.UK website, and FAQs on this law are available via NHSx.

  For further details on the COPI Notice please visit the following link - Control of patient information (COPI) notice - NHS Digital

  With whom we may share your information

  In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email. We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.

  When you tell us you’re experiencing Covid-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

  During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt[1]outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

  Conducting video consultations

  During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

  This Trust participates in a joint programme to support the delivery of remote/virtual outpatient appointments. Currently, this uses a system called Attend Anywhere. To enable us to deliver this service in the most efficient way possible, patients may be seen over a video call consultation by specialists from any of these Lancashire and South Cumbria Hospital Trusts:

  • Blackpool Teaching Hospitals NHS Foundation Trust
  • East Lancashire Hospitals NHS Trust
  • Lancashire Teaching Hospitals NHS Foundation Trust
  • University Hospitals of Morecambe Bay NHS Foundation Trust

  To deliver services in this way, it will be essential for your personal details (relevant to the appointment) to be shared with the consultant/specialist seeing you. If you do not wish your details to be shared with consultants and specialists in more than one Hospital Trust, please let your GP or referring doctor know as soon as possible.

  This section provides you with details of our privacy practices in connection with the Attend Anywhere video consulting system and website and what we do to maintain your right to privacy.

  Lancashire Teaching Hospitals NHS Foundation Trust does not collect any personal data about you on this system and the associated Attend Anywhere website, apart from: information that you volunteer by completing the online form to enter your name, phone number and date of birth; and your IP address and access device type. Information that is submitted via the online form is encrypted and securely transferred to us. It is used solely for the purpose of identifying you to your clinical team. At the end of the video call this information is deleted from the system. Your IP address and access device type are used to process your call effectively and are deleted from the Attend Anywhere system within 12 months. Your IP address is also sent to Google Analytics for web access statistical reporting.

  Any information, which you provide via this website is not made available to any third parties. Any information provided is used by Lancashire Teaching Hospitals NHS Foundation Trust solely for the purpose of processing your information request or video consultation. Information entered to facilitate your video consultation is not retained at the end of your consultation. The video and audio elements of your call are not recorded in the Attend Anywhere system. However, details of your consultation 3 may be entered into your medical or care record. These systems are subject to the appropriate policies.

  Technical details in connection with visits to this website are logged, collected and used by our host, Amazon Web Services and Google Analytics. This includes your IP address and device type. This information cannot be combined with other details you provide to identify you. Lancashire Teaching Hospitals NHS Foundation Trust will make no attempt to identify individual users. You should be aware, however, that access to web pages will generally create log file entries in the systems of your Internet Service Provider (ISP) or network services provider. These entities may identify the client and device used to access a page. Such monitoring would be done by the provider of network services and is out with the responsibility or control of Lancashire Teaching Hospitals NHS Foundation Trust and Attend Anywhere.

• Why do we collect information about you

  We need information about you so that we can give you the best possible care. When you come into contact with the health service provided at Lancashire Teaching Hospitals NHS Foundation Trust, you will be asked to provide details about yourself.  This information will help us provide the following:

  • Delivery of high quality health care services
  • Confirm your identity to ensure accurate, up to date information to provide the best possible care and treatment for you.
  • Support the provision of joined up services that meet your holistic health and social care needs.
  • Plan, manage and work out what care services are needed where and when
  • It will enable the hospital to be paid for your treatment
  • To support audits of NHS services and accounts
  • Contributes to national NHS statistics.
  • Finding better ways to prevent illness and treat conditions

  We may not be able to provide you with a service unless we have enough information about you.

  For processing to be lawful under the General Data Protection Regulations (GDPR) we need to identify a legal basis before we can process personal data. These are often referred to as the ‘‘lawful basis for processing’. The identified legal basis for Lancashire Teaching Hospitals NHS Foundation Trust to process healthcare data is:

  ‘6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

  The type of data we process (health data) is known as a ‘special category data’. 9(2)(h) ‘Necessary for the purposes of preventative or occupational medicine, for medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under supervision of health professionals  who in the circumstances owes a duty of confidentiality under an enactment of rule of law’.

• What information do we collect about you

  What are the different types of data

  According to the General Data Protection Regulations, personal data means any information relating to an identified or identifiable natural person. An identifiable person may be someone who can be identified directly or indirectly.

  Sensitive Personal Data relates to information concerning a data subjects racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.

  Pseudonymised data takes the most identifying fields within a database and replaces them with artificial identifiers or pseudonyms. For example a name is replaced with a unique number. Pseudonymised data is not the same as anonymised data. When data has been pseudonymised it still retains a level of details in the replaced data that should allow tracking back of the data to its original state.

  Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.

  CCTV/surveillance

  We have installed CCTV systems in some of our premises used by members of the public, for the purposes of public and staff safety and crime prevention and detection. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security and crime prevention and detection.

  Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner.

  Why do we collect information about ethnicity

  Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.

  You don’t have to give us information about your ethnic origin if you do not want to.

• How do we use your information

  We will use the information you provide in a manner that conforms to the General Data Protection Regulations which is supported by the Data Protection Act 2018. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept. The retention periods set within the NHS are contained in the Records Management Code of Practice for Health and Social Care.

  We will process your information for the following purposes:

  • Staff caring for you have accurate and up to date information to help them decide the best possible care and treatment needed for you
  • We can contact you in relation to your care and treatment
  • Information is available should you need another form of care, for example if you are referred to a specialist or another part of the NHS
  • There is a good basis for looking back and assessing the type and quality of care you have received
  • Your concerns can be properly investigated should you need to complain
• How your information is used for other purposes

  In addition to supporting the care you receive, your information may also be used to help us:

  • Look after the health of the general public
  • Review the care we provide to ensure it is of the highest standard
  • Teach and train health care professionals (if you do not want your information to be used in this way, please let us know.  It will not affect your treatment in any way)
  • Conduct research approved by the Local Research Ethics Committee (Conduct audits
  • Investigate complaints, legal claims or untoward incidents
  • Make sure our services can meet patient needs in the future
  • Prepare statistics on NHS performance
  • Ensure treatments and services meet the needs of local communities
  • Monitor the way public money is spent

  If you do not want certain information recorded or shared with others, please talk to the person in charge of your care.  There are however some aspects of your care which we are obliged to record.

  If you are outside the UK and would like to see a copy of your records, please request these through the Access To your records section of this web site:

• How we maintain your records

  We understand the personal and sensitive nature of your information. In addition to the General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA18) everyone working for the NHS is subject to the Common Law Duty of Confidence. Staff are required to protect your information under the NHS Confidentiality Code of Conduct and must inform you how your information will be used and allow you to decide if and how your information can be shared.

  We may use external companies to process personal information such as for archiving or destruction of data. These organisations will be bound by contractual agreement to ensure information is kept confidential and secure in compliance with the GDPR / DPA18.

  We will keep your records safe and secure and store them for the period outlined in the NHS Records Management Code of Practice retention schedule.  In some instances there may be a need for us to store medical records off site.  In such instances we will ensure that any companies we use to store records off site meet the strict criteria required.

• Who else might see your information

  You may be receiving care from other people as well as the NHS so we may be required to share your information with them for example with:

  • Other healthcare professionals eg, doctors, nurses, ambulance services
  • Partner organisations who contribute to your long term care eg, GPs, social services, private sector providers
  • Other services eg, cancer registries, complaints, auditing, research purposes etc (anonymised/pseudonymised or your consent will be sought).

  We may also need to share your information for other purposes for example with (please note this list is not exhaustive):

  • Carers/guardians with parental responsibilities
  • Carers/guardians without parental responsibility (subject to explicit consent, unless data is anonymous)
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
  • Disclosure to bodies with statutory investigative powers – eg, the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
  • Disclosure, where necessary and appropriate, to non-statutory investigations – eg, Members of Parliament
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health
  • Disclosure to solicitors, to the police, to the courts (including a Coroner's court), and to tribunals and enquiries
  • Disclosure to the media (the minimum necessary disclosure subject to consent)

  We may therefore need to share your information with these individuals to ensure the best possible care is provided. We will only ever pass information about you if they have a genuine need for it, on a need to know basis, if there is a court order, there is a statutory power to share patient data or we have your consent. We will not disclose your information to a third party unless there are exceptional circumstances, such as when the health and safety of others is at risk or if the law requires us to pass on such information.

  Information sharing in the NHS

  Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of service users.

  The NHS co-ordinates the sharing of information through the use of agreements to ensure data is handled in accordance with the framework.

  Patient control of information

  You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt-out of the NHS or other organisations using your information. If you wish to do this please contact the Trust via the contact details highlighted below:

  Data Protection Officer

  Lancashire Teaching Hospitals NHS Foundation Trust

  Sharoe Green Lane

  Fulwood

  Preston

  Lancashire

  PR2 9HT

  Telephone number 01772 716565

  Website: http://www.lancsteachinghospitals.nhs.uk/

  Email: DPO@lthtr.nhs.uk

• Your rights

  Correcting inaccurate information

  We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you.   If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. If you wish to have any inaccurate information corrected please click here.

  Accessing your information held by Lancashire Teaching Hospitals NHS Foundation Trust

  You have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to the Trust and we will aim to respond to your request within one month from receipt of your request.  For more information please click here.

  Freedom of Information Requests (FOI)

  The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days.  For more details on submitting a Freedom of Information request please click here.

  Complaints

  Although we work hard to offer high standards of service and care, things can sometimes go wrong.  Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again.  If you would like to know more information on complaints or wish to make a complaint, please contact our PALS team here.

  Should you have any concerns about how your information is to be used having read this Privacy Notice, you wish to request the notice in another accessible format or if you do not wish your information to be shared by Lancashire Teaching Hospitals NHS Foundation Trust then please contact the Trust here or email: DPO@lthtr.nhs.uk

  There may be circumstances where we are legally obliged to share your personal data with other third parties, for reasons such as safeguarding purposes or a court order.  In such cases you will not be able to opt out of data sharing.

  If you are not happy with our responses and have exhausted all the avenues in the Lancashire Teaching Hospitals NHS Foundation Trust’s process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office. Contact details can be found below in the contact information and further advice tab.

• National data opt out

  National Data Opt-Out was introduced in May 2018, following recommendations from the National Data Guardian. The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

  The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care. This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

  Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

  You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

  How do I opt out or find more information?

  To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

  You can also find out more about how patient information is used at:

  https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research)

  Our organisation is currently compliant with the National Data Opt-Out policy.

• Data protection impact assessment

  As detailed in the Data Security & Protection Toolkit the Trust is required to ensure that as part of the data protection transparency agenda, details of all DPIAs that have been through the Trust approval process are published. To access this list of approved DPIAs please click on the following link: Data Protection Impact Assessment (1st April 20 - 30th March 21)

• Contact information and further advice

  If you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described, please contact:

  Data Protection Officer

  Lancashire Teaching Hospitals NHS Foundation Trust
  Sharoe Green Lane
  Fulwood
  Preston
  Lancashire
  PR2 9HT
  Telephone number 01772 716565
  Website: https://www.lancsteachinghospitals.nhs.uk/
  Email: DPO@lthtr.nhs.uk

  For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:

  The Information Commissioner
  Wycliffe House
  Water Lane
  Wilmslow
  Cheshire
  SK9 5AF
  Telephone number 0845 306 060 or 01625 545 745
  Website: www.ico.org.uk