Patient/Service User Privacy Notice

Introduction

Lancashire Teaching Hospitals NHS Foundation Trust (LTH) is situated in the heart of Lancashire and we provide care from three main facilities:

• Chorley and South Ribble Hospital
• Royal Preston Hospital
• The Specialist Mobility and Rehabilitation Centre

We serve the local population and provide a number of specialised services across Lancashire and South Cumbria. We are one of the largest and highest performing trusts in the country, providing district general hospital services to around 400,000 people in Preston and Chorley, and specialist care to 1.6m people across Lancashire and South Cumbria.

We were established in 2005 and were the first trust in the country to be awarded ‘teaching hospitals’ status.

Lancashire Teaching Hospitals NHS Foundation Trust is a registered “Data Controller”, Information Commissioner Office (ICO) registration Z6929649 as we collect and process personal information about you. This notice explains how we use and share your information. Information may be collected in the following formats - paper, online, telephone, email, CCTV or by a member of our staff, or one of our partners.

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the “last updated” date as documented in the version control section.

This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.

• Why do we collect information about you

  We need information about you so that we can give you the best possible care. When you come into contact with the health service provided at Lancashire Teaching Hospitals NHS Foundation Trust, you will be asked to provide details about yourself. This information will help us provide the following:

  • Delivery of high-quality health care services
  • Confirm your identity to ensure accurate, up to date information to provide the best possible care and treatment for you.
  • Support the provision of joined up services that meet your holistic health and social care needs.
  • Plan, manage and work out what care services are needed where and when.
  • It will enable the hospital to be paid for your treatment.
  • To support audits of NHS services and accounts.
  • Contributes to national NHS statistics.
  • Finding better ways to prevent illness and treat conditions.

  We may not be able to provide you with a service unless we have enough information about you.

  For processing to be lawful under the UK General Data Protection Regulations (UKGDPR) we need to identify a legal basis before we can process personal data. These are often referred to as the ‘‘lawful basis for processing’. The identified legal basis for Lancashire Teaching Hospitals NHS Foundation Trust to process healthcare data is:

  ‘6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

  The type of data we process (health data) is known as a ‘special category data’. 9(2)(h) ‘Necessary for the purposes of preventative or occupational medicine, for medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under supervision of health professionals who in the circumstances owes a duty of confidentiality under an enactment of rule of law’.

• What information do we collect about you

  What are the different types of data

  According to the General Data Protection Regulations, personal data means any information relating to an identified or identifiable natural person. An identifiable person may be someone who can be identified directly or indirectly.

  Sensitive Personal Data relates to information concerning a data subjects racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.

  Pseudonymised data takes the most identifying fields within a database and replaces them with artificial identifiers or pseudonyms. For example, a name is replaced with a unique number. Pseudonymised data is not the same as anonymised data. When data has been pseudonymised it still retains a level of details in the replaced data that should allow tracking back of the data to its original state.

  Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.

  CCTV / Surveillance

  We have installed CCTV systems in some of our premises used by members of the public, for the purposes of public and staff safety and crime prevention and detection. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security and crime prevention and detection.

  Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner.

  Why do we collect information about ethnicity

  Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.

  You don’t have to give us information about your ethnic origin if you do not want to.

• How do we use your information

  We will use the information you provide in a manner that conforms to the UK General Data Protection Regulations which is supported by the Data Protection Act 2018. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, the law sets the length of time information has to be kept. The retention periods set within the NHS are contained in the Records Management Code of Practice for Health and Social Care.

  We will process your information for the following purposes:

  • Staff caring for you have accurate and up to date information to help them decide the best possible care and treatment needed for you.
  • We can contact you in relation to your care and treatment.
  • Information is available should you need another form of care, for example if you are referred to a specialist or another part of the NHS.
  • There is a good basis for looking back and assessing the type and quality of care you have received.
  • Your concerns can be properly investigated should you need to complain.
• How your information is used for other purposes

  In addition to supporting the care you receive, your information may also be used to help us:

  • Look after the health of the general public.
  • Review the care we provide to ensure it is of the highest standard.
  • Teach and train health care professionals (if you do not want your information to be used in this way, please let us know. It will not affect your treatment in any way).
  • Conduct research approved by the Local Research Ethics Committee (Conduct audits.
  • Investigate complaints, legal claims or untoward incidents.
  • Make sure our services can meet patient needs in the future.
  • Prepare statistics on NHS performance.
  • Ensure treatments and services meet the needs of local communities.
  • Monitor the way public money is spent.

  If you do not want certain information recorded or shared with others, please talk to the person in charge of your care. There are however some aspects of your care which we are obliged to record.

• How we maintain your records

  We understand the personal and sensitive nature of your information. In addition to the General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA18) everyone working for the NHS is subject to the Common Law Duty of Confidence. Staff are required to protect your information under the NHS Confidentiality Code of Conduct and must inform you how your information will be used and allow you to decide if and how your information can be shared.

  We may use external companies to process personal information such as for archiving or destruction of data. These organisations will be bound by contractual agreement to ensure information is kept confidential and secure in compliance with the GDPR / DPA18.

  We will keep your records safe and secure and store them for the period outlined in the NHS Records Management Code of Practice retention schedule. In some instances, there may be a need for us to store medical records off site. In such instances we will ensure that any companies we use to store records off site meet the strict criteria required.

• Who else might see your information

  You may be receiving care from other people as well as the NHS so we may be required to share your information with them for example with:

  • Other healthcare professionals e.g., doctors, nurses, ambulance services
  • Partner organisations who contribute to your long-term care e.g., GPs, social services, private sector providers
  • Other services e.g., cancer registries, complaints, auditing, research purposes etc (anonymised/pseudonymised or your consent will be sought).

  We may also need to share your information for other purposes for example with (please note this list is not exhaustive):

  • Carers/guardians with parental responsibilities
  • Carers/guardians without parental responsibility (subject to explicit consent, unless data is anonymous)
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services.
  • Disclosure to bodies with statutory investigative powers – eg, the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
  • Disclosure, where necessary and appropriate, to non-statutory investigations – eg, Members of Parliament
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health
  • Disclosure to solicitors, to the police, to the courts (including a Coroner's court), and to tribunals and enquiries
  • Disclosure to the media (the minimum necessary disclosure subject to consent)

  We may therefore need to share your information with these individuals to ensure the best possible care is provided. We will only ever pass information about you if they have a genuine need for it, on a need to know basis, if there is a court order, there is a statutory power to share patient data or we have your consent. We will not disclose your information to a third party unless there are exceptional circumstances, such as when the health and safety of others is at risk or if the law requires us to pass on such information.

  Information sharing in the NHS

  Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of service users.

  The NHS co-ordinates the sharing of information through the use of agreements to ensure data is handled in accordance with the framework.

  National Disease Registration Service (NDRS)

  The National Congenital Anomaly and Rare Disease Registration Service (NCARDRS) is part of the National Disease Registration Service (NDRS), which is part of Public Health England and records people with congenital abnormalities and rare diseases across the whole of England. To identify those patients who have received specific high-cost drugs for the treatment of a rare disease, patient information submitted to NHS England and NHS

  Improvement on the prior approval system (currently Blueteq) will be shared with the NCARDRS.

  Data supplied for rare disease patients will support future NHS England and NHS Improvement commissioning decisions for these and future drugs as well as current work being undertaken to understand the impact of Covid19 on rare disease patients. From the 1st October 2021 the National Disease Registration Service will move to NHS Digital and permission to process confidential patient information will be directed by the Secretary of State through Section 254 of the Health and Social Care Act.

  Patient control of information

  You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt-out of the NHS or other organisations using your information. If you wish to do this, please contact the Trust via the contact details highlighted below:

  Data Protection Officer
  Lancashire Teaching Hospitals NHS Foundation Trust Sharoe Green Lane
  Fulwood Preston Lancashire PR2 9HT
  Telephone number 01772 716565
  Website: lancsteachinghospitals.nhs.uk 
  Email: DPO@lthtr.nhs.uk

   

• How do we store your personal information

  Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

  • Securely dispose of your information for example by utilising confidential waste for paper records, or wiping hard drives to legal standards of destruction.
  • Archive your information
• Your rights

  Correcting inaccurate information

  We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you. If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention. If you wish to have any inaccurate information corrected, please click here: https://www.lancsteachinghospitals.nhs.uk/access-your-health-record

  Accessing your information held by Lancashire Teaching Hospitals NHS Foundation Trust

  You have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to the Trust. Requests should be addressed to the Trust, and we will aim to respond to your request within one month from receipt of your request. For more information please click here: https://www.lancsteachinghospitals.nhs.uk/access-your-health-record

  Freedom of Information Requests (FOI)

  The Freedom of Information Act (2000) gives every Individual the right to request information held by the Trust. Your request for information must be made in writing and you are entitled to a response within 20 working days. For more details on submitting a Freedom of Information request please click here: https://www.lancsteachinghospitals.nhs.uk/freedom- of-information

  Complaints

  Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please click here: https://www.lancsteachinghospitals.nhs.uk/complaints

  Should you have any concerns about how your information is to be used having read this Privacy Notice, you wish to request the notice in another accessible format or if you do not wish your information to be shared by Lancashire Teaching Hospitals NHS Foundation Trust then please contact the Trust here: https://www.lancsteachinghospitals.nhs.uk/contact-us or email: DPO@lthtr.nhs.uk

  There may be circumstances where we are legally obliged to share your personal data with other third parties, for reasons such as safeguarding purposes or a court order. In such cases you will not be able to opt out of data sharing.

  If you are not happy with our responses and have exhausted all the avenues in the Lancashire Teaching Hospitals NHS Foundation Trust’s process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office. Contact details can be found below in the contact information and further advice tab.

• National data opt out

  The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

  This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

  Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

  You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

  To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

  You can change your mind about your choice at any time. Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

  Our organisation is currently compliant with the National Data Opt-Out policy.

• Data protection impact assessment

  As detailed in the Data Security & Protection Toolkit the Trust is required to ensure that as part of the data protection transparency agenda, details of all DPIAs that have been through the Trust approval process are published. 

  Access the list below:

  List of Data Protection Impact Assessments (DPIA) – from 1st April to 31st December 2023

  Click to view and/or download the file in PDF format

• Contact information and further advice

  If you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described, please contact:

  Data Protection Officer

  Lancashire Teaching Hospitals NHS Foundation Trust Sharoe Green Lane

  Fulwood Preston Lancashire PR2 9HT

  Telephone number 01772 716565

  Website: https://www.lancsteachinghospitals.nhs.uk/ Email: DPO@lthtr.nhs.uk

  For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner:

  The Information Commissioner
  Wycliffe House
  Water Lane
  Wilmslow
  Cheshire
  SK9 5AF
  Telephone number 0845 306 060 or 01625 545 745
  Website: www.ico.org.uk

  This privacy notice was reviewed in November 2023.

  Next review date in November 2024.