Privacy Notice
1. Introduction
1.1 This Privacy Notice applies to personal information processed by or on behalf of Leicester University Hospitals NHS Trust (“the Trust”). It explains:
2) Who we are and contact details for our Data Protection Officer (DPO)
3) What kinds of personal information about you we collect and process, how we process it, and what the legal grounds for processing are
4) How we keep the information safe and how long we keep it for
5) What your rights are under Data Protection law
6) What you should do if your information changes
7) Who you can speak to for further information or to make a complaint
1.2 Version Control: This is Version 1.2, Revised September 2021
2. Who We Are and Who Our Data Protection Officer (DPO) is
2.1 University Hospitals of Leicester NHS Trust is a registered Data Controller and Data Processor and it’s Information Commissioner Office (ICO) registration number is Z7882087. We collect and process personal information about you to allow us to provide and plan medical treatment for you and to analyse and improve our services on a local, regional and national level.
2.2 We will continually review and update this Privacy Notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the ‘last updated’ date as documented in the Version Control section of this Notice (1.2).
2.3 The DPO for University Hospitals of Leicester Trust is Head of Privacy, Mr Saiful Choudhury. He can be contacted via email at [email protected] or telephone on 07950854942.
3. Personal Information We Collect About You and the Legal Grounds for Processing
3.1 Types of Data We Use
Personal data means any information relating to an identified or identifiable natural, living person. An identifiable person may be someone who can be identified directly or indirectly (when several different pieces of information can be used together to identify an individual.)
Sensitive Personal Data relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.
Pseudonymised data takes the most identifying fields within a database and replaces them with artificial identifiers or pseudonyms. For example, a name is replaced with a unique number.
Pseudonymised data is not the same as anonymised data. When data has been pseudonymised it still retains a level of details in the replaced data that should allow tracking back of the data to its original state.
Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information as it changes it from personal data to statistical data. Where possible, University Hospitals of Leicester NHS Trust uses and shares anonymised data instead of identifiable data to protect the confidentiality of the subjects involved while still being able to plan services.
3.2 Personal details including your name, date of birth, contact details, phone number, next of kin details are collected and processed by the Trust in accordance with Article 6(1)(e) of GDPR:
1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
3.3 Sensitive personal data including information regarding your health, treatments we (or other organisations) have given you or plan to give you are collected and processed by the Trust in accordance with 9(2)(h) of the GDPR: ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
3.4 How We Use Your Personal Information
3.4.1 Direct Care
Direct Care refers to when we use your personal confidential and sensitive data to identify you and to keep an accurate record of your clinic visits and treatment, so that we know what treatments we and others have given you or plan to give you, for example if you are referred to a specialist or another part of the NHS.
We may not be able to provide you with the best or most appropriate service unless we have enough information about you.
3.4.2 Administrative Purposes
We use your contact and address details in order to contact you regarding appointments and to send letters regarding treatments that we have given or plan to give to you.
We use your contact details including your personal phone number to ask for and receive valuable feedback regarding your experience with our services. You can opt out of this feedback service should you wish to do so (see how to opt out at paragraph 5.5 of this Notice)
3.4.3 Training, Service Improvement and Analysis
We sometimes use patient data to train our staff. You will be approached for your consent if we would like to use your information in this way, if characteristics identifying who you are cannot be removed from the training materials.
We gather information about your treatment in order to produce statistics about how our Trust is working and compare these statistics to regional and national NHS targets. This allows us to thoroughly analyse our performance, plan our services and to be paid for the work that we do. Where possible, all information identifying individual patients is removed from statistical data before it is analysed or shared.
We are required by law and contract under the Health and Social Care Act to provide NHS Digital (our national governing body) with information when instructed. Where possible, all information identifying individual patients is removed from the information we share in this way.
Commissioning groups may receive personal data where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This is in addition to following the provisions set out in the GDPR and UK Data Protection Act.
3.4.4 Research and Audit
Researching new and innovative treatments is an essential part of the Trust’s strategy and is of national importance.
In order for your personal information to be used for medical research or clinical audit, the study or audit is assessed by us and, in the case of Research, approved by a Confidentiality Advisory Group, before any information is gathered. Most of the research studies conducted at the Trust will require you to give us your consent before you can be a participant. Some studies may not require information that identifies individual patients at all.
Further information on the use of personal data for research can be found on the Research pages of this website at: Leicester’s Research Team pages
3.4.5 Digital Recordings
The Trust reserves the right to have Closed Circuit Television (CCTV) systems across all sites that are used by members of the public, and some security staff use Body Worn Cameras (BWC) in the course of their duties, for the purposes of public health and safety and crime prevention and detection. CCTV cameras are also installed on the outside of some of the Trust’s buildings.
The cameras are only used by trained Security operatives. Digital recordings are kept as standard for 30 days unless an incident is captured that may require the footage to be stored for longer, for example, where a crime or security incident is being investigated. The Trust may share digital recordings with relevant agencies such as the Police, in accordance with the codes of practice and safeguards issued by the Information Commissioner’s Office (ICO).
3.4.6 Information Sharing
Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of service users.
We share your information when we are lawfully obliged to do so, for example when we have a contract or duty to share information in order to provide a service to our patients. We share health data with other NHS Trusts, GP surgeries and private health providers so that we can provide ‘joined up care’ should you need treatment by one or more of these services. We also have a responsibility as a public authority to share information to other agencies such as Social Services, local councils, courts of law, national registries or the Police. This work is completed in accordance with Data Protection law, alongside the common law Duty of Confidence and where possible will either have had any information that identifies you removed, or be shared with your implied or explicit consent.
The Trust co-ordinates the sharing of information with other organisations through the use of official Information Sharing Agreements to ensure that data is handled in accordance with the framework. This framework ensures that the responsibilities of the owner of the data
(Controller) and the party processing the data (Processor) are set out, what will happen in the event of a confidentiality breach and who takes responsibility for this.
We use external companies to process personal information for purposes such as archiving or secure destruction of data. These organisations are bound by contractual agreement and the contracts are reviewed regularly.
The Trust will never and has never sold patient data for financial or material gain. We have a responsibility to safeguard our employees and patients, and on occasion it may be necessary to share your personal confidential data in order to do this, without consent, to protect you or others. Such sharing of information is assessed on a case by case basis and all transfers are encrypted and protected.
3.4.7 Transfers Outside the European Economic Area (EEA)
Some patient data is shared with a health provider in the United States as part of the services offered by Leicester Fertility Centre. The Fertility Centre has it’s own policies on this as part of the private healthcare services it offers. If you are not a patient of the Fertility Centre your data will not be shared in this manner. Leicester’s Fertility Centre’s website is here: https://www.leicesterfertilitycentre.org.uk/
4. How We Keep Your Information Safe and How Long We Keep It For
4.1 We keep your information on a strict need to know basis, protecting it with a variety of physical, electronic and organisational measures. Physical measures we use include locks on doors and filing cabinets. Electronic protection includes passwords/passphrases, encrypting files and emails. Organisational measures we use are where only certain members of staff who need access to your information because of their job role are able to see or use it.
4.2 In addition to the provisions set out in data protection law, everyone working for the NHS is subject to the Common Law Duty of Confidence. Staff are required to protect your information under the NHS Confidentiality Code of Conduct as set out in their employment contracts. Staff are contracted to complete mandatory data protection training every year.
4.3 We keep your personal confidential data in identifiable format (where you can tell who a person is) as long as our purpose justifies us doing so. This is called the Retention Period. We follow the Records Management Code of Practice (2021) as a guide to help us work out retention periods for each type of data we use. Once the retention period is up, we review the data that we hold and either justify storing it for longer, delete the data or change it to an anonymized form (make it so that you can’t tell who each person is).
4.4 We use external companies to process personal information for purposes such as archiving or secure destruction of data. These organisations are bound by contractual agreement to use and store patient data under the same high standards we do and the contracts are reviewed regularly.
5. Your Rights Under Data Protection Law
5.1 Right to be Forgotten
Under the UK Data Protection Act 2018, you have the right to have an organisation erase the data they hold about you, unless that organisation is a public authority entrusted with processing personal confidential data in the public interest. The Trust processes personal confidential data in
order to provide healthcare, which is in the public interest. Because of this, we cannot entirely erase data we hold about our patients as then we would not be able to treat them or effectively manage our healthcare system.
5.2 Right to Rectification
You have a right to request that we change or correct the data we hold about you. Within a medical record, only requests that change or remove entirely incorrect data are likely to be upheld, and it is far more likely that we would simply update the medical record to reflect ‘new’ information in addition to what is already there. If the information is factually accurate, it is unlikely that the Trust will remove it, but can instead add explanatory notes to keep the record true and accurate.
Each request will be decided on it’s own merits.
5.3 Right to Portability
This means that you have the right to access your personal confidential data that the Trust holds and give it to any other Trust, or service provider, should you wish to do so. This right only applies to data that is about you, not about any other person or Trust staff member.
5.4 Right of Access
You have a right to access the information that we hold about you. The most effective way to make a request for a copy of your personal medical record is to contact the Access to Health Records team, based at Leicester Royal Infirmary, at [email protected] . You do not have to fill in an official form to access a copy of your records, but it will assist the team greatly if you do so.
For more information about how to obtain a copy of your medical records, including if you are requesting from outside the European Economic Area visit https://www.leicestershospitals.nhs.uk/patients/patient-and-visitor-services/health-and-medical- records/
For a copy of any information you believe the Trust holds about you that is not a medical record, contact the Privacy Unit at [email protected] to discuss your request with the team.
5.5 Right to Restrict Processing (Opt Out)
You are within your rights under data protection law to say that you do not want us to process your personal confidential data for research, audit, training staff or any other purpose than your direct care. You are unable to opt out of having your information shared for safeguarding purposes or in the public interest as we have a legal obligation to do this in certain circumstances. Further information regarding opting out can be found here: https://digital.nhs.uk/services/national-data-opt-out
5.6 Freedom of Information (FOI) Act 2000
Any person can request corporate information from University Hospitals of Leicester NHS Trust under the Freedom of Information Act. This Act only refers to corporate information (such as finances, personnel, procedures etc.) and not to personal information (that identifies or is about an individual). For further information, visit: https://www.leicestershospitals.nhs.uk/aboutus/freedom-of-information/
6 What You Should Do if Your Information Changes
If you are visiting a clinic at the Trust, or having an online or telephone appointment, you will be asked to confirm your contact and address details when you attend clinic or answer the call. It is important that the Trust has up to date information for you, so should these details change, please inform the clinic’s desk clerk, the secretarial staff or the person who is calling you at your appointments.
If your details change and you are expecting to be contacted by the Trust, let the secretarial staff working on the department know to change your details on the central system.
7 Who You Can Speak To For Further Information
7.1 How We Use Your Data
Should you have any concerns about how your information is to be used having read this Privacy Notice, you wish to request the notice in another accessible format or language, or if you do not wish your information to be shared by University Hospitals of Leicester NHS Trust, you can contact the Trust’s Data Protection Officer, the Head of Privacy at [email protected]
7.2 Complaints
Although we work hard to offer high standards of service and care, things can sometimes go wrong. Should this happen, we will do all that we can to put things right for you and to make sure that the same thing does not happen again. If you would like to know more information on complaints or wish to make a complaint, please click here.
7.3 Information Commissioner’s Office
University Hospitals of Leicester NHS Trust makes every effort to ensure that your data is used in an appropriate manner. However, if you feel you would like to take matters further, you may contact the Information Commissioner’s Office (ICO).
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone number 0845 306 060 or 01625 545 745
Website: https://ico.org.uk/