Who is Lancashire and South Cumbria NHS Foundation Trust?
Lancashire and South Cumbria NHS Foundation Trust provides health and wellbeing services for a population of around 1.4million people. The services provided include community services such as health visiting, podiatry, sexual health and dentistry as well as inpatient and community mental health services.
This page tells you what we do with the information that we collect and hold about you and why we might need to share it with other organisations involved in the delivery of your care.
Why do we collect information about you?
As a public authority providing healthcare the Trust has a legal justification to collect and use information about our service users for direct healthcare purposes.
It is important that our staff know as much about your mental and physical health as possible so that we can give you appropriate care and attention. Our aim is not to be intrusive, and we won’t ask irrelevant or unnecessary questions. We ask you for information so that we can keep your details accurate, relevant and up to date, and to give you the best treatment available.
If your details change you should let a member of your healthcare team know as soon as possible. The Trust encourages you to be the 'guardian' of your own safety by providing this information.
What will we collect?
- Basic details such as name, address, date of birth, next of kin and contact details including phone number and email address, where applicable. Text and email will only be used with your consent.
- Details of your family, relatives and carers
- Details about you such as racial or ethnic origin, gender, occupation, lifestyle and social circumstances, religion or similar belief
- Current health problems and any contacts that we have had with you, old and new
- Visual images, personal appearance and behaviour
- Notes and reports about your health, treatment and care and results of investigations and tests
- Offences and alleged offences, criminal proceedings, outcomes and sentences
- Sexual life
- Any relevant information from other health and social care professionals, who are, or have been, involved in your care including General practices (GPs), Acute hospitals, Ambulance services, Clinical Commissioning Groups, Dental, Community, Pharmaceutical and Mental Health Services, Walk-in Centres, Nursing Homes, and many others including family and carers.
- Information may be collected from other non-NHS organisations with whom you may also be receiving care such as social care organisations and partner services e.g. Alzheimer’s Society, Mind and Local Authorities.
Information about you may also be needed for the following reasons:
- To ensure that our services meet your needs
- To assist staff to review the care that they provide and to ensure that it is of the highest standard
- To investigate complaints or legal claims
- To ensure that the Trust receives funding from its commissioners to pay for your care
- To prepare statistics on NHS performance in order to manage, improve and extend the services we are able to provide to you
- To prevent or detect fraud and corruption in the use of public funds
- In some cases phone calls may be recorded for training and information purposes
- When information is used for statistical or financial purposes, strict measures are taken to ensure that you cannot be identified from your information. You have the right to withhold information unless the law requires us to obtain it
Who will you be seen by?
Whilst in our care you will be seen by a range of health and/or social care professionals and support workers. They will keep records which may be written and/or held on computer about your health and the treatment that you receive from them. This may include Doctors, Nurses, Dentists, Pharmacists, Counsellors, Psychologists, Psychiatrists, Occupational Therapists, Podiatrists, Health Visitors, Healthcare Assistants, District Nurses, Social Workers, Professional Assistants and Administrative staff.
Sharing your information with relatives, partners, carers and friends
Relatives, partners, carers and friends will be kept up to date about the progress of your treatment only if you have agreed to this and a record has been made of this agreement. If you change your mind this agreement can be withdrawn and your new decision will be recorded.
If an individual lacks capacity to consent to the collection or sharing of their information or making a request for access to their health record, then a decision may be made either by a health/social care professional or someone else appointed to act on their behalf.
Information may also be shared when a legal order is in place e.g. Power of Attorney, Guardianship or Court Orders.
Sharing your information
We sometimes need to share the personal information we process with yourself as a service user and also with other organisations What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
- healthcare, social and welfare organisations;
- suppliers, service providers, legal representatives;
- auditors and audit bodies;
- educators and examining bodies;
- survey and research organisations;
- professional advisers and consultants;
- business associates;
- police forces;
- security organisations;
- central and local government;
- voluntary and charitable organisations.
National Fraud Initiative
This authority is under a duty to protect the public funds it administers, and to this end may use the information you have provided on this form for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes. For further information contact your Local Anti-Fraud Specialist:
Name: Dave Alford
Mersey Internal Audit Agency (MIAA)
Tel: 0151 285 4714
Protecting Children and Young people’s personal data
Children and young people’s data is afforded the same rights and protection as the data collected from Adults. Children and young people are considered a ‘vulnerable’ group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure.
When using or sharing children’s or young person’s data, we will always ensure that there is a legal reason for doing so or where relevant ask for their explicit consent.
In the UK and under GDPR, consent to care and treatment is required for children and young people under the age of 13 from whoever holds parental responsibility. Regular checks will be made to verify the age of the child or young person. However a child under the age of 13 may be able to consent on their own behalf if a clinician has assessed and documented that the person is capable of making decisions for themselves.
Children and young people over the age of 13 can provide consent themselves provided that they are capable. We will make sure that the child or young person understands what they are consenting to.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
In the event that the Trust provides online information services to children and young people consent for the use of an online service will be obtained from people 13 years old and over. Parental consent will be obtained for the use of online information services for children who are under the age of 13.
Closed Circuit Television (CCTV)
We use CCTV systems at Trust sites for prevention of criminal activity and to reduce fear of crime for Trust staff and service users. The use off CCTV systems is covered by the Trust Closed Circuit Television Policy which adheres to the relevant legislation and codes of practice, including Data Protection legislation.
The Trust ensures that the use of CCTV is publicised by appropriate signage and service users will be advised of any such use in clinical areas and on wards.
Information about a person's previous gender is subject to the current Gender Recognition Act. Personal data about a person’s previous gender will only be shared with the service user's explicit consent. More information on this can be found in the Interim Gender Protocol on the NHS England website.
Records Retention and Disposal
We will keep your records safe and secure and store them for the period outlined in the NHS Records Management Code of Practice retention schedule.
For healthcare purposes, and particularly mental health and children and young people’s health records, these records need to be kept for long periods of time and remain available to access. Consequently, it is unlikely that a record or information contained in the record will be erased or deleted if such a request is made.
Following the retention period the record will be confidentially destroyed.
How we keep your information confidential and secure
Everyone working for the NHS has a legal duty to keep information about you confidential and secure. We do this by using secure technologies and following safe practices.
You may be receiving care and support from other organisations as well as the Trust, such as Social Services or your GP. On these occasions we may need to share some information about you so that your care can be delivered to the highest and safest standard. We only use or pass on information about you if the organisation involved has a legitimate need for it and it is authorised for specific purposes.
Any organisation that receives information from the Trust is also bound by a legal duty of confidentiality under the General Data Protection Regulations (GDPR). An information sharing agreement is often in place with those organisations to ensure that it is kept confidential and secure.
We do not disclose information to third party organisations e.g. housing etc. without your written permission.
Occasionally there are exceptional circumstances that mean we may have to share your information, such as when you or someone else is at significant risk of harm, or where the law requires such information to be disclosed, e.g. for the prevention or detection of a crime.
How the NHS and Care Services work together
The Trust is one of many organisations working in the health and care system to improve care for service users and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using Mental Health or Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit https://digital.nhs.uk/national-data-opt-out. If you do choose to opt out you can still consent to your data being used for specific purposes.
Research and Planning
Why we do research
Research in the NHS helps to improve public health and patient care – it’s how we improve treatments and pathways in the NHS and make a real difference to people’s lives.
The Research and Development department here at Lancashire and South Cumbria NHS Foundation Trust is recognised as a leading centre for research, with more than 100 projects recruiting here each year.
Our research links closely with secondary care, mental health and community healthcare to ensure patients and their wellbeing are at the heart of everything we do. It covers all types of studies ranging from early stage developments of new treatments to large scale population-wide studies. It means patients have access to some of the most cutting edge treatments
The use of information for research
Some research will require your direct involvement (especially if taking part in clinical trials) in which case the circumstances will be fully explained to you and your express consent will be required. If you do not consent, then you will not be included in the research and/trial.
Sometimes, researchers need access to individual medical files. Before this can happen, the researchers must present their case before an ethics committee to check that their research is appropriate and worthwhile.
On rare occasions it is impractical to contact individuals for their consent, in which case the researchers must make their case before an ethics committee to show that there is enough benefit to the public at large to justify this.
Disclosures may be permitted under section 251 of the NHS Act 2006. This allows the Secretary of State for Health to set aside the common law duty of confidentiality in special circumstances.
This has to be to improve patient care or in the 'public interest', such as for important medical research.
Applications for approval to use Section 251 powers are considered by the Confidentiality Advisory Group (CAG) who will advise whether there is sufficient justification to access the requested confidential patient information. Examples of this, used in the short-term until other measures can be put in place are, risk stratification and invoice validation.
How can you access your information?
If you would like to know more about the information we hold about you and what we do with that information, please ask the health or social care professional that you are seeing or a member of their team.
You can ask the following:
- What personal information do we hold on you?
- What is it used for?
- Who has it been shared with?
- How long it will be kept?
You are entitled to access your health records under the provisions of the General Data Protection Regulations (GDPR) and Data Protection Bill 2018. This is known as a Subject Access Request (SAR). Unless the request is complicated or involves a large volume of information copies will be provided free of charge.
SARs are managed in accordance with the Trust Access to Records Policy. Your information will be reviewed first by a healthcare professional to ensure that what we send you will not cause upset or distress to your wellbeing. We will also check that the information we send you does not contain information you are not entitled to see.
You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone).
Subject Access Requests can be made as follows
- On an informal basis, as part of the care process we can go through your record with you (by you requesting to view your record with a health professional.)
- On a formal basis, by you requesting in writing a copy of the record. You can also contact the Health Records Advisor via the Trust headquarters. Address details can be found on the back of this booklet or you can email your request to DPA@lancashirecare.nhs.uk
Who helps protect your information?
The Trust is committed to looking after your personal information and it is the responsibility of all staff throughout the organisation to make sure of this.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional appointed to ensure that the information of service users is handled in a confidential manner by the Trust and enabling appropriate information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director in the Trust with overall responsibility for managing organisational information risk and putting strategies in place to control the identified risks.
Data Protection Officer (DPO)
Under the General Data Protection Regulations (GDPR) all large public authority organisations such as Lancashire Care are legally required to employ a Data Protection Officer. This person is responsible for providing advice and guidance to staff and the Trust Board on aspects of the Data Protection law and related regulation and codes of practice.
The Trust Data Protection Officer is Michelle Brammah.
General Data Protection Regulations (GDPR):
Your rights regarding your healthcare information
The GDPR provides the following rights for individuals:
The right to be informed
All Service users have the right to be informed about the collection and use of their information including the reasons for processing the data, how long the information will be held for and who it will be shared with.
The right of access
Service users have the right to access their personal data. See How can you access your information? above for details.
The right to rectification
Service users have the right to request that inaccurate personal information be corrected, or completed if it is incomplete. All requests to amend the information contained in your health record will be considered, and you will be informed of the decision. However, due to the nature of healthcare records we have the right to refuse amendments to your record. You will be informed of the reasons behind this decision.
If there has been a misdiagnosis in the record then the record will be updated with the correct diagnosis. Where an opinion is included this can be difficult to dispute, the record should acknowledge that this is an opinion. In some cases a statement may be added to your record to rectify the information.
Services users have the right to request a restriction in processing whilst accuracy checks are ongoing.
The right to erasure
Also known as ‘the right to be forgotten’, this right only applies in certain circumstances and is generally not applicable for healthcare records. This is because health and care service providers need an accurate record in order to provide further treatment.
This right does apply in cases where the Trust is using your consent to process your data for non-direct healthcare purposes including research and planning.
The right to restrict processing
Service users have the right to request we restrict the processing of their data where they have contested the accuracy of their data or feel that their data has been unlawfully processed.
This restriction will only be temporary whilst a decision about rectification or lawful processing is being made.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data from certain organisations for their own purposes across different services. Initiatives such as this allow individuals to view, access and use their personal consumption and transaction data to help understand spending habits and find a better deal.
This right only applies where consent has been used for the processing of your information or where there is automated decision making processes in place. Therefore this does not apply with healthcare records held by the Trust.
The right to object
Individuals have the right to object to the processing of their data in a number of different circumstances, in particular profiling, direct marketing and processing for purposes of scientific/historical research and statistics.
Organisations must stop processing the personal data unless they can demonstrate compelling legitimate grounds for the processing. With regards to healthcare LSCFT has to process service users data in order to provide treatment. This means that service users cannot exercise their right to object to LSCFT processing their data for healthcare purposes.
Rights in relation to automated decision making and profiling
The GDPR has rules in place to protect individuals where organisations are carrying out automated decision making. This is where a decision is made solely by automated means with no human involvement. This also includes profiling. Profiling evaluates certain things about an individual.
The Trust does not use processes which include solely automated decision making or profiling.
Service users have the right to lodge a complaint with the Trust’s Data Protection Officer or Hearing Feedback team if they feel that their information is not being processed, stored or shared in accordance with the General Data Protection Regulations (GDPR).
They can be contacted via the Trust headquarters or the following email addresses:
If you are not satisfied with the Trust response you can lodge a complaint with the Information Commissioners Office (ICO). Contact details can be found at ico.org.uk