Privacy Notice for Patients and Public
This privacy notice explains in detail the type of personal data that we, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL), process about you. What we do with the information that we collect and hold about you and why we might need to share it with other organisations involved in the delivery of your care.
Informing you how we Use and Collect Your Data
Covid 19 Patient Privacy Notice - please click here
The Trust is a Data Controller. A Data Controller determines how the data will be processed and used within their organisation and with others they can share the data with.
We are legally responsible for ensuring that all personal data that we hold, and use, is done so in a way that meets Data Protection legislation, particularly the data protection principles under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. We need to make sure that where we process your personal data, we can do so legally. Article 6 of the UK GDPR lists 6 lawful bases for processing personal data, at least one must apply. This notice will explain the legal bases available, where we process personal data and in addition explains how we handle that data and keep it safe and secure.
The Trust is committed to looking after your personal data and it is the responsibility of all staff throughout the organisation to make sure of this. Our staff are required to sign up to and abide by the Trust’s Code of Confidentiality Policy.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
Caldicott Guardian
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional, appointed to ensure that the data, about those who use its service, is handled in a confidential manner by the Trust and enables appropriate data / information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Mr Alex Benson.
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director at the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is Christine Walters.
Data Protection Officer (DPO)
Under the UK GDPR all large public authority organisations like ourselves are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will look into the matter on your behalf and will also act as the main contact for communication with the Information Commissioner’s Office.
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
Our DPO can be contacted via the following means:
Address: Jubilee Court, Academy Site, Waterside, St Helens, WA9 1TT
Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law.
This page was last updated July 2022 and will be reviewed in July 2023.
- Who we are and what we do?
The Trust provides acute and community healthcare services at St Helens and Whiston Hospitals, both of which are modern, high quality facilities. Community Intermediate Care services are delivered from Newton Community Hospital in Newton-le-Willows. During 2019/20, the Trust became the provider of the Urgent Treatment Centre, operating from the Millennium Centre, which is in the centre of St Helens.
Alongside these community and secondary care services, the Trust also provides primary care services from the Marshalls Cross Medical Centre, which is situated inside St Helens Hospital. In addition, all St Helens Community Services were transferred to the Trust in April 2020.
The Trust has an excellent track record of providing high standards of care to a population of approximately 360,000 people, principally from St Helens, Knowsley, Halton, and Liverpool, but also from other neighbouring areas such as Warrington, Ormskirk and Wigan. In addition, the Mersey Regional Burns and Plastic Surgery Unit provides treatment for patients across Merseyside, Cheshire, North Wales, the Isle of Man and other parts of the North West, serving a population of over 4 million.
- Working with Southport and Ormskirk
From Monday 20th September, 2021, the Trust entered into a partnership for long-term collaboration with Southport and Ormskirk Hospital NHS Trust, with our Trust taking on responsibility for the strategic and operational management of Southport and Ormskirk Hospital. This will enable us to support the continuity of patient care, improvement in quality of care, patient safety and financial sustainability across the health service.
In order to facilitate a collaborative approach data pertinent to both parties will be shared, this will include personal, special category, confidential and business sensitive information. Both parties deem the sharing of the personal data as essential to allow our Trust to provide the support to Southport and Ormskirk to their services and functions.
The purpose of the data sharing will be for statutory functions, or to exercise of general powers on behalf of the secretary of state. Processing of information to support the following:
- To provide healthcare services to the local community;
- In respect of the oversight and regulation of NHS trusts;
- Planning for operational management of integrated teams;
- Processing to support recruitment, entering into and managing staff contracts;
- Processing by teams including members from any of the parties in support of one of the parties’ functions.
For the purposes of the processing both parties will be regarded as Joint Data Controllers. Each of the parties is a separate legal entity. The parties will be individually subject to the obligations placed on them by Data Protection Law and accountable for the activities that they undertake in relation to the Processing of personal data, for example data security incidents, subject access rights and other individual rights.
The Data Subjects will be all service users, that is; patients and employees.
Data identified to be shared will be in line with GDPR principles and where personal data is not required anonymised or pseudonymised data will be processed particularly where the processing does not fall under the key areas of processing identified below.
The areas where information will be shared will fall be for:
- Where Processing is necessary for the performance of the parties’ respective statutory functions, or exercise of general powers the parties – Legal Basis identified: Article 6(1)(e) and Article 9(2)(h) or (i) condition of the UK GDPR
- Where Processing is necessary for commissioning and healthcare planning purposes – Legal Basis identified: Article 6(1)(c) or Article 6(1)(e) and Article 9(2)(h) condition of the UK GDPR
- Where Processing relates to recruitment or the management of staff contracts – Legal Basis identified: Article 6(1)(b) and Article 9(2)(b)
- Where Processing is necessary for administrative purposes which do not relate to the performance of their public tasks or other purposes - Legal Basis identified: Article 6(1) (f) of the UK GDPR
- Definitions
The following are keywords that are used to describe what data the Trust may use and other key Data Protection terminology that you will see throughout this privacy notice.
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A Data Controller determines the purposes and means of processing personal data. The Trust are a Data Controller, we decide what to do with your data.
A Data Processor acts on instruction by a Data Controller and processes data on behalf of the controller. There may be instances that the Trust use a Data Processor to process your personal data. If we do the Data Processors we use must provide us with assurance that they will keep your data safe and demonstrate how. Just like Data Controllers they must also adhered to Data Protection legislation when processing any kind of personal data.
This contains details that identify individuals even from one data item or a combination of data items. The following are demographic data items that are considered identifiable such as name, address, NHS Number, full postcode, date of birth. Under UK GDPR, this now includes location data and online identifiers.
This is personal data that requires more protection due to the sensitive information it contains. The UK GDPR defines this data as personal data revealing: race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, it also relates to gene or biometric data (where used for identification purposes) and data concerning a person’s sexual life and sexual orientation and data relating to health. It does not include personal data about criminal allegations, proceedings or convictions as separate rules apply.
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
This is also sometimes known as reversible anonymisation. Patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference. To be truly regarded as pseudonymised data the organisation must not hold the key to be able to reverse the anonymisation.
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available. The UK GDPR does not apply to truly anonymised data.
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
As many people's first point of contact with the NHS, around 90 per cent of patient interaction is with primary care services. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.
Secondary Care means treatment and care of a specialised medical service by clinicians, for example, specialist doctors and nurses, within a health facility or hospital, like us, on referral by a primary care clinician such as your GP. Secondary Care data relates to information which has been sourced from these types of services.
Secondary Uses Service (SUS) Data
The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. SUS data is useful to commissioners and providers of NHS-funded care for 'secondary' purposes – this is use of data other than for direct or 'primary' clinical care.
For further information about SUS, please visit:
https://digital.nhs.uk/services/secondary-uses-service-susCommunity Care / Social Care Data
Community care data includes data from social care services covering both adults and children.
- Why we collect personal data about you?
As a public authority providing healthcare the Trust has a legal justification to collect and use information about our service users for direct healthcare purposes.
It is important that our staff know as much about your physical health as possible so that we can give you appropriate care and attention. Our aim is not to be intrusive, and we won't ask irrelevant or unnecessary questions. We ask you for information so that we can keep your details accurate, relevant and up to date, and to give you the best treatment available.
This personal data can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
If your details change you should let a member of your healthcare team know as soon as possible. The Trust encourages you to be the 'guardian' of your own safety by providing this information.
- What will we collect?
Depending on what you are being treated for the personal data we collect from you will differ, here are some examples:
- Basic details such as name, address, date of birth, next of kin and contact details including phone number and email address, where applicable. Text and email will only be used with your consent.
- Details of your family, relatives and carers
- Details about you such as racial or ethnic origin, gender, occupation, lifestyle and social circumstances, religion or similar belief
- Education
- Current health problems and any contacts that we have had with you, old and new
- Visual images, personal appearance and behaviour
- Notes and reports about your health, treatment and care and results of investigations and tests
- Offences and alleged offences, criminal proceedings, outcomes and sentences
- Sexual life
- Any relevant information from other health and social care professionals, who are, or have been, involved in your care including General practices (GPs), Acute hospitals, Ambulance services, Clinical Commissioning Groups, Dental, Community, Pharmaceutical and Mental Health Services, Walk-in Centres, Nursing Homes, and many others including family and carers.
- Information may be collected from other non-NHS organisations with whom you may also be receiving care such as social care organisations and partner services e.g. Alzheimer's Society, Mind and Local Authorities.
Information about you may also be needed for the following reasons:
- To ensure that our services meet your needs
- To assist staff to review the care that they provide and to ensure that it is of the highest standard
- To investigate complaints or legal claims
- To ensure that the Trust receives funding from its commissioners to pay for your care
- To prepare statistics on NHS performance in order to manage, improve and extend the services we are able to provide to you
- To prevent or detect fraud and corruption in the use of public funds
- In some cases, phone calls may be recorded for training and information purposes
- When information is used for statistical or financial purposes, strict measures are taken to ensure that you cannot be identified from your information. You have the right to withhold information unless the law requires us to obtain it
- What is our legal basis for processing your personal data?
Under the UK GDPR we cannot process / use your personal data without a legal basis. We must identify the appropriate legal basis depending on how we are using your data.
The UK GDPR details 6 legal bases (Article 6) for processing personal data:
A - Consent
B - Contract
C - Legal obligation
D - Vital interests
E - Public task
F - Legitimate interestsWhere special category data is processed we must also applied a legal condition from Article 9, special category data in the Trust’s case is Health data:
A - Explicit consent
B - Employment, social security and social protection (if authorised by law)
C - Vital interests
D - Not-for-profit bodies
E - Made public by the data subject
F - Legal claims or judicial acts
G - Reasons of substantial public interest (with a basis in law)
H - Health or social care (with a basis in law)
I - Public health (with a basis in law)
J - Archiving, research and statistics (with a basis in law)For the majority of our processing we require your personal data for direct patient care, this means we apply the following legal basis (i.e. consent is not required):
Article 6 (e) and Article 9 (h)
We do not need a legal basis where we have anonymised your personal data.
More information on legal bases can be found here on the ICO’s website
- Who we share your personal data with?
We sometimes need to share the personal data we process with yourself as a service user with other organisations. We will only do if we have a legal basis to do so. What follows is a description of the types of organisations we may need to share some of the personal data we process with for one or more reasons. In the following situations we will not need to ask your permission (gain consent) and can use another legal basis to share the data that is required:
- Staff;
- healthcare, social and welfare organisations;
- suppliers, service providers, legal representatives;
- auditors and audit bodies;
- educators and examining bodies;
- survey and research organisations;
- professional advisers and consultants;
- business associates;
- police forces;
- security organisations;
- central and local government;
- voluntary and charitable organisations.
Further examples:
- To protect children and vulnerable adults
- When a formal court order has been served upon us; and / or
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals (see section on Section 251 of the NHS Act 2006).
You may be receiving care and support from other organisations as well as the Trust, such as Social Services or your GP. On these occasions we may need to share some information about you so that your care can be delivered to the highest and safest standard. We only use or pass on information about you if the organisation involved has a legitimate need for it and it is authorised for specific purposes. Additionally, that we have identified a legal basis to share this information.
Any organisation that receives your personal data from the Trust is also bound by a legal duty of confidentiality under the UK GDPR. An information sharing agreement is often in place with those organisations to ensure that it is kept confidential and secure but what is key is making sure we establish the right legal basis before we share your data.
Occasionally there are exceptional circumstances that mean we may have to share your information, such as when you or someone else is at significant risk of harm, or where the law requires such information to be disclosed, e.g. for the prevention or detection of a crime.
There will be certain situations that we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. In this case as the data is anonymised we do not need a legal basis to share this data.
- When we share your personal data with relatives, partners, carers and friends
Relatives, partners, carers and friends will be kept up to date about the progress of your treatment only if you have agreed to this and a record has been made of this agreement. If you change your mind this agreement can be withdrawn, and your new decision will be recorded.
If an individual lacks capacity to consent to the collection or sharing of their information or making a request for access to their health record, then a decision may be made either by a health/social care professional or someone else appointed to act on their behalf.
Information may also be shared when a legal order is in place e.g. Power of Attorney, Guardianship or Court Orders.
- How we protect Children and Young people's personal data?
Children and young people's personal data is afforded the same rights and protection as the personal data collected from Adults. Children and young people are considered a ‘vulnerable' group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure and in accordance with Data Protection legislation.
When using or sharing children's or young person's data, we will always ensure that there is a legal reason for doing so or if relevant ask for their explicit consent.
In the UK and under UK GDPR, the age of consent when it comes to processing personal data is the age of 13. However, a child under the age of 13 may be able to consent on their own behalf if a clinician has assessed and documented that the person is capable of making decisions for themselves.
Children and young people over the age of 13 can provide consent themselves provided that they are capable. We will make sure that the child or young person understands what they are consenting to, we are required to do this by Data Protection law.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
In the event that the Trust provides online information services to children and young people consent for the use of an online service will be obtained from people 13 years old and over. Parental consent will be obtained for the use of online information services for children who are under the age of 13.
- Other areas where we may process your personal data
Closed Circuit Television (CCTV) and Body Cameras
We use CCTV systems and body cameras at Trust sites for prevention of criminal activity and to reduce fear of crime for Trust staff and our service users. The use of these systems is covered by the Trust Closed Circuit Television Policy which adheres to the relevant legislation and codes of practice, including Data Protection legislation.
The Trust ensures that the use of CCTV and body cameras is publicised by appropriate signage as they may be required for any area of the Trust that deems it necessary and this includes clinical areas and on wards.
Information about a person's previous gender is subject to the current Gender Recognition Act. Personal data about a person's previous gender will only be shared with the service user's explicit consent. More information on this can be found in the Interim Gender Protocol on the NHS England website.
As part of your care when you are a patient at the Trust either attending an appointment or as part of an inpatient stay you may have an image taken (x-ray) or procedure (CT scan, MRI, ultrasound etc.) as part of your treatment and care. We use a form of technology called AI (Artificial Intelligence) to help us review your image/s as quickly as possible and to make sure that images of those patients who are the sickest are reviewed first by a Clinician. Your images continue to be viewed by a clinician, as they are now, but the use of AI helps us make sure the order in which they are reviewed helps identify those patients who are the sickest first.
- How long do we keep your personal data for (Records Retention and Destruction)?
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. In the NHS, all providers and commissioners apply retention schedules in accordance with the Records Management Code of Practice (refer to Link section below). This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
For healthcare purposes, and particularly mental health and children and young people's health records, these records need to be kept for long periods of time and remain available to access. Consequently, it is unlikely that a record or information contained in the record will be erased or deleted if such a request is made.
Following the retention period, the record will be fully reviewed and confidentially destroyed if it is deemed appropriate.
Destruction of data will only happen following a “review” of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- To ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder or subcontracted to a reputable confidential waste company (as identified in the table below) that complies with European Standard EN15713.
- To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current national cyber security standards.
- To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with the NHS Standard Contract and with assurance that the sub-contractor's organisational and technical security measures comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- How we keep your personal data confidential and secure?
We are committed to protecting your privacy and will only process personal data in accordance with the UK GDPR, the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. We do this by using secure technologies and following safe practices.
All information is subject to rigorous measures and procedures to make sure it cannot be seen, accessed or disclosed to any inappropriate persons. We have an Information Governance Framework detailed within our Information Governance Strategy that explains the information governance / data security within the Trust.
Access to electronic data is password protected on secure network and / or online systems and, where it is practically possible, paper documentation is filed securely in lockable storage cabinets. Where documentation is required to be transported between sites measures are in place to ensure their safe delivery.
Our IT Services provider, Mid Mersey Digital Alliance, regularly monitor our systems for potential vulnerabilities and attacks and look to always ensure security is strengthened.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the common law duty of confidentiality and other NHS guidance.
All of our staff, including contractors, receive appropriate and ongoing information governance / data security training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We have incident reporting and management processes in place for reporting any personal data breaches or incidents. We learn from such events to help prevent further issues and inform data subjects like yourselves of breaches when required.
In line with Data Protection legislation the Trust has assigned roles are required to ensure the Trust embed and embrace the Information Governance Framework, please refer to the Introduction section for more information.
- Secondary use of Data
Secondary use of data in the NHS is when patient data is not used for direct care but for other secondary purposes such as commissioning, risk stratification, financial and national clinical audit, healthcare management and planning, research and public health surveillance.
Disclosure of anonymised, pseudonymised or aggregated data (see section ‘Definitions’ for more information) will often satisfy a number of secondary uses and must be used in preference to patient / personal data. Consent for disclosure of effectively de-identified data is not required as it is not personal data. De-identification / pseudonymisation processes must occur before data leaves the source organisation. If a request is for identifiable data and the source organisation feels that de-identified data would suffice clarification should be obtained as to why identifiable data is required other than, exceptionally, where mandated by law such as under a Section 251 approval as per the NHS Act 2006 (see section below) or patient consent is obtained. Where consent is being relied upon you have the right to dissent from the disclosure of your personal data for secondary purposes unless the law compels disclosure.
Section 251 of the NHS Act 2006
Section 251 of the NHS Act 2006 provides a mechanism which can enable the use of confidential information for certain purposes where it is unreasonable for consent to be obtained or that would otherwise be unlawful (e.g. information from NHS Digital on commissioning, Risk Stratification and Invoice Validation) through an application made to the Confidentiality Advisory Group (CAG).
The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority (HRA) and the Secretary of State for Health on whether an application to process patient information without consent should be approved.
The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and management of health and social care services.
Further information can be found on the Health Research Authority website – see the Links section below.
Research and Planning - Why we do research
Research in the NHS helps to improve public health and patient care, it's how we improve treatments and pathways in the NHS and make a real difference to people's lives.
The Research and Development department here at St Helens and Knowsley Teaching Hospitals NHS Trust is recognised as a leading centre for research, with more than 100 projects recruiting here each year.
Our research links closely with secondary care, mental health and community healthcare to ensure patients and their wellbeing are at the heart of everything we do. It covers all types of studies ranging from early stage developments of new treatments to large scale population-wide studies. It means patients have access to some of the most cutting-edge treatments
The use of your personal data for research
Some research will require your direct involvement (especially if taking part in clinical trials) in which case the circumstances will be fully explained to you and your express consent will be required. If you do not consent, then you will not be included in the research and/trial.
Sometimes, researchers need access to individual medical files. Before this can happen, the researchers must present their case before an ethics committee to check that their research is appropriate and worthwhile.
On rare occasions it is impractical to contact individuals for their consent, in which case the researchers must make their case before an ethics committee to show that there is enough benefit to the public at large to justify this.
The National Data Opt Out (objections to processing for secondary purposes)
The NHS Constitution states that "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".
In line with this there are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. The National Data Opt-Out Policy is a service that allows individuals to opt out of their confidential patient information being used for research and planning. It was introduced on 25 May 2018, providing a facility for individuals to opt-out from the use of their data for research or planning purposes.
The Trust is one of many organisations working in the health and care system to improve care for service users and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using Mental Health or Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit https://digital.nhs.uk/national-data-opt-out. If you do choose to opt out, you can still consent to your data being used for specific purposes.
- How to access your personal data?
You are entitled to request to view / ask for a copy of the personal data / information the Trust hold about you this is known as a Right of Access request but can also be referred to as a Subject Access Request (SAR).
Children can also make a request, please refer to the section on ‘How we protect Children’s and Young people’s data' for more information on eligibility.
You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone). Your information will be reviewed first by a relevant member of staff, to ensure that what we send you will not cause upset or distress to your wellbeing. We will also check that the information we send you doesn't contain information you are not entitled to see.
You can make a request by writing to us, this can be via email if more convenient or by calling us. We may ask you to provide identification and provide further information to help us process your request.
There is no charge (subject to exemptions) to have a copy of the information held about you unless the request is complicated or involves a large volume of information copies, but we will advise you of this.
We must respond to you within one calendar month (subject to exemptions).
Requests are handled in line with our Right of Access / Subject Access Requests Procedure.
Subject Access Requests can be made as follows
If you want to see your personal data, you need to contact the NHS organisation(s) where you are being, or have been, treated, or have had any contact with by email, letter or a phone call
If you would like a copy of your personal data from St Helens & Knowsley Teaching Hospital NHS Trust please contact:
Legal Services
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DRTelephone: 0151 430 1732
- Where is your data processed?
Your data is processed within the Trust and by other third parties suppliers. Where your data is processed and stored by our suppliers, for example the Trusts electronic patient record system (Careflow EPR), they must provide the Trust with the relevant assurances that your data will be kept safe and securely. This is monitored by the Trust’s Information Governance team.
Processing outside of the UK
The majority of the processing of your personal data is carried out in the UK. Where your data is processed outside the UK all suppliers and data processors as required to provide the Trust with extra assurances that your data will be kept safe and in line with Data Protection legislation, specifically the UK GDPR. This may mean that they are asked to provide extra evidence.
- What are your rights over your personal data?
You have a number of rights over your personal data under the Data Protection Act 2018 and UK General Data Protection Regulation 2016 (UK GDPR). We will respond to any of the requests within a calendar month (subject to exemptions):
You have the right to be informed about the collection and use of their information including the reasons for processing the personal data, how long the information will be held for and who it will be shared with. This notice, in support of other privacy notices published by the Trust, ensures that your right to be informed is achieved.
You are entitled to request to view / ask for a copy of the information the Trust hold about you this is known as a Right of Access request but can also be referred to as a Subject Access Request (SAR). For more information please refer to ‘How can you access your personal data’ above for details.
Rectification refers to correcting inaccuracies or incomplete data which is held by the Trust. This applies to factual information only – such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do however; have the right to include your own statements alongside professional opinions.
All requests to amend the information contained in your health record will be considered, and you will be informed of the decision. However, due to the nature of healthcare records we have the right to refuse amendments to your record. You will be informed of the reasons behind this decision.
If there has been a misdiagnosis in the record, then the record will be updated with the correct diagnosis. Where an opinion is included this can be difficult to dispute, the record should acknowledge that this is an opinion. In some cases, a statement may be added to your record to rectify the information.
You have the right to request a restriction in processing, whilst accuracy checks are ongoing.
The right to erasure (‘forgotten’)
Also known as ‘the right to be forgotten', this right only applies in certain circumstances and is generally not applicable for healthcare records. This is because health and care service providers need an accurate record in order to provide further treatment.
This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or the information is no longer required. You will be informed of activities to which this right applies.
Only if we have your explicit consent for any processing we do, you have the right to withdraw that consent at any time and have the right to request this data to be deleted / erased. Please note this will not apply where healthcare data is processed as we do not apply the legal basis of consent but rather ‘public tasks’.
The right to restrict processing
This right enables individuals to suspend the processing of personal information, for example, you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim.
The right to data portability allows individuals to obtain and reuse their personal data from certain organisations for their own purposes across different services. Initiatives such as this allow individuals to view, access and use their personal consumption and transaction data to help understand spending habits and find a better deal.
Only if we have your explicit consent for any processing we do or where there is automated decision-making processes in place and the Trust is able to, you have the right to have personal data provided to you in a format you have requested such as an excel spreadsheet or .CSV file. Therefore, this does not apply with healthcare records held by the Trust.
There is no general right to object to processing; however, you can object if there are grounds relating to your own particular situation, or if information is likely to be used for:
- Marketing
- Scientific or historical research
- Statistical purposes
- Purposes in the public interest or under an official authority (e.g. NHS Act 2006)
You have the right to object to processing. However, please note if we can demonstrate compelling legitimate grounds which outweighs the interest of you then processing can continue. If we didn’t process any information about you and your health care it would be very difficult for us to care and treat you.
Rights in relation to automated decision making and profiling
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome, where a decision is made solely by automated means with no human involvement – credit ratings are an example of automated decision making. This also includes profiling. Profiling evaluates certain things about an individual.
The Trust does not use processes which include solely automated decision making or profiling, so this right will not apply to our data processing activities.
- Complaints / Contacting the Regulator
If you feel that your personal data we hold at the Trust has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of personal data, please contact our Data Protection Officer (DPO) at the following contact details.
Camilla Bhondoo - IG@midmerseyda.nhs.uk
Or the PALS team - pals@sthk.nhsuk
If you are not happy with our responses and believe we are not processing your personal data in accordance with the law you may wish to take your complaint to a supervisory authority, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1133 or go online www.ico.org.uk/concerns
- Data Protection Registration
Any organisation that processes Personal Data whether they are a Data Controller or Data Processor is required to pay a data protection fee to the Information Commissioner’s Office (ICO) annually. The ICO publish a register of all registered organisations. This can be found here: https://ico.org.uk/ESDWebPages/Search
Mersey and West Lancashire Teaching Hospitals NHS Trust is a registered ‘Data Controller’ with the ICO.
ICO Registration Number: Z5040527
- Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is an online assessment that must be completed every year by organisations who process Personal Data.
It is based on the National Data Guardian 10 Data Security Standards and also incorporates key requirements of the Data Protection legislation.
It measures whether an organisation is Data Protection compliant. Organisations are asked to provide evidence to show how they meet each standard.
The final assessment and evidence is normally submitted by 30 June each year and are shared with the Care Quality Commission, Audit Commission and NHS England.
Mersey and West Lancashire Teaching Hospitals NHS Trust Information Governance Assessment Report (the DSPT) overall submission position for 2021-22 is 'standards met'.
To provide assurance that the Trust’s DSPT is of a good standard it has been audited by Mersey Internal Audit Agency. The level of assurance is ‘substantial assurance’.
- Further Information / Contact Us
We hope that this privacy notice has been helpful in setting out the way we handle your personal data at the Trust and your rights to control it. If you have any queries / or would like further information, please visit the useful websites below and / or contact us at the following contact details:
Information Governance Team
St Helens & Knowsley Teaching Hospitals NHS Trust
Alexandra Business Park
Court Building
Prescot Road
St Helens
WA10 3TPOr via IG@midmerseyda.nhs.uk
- Links
If you would like to find out more useful information on the wider health & care social system approach to using personal information, please see the links below:
- Cookies Information
Details of the cookies used on the Trust website can be found here:
