Privacy Notice for Patients and Public
This privacy notice explains in detail the type of personal data that we, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL), process about you, what we do with the information that we collect and hold about you, and why we might need to share it with other organisations involved in the delivery of your care.
- Informing you how we Use and Collect Your Data
Covid 19 Patient Privacy Notice (separate notice)
The Trust is a Data Controller. A Data Controller determines how the data will be processed and used within its organisation and with which other organisations it may be shared.
We are legally responsible for ensuring that all personal data that we hold and use is held and used in a way that meets Data Protection legislation, particularly the data protection principles under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We need to make sure that where we process your personal data, we can do so legally. Article 6 of the UK GDPR lists 6 lawful bases for processing personal data, at least one of which must apply. This notice explains the legal bases available where we process personal data, and in addition explains how we handle that data and keep it safe and secure.
The Trust is committed to looking after your personal data and it is the responsibility of all staff throughout the organisation to make sure of this. Our staff are required to sign up to and abide by the Trust’s Code of Confidentiality Policy.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
Caldicott Guardian
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional, appointed to ensure that the data, about those who use its service, is handled in a confidential manner by the Trust and enables appropriate data / information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Mr Alex Benson.
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director at the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is Malcolm Gandy.
Data Protection Officer (DPO)
Under the UK GDPR all large public authority organisations like ourselves are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will look into the matter on your behalf and will also act as the main contact for communication with the Information Commissioner’s Office.
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
Our DPO can be contacted via the following means:
Address: Jubilee Court, Academy Site, Waterside, St Helens, WA9 1TT
Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law.
- Who we are and what we do?
We serve a population of over 600,000 with a combined workforce of around 9,000 dedicated and skilled staff.
Our staff deliver care from a range of locations including hospitals, community locations and in patient’s own homes.
We strongly believe that the communities we serve should all have access to Five Star Patient Care.
- Definitions
The following are keywords that are used to describe what data the Trust may use and other key Data Protection terminology that you will see throughout this privacy notice.
Processing
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
A Data Controller determines the purposes and means of processing personal data. The Trust is a Data Controller: we decide what to do with your data.
Data Processor
A Data Processor acts on instruction from a Data Controller and processes data on behalf of the controller. There may be instances where the Trust uses a Data Processor to process your personal data. If we do, the Data Processors we use must provide us with assurance that they will keep your data safe and demonstrate how. Just like Data Controllers, they must also adhere to Data Protection legislation when processing any kind of personal data.
Personal Data
This contains details that identify individuals, either from one data item or from a combination of data items. Demographic data items considered identifiable include name, address, NHS Number, full postcode and date of birth. Under UK GDPR, this now also includes location data and online identifiers.
Special Category Data
This is personal data that requires more protection due to the sensitive information it contains. The UK GDPR defines this data as personal data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also covers genetic or biometric data (where used for identification purposes), data concerning a person’s sexual life and sexual orientation, and data relating to health. It does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
Personal Confidential Data
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data, but it is adapted to include dead as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
This is also sometimes known as reversible anonymisation. Patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference. To be truly regarded as pseudonymised data the organisation must not hold the key to be able to reverse the anonymisation.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available. The UK GDPR does not apply to truly anonymised data.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Primary Care Data
Primary care is many people's first point of contact with the NHS; around 90 per cent of patient interaction is with primary care services. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.
Secondary Care Data
Secondary Care means treatment and care by a specialised medical service, for example specialist doctors and nurses, within a health facility or hospital like us, on referral by a primary care clinician such as your GP. Secondary Care Data relates to information which has been sourced from these types of services.
Secondary Uses Service (SUS) Data
The Secondary Uses Service (SUS) is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. SUS data is useful to commissioners and providers of NHS-funded care for 'secondary' purposes – this is use of data other than for direct or 'primary' clinical care.
For further information about SUS, please visit:
https://digital.nhs.uk/services/secondary-uses-service-sus
Community Care / Social Care Data
Community care data includes data from social care services covering both adults and children.
- Why we collect personal data about you?
As a public authority providing healthcare the Trust has a legal justification to collect and use information about our service users for direct healthcare purposes.
It is important that our staff know as much about your physical health as possible so that we can give you appropriate care and attention. Our aim is not to be intrusive, and we won't ask irrelevant or unnecessary questions. We ask you for information so that we can keep your details accurate, relevant and up to date, and to give you the best treatment available.
This personal data can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
If your details change you should let a member of your healthcare team know as soon as possible. The Trust encourages you to be the 'guardian' of your own safety by providing this information.
- What will we collect?
Depending on what you are being treated for, the personal data we collect from you will differ. Here are some examples:
- Basic details such as name, address, date of birth, next of kin and contact details including phone number and email address, where applicable. Text and email will only be used with your consent.
- Details of your family, relatives and carers
- Details about you such as racial or ethnic origin, gender, occupation, lifestyle and social circumstances, religion or similar belief
- Education
- Current health problems and any contacts that we have had with you, old and new
- Visual images, personal appearance and behaviour
- Notes and reports about your health, treatment and care and results of investigations and tests
- Offences and alleged offences, criminal proceedings, outcomes and sentences
- Sexual life
- Any relevant information from other health and social care professionals, who are, or have been, involved in your care including General practices (GPs), Acute hospitals, Ambulance services, Clinical Commissioning Groups, Dental, Community, Pharmaceutical and Mental Health Services, Walk-in Centres, Nursing Homes, and many others including family and carers.
- Information may be collected from other non-NHS organisations with whom you may also be receiving care such as social care organisations and partner services e.g. Alzheimer's Society, Mind and Local Authorities.
Information about you may also be needed for the following reasons:
- To ensure that our services meet your needs
- To assist staff to review the care that they provide and to ensure that it is of the highest standard
- To investigate complaints or legal claims
- To ensure that the Trust receives funding from its commissioners to pay for your care
- To prepare statistics on NHS performance in order to manage, improve and extend the services we are able to provide to you
- To prevent or detect fraud and corruption in the use of public funds
- In some cases, phone calls may be recorded for training and information purposes
- When information is used for statistical or financial purposes, strict measures are taken to ensure that you cannot be identified from your information. You have the right to withhold information unless the law requires us to obtain it
- What is our legal basis for processing your personal data?
Under the UK GDPR we cannot process / use your personal data without a legal basis. We must identify the appropriate legal basis depending on how we are using your data.
The UK GDPR details 6 legal bases (Article 6) for processing personal data:
A - Consent
B - Contract
C - Legal obligation
D - Vital interests
E - Public task
F - Legitimate interests
Where special category data is processed we must also apply a legal condition from Article 9. Special category data in the Trust’s case is health data:
A - Explicit consent
B - Employment, social security and social protection (if authorised by law)
C - Vital interests
D - Not-for-profit bodies
E - Made public by the data subject
F - Legal claims or judicial acts
G - Reasons of substantial public interest (with a basis in law)
H - Health or social care (with a basis in law)
I - Public health (with a basis in law)
J - Archiving, research and statistics (with a basis in law)
For the majority of our processing we require your personal data for direct patient care. This means we apply the following legal bases (i.e. consent is not required):
Article 6 (e) and Article 9 (h)
We do not need a legal basis where we have anonymised your personal data.
More information on legal bases can be found on the ICO’s website.
- Who we share your personal data with?
We sometimes need to share the personal data we process about you as a service user with other organisations. We will only do so if we have a legal basis to do so. What follows is a description of the types of organisations we may need to share some of the personal data we process with, for one or more reasons. In the following situations we will not need to ask your permission (gain consent) and can use another legal basis to share the data that is required:
- staff;
- healthcare, social and welfare organisations;
- suppliers, service providers, legal representatives;
- auditors and audit bodies;
- educators and examining bodies;
- survey and research organisations;
- professional advisers and consultants;
- business associates;
- police forces;
- security organisations;
- central and local government;
- voluntary and charitable organisations.
Further examples:
- To protect children and vulnerable adults
- When a formal court order has been served upon us; and / or
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals (see section on Section 251 of the NHS Act 2006).
You may be receiving care and support from other organisations as well as the Trust, such as Social Services or your GP. On these occasions we may need to share some information about you so that your care can be delivered to the highest and safest standard. We only use or pass on information about you if the organisation involved has a legitimate need for it, it is authorised for specific purposes, and we have identified a legal basis to share this information.
Any organisation that receives your personal data from the Trust is also bound by a legal duty of confidentiality under the UK GDPR. An information sharing agreement is often in place with those organisations to ensure that it is kept confidential and secure but what is key is making sure we establish the right legal basis before we share your data.
Occasionally there are exceptional circumstances that mean we may have to share your information, such as when you or someone else is at significant risk of harm, or where the law requires such information to be disclosed, e.g. for the prevention or detection of a crime.
There will be certain situations in which we share information that does not identify you (anonymised data) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. In this case, as the data is anonymised, we do not need a legal basis to share it.
- When we share your personal data with relatives, partners, carers and friends
Relatives, partners, carers and friends will be kept up to date about the progress of your treatment only if you have agreed to this and a record has been made of this agreement. If you change your mind this agreement can be withdrawn, and your new decision will be recorded.
If an individual lacks capacity to consent to the collection or sharing of their information or making a request for access to their health record, then a decision may be made either by a health/social care professional or someone else appointed to act on their behalf.
Information may also be shared when a legal order is in place e.g. Power of Attorney, Guardianship or Court Orders.
- How we protect Children and Young people's personal data?
Children and young people's personal data is afforded the same rights and protection as the personal data collected from adults. Children and young people are considered a ‘vulnerable’ group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure and in accordance with Data Protection legislation.
When using or sharing children's or young person's data, we will always ensure that there is a legal reason for doing so or if relevant ask for their explicit consent.
In the UK and under UK GDPR, the age of consent when it comes to processing personal data is the age of 13. However, a child under the age of 13 may be able to consent on their own behalf if a clinician has assessed and documented that the person is capable of making decisions for themselves.
Children and young people over the age of 13 can provide consent themselves provided that they are capable. We will make sure that the child or young person understands what they are consenting to, we are required to do this by Data Protection law.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
In the event that the Trust provides online information services to children and young people consent for the use of an online service will be obtained from people 13 years old and over. Parental consent will be obtained for the use of online information services for children who are under the age of 13.
- Other areas where we may process your personal data
Closed Circuit Television (CCTV) and Body Cameras
We use CCTV systems and body cameras at Trust sites for prevention of criminal activity and to reduce fear of crime for Trust staff and our service users. The use of these systems is covered by the Trust Closed Circuit Television Policy which adheres to the relevant legislation and codes of practice, including Data Protection legislation.
The Trust ensures that the use of CCTV and body cameras is publicised by appropriate signage as they may be required for any area of the Trust that deems it necessary and this includes clinical areas and on wards.
Gender Recognition Act
Information about a person's previous gender is subject to the current Gender Recognition Act. Personal data about a person's previous gender will only be shared with the service user's explicit consent. More information on this can be found in the Interim Gender Protocol on the NHS England website.
Artificial Intelligence (AI)
As part of your care when you are a patient at the Trust, either attending an appointment or as part of an inpatient stay, you may have an image taken (x-ray) or a procedure (CT scan, MRI, ultrasound etc.) as part of your treatment and care. We use a form of technology called AI (Artificial Intelligence) to help us review your image/s as quickly as possible and to make sure that images of those patients who are the sickest are reviewed first by a clinician. Your images continue to be viewed by a clinician, as they are now, but the use of AI helps us make sure the order in which they are reviewed identifies the sickest patients first.
- How long do we keep your personal data for (Records Retention and Destruction)?
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. In the NHS, all providers and commissioners apply retention schedules in accordance with the Records Management Code of Practice (refer to Link section below). This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
For healthcare purposes, and particularly mental health and children and young people's health records, these records need to be kept for long periods of time and remain available to access. Consequently, it is unlikely that a record or information contained in the record will be erased or deleted if such a request is made.
Following the retention period, the record will be fully reviewed and confidentially destroyed if it is deemed appropriate.
Destruction of data will only happen following a “review” of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- To ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder or subcontracted to a reputable confidential waste company (as identified in the table below) that complies with European Standard EN15713.
- To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current national cyber security standards.
- To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with the NHS Standard Contract and with assurance that the sub-contractor's organisational and technical security measures comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- How we keep your personal data confidential and secure?
We are committed to protecting your privacy and will only process personal data in accordance with the UK GDPR, the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. We do this by using secure technologies and following safe practices.
All information is subject to rigorous measures and procedures to make sure it cannot be seen, accessed or disclosed to any inappropriate persons. We have an Information Governance Framework detailed within our Information Governance Strategy that explains the information governance / data security within the Trust.
Access to electronic data is password protected on secure network and / or online systems and, where it is practically possible, paper documentation is filed securely in lockable storage cabinets. Where documentation is required to be transported between sites measures are in place to ensure their safe delivery.
Our IT Services provider, Mid Mersey Digital Alliance, regularly monitors our systems for potential vulnerabilities and attacks and looks to continually strengthen security.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the common law duty of confidentiality and other NHS guidance.
All of our staff, including contractors, receive appropriate and ongoing information governance / data security training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We have incident reporting and management processes in place for reporting any personal data breaches or incidents. We learn from such events to help prevent further issues and inform data subjects like yourselves of breaches when required.
In line with Data Protection legislation the Trust has assigned roles that are required to ensure the Trust embeds and embraces the Information Governance Framework; please refer to the Introduction section for more information.
- Secondary use of Data
Secondary use of data in the NHS is when patient data is not used for direct care but for other secondary purposes such as commissioning, risk stratification, financial and national clinical audit, healthcare management and planning, research and public health surveillance.
Disclosure of anonymised, pseudonymised or aggregated data (see section ‘Definitions’ for more information) will often satisfy a number of secondary uses and must be used in preference to patient / personal data. Consent for disclosure of effectively de-identified data is not required, as it is not personal data. De-identification / pseudonymisation processes must occur before data leaves the source organisation. If a request is for identifiable data and the source organisation feels that de-identified data would suffice, clarification should be obtained as to why identifiable data is required, other than, exceptionally, where mandated by law such as under a Section 251 approval under the NHS Act 2006 (see section below) or where patient consent is obtained. Where consent is being relied upon, you have the right to dissent from the disclosure of your personal data for secondary purposes unless the law compels disclosure.
Section 251 of the NHS Act 2006
Section 251 of the NHS Act 2006 provides a mechanism which can enable the use of confidential information for certain purposes where it is unreasonable for consent to be obtained or that would otherwise be unlawful (e.g. information from NHS Digital on commissioning, Risk Stratification and Invoice Validation) through an application made to the Confidentiality Advisory Group (CAG).
The CAG assesses applications against the Health Service (Control of Patient Information) Regulations 2002 and provides independent expert advice to the Health Research Authority (HRA) and the Secretary of State for Health on whether an application to process patient information without consent should be approved.
The use of data for which an application is made must be for a medical purpose as defined in section 251 (12) of the NHS Act 2006. This includes medical research and management of health and social care services.
Further information can be found on the Health Research Authority website – see the Links section below.
Research and Planning - Why we do research
Research in the NHS helps to improve public health and patient care, it's how we improve treatments and pathways in the NHS and make a real difference to people's lives.
The Research and Development department here at Mersey West Lancashire Teaching Hospitals NHS Trust is recognised as a leading centre for research, with more than 100 projects recruiting here each year.
Our research links closely with secondary care, mental health and community healthcare to ensure patients and their wellbeing are at the heart of everything we do. It covers all types of studies, ranging from early stage development of new treatments to large scale population-wide studies. It means patients have access to some of the most cutting-edge treatments.
The use of your personal data for research
Some research will require your direct involvement (especially if taking part in clinical trials), in which case the circumstances will be fully explained to you and your express consent will be required. If you do not consent, then you will not be included in the research and/or trial.
Sometimes, researchers need access to individual medical files. Before this can happen, the researchers must present their case before an ethics committee to check that their research is appropriate and worthwhile.
On rare occasions it is impractical to contact individuals for their consent, in which case the researchers must make their case before an ethics committee to show that there is enough benefit to the public at large to justify this.
The National Data Opt Out (objections to processing for secondary purposes)
The NHS Constitution states that "You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered".
In line with this there are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. The National Data Opt-Out Policy is a service that allows individuals to opt out of their confidential patient information being used for research and planning. It was introduced on 25 May 2018, providing a facility for individuals to opt-out from the use of their data for research or planning purposes.
The Trust is one of many organisations working in the health and care system to improve care for service users and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using Mental Health or Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit https://digital.nhs.uk/national-data-opt-out. If you do choose to opt out, you can still consent to your data being used for specific purposes.
- How to access your personal data? (St Helens, Whiston and Newton)
You are entitled to request to view, or ask for a copy of, the personal data / information the Trust holds about you. This is known as a Right of Access request, but can also be referred to as a Subject Access Request (SAR).
Children can also make a request, please refer to the section on ‘How we protect Children’s and Young people’s data' for more information on eligibility.
You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone). Your information will be reviewed first by a relevant member of staff, to ensure that what we send you will not cause upset or distress to your wellbeing. We will also check that the information we send you doesn't contain information you are not entitled to see.
You can make a request by writing to us (via email if more convenient) or by calling us. We may ask you to provide identification and further information to help us process your request.
There is no charge (subject to exemptions) to have a copy of the information held about you unless the request is complicated or involves a large volume of information copies, but we will advise you of this.
We must respond to you within one calendar month (subject to exemptions).
Requests are handled in line with our Right of Access / Subject Access Requests Procedure.
Subject Access Requests can be made as follows
If you want to see your personal data, you need to contact the NHS organisation(s) where you are being, or have been, treated, or have had any contact with, by email, letter or phone call.
If you would like a copy of your personal data from Mersey and West Lancashire Teaching Hospital NHS Trust please contact:
Legal Services
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DR
Telephone: 0151 430 1732
- How to access your personal data? (Southport and Ormskirk)
You have the right to access the information we hold about you, such as your medical information.
Requests must be made in writing to the Access to Medical Records department.
The Trust will provide your information to you within one month from receipt of your application. This can be extended dependent on the complexity of the request.
Please note that some or all of the information requested may be withheld in reliance on exemptions contained within the UK GDPR and Data Protection Act 2018.
You must complete a request form to see your records using the form above. A copy of a form of photo identification is required for all access requests (e.g. passport, driving licence, NUS card).
For all requests, a copy of a utility bill or bank statement no more than three months old will also be required to confirm address. You must provide your identity documents with the request form. (These will be destroyed once the request is closed.)
The application form and identification should then be sent to: Access to Health Records, Mersey and West Lancashire Teaching Hospitals NHS Trust, Town Lane, Kew, Southport, PR8 6PN or soh-tr.access-to-health@merseywestlancs.nhs.uk.
If you require assistance, please call 01704 704616 or email soh-tr.access-to-health@merseywestlancs.nhs.uk.
Access to records of a deceased person
Records of the deceased are governed by the Access to Health Records Act and are usually kept for eight years after the patient’s death.
The only person with an absolute right of access is the personal representative, who is the executor or administrator of the deceased person’s estate.
Other individuals with a claim may request information and will be required to define on what grounds the request is being made.
- Where is your data processed?
Your data is processed within the Trust and by third-party suppliers. Where your data is processed and stored by our suppliers, for example the Trust’s electronic patient record system (Careflow EPR), they must provide the Trust with the relevant assurances that your data will be kept safe and secure. This is monitored by the Trust’s Information Governance team.
Processing outside of the UK
The majority of the processing of your personal data is carried out in the UK. Where your data is processed outside the UK, all suppliers and data processors are required to provide the Trust with extra assurances that your data will be kept safe and in line with Data Protection legislation, specifically the UK GDPR. This may mean that they are asked to provide extra evidence.
- What are your rights over your personal data?
You have a number of rights over your personal data under the Data Protection Act 2018 and UK General Data Protection Regulation 2016 (UK GDPR). We will respond to any of the requests within a calendar month (subject to exemptions):
You have the right to be informed about the collection and use of your information, including the reasons for processing the personal data, how long the information will be held for and who it will be shared with. This notice, in support of other privacy notices published by the Trust, ensures that your right to be informed is achieved.
You are entitled to request to view, or ask for a copy of, the information the Trust holds about you. This is known as a Right of Access request but can also be referred to as a Subject Access Request (SAR). For more information please refer to ‘How to access your personal data?’ above.
Rectification refers to correcting inaccurate or incomplete data which is held by the Trust. This applies to factual information only, such as identifiers and next of kin. The Trust is unable to remove or alter professional opinions which you may disagree with. You do, however, have the right to include your own statements alongside professional opinions.
All requests to amend the information contained in your health record will be considered, and you will be informed of the decision. However, due to the nature of healthcare records we have the right to refuse amendments to your record. You will be informed of the reasons behind this decision.
If there has been a misdiagnosis in the record, then the record will be updated with the correct diagnosis. Where an opinion is included this can be difficult to dispute, the record should acknowledge that this is an opinion. In some cases, a statement may be added to your record to rectify the information.
You have the right to request a restriction in processing, whilst accuracy checks are ongoing.
The right to erasure (‘forgotten’)
Also known as ‘the right to be forgotten', this right only applies in certain circumstances and is generally not applicable for healthcare records. This is because health and care service providers need an accurate record in order to provide further treatment.
This right will apply if the processing has been undertaken on the basis of consent which is withdrawn, the processing of data is determined not to be lawful or the information is no longer required. You will be informed of activities to which this right applies.
Only where we process your data on the basis of your explicit consent do you have the right to withdraw that consent at any time and to request that this data be deleted / erased. Please note this will not apply where healthcare data is processed, as we do not rely on the legal basis of consent but rather on ‘public task’.
The right to restrict processing
This right enables individuals to suspend the processing of personal information, for example, you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim.
The right to data portability allows individuals to obtain and reuse their personal data from certain organisations for their own purposes across different services. Initiatives such as this allow individuals to view, access and use their personal consumption and transaction data to help understand spending habits and find a better deal.
This right applies only where we process your data on the basis of your explicit consent, or where automated decision-making processes are in place, and where the Trust is able to do so. In those cases you have the right to have your personal data provided to you in a format you have requested, such as an Excel spreadsheet or .CSV file. It therefore does not apply to healthcare records held by the Trust.
There is no general right to object to processing; however, you can object if there are grounds relating to your own particular situation, or if information is likely to be used for:
- Marketing
- Scientific or historical research
- Statistical purposes
- Purposes in the public interest or under an official authority (e.g. NHS Act 2006)
You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, then processing can continue. If we did not process any information about you and your health care, it would be very difficult for us to care for and treat you.
Rights in relation to automated decision making and profiling
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome, where a decision is made solely by automated means with no human involvement – credit ratings are an example of automated decision making. This also includes profiling. Profiling evaluates certain things about an individual.
The Trust does not use processes which include solely automated decision making or profiling, so this right will not apply to our data processing activities.
To access any of your rights please contact:
Legal Services
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DR
Telephone: 0151 430 1732
- Complaints / Contacting the Regulator
If you feel that your personal data we hold at the Trust has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of personal data, please contact our Data Protection Officer (DPO) at the following contact details.
Camilla Bhondoo - IG@midmerseyda.nhs.uk
Or the PALS team - pals@sthk.nhs.uk
If you are not happy with our responses and believe we are not processing your personal data in accordance with the law, you may wish to take your complaint to a supervisory authority; you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1133 or online at www.ico.org.uk/concerns
- Data Protection Registration
Any organisation that processes Personal Data whether they are a Data Controller or Data Processor is required to pay a data protection fee to the Information Commissioner’s Office (ICO) annually. The ICO publish a register of all registered organisations. This can be found here: https://ico.org.uk/ESDWebPages/Search
Mersey and West Lancashire Teaching Hospitals NHS Trust is a registered ‘Data Controller’ with the ICO.
ICO Registration Number: ZB567937
- Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is an online assessment that must be completed every year by organisations who process Personal Data.
It is based on the National Data Guardian 10 Data Security Standards and also incorporates key requirements of the Data Protection legislation.
It measures whether an organisation is Data Protection compliant. Organisations are asked to provide evidence to show how they meet each standard.
The final assessment and evidence are normally submitted by 30 June each year and are shared with the Care Quality Commission, Audit Commission and NHS England.
Mersey and West Lancashire Teaching Hospitals NHS Trust Information Governance Assessment Report (the DSPT) overall submission position for 2023-24 is 'standards met'.
To provide assurance that the Trust’s DSPT is of a good standard it has been audited by Mersey Internal Audit Agency. The level of assurance is ‘substantial assurance’.
- Further Information / Contact Us
We hope that this privacy notice has been helpful in setting out the way we handle your personal data at the Trust and your rights to control it. If you have any queries / or would like further information, please visit the useful websites below and / or contact us at the following contact details:
Information Governance Team
Mersey and West Lancashire Teaching Hospitals NHS Trust
Jubilee Court
Academy Site
Waterside
St Helens
WA9 1TT
Or via IG@midmerseyda.nhs.uk
- Staff Privacy Notice
Background
As an employer, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) (hereafter referred to as the Trust) must meet its contractual, statutory and administrative obligations. This ‘Privacy Notice’ explains in detail the type of personal data that the Trust processes about you.
The Trust is a Data Controller. A Data Controller determines how the data will be processed and used within their organisation and with others they can share the data with.
The Trust is registered as a ‘Data Controller’ with the Information Commissioner’s Office (ICO) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. Our ICO registration number is ZB567937. We are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the data protection principles under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This notice also explains how we handle personal data and keep it safe and secure.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
Caldicott Guardian
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional appointed to ensure that the data about those who use its service is handled in a confidential manner by the Trust, and enables appropriate data / information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Mr Alex Benson - caldicott.guardian@merseywestlancs.nhs.uk
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director in the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is Malcolm Gandy - siro@merseywestlancs.nhs.uk
Data Protection Officer (DPO)
Under the UK General Data Protection Regulations (UK GDPR) all large public authority organisations such as MWL are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will act as a contact point for you and will also act as the main contact for communication with the Information Commissioner’s Office. The DPO for the Trust is:
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
The DPO can be contacted via the following means:
Address: Jubilee Court, Academy Site, Waterside, St Helens, WA9 1TT
Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law. When such changes occur, we will revise the last updated date as documented in the version status in the footer of this document.
Introduction
The Trust as your employer collects personal data about you using the following legal basis:
- Article 6 1(b) – Processing is necessary for the performance of staff contracts
- Article 6 1(c) – Processing is necessary for compliance with a legal obligation
- Article 6 1(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust
Further specific details are provided in the ‘Data Processing Activities’ section below.
In general, the types of processing we undertake using personal data are:
- Recruitment and employment checks (for example, professional membership, references, proof of identification, right to work in the UK and Occupational Health Clearances, etc)
- Staff Administration (bank account and salary / wages, as well as pension, tax and national insurance details)
- Education, training and development
- Publishing of senior level staff names in ‘Annual Reports’ and / or in response to Freedom of Information requests – the Trust has a legitimate interest to publish this information
- Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
- Medical information relevant to your employment, including physical health, mental health, evidence of relevant vaccinations where a legal duty applies and absence history
- Information relating to your health and safety at work, and any incidents or accidents
- In order to comply with health and safety legislation we may undertake risk assessments
- Professional registration and qualifications, education and training history
- Information relating to employee relations (e.g. disciplinary proceedings, grievances and complaints, tribunal claims, etc)
- Criminal prosecution and prevention
- National fraud initiatives
- Conflict of Interest Forms
- Quality monitoring such as staff surveys
- Access to systems (network / email) and IT services
- In order to complete mandatory / legally required registers e.g. the Conflict-of-Interest Register
If we need consent to process your data under Article 6 (1) (a) of the UK GDPR we will contact you about this. It will be explained to you in a clear way using plain language the reasons for this. For more detail please see the “Purposes where consent is required” section.
Please regularly check this privacy notice as it is constantly updated to ensure we inform you of all types of processing of your personal data.
Data Sources
Your information could be collected in a number of different ways. This could be directly from you - in person, over the telephone or on a form you have completed, such as a job application, contractual documentation, timesheet or spreadsheet.
Data also comes from external sources such as NHS Jobs, your professional body, current or previous employers or referees, the Disclosure and Barring Service, or government bodies like HM Revenue and Customs, the Department for Work and Pensions, or the UK Visas and Immigration. Further details about our processing activities are detailed below.
Definition Of Data Types
The following are key words that are used to describe what data the Trust may use and other key Data Protection terminology that you will notice throughout this privacy notice.
Processing
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
A Data Controller determines the purposes and means of processing personal data. The Trust is a Data Controller; we decide what to do with your data.
Data Processor
A Data Processor acts on the instruction of a Data Controller and processes data on behalf of the controller. There may be instances where the Trust uses a Data Processor to process your personal data. If we do, the Data Processors we use must provide us with assurance that they will keep your data safe and demonstrate how. Just like Data Controllers, they must also adhere to Data Protection legislation when processing any kind of personal data.
Personal Data
This is data that identifies an individual, whether from one data item or a combination of data items. Demographic data items that are considered identifiable include name, address, NHS Number, full postcode and date of birth. Under UK GDPR, this now also includes location data and online identifiers.
Special Category Data
This is personal data that requires more protection due to the sensitive information it contains. The UK GDPR defines this data as personal data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also covers genetic or biometric data (where used for identification purposes), data concerning a person’s sexual life and sexual orientation, and data relating to health. It does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
Personal Confidential Data
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
This is also sometimes known as reversible anonymisation. Patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference. To be truly regarded as pseudonymised data the organisation must not hold the key to be able to reverse the anonymisation.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Our Data Processing Activities
The law on data protection under the UK GDPR sets out a number of different reasons for which personal data can be processed. The law states that we have to inform you what the legal basis is for processing personal data and also, if we process special category data such as your occupational health data, what the condition is for processing it. The Trust also uses the services of data processors to process staff data as detailed below. The organisations we work with are bound by contractual agreements which set out that your information is processed under strict conditions and in accordance with the law.
Recruitment and employment checks
Data Processor
Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) / NHS Jobs / Trac Systems Limited.
Type of data
Personal Data – Demographics / Bank Details
Special Category Data – Race, ethnic origin, health, sexual life, criminal convictions (covered under the Data Protection Act 2018)
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(b) - Processing is necessary for the performance of staff contracts.
Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.
Recruitment and employment checks are carried out by the Trust. Personal data collected by the Trust during the recruitment process is downloaded from a recruitment management system called ‘Trac Systems Ltd’ and retained for successful applicants only. The TRAC System is an automated recruitment system which enables greater communication with recruiting managers. Managers that are recruiting staff into post will be able to log on and view the status of their vacancy, and the progress of the pre-employment checks including ID Checks, Right to Work, Convictions, Professional Registration, Occupational Health and References.
Whilst TRAC is a separate advertising stream to NHS Jobs, jobs will still be posted on NHS Jobs (as a signpost only) and candidates that wish to apply for a vacancy will be redirected to the Trac portal. Privacy notices provided by Trac are displayed to all people who apply directly into the Trac Recruitment System.
Information downloaded from the system by the Trust is emailed to the Human Resources Team for the area to which you have been appointed and forms the basis of your employee personal file. The NHS Jobs website, supplied by Trac Systems Ltd, has updated its privacy notice.
Workforce Management
Data Processor
ESR (Electronic Staff Record) System
Type of data
Personal Data – Demographics
Special Category Data
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(f) - processing is necessary for the purposes of legitimate interests pursued by the Trust.
Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee.
The NHS ESR system provides the Trust with a range of tools that facilitate effective workforce management and planning; thereby enabling improved quality, improved efficiency and improved patient safety.
For more detail about the NHS ESR system see: https://www.electronicstaffrecord.nhs.uk/home/
Payroll / Pension
Data Processor
Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL)
Type of data
Personal Data – Demographics / Bank Details
Special category data – to set up voluntary deductions to a trade union (where applicable).
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(b) - Processing is necessary for the performance of staff contracts.
Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.
E-Learning
Data Processor
Health Education England (e-learning for Health)
Type of data
Personal Data – Demographics
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust.
The training system used by the Trust is the national e-learning system for healthcare https://www.e-lfh.org.uk/
IT Administration (network / email / system account administration)
Data Processor
Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) – IT Department
Type of data
Personal Data – Demographics
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller.
The IT Department processes your demographic details in order to set you up on the network and systems. This is also required to set you up with a Trust account and, for users who require one, an email account.
As administrators of the network, the IT Department may have access to files and folders where personal data and / or special category data are stored, and may need such access to resolve any IT issues regarding those files / folders. All staff sign ‘Confidentiality’ agreements and receive adequate IG training to inform them how to keep this information safe and secure.
MIAA – Local Counter Fraud Services
Data Processor
MIAA - Local Counter Fraud Services
Type of data
Personal Data – Demographics
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(c) – For compliance with a legal obligation
MIAA work in partnership with the Trust to establish an organisation-wide culture of fraud prevention and fraud risk management. They assess the Trust’s specific fraud risks and will investigate any alleged instances thoroughly. Where there are any suspicions of fraud, your personal data may be shared.
To view their ‘Privacy Policy’ see: https://www.miaa.nhs.uk/privacy-policy-miaa/
Purposes where consent is required
There are also other areas of processing where consent is required for us, or you, to continue with a data processing activity. Under UK GDPR, consent must be freely given and specific, you must be informed, and a record must be made that you have given your consent in order to confirm you have understood.
Employee Assistance Programme / Health and Wellbeing Support
Data Processor
Vita Health Group, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) – Absence Support Team
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(a) - Individual has given consent to the processing of personal data.
Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems.
Vita Health Group specialise in the provision of the Employee Assistance Programme (EAP) and are a data processor for the Trust. To view their ‘Privacy Policy’ see:
https://www.vitahealthgroup.co.uk/data-protection-policy/
Occupational Health
Data Processor
Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) and Physio Med (for physiotherapy assistance)
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(a) - Individual has given consent to the processing of personal data.
Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems.
Physio Med specialise in the provision of the Physiotherapy services and are a data processor for the Trust. To view their ‘Privacy Policy’ see:
https://www.physiomed.co.uk/pages/our-privacy-policy
UK GDPR Article 15 - Right of Access Requests
Type of data
Personal Data – Demographics
Special Category Data – Health Data
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(a) – Consent (for personal data)
Article 9(2)(a) - Explicit Consent (for special category data)
If you have requested to view, or be provided with a copy of, the personal data we hold about you, your request for access will provide this consent. It will not be necessary to ask for identity checks if you are a current member of staff.
Childcare Vouchers
Data Processor
Childcarechoices.gov.uk
Type of data
Personal Data – Demographics
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(a) – Consent
Childcare vouchers are a service offered to you to support childcare costs. You need to access the website directly and provide your details online to the supplier. Please note that by doing so you accept the risk of using this website and submitting your details online.
The NHS National Staff Survey
Data Processor
Quality Health
Type of data
Personal Data – Demographics
Source of Data
Staff
Legal basis for processing Personal Data under UK GDPR
Article 6 (1)(a) – Consent
Each year NHS staff are invited to take part in the NHS National Staff Survey, which is the largest survey of staff opinion in the UK. This survey service is provided by ‘Quality Health’, who are an accredited supplier of survey services to the health sector.
Using anonymous or aggregate information
We use pseudonymised, anonymised and aggregated data in the following ways:
- To undertake anonymous staff surveys / questionnaires using Survey Monkey
- To produce staff statistics for example, number of staff in each department for Human Resource purposes
- To respond to Freedom of Information requests using anonymised information if requested to provide information about staff.
- To provide an Employee Assistance Programme run by Insight. They run an independent counselling and advice service, which is paid for by the Trust. It is available for you and any family members who are over 16, who live at your address. You do not need to disclose your personal information to use this service. You only need to provide the access code and the Trust name.
Where information is used for statistical purposes as above, secure measures are taken to ensure individuals cannot be identified where the law does not allow this. Anonymous / aggregate staff information may be passed to the council as part of integrated working.
How we protect your personal data
Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards. We have an Information Governance Strategy and Framework that explains the data security governance within the Trust.
Technical assurance is provided regarding IT / Cyber processes in place, as the Trust is required to complete the Data Security and Protection Toolkit (DSPT), an online assessment that must be completed every year by organisations that process Personal Data. It looks at what data protection, IT security and cyber security measures are in place. The Trust’s IT Department regularly monitors the network for potential vulnerabilities and attacks and works to ensure that security is continually strengthened.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS and Trust’s Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has nominated staff with specific data protection responsibilities who are here to ensure your personal data is safeguarded at all times: the SIRO, the Caldicott Guardian and the DPO.
Staff are reminded that actions within systems / emails and internet usage can be monitored, recorded and audited.
Everyone working for the Trust has a legal, ethical and contractual duty, enforceable through disciplinary procedures, to keep information confidential. As part of mandatory Information Governance training, all staff, including contractors and committee members, receive appropriate data security training and awareness to ensure they are aware of their personal responsibilities. We have incident reporting and management processes in place for reporting any IG (data) breaches or incidents. We learn from such events to help prevent further issues and inform data subjects of breaches when required.
Retention and Destruction of personal data
Retention
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose for which it was collected. In the NHS, all commissioners and providers apply retention schedules in accordance with NHS England’s Records Management Code of Practice 2021. This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
For example, upon receipt of your recruitment information, information about your employment will be collated within your employee personal file for the duration of your employment, and for six years thereafter, or until your 75th birthday, whichever is sooner. Upon destruction of your file, a summary record is retained until your 75th birthday, unless your file is destroyed on your 75th birthday, when no further record will be retained. This is documented in NHS England’s Records Management Code of Practice 2021.
Destruction
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we:
- Ensure that information held in manual form (regardless of whether original or printed from IT systems) is destroyed using a confidential waste disposal process. The Trust uses VINCI Facilities Management to dispose of confidential waste. The Trust's Contract & Facilities Management team manages and monitors the services provided by VINCI Facilities Management and ensures that the supplier complies with UK GDPR / DPA 2018 by documenting this in a contract and / or obtaining assurance.
- Ensure that electronic storage media used to hold or process information are destroyed or overwritten to national cyber security standards. The Trust’s IG Department manages this and is required to provide evidence as part of the Data Security and Protection Toolkit.
Who do we share your data with?
To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others. We will not disclose any staff information without an appropriate lawful basis, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out statutory functions, e.g. reporting to external bodies to meet legal obligations.
Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud. Where mandatory disclosure is necessary, only the minimum amount of information is released. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules.
We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
Where is your data processed?
Your data is processed within the Trust and by the other third parties stated above, who are UK based. The services these companies provide are under specific contractual terms, which are compliant with UK data protection legislation. Your personal data is not sent outside of the UK for processing.
What are your rights over your personal data?
You have the following rights over your data we hold.
Right of access to personal data
Under the terms of the UK General Data Protection Regulation you have the right to request access to the information that we hold about you. This is known as a “Right of Access” request. We kindly request that this is provided in writing / email (please note this is not compulsory) in order to provide adequate information to process your request. There is no charge (subject to exemptions) to have a copy of the information held about you and we must respond to you within one month (subject to exemptions).
If you would like a copy of your personal data from Mersey and West Lancashire Teaching Hospital NHS Trust please contact:
Access and Disclosure Team
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DR
Telephone: 0151 430 1732
Email: Access.Disclosure@sthk.nhs.uk
Requests are handled in line with our ‘Subject Access Procedure’ and you can use the Access Request form to make your request if this is helpful. To request a copy of this form please contact the Legal Services, Access and Disclosure team at the email address above. If your request is posted please ensure it is marked private and confidential and addressed to the Legal Services, Access and Disclosure team. The team will liaise with the relevant department to ensure you receive your personal data.
Right to Rectification
If you think that there are inaccuracies in your record, you have the right to request that these be corrected or annotated. We have 1 month from receipt to deal with these requests.
Right to Erasure (‘to be forgotten’)
Only where we rely on your explicit consent for the processing we do, you have the right to request that the data you have consented to us processing be deleted / erased.
Right to Data Portability
Only where we rely on your explicit consent for the processing we do, you have the right to have the data provided to you in a format you have requested, such as an Excel spreadsheet or CSV file.
Right not to be subject to a decision based solely on automated processing
The Trust does not process data using this method, so this right will not apply to our data processing activities.
Right to withdraw consent
You have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the Trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.
Right to object to processing
You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, processing can continue.
Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.
If you wish to pursue any of the above rights, please contact the Access and Disclosure Team.
Complaints / Contacting the Regulator
If you feel that your personal data we hold at the Trust has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of personal data, please contact our Data Protection Officer (DPO) at the following contact details.
Camilla Bhondoo
IG@midmerseyda.nhs.uk
Or the PALS team - pals@sthk.nhs.uk
If you are not happy with our responses and believe we are not processing your personal data in accordance with the law you may wish to take your complaint to a supervisory authority, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1133
Or go online at www.ico.org.uk/concerns
Or write to them at:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Further Information / Contact Us
We hope that this privacy notice has been helpful in setting out the way we handle your personal data at the Trust and your rights to control it. If you have any queries / or would like further information, please visit the useful websites below and / or contact us at the following contact details.
Information Governance Team
Mersey and West Lancashire Teaching Hospitals NHS Trust
Jubilee Court
Academy Site
Waterside
St Helens
WA9 1TT
Or via IG@midmerseyda.nhs.uk
Links
If you would like to find out more useful information on the wider health and social care system approach to using personal information, please see the links below:
- Information Commissioners Office (ICO)
- NHS Constitution
- NHS Digital
- NHS England Records Management Code of Practice 2021
- NHS Digital Guide to Confidentiality in Health and Social Care
Fair Processing Notice for National Fraud Initiative 2024/25
Purpose
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform.
Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the UK GDPR.
All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update their records accordingly.
Legal Basis of Processing
The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The National Fraud Initiative is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA).
Under the LAAA Legislation:
- The Cabinet Office may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud.
- The Cabinet Office may require certain bodies (as set out in the Act) to provide data for data matching exercises.
- Bodies may participate in its data matching exercises on a voluntary basis where the Cabinet Office considers it appropriate. Where they do so, the Act states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the Cabinet Office.
- The requirements of the data protection legislation, however, continue to apply, so data cannot be voluntarily provided if to do so would be a breach of data protection legislation. In addition, sharing of patient data on a voluntary basis is prohibited.
- The Cabinet Office may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data and to auditors that it appoints, as well as in pursuance of a duty under an enactment.
- The Cabinet Office may disclose both data provided for data matching and the results of data matching to the Auditor General for Wales, the Comptroller and Auditor General for Northern Ireland, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
- Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence. A person found guilty of the offence is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
- The Cabinet Office may charge a fee to a body participating in a data matching exercise and must set a scale of fees for bodies required to participate.
- The Cabinet Office must prepare and publish a Code of Practice. All bodies conducting or participating in its data matching exercises, including the Cabinet Office itself, must have regard to the Code.
- The Cabinet Office may report publicly on its data matching activities.
Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The legal basis for processing your special category personal data is:
Article 9(g) UK GDPR: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.
The Cabinet Office’s legal basis for processing your criminal convictions data is paragraphs 6 and 10 of schedule 1 to the Data Protection Act 2018.
Recipients
Your personal data will be shared by us as necessary for the purposes of preventing and detecting fraud with:
- The Auditor General for Wales
- The Comptroller and Auditor General for Northern Ireland
- The Auditor General for Scotland
- The Accounts Commission for Scotland
- Audit Scotland
And with mandatory participants who include:
- district and county councils
- London and metropolitan boroughs
- unitary authorities
- police authorities
- fire and rescue authorities
- pension authorities
- NHS Trusts, strategic health authorities and Foundation Trusts
- Integrated Care Boards
- passenger transport authorities
- passenger transport executives
- waste authorities
- Greater London Authority and its functional bodies
In addition, the following bodies provide data to the Cabinet Office for matching on a voluntary basis:
- Private sector pension schemes (various)
- Home Office
- Metropolitan Police – Operation Amberhill
- Special health authorities
- Housing associations
- Probation authorities
- National park authorities
- Central government pensions schemes
- Insurance Fraud Bureau
- Central government departments
- Other private organisations/companies/credit reference agencies
We will share records containing personal data with HMRC. These will be matched against HMRC records and additional HMRC information appended and fed back to the NFI. The HMRC matching will seek to identify persons at the address provided and relevant income related information. Data matching services are then provided to the NFI by the Department for Work and Pensions, and by our IT Supplier using only UK Data Centres.
The data that is matched and the reasons for matching it
For information summarising the various match types for each particular type of participating organisation and the purpose of the matching please refer to the document NFI match types per participating body. We also provide the following services:
ReCheck
ReCheck is a flexible data matching service which complements the national exercise. This service allows NFI participant bodies to re-perform existing data matching, at a time that suits them, by uploading their organisation’s datasets for internal matching.
AppCheck
NFI participants can use this service at the point of application to check against NFI data to help verify people’s identity or if they have left out relevant information that might affect their entitlement to a benefit, service or employment.
FraudHub
Allows NFI participant bodies, who want to work together, to regularly and effectively screen their collective data in order to prevent errors in processing payments and to reduce fraud.
Code of Data Matching Practice
Data matching by the Cabinet Office is subject to a code of practice.
Further Information
View more information about the Cabinet Office data matching exercises. You can also read national reports on the NFI published by the Cabinet Office.
Your Rights
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data
- request that any inaccuracies in your personal data are rectified without delay
- request that any incomplete personal data are completed, including by means of a supplementary statement
- request that your personal data are erased if there is no longer a justification for them to be processed.
- in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller: You have the right to object to the processing of your personal data. This right does not apply where your data is disclosed to us under a legal obligation under Paragraph 2 of Schedule 9 of the Local Audit and Accountability Act 2014.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Contact Details
The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:
Head of the NFI
1 Horse Guards Road
London
SW1A 2HQ
Email: nfiqueries@cabinetoffice.gov.uk
The contact details for the data controller’s Data Protection Officer (DPO) are:
Stephen Jones
DPO
Cabinet Office
70 Whitehall
London
SW1A 2AS
Email: dpo@cabinetoffice.gov.uk
Links
- Cookies Information
Details of the cookies used on the Trust website can be found here:
This page was last updated October 2024 and will be reviewed in November 2024.