This Privacy notice describes how the Trust uses and manages the personal information it collects and holds about you, including how this information may be shared with other organisations, how its confidentiality is maintained and your rights.
Why do we collect and use your information – what is it for?
We may ask for or hold personal confidential information about you which will be used to support the delivery of treatment, management and the provision of high quality care.
We will only process your personal information where we have your consent or where we have a legal basis under data protection and health legislation
When you are referred to our services and attend any of our hospitals, clinics, surgeries or are seen at home, information about the care you receive is recorded in your health record. This information is required to make sure that we provide the best possible care and treatment. The information recorded may be used for any of the following purposes;
- Healthcare and medical purposes is used to directly contribute to your treatment, diagnosis or care, which includes supporting administrative processes and audit/assurance of the quality of healthcare services provided. Doctors, nurses or healthcare professionals involved in your care need accurate information about you to assess your health and deliver the care you need or refer you to another health professional, another part of the NHS or another public body (e.g. social services)
- Non-healthcare and medical purposes is used for research, audit, service management, commissioning, contract monitoring, reporting facilities and future planning of our services. When your personal information is used and where appropriate it is limited and de-identified so that the process is confidential. For example assess and review the type and quality of care you have received to ensure it is of the highest standard and arranging payment for the person who has treated you. It may also be used to teach and train healthcare professionals
- Safeguarding is where information is provided to ensure that adults and children at risk of harm are protected and managed appropriately. Access to identifiable information will be shared in limited circumstances where it’s legally required for the safety of the individuals concerned
- Incidents to ensure effective governance and to learn from incidents. The Trust will share and work with commissioning organisations to ensure quality health services are provided
- Complaints and legal claims for effective governance to ensure that your concerns can be properly investigated if you are unhappy with the care you have received
- Looking after the health of the general public using computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition
- Conducting health research and development, and monitoring NHS Performance Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions. Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioners Anonymisation Code of Practice will be used.
NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.
What personal information do we collect about you?
In order to carry out our activities and obligations as a NHS Trust we handle data such as:
- Basic details, such as name, address, date of birth, next of kin.
- Personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions
- Contacts we have had, such as appointments and home visits
- Details and records of treatment and care, including notes and reports about your health
- Results of x-rays, blood tests and other results from examinations or tests
- Information from people who care for you and know you well, such as health professionals and relatives
Information is collected in a number of ways, via your healthcare professional, referral details from your GP or directly given by you and may be recorded in writing, digitally, or a mixture of both. It is important that you notify us of any changes to your personal details (e.g. address, contact number, next of kin).
How we keep your information confidential and safe?
Our aim is not to be intrusive, and we won’t ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and retained securely to make sure it can only be seen, accessed and/or disclosed to those who need to know.
We have policies and procedures that explain the approach within our Trust and our commitments and responsibilities to your privacy.
Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.
If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.
The Trust will endeavour to keep your information accurate, up-to-date and not kept for longer than necessary. The NHS Retention Schedule sets out the minimum appropriate length of time each type of NHS record is retained. This can be viewed on the NHS Digital website http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf. All records are destroyed confidentially in a secure way.
Protecting Children and Young people’s personal data
Children and young people’s data is afforded the same rights and protection as the data collected from adults. Children and young people are considered a ‘vulnerable’ group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure.
When using or sharing children’s or young person’s data, we will always ensure that there is a legal reason for doing so or where relevant ask for their explicit consent.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
Why we share your information and who we share it with?
There are times when it is appropriate and necessary for us to share information about you and your healthcare with organisations and individuals to fulfil our role as an NHS organisation.
- Other NHS organisations to assess and deliver the care you need such as General Practices, Acute Hospitals, Community Service and Mental Health Care Providers, Nursing Homes
- Local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England) to commission and manage healthcare. For this the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient’s identity to be included
- Non NHS organisations to help us work together for your benefit or to carry out their statutory duties. These may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers and private sector providers.
The Trust will not disclose confidential personal information to third parties unless we have your explicit consent or the health or safety of others is at risk or the law requires the Trust to disclose. Examples are the registration of a birth or death, reporting of an infectious disease, prevention, detection, investigation or prosecution of a serious crime, a court order or an insurance medical.
We will only give information to your relatives, friends and carers if you want us to and have given your permission.
What are your rights regarding your information
You have rights under data protection legislation but not all rights are absolute and will only apply in certain circumstances. Your rights are
- Right to be informed you have the right to be informed about the collection and use of your information including the reasons for processing the data, how long the information will be held for and who it will be shared with.
- Right of access you have the right to see or be given a copy of your personal information held by the Trust. To gain access to your information you will need to make a Subject Access Request. We will aim to respond within one month from receipt of your request. If you require general information about the Trust please see our Freedom of Information guidance.
- Right to rectification. We have a duty to ensure your information is accurate and up to date and to make certain we have the correct contact and treatment details about you. If you believe any information is not accurate, you can request for us to correct the record.
- Right to erasure is known as ‘the right to be forgotten’; this right only applies in certain circumstances and is generally not applicable for healthcare records. This is because health and care service providers need an accurate record in order to provide further treatment.
- Right to restrict processing you have a right to request we restrict the processing of data where you have contested the accuracy of your data or feel that your data has been unlawfully processed. This restriction will only be temporary whilst a decision about rectification or lawful processing is being made.
- Right to data portability allows you to obtain and reuse your personal data from certain organisations for your own purposes across different services. This right only applies where you have given consent to the processing of your information or where there are automated decision making processes in place. As this is not an absolute right this does not apply with healthcare records held by this Trust.
- Right to object you have the right to object to the processing of your data in a number of different circumstances, in particular profiling, direct marketing and processing for purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling is where a decision is made solely by automated means with no human involvement. This also included profiling. Profiling evaluates certain things about an individual.
The Trust does not use processes which include solely automated decision making or profiling.
To exercise your rights to make a Subject Access Request, you can download a copy of the Access to Health Records form here, or write to:
Access to Health Records Office
Peter Green Way
Furness Business Park
To exercise any other rights please contact the Data Protection Officer – contact details are listed below.
Withdraw consent to sharing your personal information
At any time, you have the right to refuse/withdraw consent to having your information shared.
Where consent is withdrawn fully the possible consequences (i.e. lack of joined up care, delay in treatment if information has to be sources from elsewhere, medication complications; all leading to the possibility of difficulties in providing the best level of care) will be fully explained to you to allow you to make an informed decision. To exercise this right refer to the Access to Health Records section.
Alternatively, the national data opt-out allows you to opt-out of your personal information being used for purpose beyond your individual care and treatment. To find out more about the wider use of personal information and to register your choice to opt out if you do not want your data to be used in this way visit: https://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/sharing-your-records.aspx
If you do choose to opt out you can still consent to your data being used for specific purposes.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
If after having read this Privacy Notice you have any concerns about how your information is to be used, wish to learn more about how the Trust manages and maintains confidentiality of patient information, would like to request the notice in another accessible format or you do not want your information to be shared by the Trust then please speak to the health professionals concerned with your care, or contact
Data Protection Officer
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
(The Caldicott Guardian is the person who makes the final decision on how, what, when and why personal identifiable information will be used in the organisation and how it will be received / sent by the organisation).
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner at
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45
University Hospitals of Morecambe Bay NHS Foundation Trust is a ‘Data Controller’ under the Data Protection Legislation. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z2866193 and our registered entry can be found on the Information Commissioner’s website. www.ico.gov.uk
We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by Law. Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.
This is Version 0.4 of the University Hospitals of Morecambe Bay NHS Foundation Trust Fair Processing Notice and was published on 21st May 2018.