This Privacy notice describes how the Trust uses and manages the personal information it collects and holds about you, including how this information may be shared with other organisations, how its confidentiality is maintained and your rights.
University Hospitals of Morecambe Bay NHS Foundation Trust is a ‘Data Controller’ under the Data Protection Legislation. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z2866193 and our registered entry can be found on the Information Commissioner’s website. www.ico.gov.uk
Why do we collect and use your information – what is it for?
Whenever you are referred or use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in your health record. Collecting this information helps to ensure you get the best possible care and treatment.
- Healthcare and medical purposes is used to directly contribute to your treatment, diagnosis or care, which includes supporting administrative processes and audit/assurance of the quality of healthcare services provided. Doctors, nurses or healthcare professionals involved in your care need accurate information about you to assess your health and deliver the care you need or refer you to another health professional, another part of the NHS or another public body (e.g. social services).
- Non-healthcare and medical purposes is used for research, audit, service management, commissioning, contract monitoring, reporting facilities and future planning of our services. When your personal information is used and where appropriate it is limited and de-identified so that the process is confidential. For example to assess and review the type and quality of care you have received to ensure it is of the highest standard and arranging payment for the person who has treated you. It may also be used to teach and train healthcare professionals.
- Safeguarding is where information is provided to ensure that adults and children at risk of harm are protected and managed appropriately. Access to identifiable information will be shared in limited circumstances where it’s legally required for the safety of the individuals concerned.
- Incidents to ensure effective governance and to learn from incidents. The Trust will share and work with commissioning organisations to ensure quality health services are provided.
- Complaints and legal claims for effective governance to ensure that your concerns can be properly investigated if you are unhappy with the care you have received.
- Looking after the health of the general public using computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
- Conducting health research and development, and monitoring NHS Performance Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions. Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioners Anonymisation Code of Practice will be used.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Under the General Data Protection Regulation (GDPR) we rely on the
- Lawful bases for processing
- Article 6 (1) (e)…exercise of official authority…
- Special category data processing
- Article 9 (2) (b) …social protection law…
- Article 9 (2) (h) … health or social care …
- Article 9 (2) (j) … research purposes…
Under the Data Protection Act 2018 we rely on
- Schedule 1, Part 1 (2) (2) Health and Social Care Purposes
- Schedule 1, Part 2 (18) Safeguarding of children and individuals at risk
- Schedule 1, Part 1 (4) Research etc
NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.
What personal information do we collect about you?
In order to carry out our activities and obligations as a NHS Trust we handle data such as:
- Basic details, such as name, address, date of birth, next of kin, phone number, mobile phone number
- Personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions
- Your next of kin and contact details
- Contacts we have had, such as outpatient appointments, hospital stays and home visits
- Details and records of treatment and care, including notes and reports about your health and treatment, care and support you need and receive
- Results of x-rays, blood tests and other results from examinations or tests
- Information on medicines
- Information from people who care for you and know you well, such as health professionals and relatives
- Patient experience feedback and treatment outcome information you provide
Information is collected in a number of ways, via your healthcare professional, referral details from your GP or directly given by you and may be recorded in writing, digitally, or a mixture of both. It is important that you notify us of any changes to your personal details (e.g. address, contact number, next of kin).
By providing the Trust with contact details, you are agreeing to the Trust using appropriate channels to communicate about your healthcare i.e. by letter (postal address), by voice mail or message (telephone or mobile number), by text message (mobile number) or by email (email address)
Why do we collect information about ethnicity?
Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.
You don’t have to give us information about your ethnic origin if you do not want to
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This will be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times. It will also be used to support Friends and Family test that is used as a feedback tool to support people being given the opportunity to feedback on their experience see the NHS England website for more information.
Use of Surveillance Cameras
We employ surveillance cameras (Closed Circuit TV and Body Work Video) on and around the hospitals, for the purposes of public and staff safety and crime prevention and detection and monitoring building security.
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems. See section “What are your rights regarding your information”
In accordance with Data Protection Legislation images codes of practice issued by the Information Commissioner, images captured by surveillance cameras will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated.
How we keep your information confidential and safe?
Our aim is not to be intrusive, and we won’t ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and retained securely to make sure it can only be seen, accessed and/or disclosed to those who need to know.
We have policies and procedures that explain the approach within our Trust and our commitments and responsibilities to your privacy.
Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.
If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.
The Trust will endeavor to keep your information accurate, up-to-date and not kept for longer than necessary. The NHS Retention Schedule sets out the minimum appropriate length of time each type of NHS record is retained. This can be viewed on the NHS Digital website. All records are destroyed confidentially in a secure way.
Protecting Children and Young people’s personal data
Children and young people’s data is afforded the same rights and protection as the data collected from adults. Children and young people are considered a ‘vulnerable’ group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure.
When using or sharing children’s or young person’s data, we will always ensure that there is a legal reason for doing so or where relevant ask for their explicit consent.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
Why we share your information and who we share it with?
There are times when it is appropriate and necessary for us to share information about you and your healthcare with organisations and individuals to fulfil our role as an NHS organisation. Wherever possible we try to use data that does not identify you, by removing all patient-identifying details, unless the law requires the patient’s identity to be included.
- Other NHS organisations to assess and deliver the care you need such as General Practices, Acute Hospitals, Community Service and Mental Health Care Providers, Nursing Homes
- Local Clinical Commissioning Group (CCG) anonymised data is provided to supporting local monitoring of commissioned services, allocating payments and help improve data quality
- NHS Digital to support effective monitoring of service standards, local monitoring of service provision, inform patient care and treatment choices. The data provided will be anonymised no information that could reveal your identity is used in national reports. More information on how NHS Digital use anonymised data can be found on their website. You do have a choice as to whether your personal information is used for this purpose – see section Control of Personal Information
- Non NHS organisations to help us work together for your benefit or to carry out their statutory duties. These may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers and private sector providers.
The Trust will not disclose, share, sell or distribute your confidential personal information to third parties unless we have your explicit consent or the health or safety of others is at risk or the law requires the Trust to disclose. Examples are the registration of a birth or death, reporting of an infectious disease, prevention, detection, investigation or prosecution of a serious crime, a court order or an insurance medical.
Data collected will not be sent to countries where the Laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.
We will only give information to your relatives, friends and carers if you want us to and have given your permission.
What are your rights regarding your information
You have rights under data protection legislation but not all rights are absolute and will only apply in certain circumstances.
Correcting inaccurate information
We have a duty to ensure your information is accurate and up to date and to make certain we have the correct contact and treatment details about you. If you believe any information is not accurate, you can request for us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.
You have the right to see or be given a copy of your personal information held by the Trust. You are not required to pay any charge for exercising your rights. To gain access to your information you will need to make a Subject Access Request. We will aim to respond within one month from receipt of your request. If you require general information about the Trust please see our Freedom of Information guidance.
To request a copy of your health record you can download a copy of the Access to Health Records form here, or write to:
Access to Health Records Office
Peter Green Way
Furness Business Park
Or contact the Data Protection Officer
Data Protection Officer
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
Your request for information may be delayed due to urgent operational responses to dealing with Public Health priorities. We apologise for any inconvenience this may cause, we do remain committed to responding to your request and will respond as soon as we are able. Should our response to your request breach the statutory timeframe and you remain unhappy with our response you have the right to complain to the Information Commissioners Office and you can contact them on their Website: www.ico.org.uk or by phone: 08456 30 60 60 or 01625 54 57 45
Control of Personal Information
You have a choice whether your personal information is shared for purposes beyond your individual care and treatment i.e. improving quality and standards of care, research into new treatments, preventing illness and disease and planning services. If you choose not to share, your personal information will still be used to support individual care but not for research or planning. You do not need to do anything if you happy to share for all aspects. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters to support you making the choice, to access the system to view, set or change your settings or other contact details.
You can change your mind about your choice at any time.
In circumstances where you have explicitly agreed (consented) to sharing of your personal data for a specified purpose, you can refuse or withdraw your consent. Should this affect your care you will be informed of the consequences i.e. lack of joined up care, delay in treatment if information has to be sources from elsewhere, medication complications; all leading to the possibility of difficulties in providing the best level of care. You will need to contact AccessToHealthRecords@mbht.nhs.uk to this request.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
The Trust does not use processes which include solely automated decision making or profiling.
Data Protection Impact Assessments
As part of the Trust’s data protection transparency agenda and as required by the Data Security & Protection Toolkit. Details of Data Protection Impact Assessments or DPIAs that have been through the Trust approval process are published. Access this list of approved DPIAs here.
If after having read this Privacy Notice you have any concerns about how your information is to be used, wish to learn more about how the Trust manages and maintains confidentiality of patient information, would like to request the notice in another accessible format or you do not want your information to be shared by the Trust then please speak to the health professionals concerned with your care, or contact
Data Protection Officer – Email: DataProtectionOfficer@mbht.nhs.uk
We do however need to remind you that we may not be able to provide you with a service or be able to undertake the appropriate care needed unless we have enough information, or your permission to use that information.
Caldicott Guardian – The Caldicott Guardian is the person who makes the final decision on how, what, when and why personal identifiable information will be used in the organisation and how it will be received / sent by the organisation
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner at
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45
Last Updated March 2019
Version 2.0 of the University Hospitals of Morecambe Bay NHS Foundation Trust Fair Processing Notice