Privacy Notice: Your information, your rights
The Walton Centre NHS Foundation Trust (the Trust) is the only specialist hospital trust in the UK dedicated to providing comprehensive neurology, neurosurgery, spinal and pain management services.
The Walton Centre hosts the Cheshire and Mersey Adult Critical Care and Major Trauma Specialised Services Clinical Networks and is also Host Provider for the Cheshire and Merseyside Rehabilitation Network.
For legal purposes, we must inform you that the Trust is the Data Controller processing your personal data, and is registered with the Information Commissioner's Office (Registration Number Z6052598).
If you require this privacy notice in any other language or format, please use the accessibility tab at the top of the web page. Please contact the Information Governance team via email, if you require a language or format not identified above: wcft.information.governance@nhs.net.
Our name, address and contact details are:
The Walton Centre NHS Foundation Trust
Lower Lane
Fazakerley
Liverpool
L9 7LJ
Telephone number: 0151 525 3611
Website: www.thewaltoncentre.nhs.uk
When you receive care from our services you will be asked to share information about yourself. This information is used to create records about your health, any treatment and care you receive from the NHS. These records can then be used to ensure that you receive the best possible care now and in the future.
Everyone working within the NHS has a legal duty to keep information about you confidential. This is often called information governance, or data protection.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when your own or the health and safety of others is at risk, or where there is a lawful reason for your information to be disclosed.
The following information explains how we process your data, and your rights under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This is broken down into:
- Why does the Trust need my information?
- How does the Trust collect my information?
- How does the Trust use my information?
- Who else has access to my information?
- How do we protect your information?
- Can I access my own information?
- What are my rights?
- How can I get more information?
The NHS Constitution
- You have the right of access to your own records and to have any factual inaccuracies corrected.
- You have the right to privacy and confidentiality and to expect the health and social care system to keep your confidential information safe and secure.
- You have the right to be informed about how your information is used.
- You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
The NHS and adult social services also commit:
- To ensure those involved in your care and treatment have access to your health and social care information so they can care for you safely and effectively (pledge);
- To anonymise the information collected during the course of your care and treatment and use it to support research and improve care for others (pledge);
- Where identifiable information has to be used, to give you the chance to object wherever possible (pledge);
- To inform you of research studies in which you may be eligible to participate (pledge); and
- To share with you any correspondence sent between staff about your care (pledge).
Why does the Trust need my information?
We ask you to share information with us so that we can provide you with the highest standard of care we possibly can.
This information is known as your “Health Record” and is stored securely by the Trust in both paper and electronic forms. This information provides NHS staff with the information they need in order to ensure that the delivery of your care continues to be of the highest standard. It includes:
• Name*, address*, date of birth, hospital number, NHS number
We collect this information to enable us to send you letters about your care e.g. appointment letters. This information is also used to identify you and distinguish you from other patients.
• Telephone numbers* email*
We collect telephone numbers for you which will be used to contact you about your care.
Your contact numbers will not be provided to any third parties without your consent or unless we have a lawful/legal basis to do so.
If you provide your email address, this may be used to contact you regarding appointments.
*Please inform the Trust if any of the above information changes.
• Next of kin
We will collect details of your next of kin. This person should be the person that you wish to be contacted in an emergency. Your next of kin has no legal right to any confidential information held about you or to make any decisions about your care.
If an individual wishes to be involved in a decision about your care they must obtain the appropriate legal Power of Attorney.
• Ethnicity
There is a legal requirement for us to collect your ethnicity to ensure that we provide a fair, open organisation where all patients receive equal treatment.
An individual’s ethnicity can also have a bearing on the type of illnesses an individual is susceptible to. Anonymised information on patient’s illnesses/disease and their ethnicity is passed by the Trust to the Department of Health who shares this information with the World Health Organisation to identify patterns in illness or diseases.
If you require further information on the services provided please contact the Trust's Equality and Diversity Department on 0151 556 3396.
• Disability, language preferences
This information is collected to enable us to provide care which meets your needs e.g. accommodate wheelchair users, provision of an interpreter.
If you require further information on the services provided please contact the HR team on 0151 556 3117.
• Religion
We offer all patients a Chaplaincy service. Your religion is passed to our Chaplains who run this service to enable them to visit you whilst in hospital to ensure the pastoral and spiritual needs of patients, their families and staff members are adequately addressed.
• Medical history including any allergies
There will be occasions when you would have been referred or transferred from another NHS organisation, such as your GP or another hospital. In this instance information relating to your healthcare will be transferred across with you or where possible will be accessed by the staff members involved in your care. This enables us to have a comprehensive history of your condition, past medical history and allergies which allows staff to be able to provide you with the most appropriate quality of care and service.
• Healthcare and treatment provided by the Trust
This includes information such as appointment letters, outpatient visits, overnight stays at the hospital, clinical notes and reports. This will be detailed information held in both paper and electronic forms and will be shared amongst clinical staff employed by us to provide your care.
• Results of X-rays, bloods, scans and any other tests
You may have provided samples e.g. urine, blood, etc. which will be processed by our laboratory, or, if a specialised test, with a partner laboratory.
The results of these tests are stored by the Trust and form part of your health record.
• GP details
When you receive any form of healthcare from us, whether this is a visit to the Emergency Department, or an outpatient appointment, or overnight stays, we will write to your GP detailing the reason for your visit and provide a summary of the care you received.
It is therefore very important that we have the correct details for your GP as a delay in receiving this information could affect any ongoing care required.
How does the Trust collect my information?
• Your information is collected from various sources, most commonly directly from you.
When you visit us, the clinicians and or administration staff will collect information from you which will form part of your health record. They will also document information relating to your care into the Trust’s systems.
• From other NHS sources
There will be occasions when you would have been referred or transferred from another NHS organisation, such as your GP or another hospital. In this instance information relating to your healthcare will be transferred across with you. This enables us to have a comprehensive history of your condition which allows staff to be able to provide you with the most appropriate quality of care and service.
• In what format do you collect my information?
Your health record is made up of both electronic and paper documents. The Trust uses a number of computer based clinical systems. These systems hold information relating to the care provided to you. The Trust retains information in accordance with best practice guidance issued by the Department of Health.
• How long does the Trust keep my Information for?
The Trust retains information in accordance with national guidance and the Records Management Code of Practice for Health and Social Care
For more information please visit NHS Digital.
How does the Trust use my information?
We use your information in several ways which includes enabling us to provide you with the highest quality of care, allowing us to improve the care provided to both yourself and others by managing, planning and improving NHS services.
• Your information is used by clinical and administrative staff to provide you with treatment and care, including professionals based in other locations, e.g. your GP, other NHS Trusts and Social Services. We work in partnership with other NHS organisations and clinical staff employed by other NHS organisations that could be consulted for an expert opinion relating to your care.
Your information could be shared with other organisations such as another NHS Trust, your GP and Social Services. You may need to be transferred to another hospital for further treatment. We also work with Social Services staff if necessary, whilst you are still in hospital to plan your discharge home. Information relating to your discharge arrangements will be recorded by Social Services within their manual and computerised records.
• To support your time in hospital, e.g. dietary requirements passed to catering staff, religion passed to the Trust Chaplains.
Any dietary requirements are passed to the catering staff with your choice of meal to ensure your dietary needs are met. Information relating to your religion is passed to Trust Chaplains running this service to enable them to visit you whilst in hospital to ensure the pastoral and spiritual needs of patients, their families and staff members are adequately addressed.
• For the Trust to undertake clinical audits.
We have an annual Clinical Audit programme which requires all clinical staff to participate. These audits enable us to monitor and improve the quality of care and treatment provided to you and others. Clinical staff across the Trust will review patient health records to review the care provided and to identify ways in which the care could be improved in the future.
• Student training
The Trust regularly has student doctors and nurses working with our clinical teams. Students will have access to your health records if they are involved in your care. If you do not wish for your health records to be used in this way, please discuss this with your healthcare professional.
• Patient satisfaction surveys
We may send to your home address a satisfaction survey after your treatment from us. These surveys will help us to review and improve the care and treatment we provide to patients.
We may also send patients surveys via SMS if we have collected your mobile contact number. The SMS you receive will give you the option to opt out of this if you wish to do so.
• To investigate complaints, untoward incidents or legal claims
Staff within the Legal Team and Complaints Department will need to access your health records and may need to share this information with other Trust staff and external third parties if applicable e.g. Trust Solicitors, NHS Litigation Authority, regulatory bodies, royal colleges, independent experts and other external bodies such as NHS England (NHSE), Information Commissioners Office (ICO) in order to deal with issues and incidents raised or to process your complaint or legal claim.
We take patient safety very seriously so if an incident occurs that was not expected the Trust will investigate. In this instance the staff involved in your care, with the support of the relevant departments, would access your health records.
• To undertake health service management/planning which entails preparing statistics on our performance to ensure that we can meet patient needs in the future.
Statistical information about patient care is collated by us e.g. how long patients have waited for an outpatient appointment. This is because every NHS Trust is performance managed and this information allows the Trust to improve the services it provides.
This information will be anonymised or coded so individual patients cannot be identified.
• Where appropriate, to ask you to participate in a research project.
The Walton Centre is a research active organisation and is committed to supporting innovation and the promotion, conduct and use of research to improve the current and future health and care of the population.
Your participation in any research project is entirely voluntary and will only occur with your explicit consent.
We anonymise the information collected during the course of your care and treatment and use it to support research and improve care for others.
Our Research, Development and Innovation Team manages all research projects undertaken in the Trust and ensures studies have the necessary NHS permission and are in compliance with the regulatory framework for research.
Privacy Notice - SPINE TANGO
If you have had a spinal operation and participated in the SPINE TANGO study at The Walton Centre – the following information applies to you.
In addition to what we currently do with your information, we now also use the information you have provided as described below.
We pride ourselves on delivering the best patient care and, as part of this, we have been collecting information regarding spinal surgery outcomes using a questionnaire known as SPINE TANGO since 2011. In order to continue to deliver outstanding care to patients, we will now be working in partnership with NEC Software Solutions UK Limited. This collaboration will produce reports using pseudonymised* information from the SPINE TANGO and other related questionnaires, which enables us and the manufacturers of medical devices to see how well specific devices are performing and to identify if there are any issues. In some cases pre- and post-operative radiological findings from X-rays, MRI’s and CT’s will be gathered for assessments also.
Under no circumstances will information that identifies you be shared for use in these reports.
If you have previously agreed to participate in SPINE TANGO, but would not like us to use the information that you provided for these new reports, please get in touch with our Clinical Effectiveness Team on 0151 556 4083 or 0151 556 1254, or alternatively you can email wcft.neurosurgeryclinicaleffectiveness@nhs.net
* Pseudonymised information is where we remove your name and address and replace other identifiable data with different codes/numbers, so that when we share the data, you cannot be identified.
Who else has access to my information?
• To protect your best interests, your information may be shared in an emergency situation.
We have developed an extensive emergency contingency plan e.g. in the event of fire, flood, loss of power, etc. If an emergency occurred within the hospital, details of patients currently within the hospital or due to come into hospital might be shared with external organisations that are assisting the Trust to manage the emergency.
• There are occasions where we have a legal duty to pass patient information to external organisations. These include: notification of new birth, notification of infectious diseases e.g. meningitis, or where a formal court order has been issued to the Trust.
• We share patient information with other external NHS organisations which operate to oversee and address issues relating to the management of the whole NHS, which contributes to providing an efficient and effective NHS.
These organisations include the NHS Business Services Authority and the NHS Counter Fraud Authority (NHSCFA). The NHSCFA is responsible for policy and operational matters relating to the prevention, detection and investigation of fraud in the NHS. In some instances information relating to patients will be shared with the NHS Counter Fraud Authority.
We may be required to provide information to the National Fraud Initiative (NFI) for the prevention and detection of crime. The NFI is a data matching exercise conducted by the Cabinet Office to assist in the prevention and detection of fraud. The data matching allows potentially fraudulent claims and payments to be identified. The authority is under a duty to protect the public funds it administers, and to this end may use the information you have provided for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes.
For further information, please see https://www.gov.uk/government/collections/national-fraud-initiative or contact your Local Anti-Fraud Specialist on 0151 2854547.
• There are a number of external NHS organisations who have a statutory duty to undertake financial and regulatory audits on NHS Trusts. Assessors from these organisations may require access to patient information.
All NHS Trusts are mandated by the Department of Health to undertake clinical audits on care delivered to patients, which can be undertaken by clinical staff employed by the Trust or by external audit companies. This could involve individuals who have not been involved with your direct care accessing your health records. Further information on national clinical audit can be found on the Department of Health and Social Care website
*If you wish to object to your records being made available to external assessors, please inform a member of staff or contact the Trust’s Clinical Governance Team or the Information Governance Department.
Access to shared systems
The Trust is part of the Cheshire and Merseyside Radiology Network consortium that use the same radiology system. All access and sharing arrangements are closely monitored by the Trusts within the consortium.
More information about the sharing arrangements in place can be obtained from the Trusts Radiology Department.
Health Procurement Liverpool
Health Procurement Liverpool (HPL) is a new shared Procurement function for Alder Hey Children’s Hospital, Clatterbridge Cancer Centre, Liverpool Heart and Chest Hospital and The Walton Centre Trust. In May 2021 the Trusts named above agreed to create a single shared procurement alliance in order to strengthen procurement services, support integrated ways of working and to deliver efficiencies through economies of scale and consolidated purchasing activity. The shared service is hosted by The Walton Centre. From 1 June 2024 HPL will provide strategic procurement services to Cheshire and Wirral Partnership NHS Foundation Trust (CWP) for a period of 12 months.
Patient/Staff Data - Patient data will not be processed by HPL. If any staff contact information is passed over during the requisition phase to HPL, the information will be removed and changed to initials only.
Supplier Data – Data such as contracts registers, supplier’s contracts and bid prices, supplier spend and usage on products/services, supplier addresses, and representative contact details will be held centrally by Health procurement Liverpool.
For further information regarding the sharing of information across the HPL collaboration please contact wcft.supplies@nhs.net. All sharing of information is carried out in line with the Data Protection Act 2018 and UK General Data Protection Regulation.
Privacy Notice - SPINE TANGO
If you have had a spinal operation and participated in the SPINE TANGO study at The Walton Centre – the following information applies to you.
In addition to what we currently do with your information, we now also use the information you have provided as described below.
We pride ourselves on delivering the best patient care and, as part of this, we have been collecting information regarding spinal surgery outcomes using a questionnaire known as SPINE TANGO since 2011. In order to continue to deliver outstanding care to patients, we will now be working in partnership with NEC Software Solutions UK Limited. This collaboration will produce reports using pseudonymised* information from the SPINE TANGO and other related questionnaires, which enables us and the manufacturers of medical devices to see how well specific devices are performing and to identify if there are any issues. In some cases pre- and post-operative radiological findings from X-rays, MRIs and CTs will be gathered for assessments also.
Under no circumstances will information that identifies you be shared for use in these reports.
If you have previously agreed to participate in SPINE TANGO, but would not like us to use the information that you provided for these new reports, please get in touch with our Clinical Effectiveness Team on 0151 556 4083 or 0151 556 1254, or alternatively you can email wcft.neurosurgeryclinicaleffectiveness@nhs.net
* Pseudonymised information is where we remove your name and address and replace other identifiable data with different codes/numbers, so that when we share the data, you cannot be identified.
Does The Walton Centre have access to any of my other health data?
In recent years the NHS has changed the way we share patient information among healthcare professionals in different settings e.g. hospitals, GP practices, Urgent Care Centres.
To prevent delay and ensure safe treatment, especially in urgent situations, doctors and other specialists may access essential parts of your record electronically, rather than writing to or phoning your GP or other healthcare professionals involved in your treatment and care.
The NHS nationally and locally currently use systems to share information electronically.
NHS Summary Care Record
The NHS Summary Care Record (SCR) is a secure national electronic record, enabling doctors and healthcare specialists to access information about you that could be vital in an emergency or out-of-hours situation.
Records for each individual will be created automatically. This will enable NHS staff caring for you anywhere in England to access the following information to support your care.
At a minimum, the SCR holds important information about:
- Current medication
- Allergies and details of any previous bad reactions to medicines
- The name, address, date of birth and NHS number of the patient
Healthcare staff will ask your permission before they look at your record except in certain circumstances (e.g. if you are unconscious).
Additional Information in the SCR, such as details of long-term conditions, significant medical history, or specific communications needs, is now included by default for patients with an SCR, unless they have previously told the NHS that they did not want this information to be shared. For further information, please see: Summary Care Records (SCR) - NHS Digital
Share2Care
Share2Care is a collaborative programme between the Cheshire and Merseyside Health and Care Partnership, and the Healthier Lancashire and South Cumbria, to deliver the sharing of local health care records electronically.
Through the Share2Care programme, your information will be accessed by healthcare professionals when you are referred for treatment or care. Your information will only be accessed by relevant healthcare professionals who care for you and the information viewed will be relevant to the treatment and/or care plans that need to be put in place for your needs. There will be some pieces of your information that will not be shared for legal and data protection purposes, which includes more sensitive and confidential information. The access levels that healthcare professionals have will be based on their clinical role.
For more information about Share2Care, visit the Share2Care website at http://www.share2care.nhs.uk/ which includes information on:
- What the Share2Care programme is
- Why information is shared
- Who information is shared with
- How to opt out of information being shared
All sharing of information is carried out in line with statutory legal requirements and in line with the UK General Data Protection Regulation and the Data Protection Act 2018.
DrDoctor / NHSapp
Since March 2023, The Walton Centre NHS Foundation Trust partnered with Dr Doctor to digitally enable wayfinding for patients using a Patient Portal, with the ability to integrate with the NHS app and NHS Website.
DrDoctor is a patient engagement platform which allows patients to communicate and interact with their Healthcare Provider and manage their appointments. It also enables Healthcare Providers to make data driven decisions, activate patients through self-booking and provide remote care. The digital platform supports the following functions:
- SMS and email appointment reminders and confirmations.
- The ability to opt-in to view digital letters and their attachments within a patient portal or receive printed letters instead.
- Patient portal which allows patients to view their appointments and add appointment information to their own calendars, obtain clinic level information and important treatment documentation.
- Allows patients to re-schedule or cancel appointments via two-way SMS system communication. Patients are given the ability to re-book appointments at a time which is acceptable to them and can request to be seen more urgently through the ‘See me sooner’ facility, which can enable patients to be booked into cancelled appointment slots. The system also offers a ‘Patient-led’ booking facility for first time attendees where they can choose their appointment time.
- Allows patients to complete digital assessments and respond to questionnaires.
- Allows staff to hold video consultations with patients remotely without the need for patients to come to the organisation.
- Provides a mechanism for the organisation to capture patient feedback and improve services and experience.
- Staff will be able to review and report on performance within their departments and receive organisational messaging through the system.
The Walton Centre currently utilises Dr Doctor to support with SMS and email appointment reminders, requests to reschedule appointments, send out adhoc questions to patients and plans to implement additional features including digital letters, which will be made available to patients in the NHS App.
DrDoctor has transparency information available to service users through its Privacy Policy. Additionally, DrDoctor has a host of information available on its website https://www.drdoctor.co.uk/privacy-notice to inform service users how their confidential information is used.
The NHS App gives you a simple and secure way to access a range of NHS services. Download the NHS App on your smartphone or tablet via the Google play or App store. You can also access the same services in a web browser by logging in through the NHS website. To access the NHS App, you will need to set up an NHS login and prove who you are. Your NHS App then securely connects to information from your GP surgery. If your device supports fingerprint detection or facial recognition, you can use it to log in to your NHS App each time, instead of using a password and security code.
You must be aged 13 or over to use the NHS App. You also need to be registered with a GP surgery in England or the Isle of Man. The privacy policy explains how NHS England and other organisations may use your data when you use the NHS App. https://www.nhs.uk/nhs-app/nhs-app-legal-and-cookies/nhs-app-privacy-policy/privacy-policy/
Attend Anywhere
NHS Attend Anywhere is a secure web-based platform used by The Walton Centre for pre-arranged video consultation appointments. Patients can connect to the platform on any PC, Mac or iOS/Android device by downloading and installing Google Chrome or by downloading and installing Safari. Attend anywhere collects certain information in order to facilitate video consultations between patients and clinicians and the details of this are outlined within their privacy notice https://www.inductionhealthcare.com/long-text/attend-anywhere-privacy-notice
How do we protect your information?
• Everyone working for the NHS has a legal duty to keep your information secure and confidential at all times.
All staff employed by the Trust or working with the Trust are bound by strict confidentiality agreements. Trust Staff also undertake training on both the Data Protection, Information Security and the Common Law of Confidentiality to ensure they know and understand how to keep your information secure and confidential at all times.
The Trust’s Information Security Department has deployed technical security measures to keep your information secure when stored electronically.
• All staff working in the NHS are bound by strict confidentiality guidelines which means only staff that are providing or supporting your care/treatment are entitled to access your information.
All staff are bound by the Common Law Duty of Confidentiality which means only staff involved with your care are entitled to access information relating to you. This is detailed within the confidentiality agreements signed by staff working in the Trust and is included within mandated training provided to all staff. All clinical staff are bound by strict professional codes of conduct which incorporate confidentiality clauses. Further information can be found on the respective British Medical Association (BMA), General Medical Council (GMC), and Nursing and Midwifery Council (NWC), and Allied Health Professions websites.
• We will not disclose any patient/personal information to a third party e.g. private organisation, solicitor, employer, police officer without obtaining your explicit consent, unless we have a legal duty to pass your information on in line with Data Protection laws.
• We will only collect the minimum information required to provide and support your care.
Data protection law requires the Trust to only collect information which is relevant to your care and is not excessive.
• We keep your health record for a defined period of time as determined by Department of Health and Social Care Guidance.
We have a legal obligation to store your health information. The length of time we will store your information is set out by the Department of Health and Social Care. The longest we will keep a patient’s record is 30 years after their care has stopped.
More information about the NHS Retention Schedules are contained in the NHS England Records Management Code of Practice 2021
Can I access my own health record?
Can I see my own health record?
Yes, under the data protection legislation, individuals have the right to access their own information held by us. However there are a few exceptions, see below. Please talk to the healthcare professional responsible for your care about this.
If you are no longer receiving care then please contact the Subject Access Request Team for access to your Medical Records - wcft.sarlegalrequests@nhs.net
How much does it cost?
As of 25 May 2018 there is no longer a charge for this service. However, you may be charged a reasonable fee for repeated requests for further copies of the same information.
Can I be refused access?
For the majority of requests you will be allowed access to your records. However, in some instances access may be denied to all or part of your records for the following reasons:
- If your doctor or another senior healthcare professional thinks seeing your records before seeing one of them could cause you or another serious harm or distress.
- If the information involves an identified person, who does not consent to this information being disclosed. This does not include healthcare professionals.
- If you are applying on behalf of someone who has died or who is not cable of managing their own affairs and they originally instructed that the information should not be disclosed.
How do I apply to access my health record?
If you would like to apply to access your health records, we ask you to complete our application form in order for us to gather all the information needed and return it to us via post or email (details below) along with copies of two forms of ID. Once the completed application form has been received, your application will begin to be processed.
Find out more information about accessing your health record
Can I change my records?
We have a legal obligation to ensure your information is accurate and up to date. We are however only obliged to make corrections to your records if the record contains incorrect facts such as name, address etc. If you believe that medical information or a clinician’s opinion that is noted on your file is incorrect this cannot be changed for safety reasons however a note can be added to your file stating your view.
If you wish to make changes to name, address etc. then please speak to your healthcare professional.
What are my rights?
If we need to use your personal information for any reason beyond those stated, we will discuss this with you. You have the right to ask us not to use your information in this way.
However, there are exceptions to this which are listed below.
If the public interest is thought to be of greater importance, for example:
- If a serious crime has been committed.
- If there are risks to the public or to our staff.
- To protect vulnerable children or adults.
If we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders.
If we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority).
Data protection laws give individuals rights in respect of the personal information that we hold about you. These are:
- To be informed why, where and how we use your information (right to be informed)
- To ask for access to your information (right of access), also known as a subject access request
- To ask for information to be corrected if inaccurate or incomplete (right to rectification)
- To ask for your information to be erased or removed (the right to erasure) (this does not apply to an individual’s health or care record or for public health or scientific research reasons).
- To ask us to restrict the use of your information (the right to restrict processing)
- To ask us to copy or transfer your information to other providers in a safe and secure way, without impacting the quality of the information (the right to data portability)
- To object to how your information is used in certain circumstances (the right to object)
- To challenge any decisions made without human Intervention (automated decision making) (the right not to be subjected to automated decision-making)
N.B. The Trust does not undertake automated decision-making or profiling of your personal information. There are some situations where we use artificial intelligence. Please see the tab Does the Trust use Artificial intelligence?
Also, your information is not processed overseas.
Lawful basis for the processing of your information
We are committed to protecting your privacy and will only process personal confidential data in accordance with the appropriate legislation which includes the General Data Protection Regulation, Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
In our use of health and care information, we satisfy the Common Law Duty of Confidentiality by one or more of the following:
- You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses).
- We have approval from the Secretary of State for Health and Care or the Health Research Authority following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent.
- We have a legal requirement to collect, share and use the data.
- The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).
The UK General Data Protection Regulation (UK GDPR) states that the processing of ‘personal data’ shall be lawful where it is:
Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
And for processing special categories of personal data where it is:
Article 9(2) (h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of healthcare professionals or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
The Health and Social Care Act 2012 also states the need to collect, record, store and use your personal data in order to provide healthcare services to you.
Data Controller - The Walton Centre NHS Foundation Trust is a Data Controller as defined in the UK General Data Protection Regulation and Data Protection Act 2018. This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. The Walton Centre ICO Data Protection Register number is Z6052598 and our entry can be found in the online Data Protection Register on ICO
Data Processors - The Trust will use the services of additional data processors, which will provide additional expertise to assist in the delivery of services. We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of information to be shared and the legal basis allowing us to legitimately share the information. We have entered into contracts with other companies/organisations to provide some services for us or on our behalf. These organisations are known as “data processors". These organisations are subject to the same legislation and accountability for keeping personal confidential data safe and secure and which is set out in a contract with us. Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
Patient and Public Involvement - If you have asked us to keep you regularly informed and up to date about the work of the Trust, or if you are actively involved in our engagement and consultation activities, or patient participation groups, we will collect and process personal confidential data which you share with us. We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this Privacy Notice.
UK GDPR states that the processing of ‘personal data’ shall be lawful where:
Article 6(1) (a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
And for processing special categories of personal data where:
Article 9(2) (a) - the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes.
You can withdraw your consent to the further processing of your data at any time, if you have previously given consent for such processing, and there is no other legal basis for the Trust to continue processing it.
CCTV - We have installed CCTV cameras on our Trust sites in areas that are used by members of the public and staff. This is for the purposes of public safety and crime prevention/detection. In all locations, signs are displayed notifying of the fact the CCTV is in operation and providing details of whom to contact for further information about the scheme.
GDPR states that the processing of ‘personal data’ shall be lawful where it is:
Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Further queries
Should you have any further queries on the uses of your information, please speak or contact to one of the following:
Your healthcare professional
Data Protection Officer wcft.dpo@nhs.net
Information Governance Team on 0151 556 3038/3039 or wcft.information.governance@nhs.net
The Information Governance Team appreciates all patient feedback in relation to the information you have read on our Privacy Notice. If you could kindly complete one of our Patient Satisfaction surveys via this link or the QR code below.
If you wish to receive a copy of the survey via the post, then please contact our IG Team who will arrange this for you via 0151 556 3038/3039 or wcft.information.governance@nhs.net
The Patient Experience Team, for practical advice our Patient Experience Team provide a Patient Advice and Liaison Service (PALS). You can contact our Patient Experience Team on 0151 556 3090, or email them at: wcft.patientexperience@nhs.net
The Data Protection Officer is responsible for monitoring our compliance with data protection requirements. You can contact them with concerns relating to the use of your personal data.
Should you wish to lodge a complaint about the use of your information, please contact our Patient Experience Team using the information above.
Following this, if you are still unhappy with how we have used your data, you can then complain to the Information Commissioners Office (ICO).
The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Useful websites for more information
Information Commissioners Office - ICO
NHS England - www.england.nhs.uk
NHS England: Protecting and safely using data in the new NHS England - NHS England » Protecting and safely using data in the new NHS England
Opting out of data sharing
We are applying the national data opt-out because we are using confidential patient information for purposes beyond individual care.
The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when allowed by law.
Most of the time, the data used for research and planning is anonymised, so that you cannot be identified, and your confidential patient information is not accessed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
If you’re happy for us to use your information, you do not need to do anything.
If you choose to opt out, your confidential patient information will still be used to support your individual care.
There are a number of different opt outs of data sharing you can choose:
- Opt out of your GP Practice sharing your data (Type 1 Opt-Out)
- Opt out of sharing your information for purposes other than your care and treatment (National Data Opt Out)
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Is my information sent overseas or sold for profit to other organisations?
Your information will only be sent outside of the UK where the country has laws in place that meet the standards of data protection similar to those in the UK. We perform a number of checks to ensure this. We will never sell any information about you to other organisations for profit.
The laws that health and care organisations rely on when using your information
Data protection laws mean that organisations must identify which law they are relying on when sharing information. For example if an organisation is sharing information because they are required by law to do so, they need to identify which law is requiring this. The following are the most likely laws that apply when using and sharing information in health and care. This list is not exhaustive.
Abortion Act 1967 and Abortion Regulations 1991
Requires that health and care staff share information with the Chief Medical Officer about abortion treatment they have provided.
Access to Health Records Act 1990
Allows access the health records of deceased people, for example to personal representatives or those who have a claim following the deceased person’s death.
Care Act 2014
Defines how NHS organisations and local authorities must provide care and support to individuals, including for the management of safeguarding issues. This includes using information to assess any person who appears to require care and support.
Children Act 1989
Sets out the duties of local authorities and voluntary organisations in relation to the protection and care of children. It requires organisations that come into contact with children to cooperate and share information to safeguard children at risk of significant harm.
Control of Patient Information Regulations 2002 (COPI)
Allows information to be shared for specific reasons in relation to health and care, such as for the detection and prevention of cancer, to manage infectious diseases, such measles or COVID-19. It also allows for information to be shared where approval has been given for research or by the Secretary of State for Health and Social Care.
Coroners and Justice Act 2009
Sets out that health and care organisations must pass on information to coroners in England.
Employment Rights Act 1996
Sets out requirements for employers in relation to their employees. This includes keeping records of staff when working for them.
Equality Act 2010
Protects people from discrimination based on their age, disability, gender reassignment, pregnancy or maternity, race, religion or belief, sex, sexual orientation. Organisations may need to use this information to ensure that they are complying with their responsibilities under this Act.
Female Genital Mutilation Act 2003
Requires health and care professionals to report known cases of female genital mutilation to the police.
Fraud Act 2006
Defines fraudulent activities and how information may be shared, for example with the police, to prevent and detect fraud.
Health and Social Care Act 2008 and 2012
Sets out the structure of the health and social care system and describes the roles of different types of organisations. It sets out what they can and can’t do and how they can or can’t use information. It includes a duty for health and care staff to share information for individual care, unless health and organisations have a reasonable belief that you would object. In addition, health and care organisations may need to provide information to:
- The Secretary of State for Health and Social Care
- NHS England, which leads the NHS in England
- The Care Quality Commission, which inspects health and care services
- The National Institute for Health and Care Excellence (NICE), which provides national guidance and advice to improve health and care
- NHS Digital, which is the national provider of information, data and IT systems for health and social care.
Health and Social Care (Community Health and Standards) Act 2003
Allows those responsible for planning health and care services to investigate complaints about health and care organisations they have a contract with.
Health Protection (Notification) Regulations 2010)
Requires health professionals to help manage the outbreaks of infection by reporting certain contagious diseases to local authorities and to the UK Health Security Agency. The UK Health Security Agency is responsible for protecting people from the impact of infectious diseases.
Human Fertilisation and Embryology Act 1990
Requires health organisations to report information about assisted reproduction and fertility treatments to the Human Fertilisation and Embryology Authority.
Human Tissue Act 2004
Requires health organisations to report information about transplants, including adverse reactions to the Human Tissue Authority.
Inquiries Act 2005
Sets out requirements in relation to Public Inquiries, such as the UK COVID-19 Inquiry. Public Inquiries can request information from organisations to help them to complete their inquiry.
Local Government Act 1972
Sets out the responsibilities of local authorities in relation to social care including managing care records appropriately. For example, it lays out how they should be created, stored and how long they should be kept for.
NHS Act 2006
Sets out what NHS organisations can and can’t do and how they can or can’t use information. It allows confidential patient information to be used in specific circumstances for purposes beyond individual care. These include a limited number of approved research and planning purposes. Information can only be used where it is not possible to use information which doesn’t identify you, or were seeking your explicit consent to use the information is not practical. The Act also sets out that information must be shared for the prevention and detection of fraud in the NHS.
Public Records Act 1958
Defines all records created by the NHS or local authorities as public records. This includes where organisations create records on behalf of the NHS or local authorities These records therefore need to be kept for certain periods of time, including permanently in some cases.
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013
Requires employers to report deaths, major injuries and accidents to the Health and Safety Executive, the national regulator for workplace health and safety.
Safeguarding Vulnerable Groups Act 2006
Sets out requirements for organisations who work with vulnerable to share information and to perform pre-employment checks with the Disclosure and Barring Service (DBS), which is responsible for helping employers make safer recruitment decisions.
Statistics and Registration Service Act 2007
Allows health organisations that plan services and local authorities to receive and disclose health and care information to the Office for National Statistics (ONS). The ONS is the UK’s largest independent producer of official statistics.
Terrorism Act 2000 and Terrorism Prevention and Investigation Measures Act 2011
Requires any person to share information with the police for the prevention and detection of terrorism related crimes.
The Road Traffic Act 1988
Requires any person to provide information to the police when requested to help identify a driver alleged to have committed a traffic offence.
CCTV and Body Worn Video Cameras (BWV)
Closed Circuit Television (CCTV)
The Walton Centre NHS Foundation Trust uses Closed Circuit Television (CCTV) systems to provide a safe and secure environment for patients, staff and visitors and to protect The Walton Centre property and assets. All cameras are located in prominent positions within public and staff view and do not infringe on clinical/treatment areas. There is also appropriate signage in place.
Body Worn Video Cameras (BWV)
Body worn Video Cameras are used in the Trust for the purpose of detection and prevention of crime. They are only used in situations where the camera wearer decides to take some sort of action or make an intervention i.e. violence prevention. The camera wearer must ensure that they inform the person, surrounding staff and public that images and audio footage of the area is being recorded.
Access to recordings of CCTV AND BWV footage is restricted dependant on role. CCTV and BWV footage will be erased after 31 days, however in cases where footage is being used for evidential purposes the data will be deleted after it is no longer required.
All requests must be directed to the Patient Experience Team. CCTV/BWV footage will only be released, if necessary and in line with the Data Protection Act 2018 and General Data Protection Regulation (GDPR).
Federated Data Platform
Inpatient Care Coordination Solution - FDP Product Privacy Notice
Product Description
NHS Trusts use this Product to support and improve their waiting list times for planned treatment and to provide you with the best care within the most appropriate timeframe in relation to the procedure or treatment you are being provided by the hospital. The Walton Centre is using this product.
The Product enables care teams in a hospital to identify the actions they can take to ensure that your procedure or treatment can be scheduled and carried out smoothly. Only members of your care team will have access to your personal information in the Product to provide you with care.
What are the purposes for processing my personal data in this Product?
This Product processes personal information (called ‘personal data’ under data protection laws) about patients who require planned treatment in a hospital to support the better coordination of your treatment. This includes information about your health, medical condition and the procedure or treatment. The Product enables your care team in the hospital to more effectively coordinate your treatment and care.
The use of the Product by NHS Trusts will improve the delivery of inpatient procedures and treatment through better use of the information that the hospital holds. This will include bringing together all required information into one place to support your care in relation to your planned stay in hospital.
The Product enables your care team to identify the actions they can take to improve and speed up your care pathway. Hospitals will use this Product to provide you with the best care within the most appropriate time frame. This will also help hospitals to improve their waiting lists times for planned treatment for all patients, following the increase in waiting times caused by the COVID-19 pandemic.
What personal data about me is processed in this Product?
Personal data which directly identifies you (we call this directly identifiable data) will be processed by NHS Trusts about patients who are having planned treatment scheduled, for the purposes above. Data that is processed by hospitals that use this Product may include your:
- name
- address
- telephone number (mobile and home)
- email address
- date of birth
- sex
- NHS number or hospital record number
- health information, including information about your medical condition, symptoms, diagnosis and treatment
- race or ethnicity
Personal data about members of staff involved in the delivery of care may also be processed when using this Product, including the names of staff involved in providing care, their email address, their role/profession and planned absence information, so that your treatment can be scheduled.
Who is my personal data shared with?
Your personal data is accessed and used by health care professionals in the hospital who are providing you with individual care and treatment, and support staff who need to support health care professionals to administer your care journey.
Your personal data will not be shared with any other organisations as part of this Product. The Product will enable the NHS Trust to share anonymous aggregated data with other organisations. This is statistical counts of data that don’t identify you. It is therefore not personal data. Anonymous aggregated data will be shared through a dashboard in the Product and reports to the local Integrated Care Board in your local area and NHS England to help plan and improve services.
UK GDPR Information
Controllers of your personal data
Under data protection law the NHS Trusts using the Product are the legal controllers of your personal data under data protection laws. The specific NHS Trusts using the Product are listed on the Product Description page of the NHS England website here.
Legal grounds for processing your personal data
The processing of personal data by NHS Trusts for the purposes explained above is permitted under the following legal grounds under data protection law (this is UK GDPR and the Data Protection Act 2018 (DPA2018)):
- Public Task - Article 6(1)(e) of UK GDPR ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Health Care - Article 9(2)(h) of UK GDPR ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” In addition, the legal grounds under paragraph 2 of Part 1 of the DPA 2018 apply (health care purposes).
The personal data processed about patients by the NHS Trust for the purposes above is also confidential data. As the NHS Trust is processing your confidential data to provide you with individual care, it is relying on your implied consent to do this, as you would reasonably expect the hospital to process your personal information this way to provide you with care. The NHS Trust will keep your personal data confidential and only use and share it with other members of the care team to provide you with care, where you would reasonably expect them to, and subject to strict confidentiality controls to ensure your information remains confidential.
Processor acting on behalf of NHS Trusts
The data platform contractor, Palantir Technologies UK LTD is a processor acting on behalf of the NHS Trusts who are using this Product. They provide the data platform and the technology that the Product uses and only act on the instructions of the NHS Trust.
Your rights under UK GDPR
You have the following rights under UK GDPR in relation to the processing of your personal data by the NHS Trust for the purposes above:
- Right to be informed
- Right of access
- Right to rectify
- Right to object
Further information about these rights is in the NHS Federated Data Platform Privacy Notice here. Your NHS Trust will also have a Privacy Notice on its own website which will explain more about how the Trust processes your personal data, your rights and how to exercise them.
Contact details for data protection officers in the NHS Trusts using this Product.
Does the National Data Opt Out or any other opt out apply to this Product?
The National Data Opt Out and Type 1 Opt Outs do not apply to the processing of your personal data by the NHS Trust for the purposes explained above. This is because the NHS Trust is processing your personal data to provide you with individual care and treatment and these opt-outs don’t apply in these circumstances.
More information
For more information about how personal data is processed within the Federated Data Platform please see the NHS Federated Data Platform Privacy Notice.
Last updated date 1 May 2024
Does the Trust use Artificial Intelligence?
Intelligent automation (IA) is a software term that refers to a combination of artificial intelligence (AI) and robotic process automation (RPA). We use Intelligent Automation (IA) in the following ways within The Walton Centre:
- As part of your care as a patient at The Walton Centre, either attending as an outpatient or as part of an inpatient stay, you may have radiology imaging (X-ray, CT scan, MRI, ultrasound, etc.) or a procedure in radiology. We sometimes use Artificial Intelligence to help us analyse or process these image(s) or identify anomalies. Your images will continue to be viewed by a clinician as they are now, but the use of IA helps us to speed up imaging results and/or improve their accuracy.
- The Trust is also in the process of developing and trialling a Headache Chatbot that includes IA to support the triage of headache patient neurology referrals which will result in reduced waiting times for patients and increased efficiency of consultation times.
- The Trust is also due to soon use software that will convert audio recordings to text such as within clinic letters.
For further information on any of these uses of IA, please contact wcft.information.governance@nhs.net.
Page last updated: 21 January 2025