Privacy Notice: Your information, your rights

Why does the Trust need my information?

 We ask you to share information with us so that we can provide you with the highest standard of care we possibly can. 

This information is known as your “Health Record” and is stored securely by the Trust in both paper and electronic forms. This information provides NHS staff with the information they need in order to ensure that the delivery of your care continues to be of the highest standard. It includes: 

• Name*, address*, date of birth

We collect your name, address and date of birth which enables us to send you letters about your care e.g. appointment letters.  This information is also used to identify you and distinguish you from other patients. 

• Telephone numbers*

We collect telephone numbers for you which will be used to contact you about your care. 

Your contact numbers will not be provided to any third parties without your consent or unless we have a lawful/legal basis to do so. 

*Please inform the Trust if any of the above information changes.

• Next of kin

We will collect details of your next of kin. This person should be the person that you wish to be contacted in an emergency.  Your next of kin has no legal right to any confidential information held about you or to make any decisions about your care.
 
If an individual wishes to be involved in a decision about your care they must obtain the appropriate legal Power of Attorney.

• Ethnicity

There is a legal requirement for us to collect your ethnicity to ensure that we provide a fair, open organisation where all patients receive equal treatment.

An individual’s ethnicity can also have a bearing on the type of illnesses an individual is susceptible to. Anonymised information on patient’s illnesses/disease and their ethnicity is passed by the Trust to the Department of Health who shares this information with the World Health Organisation to identify patterns in illness or diseases.

If you require further information on the services provided please contact the Trust's Equality and Diversity Department on 0151 556 3396.

• Disability, language preferences

This information is collected to enable us to provide care which meets your needs e.g. accommodate wheelchair users, provision of an interpreter.
 
If you require further information on the services provided please contact the HR team on 0151 556 3117. 

• Religion

We offer all patients a Chaplaincy service. Your religion is passed to our Chaplains who run this service to enable them to visit you whilst in hospital to ensure the pastoral and spiritual needs of patients, their families and staff members are adequately addressed.

• Healthcare and treatment provided by the Trust

This includes information such as appointment letters, outpatient visits, overnight stays at the hospital, clinical notes and reports.  This will be detailed information held in both paper and electronic forms and will be shared amongst clinical staff employed by us to provide your care.

• Results of X-rays, bloods and any other tests

You may have provided samples e.g. urine, blood, etc. which will be processed by our laboratory, or, if a specialised test, with a partner laboratory.

The results of these tests are stored by the Trust and form part of your health record.

• GP details

When you receive any form of healthcare from us, whether this is a visit to the Emergency Department, or an outpatient appointment, or overnight stays, we will write to your GP detailing the reason for your visit and provide a summary of the care you received.  

It is therefore very important that we have the correct details for your GP as a delay in receiving this information could affect any ongoing care required.

How does the Trust collect my information?

• Your information is collected from various sources, most commonly directly from you.

When you visit us, the clinicians and or administration staff will collect information from you which will form part of your health record. They will also document information relating to your care into the Trust’s systems.
 
• From other NHS sources

There will be occasions when you would have been referred or transferred from another NHS organisation, such as your GP or another hospital. In this instance information relating to your healthcare will be transferred across with you. This enables us to have a comprehensive history of your condition which allows staff to be able to provide you with the most appropriate quality of care and service.

• In what format do you collect my information?

Your health record is made up of both electronic and paper documents. The Trust uses a number of computer based clinical systems. These systems hold information relating to the care provided to you. The Trust retains information in accordance with best practice guidance issued by the Department of Health.

 

• How long does the Trust keep my Information for?

The Trust retains information in accordance with national guidance and the Records Management Code of Practice for Health and Social Care

For more information please visit NHS Digital.

How does the Trust use my information?

 

We use your information in several ways which includes enabling us to provide you with the highest quality of care, allowing us to improve the care provided to both yourself and others by managing, planning and improving NHS services.

• Your information is used by clinical and administrative staff to provide you with treatment and care, including professionals based in other locations, e.g. your GP, other NHS Trusts and Social Services. We work in partnership with other NHS organisations and clinical staff employed by other NHS organisations that could be consulted for an expert opinion relating to your care. 
 
Your information could be shared with other organisations such as another NHS Trust, your GP and Social Services. You may need to be transferred to another hospital for further treatment.  We also work with Social Services staff if necessary, whilst you are still in hospital to plan your discharge home. Information relating to your discharge arrangements will be recorded by Social Services within their manual and computerised records.
 
• To support your time in hospital, e.g. dietary requirements passed to catering staff, religion passed to the Trust Chaplains.

Any dietary requirements are passed to the catering staff with your choice of meal to ensure your dietary needs are met. Information relating to your religion is passed to Trust Chaplains running this service to enable them to visit you whilst in hospital to ensure the pastoral and spiritual needs of patients, their families and staff members are adequately addressed.

• For the Trust to undertake clinical audits.

We have an annual Clinical Audit programme which requires all clinical staff to participate. These audits enable us to monitor and improve the quality of care and treatment provided to you and others. Clinical staff across the Trust will review patient health records to review the care provided and to identify ways in which the care could be improved in the future.

• Student training

The Trust regularly has student doctors and nurses working with our clinical teams.
 
Students will have access to your health records if they are involved in your care. If you do not wish for your health records to be used in this way, please discuss this with your healthcare professional.

• Patient satisfaction surveys

We may send to your home address a satisfaction survey after your treatment from us. These surveys will help us to review and improve the care and treatment we provide to patients.
We may also send patients surveys via SMS if we have collected your mobile contact number. The SMS you receive will give you the option to opt out of this if you wish to do so.

• To investigate complaints, untoward incidents or legal claims

Staff within the Legal Team and Complaints Department will need to access your health records and may need to share this information with other Trust staff and external third parties if applicable e.g. Trust Solicitors, NHS Litigation Authority, in order to deal with issues raised or to process your complaint or legal claim.

We take patient safety very seriously so if an incident occurs that was not expected the Trust will investigate. In this instance the staff involved in your care, with the support of our Risk Management Department, would access your health records.

• To undertake health service management/planning which entails preparing statistics on our performance to ensure that we can meet patient needs in the future.

Statistical information about patient care is collated by us e.g. how long patients have waited for an outpatient appointment. This is because every NHS Trust is performance managed and this information allows the Trust to improve the services it provides.
 
This information will be anonymised or coded so individual patients cannot be identified.

• Where appropriate, to ask you to participate in a research project. 

The Walton Centre is a research active organisation and is committed to supporting innovation and the promotion, conduct and use of research to improve the current and future health and care of the population. 

Your participation in any research project is entirely voluntary and will only occur with your explicit consent.

We anonymise the information collected during the course of your care and treatment and use it to support research and improve care for others.

Our Research, Development and Innovation Team manages all research projects undertaken in the Trust and ensures studies have the necessary NHS permission and are in compliance with the regulatory framework for research.

Privacy Notice - SPINE TANGO

If you have had a spinal operation and participated in the SPINE TANGO study at The Walton Centre – the following information applies to you.

In addition to what we currently do with your information, we now also use the information you have provided as described below.

We pride ourselves on delivering the best patient care and, as part of this, we have been collecting information regarding spinal surgery outcomes using a questionnaire known as SPINE TANGO since 2011. In order to continue to deliver outstanding care to patients, we will now be working in partnership with NEC Software Solutions UK Limited. This collaboration will produce reports using pseudonymised* information from the SPINE TANGO and other related questionnaires, which enables us and the manufacturers of medical devices to see how well specific devices are performing and to identify if there are any issues. In some cases pre- and post-operative radiological findings from X-rays, MRI’s and CT’s will be gathered for assessments also.

Under no circumstances will information that identifies you be shared for use in these reports.

If you have previously agreed to participate in SPINE TANGO, but would not like us to use the information that you provided for these new reports, please get in touch with our Clinical Effectiveness Team on 0151 556 4083 or 0151 556 1254, or alternatively you can email wcft.neurosurgeryclinicaleffectiveness@nhs.net 

* Pseudonymised information is where we remove your name and address and replace other identifiable data with different codes/numbers, so that when we share the data, you cannot be identified.

Artificial Intelligence

As part of your care as a patient at The Walton Centre,  either attending  as an outpatient or as part of an inpatient stay,  you may have  radiology imaging (X-ray, CT scan, MRI, ultrasound, etc.) or a procedure in radiology. We sometimes use a form of technology called AI (Artificial Intelligence) to help us analyse or process these image(s). Your images will continue to be viewed by a clinician as they are now, but the use of AI helps us to speed up imaging results and/or improve their accuracy. For further information, please contact wcft.information.governance@nhs.net  

Who else has access to my information?

 • To protect your best interests, your information may be shared in an emergency situation.

We have developed an extensive emergency contingency plan e.g. in the event of fire, flood, loss of power, etc. If an emergency occurred within the hospital, details of patients currently within the hospital or due to come into hospital might be shared with external organisations that are assisting the Trust to manage the emergency.
 
• There are occasions where we have a legal duty to pass patient information to external organisations. These include: notification of new birth, notification of infectious diseases e.g. meningitis, or where a formal court order has been issued to the Trust.

• We share patient information with other external NHS organisations which operate to oversee and address issues relating to the management of the whole NHS, which contributes to providing an efficient and effective NHS.

These organisations include the NHS Business Services Authority and the NHS Counter Fraud Authority (NHSCFA). The NHSCFA is responsible for policy and operational matters relating to the prevention, detection and investigation of fraud in the NHS. In some instances information relating to patients will be shared with the NHS Counter Fraud Authority.

We may be required to provide information to the National Fraud Initiative (NFI) for the prevention and detection of crime. The NFI is a data matching exercise conducted by the Cabinet Office to assist in the prevention and detection of fraud. The data matching allows potentially fraudulent claims and payments to be identified. The authority is under a duty to protect the public funds it administers, and to this end may use the information you have provided for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes.

For further information, please see https://www.gov.uk/government/collections/national-fraud-initiative or contact your Local Anti-Fraud Specialist on 0151 2854547.

• There are a number of external NHS organisations who have a statutory duty to undertake financial and regulatory audits on NHS Trusts. Assessors from these organisations may require access to patient information.

All NHS Trusts are mandated by the Department of Health to undertake clinical audits on care delivered to patients, which can be undertaken by clinical staff employed by the Trust or by external audit companies. This could involve individuals who have not been involved with your direct care accessing your health records. Further information on national clinical audit can be found on the Department of Health and Social Care website
 

*If you wish to object to your records being made available to external assessors, please inform a member of staff or contact the Trust’s Clinical Governance Team or the Information Governance Department. 

Access to shared systems

The Trust is part of the Cheshire and Merseyside Radiology Network consortium that use the same radiology system. All access and sharing arrangements are closely monitored by the Trusts within the consortium.
More information about the sharing arrangements in place can be obtained from the Trusts Radiology Department.

Health Procurement Liverpool

Health Procurement Liverpool is a new shared procurement function for Alder Hey Children’s Hospital, Clatterbridge Cancer Centre, Liverpool Heart & Chest Hospital and The Walton Centre. In May 2021 the Trusts named above agreed to create a single shared procurement alliance in order to strengthen procurement services, support integrated ways of working and to deliver efficiencies through economies of scale and consolidated purchasing activity. The shared service is hosted by The Walton Centre.

• Patient/Staff Data - Patient data will not be processed by HPL. If any staff contact information is passed over during the requisition phase to HPL, the information will be removed and changed to initials only.
• Supplier Data – Data such as contracts registers, suppliers’ contracts and bid prices, supplier spend and usage on products/services, supplier addresses and representative contact details will be held centrally by Health Procurement Liverpool.

For further information regarding the sharing of information across the HPL collaboration please contact: wcft.supplies@nhs.net. All sharing of information is carried out in line with the Data Protection Act 2018 and UK General Data Protection Regulation.

Does The Walton Centre have access to any of my other health data?

 

In recent years the NHS has changed the way we share patient information among healthcare professionals in different settings e.g. hospitals, GP practices, Urgent Care Centres.

To prevent delay and ensure safe treatment, especially in urgent situations, doctors and other specialists may access essential parts of your record electronically, rather than writing to or phoning your GP or other healthcare professionals involved in your treatment and care.

The NHS nationally and locally currently use systems to share information electronically.

NHS Summary Care Record

The NHS Summary Care Record (SCR) is a secure national electronic record, enabling doctors and healthcare specialists to access information about you that could be vital in an emergency or out-of-hours situation.

Records for each individual will be created automatically. This will enable NHS staff caring for you anywhere in England to access the following information to support your care.

At a minimum, the SCR holds important information about:

• Current medication
• Allergies and details of any previous bad reactions to medicines
• The name, address, date of birth and NHS number of the patient 

Healthcare staff will ask your permission before they look at your record except in certain circumstances (e.g. if you are unconscious). 

Additional Information in the SCR, such as details of long-term conditions, significant medical history, or specific communications needs, is now included by default for patients with an SCR, unless they have previously told the NHS that they did not want this information to be shared. For further information, please see: Summary Care Records (SCR) - NHS Digital

Share2Care

Share2Care is a collaborative programme between the Cheshire and Merseyside Health and Care Partnership, and the Healthier Lancashire and South Cumbria, to deliver the sharing of local health care records electronically. 

Through the Share2Care programme, your information will be accessed by healthcare professionals when you are referred for treatment or care. Your information will only be accessed by relevant healthcare professionals who care for you and the information viewed will be relevant to the treatment and/or care plans that need to be put in place for your needs. There will be some pieces of your information that will not be shared for legal and data protection purposes, which includes more sensitive and confidential information. The access levels that healthcare professionals have will be based on their clinical role.

For more information about Share2Care, visit the Share2Care website at http://www.share2care.nhs.uk/ which includes information on:

•         What the Share2Care programme is
•         Why information is shared
•         Who information is shared with
•         How to opt out of information being shared 

All sharing of information is carried out in line with statutory legal requirements and in line with the UK General Data Protection Regulation and the Data Protection Act 2018. 

EMIS Web

EMIS Web allows healthcare professionals to record, share and use vital information so they can provide better, and more efficient:

• Primary care
• Community care
• Mental health care

Clinical staff will only be able to view the data if the patient has given consent to their GP practice to share their GP record, and if the GP practice has signed up to share the information. Not all GP data will be shared or made available.

For more information about EMIS Web, visit the EMIS Health website at www.emishealth.com or speak to your GP.

How do we protect your information?

 

• Everyone working for the NHS has a legal duty to keep your information secure and confidential at all times.

All staff employed by the Trust or working with the Trust are bound by strict confidentiality agreements. Trust Staff also undertake training on both the Data Protection, Information Security and the Common Law of
Confidentiality to ensure they know and understand how to keep your information secure and confidential at all times.

The Trust’s Information Security Department has deployed technical security measures to keep your information secure when stored electronically.
 
• All staff working in the NHS are bound by strict confidentiality guidelines which means only staff that are providing or supporting your care/treatment are entitled to access your information.

All staff are bound by the Common Law Duty of Confidentiality which means only staff involved with your care are entitled to access information relating to you. This is detailed within the confidentiality agreements signed by staff working in the Trust and is included within mandated training provided to all staff. All clinical staff are bound by strict professional codes of conduct which incorporate confidentiality clauses. Further information can be found on the respective British Medical Association (BMA), General Medical Council (GMC), and Nursing and Midwifery Council (NWC), and Allied Health Professions websites.

• We will not disclose any patient/personal information to a third party e.g. private organisation, solicitor, employer, police officer without obtaining your explicit consent, unless we have a legal duty to pass your information on in line with Data Protection laws. 

• We will only collect the minimum information required to provide and support your care.

Data protection law requires the Trust to only collect information which is relevant to your care and is not excessive.

• We keep your health record for a defined period of time as determined by Department of Health and Social Care Guidance.

We have a legal obligation to store your health information. The length of time we will store your information is set out by the Department of Health and Social Care. The longest we will keep a patient’s record is 30 years after their care has stopped.

More information about the NHS Retention Schedules are contained in the NHS England Records Management Code of Practice 2021

Can I access my own health record?

 

Can I see my own health record?

Yes, under the data protection legislation, individuals have the right to access their own information held by us. However there are a few exceptions, see below. Please talk to the healthcare professional responsible for your care about this. 

If you are no longer receiving care then please contact the Subject Access Request Team for access to your Medical Records - wcft.sarlegalrequests@nhs.net

How much does it cost?

As of 25 May 2018 there is no longer a charge for this service. However, you may be charged a reasonable fee for repeated requests for further copies of the same information.

 

Can I be refused access?

For the majority of requests you will be allowed access to your records. However, in some instances access may be denied to all or part of your records for the following reasons:

- If your doctor or another senior healthcare professional thinks seeing your records before seeing one of them could cause you or another serious harm or distress.

- If the information involves an identified person, who does not consent to this information being disclosed. This does not include healthcare professionals.

- If you are applying on behalf of someone who has died or who is not cable of managing their own affairs and they originally instructed that the information should not be disclosed.

 

How do I apply to access my health record?

If you would like to apply to access your health records, we ask you to complete our application form in order for us to gather all the information needed and return it to us via post or email (details below) along with copies of two forms of ID. Once the completed application form has been received, your application will begin to be processed.

Find out more information about accessing your health record

 

Can I change my records?

We have a legal obligation to ensure your information is accurate and up to date. We are however only obliged to make corrections to your records if the record contains incorrect facts such as name, address etc. If you believe that medical information or a clinician’s opinion that is noted on your file is incorrect this cannot be changed for safety reasons however a note can be added to your file stating your view.

If you wish to make changes to name, address etc. then please speak to your healthcare professional.

 

What are my rights?

 

If we need to use your personal information for any reason beyond those stated, we will discuss this with you. You have the right to ask us not to use your information in this way.

However, there are exceptions to this which are listed below.

If the public interest is thought to be of greater importance, for example:

• If a serious crime has been committed.
• If there are risks to the public or to our staff.
• To protect vulnerable children or adults.

If we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders.

If we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority).

Data protection laws give individuals rights in respect of the personal information that we hold about you. These are:

1. To be informed why, where and how we use your information.

2. To ask for access to your information.

3. To ask for information to be corrected if inaccurate or incomplete.

4. To ask for your information to be erased or removed (this does not apply to an individual’s health or care record or for public health or scientific research reasons).

5. To ask us to restrict the use of your information.

6. To ask us to copy or transfer your information to other providers in a safe and secure way, without impacting the quality of the information.

7. To object to how your information is used.

8. To challenge any decisions made without human Intervention (automated decision making).

N.B. The Trust does not undertake automated decision-making or profiling of your personal information. The only exception to this is sometimes during radiology imaging or radiology procedures. Please see the tab above How does the Trust use my information for further information.

Also, your information is not processed overseas.

Lawful basis for the processing of your information

 

We are committed to protecting your privacy and will only process personal confidential data in accordance with the appropriate legislation which includes the General Data Protection Regulation, Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

In our use of health and care information, we satisfy the Common Law Duty of Confidentiality by one or more of the following:

• You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses).
• We have approval from the Secretary of State for Health and Care or the Health Research Authority following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent.
• We have a legal requirement to collect, share and use the data.
• The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

The UK General Data Protection Regulation (UK GDPR) states that the processing of ‘personal data’ shall be lawful where it is:

Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

And for processing special categories of personal data where it is:

Article 9(2) (h) - Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services, carried out by or under the supervision of healthcare professionals or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The Health and Social Care Act 2012 also states the need to collect, record, store and use your personal data in order to provide healthcare services to you. 

Data Controller - The Walton Centre NHS Foundation Trust is a Data Controller as defined in the UK General Data Protection Regulation and Data Protection Act 2018. This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. The Walton Centre ICO Data Protection Register number is Z6052598 and our entry can be found in the online Data Protection Register on ICO 

Data Processors - The Trust will use the services of additional data processors, which will provide additional expertise to assist in the delivery of services. We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of information to be shared and the legal basis allowing us to legitimately share the information. We have entered into contracts with other companies/organisations to provide some services for us or on our behalf. These organisations are known as “data processors". These organisations are subject to the same legislation and accountability for keeping personal confidential data safe and secure and which is set out in a contract with us. Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

Patient and Public Involvement - If you have asked us to keep you regularly informed and up to date about the work of the Trust, or if you are actively involved in our engagement and consultation activities, or patient participation groups, we will collect and process personal confidential data which you share with us. We will obtain your consent for this purpose, when you initially contact us to get involved in our engagement and consultation activities. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this Privacy Notice.

UK GDPR states that the processing of ‘personal data’ shall be lawful where:

Article 6(1) (a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

And for processing special categories of personal data where:

Article 9(2) (a) - the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes. 

You can withdraw your consent to the further processing of your data at any time, if you have previously given consent for such processing, and there is no other legal basis for the Trust to continue processing it. 

CCTV - We have installed CCTV cameras on our Trust sites in areas that are used by members of the public and staff. This is for the purposes of public safety and crime prevention/detection. In all locations, signs are displayed notifying of the fact the CCTV is in operation and providing details of whom to contact for further information about the scheme.

GDPR states that the processing of ‘personal data’ shall be lawful where it is:

Article 6(1)(e) - Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Further queries

Should you have any further queries on the uses of your information, please speak or contact to one of the following:

Your healthcare professional 

Data Protection Officer wcft.dpo@nhs.net 

Information Governance Team on 0151 556 3038/3039 or wcft.information.governance@nhs.net

The Patient Experience Team, for practical advice our Patient Experience Team provide a Patient Advice and Liaison Service (PALS). You can contact our Patient Experience Team on 0151 556 3090, or email them at: wcft.patientexperience@nhs.net  

The Data Protection Officer is responsible for monitoring our compliance with data protection requirements. You can contact them with concerns relating to the use of your personal data.

Should you wish to lodge a complaint about the use of your information, please contact our Patient Experience Team using the information above.

Following this, if you are still unhappy with how we have used your data, you can then complain to the Information Commissioners Office (ICO).

The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk 

Useful websites for more information 

Information Commissioners Office - ICO

NHS England - www.england.nhs.uk 
NHS England: Protecting and safely using data in the new NHS England - NHS England » Protecting and safely using data in the new NHS England

National Data opt-out

We are applying the national data opt-out because we are using confidential patient information for purposes beyond individual care.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when allowed by law.

Most of the time, the data used for research and planning is anonymised, so that you cannot be identified, and your confidential patient information is not accessed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

The laws that health and care organisations rely on when using your information

Data protection laws mean that organisations must identify which law they are relying on when sharing information. For example if an organisation is sharing information because they are required by law to do so, they need to identify which law is requiring this. The following are the most likely laws that apply when using and sharing information in health and care. This list is not exhaustive.

Abortion Act 1967 and Abortion Regulations 1991
Requires that health and care staff share information with the Chief Medical Officer about abortion treatment they have provided.

Access to Health Records Act 1990
Allows access the health records of deceased people, for example to personal representatives or those who have a claim following the deceased person’s death.

Care Act 2014
Defines how NHS organisations and local authorities must provide care and support to individuals, including for the management of safeguarding issues. This includes using information to assess any person who appears to require care and support.

Children Act 1989
Sets out the duties of local authorities and voluntary organisations in relation to the protection and care of children. It requires organisations that come into contact with children to cooperate and share information to safeguard children at risk of significant harm.

Control of Patient Information Regulations 2002 (COPI)
Allows information to be shared for specific reasons in relation to health and care, such as for the detection and prevention of cancer, to manage infectious diseases, such measles or COVID-19. It also allows for information to be shared where approval has been given for research or by the Secretary of State for Health and Social Care.

Coroners and Justice Act 2009
Sets out that health and care organisations must pass on information to coroners in England.

Employment Rights Act 1996
Sets out requirements for employers in relation to their employees. This includes keeping records of staff when working for them.

Equality Act 2010
Protects people from discrimination based on their age, disability, gender reassignment, pregnancy or maternity, race, religion or belief, sex, sexual orientation. Organisations may need to use this information to ensure that they are complying with their responsibilities under this Act.

Female Genital Mutilation Act 2003
Requires health and care professionals to report known cases of female genital mutilation to the police.

Fraud Act 2006
Defines fraudulent activities and how information may be shared, for example with the police, to prevent and detect fraud.

Health and Social Care Act 2008 and 2012
Sets out the structure of the health and social care system and describes the roles of different types of organisations. It sets out what they can and can’t do and how they can or can’t use information. It includes a duty for health and care staff to share information for individual care, unless health and organisations have a reasonable belief that you would object. In addition, health and care organisations may need to provide information to:

• The Secretary of State for Health and Social Care
• NHS England, which leads the NHS in England
• The Care Quality Commission, which inspects health and care services
• The National Institute for Health and Care Excellence (NICE), which provides national guidance and advice to improve health and care
• NHS Digital, which is the national provider of information, data and IT systems for health and social care.
  

Health and Social Care (Community Health and Standards) Act 2003
Allows those responsible for planning health and care services to investigate complaints about health and care organisations they have a contract with.

Health Protection (Notification) Regulations 2010)
Requires health professionals to help manage the outbreaks of infection by reporting certain contagious diseases to local authorities and to the UK Health Security Agency. The UK Health Security Agency is responsible for protecting people from the impact of infectious diseases.

Human Fertilisation and Embryology Act 1990
Requires health organisations to report information about assisted reproduction and fertility treatments to the Human Fertilisation and Embryology Authority.

Human Tissue Act 2004
Requires health organisations to report information about transplants, including adverse reactions to the Human Tissue Authority.

Inquiries Act 2005
Sets out requirements in relation to Public Inquiries, such as the UK COVID-19 Inquiry. Public Inquiries can request information from organisations to help them to complete their inquiry.

Local Government Act 1972
Sets out the responsibilities of local authorities in relation to social care including managing care records appropriately. For example, it lays out how they should be created, stored and how long they should be kept for.

NHS Act 2006
Sets out what NHS organisations can and can’t do and how they can or can’t use information. It allows confidential patient information to be used in specific circumstances for purposes beyond individual care. These include a limited number of approved research and planning purposes. Information can only be used where it is not possible to use information which doesn’t identify you, or were seeking your explicit consent to use the information is not practical. The Act also sets out that information must be shared for the prevention and detection of fraud in the NHS.

Public Records Act 1958
Defines all records created by the NHS or local authorities as public records. This includes where organisations create records on behalf of the NHS or local authorities These records therefore need to be kept for certain periods of time, including permanently in some cases.

Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013
Requires employers to report deaths, major injuries and accidents to the Health and Safety Executive, the national regulator for workplace health and safety.

Safeguarding Vulnerable Groups Act 2006
Sets out requirements for organisations who work with vulnerable to share information and to perform pre-employment checks with the Disclosure and Barring Service (DBS), which is responsible for helping employers make

safer recruitment decisions.
Statistics and Registration Service Act 2007
Allows health organisations that plan services and local authorities to receive and disclose health and care information to the Office for National Statistics (ONS). The ONS is the UK’s largest independent producer of official statistics.

Terrorism Act 2000 and Terrorism Prevention and Investigation Measures Act 2011
Requires any person to share information with the police for the prevention and detection of terrorism related crimes.

The Road Traffic Act 1988
Requires any person to provide information to the police when requested to help identify a driver alleged to have committed a traffic offence.