Liverpool Heart and Chest Hospital, Thomas Drive, L14 3PE
Switchboard: 0151 600 1616

Privacy notice

All personal data collected by Liverpool Heart and Chest Hospital NHS Foundation Trust is processed in accordance with the requirements of the General Data Protection Regulation and associated data protection legislation.  This notice explains why we collect personal information and how personal data is used by the Trust.  

The General Data Protection Regulation (GDPR)

The Trust processes data on behalf of patients, members of staff and any other living individual identified by manual or automated records.

All personal data collected is held and processed in accordance with the legal obligations placed on the Trust as a data controller by the GDPR. Data controllers are organisations who determine how and why personal data is processed, and under the GDPR, the data protection principles set out the main responsibilities for organisations.

The Trust conforms to the Data Protection Principles and ensures that personal data is collected fairly and processed lawfully. Processing includes obtaining, recording, holding, altering, retrieving, destroying or disclosing.

It is important that the information we hold about you is accurate. If you are aware of any inaccuracies in this information please let a member of staff know. Data is only processed for legitimate purposes, is kept as accurate as possible and is only kept for as long as is necessary. The Trust takes all reasonable steps to ensure your data is protected and not shared with anyone who does not have the right to access it.

In addition to the Data Protection Principles, patient confidentiality is supported by compliance with the common law duty of confidentiality and the Caldicott Principles covering the use of personal information of patients.

Read more about the Caldicott principles

Read more about the Duty of confidentiality

How we use information - patients

The Trust collects and uses your personal information for a number of purposes. The information we collect is important to support your care and is also a record of your relationship with healthcare staff involved in providing your care, e.g. doctors, nurses, administration and clerical staff.

This relationship is based on mutual trust and confidence and we will do everything possible to protect and maintain that trust.  It is important that the details you provide are accurate and that you let us know of any changes to them e.g. if you change address.

  

Direct care and administrative purposes

Information collected

The information we collect may be written down in paper records or held on computer in electronic records and will include:

  • Basic details such as your name, address, date of birth, NHS number, phone number, Next of Kin etc.
  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
  • Contacts we have had with you, such as outpatient clinic visits
  • Notes and reports about your health and any treatments you receive
  • Results of investigations such as laboratory and radiology results
  • Relevant information from other healthcare professionals, relatives and those who care for you

Read more about how we use basic details and personal demographics

Information may be shared with

Health care cannot be delivered unless relevant information is shared amongst healthcare professionals; therefore, information will be shared with other health professionals who become involved with your care and may be shared with other organisations. These organisations may include:

  • Your GP
  • Community Pharmacies
  • Community Services e.g. district nurses
  • Other NHS hospitals
  • NHS Walk-in Centres
  • NHS Direct & Care Direct
  • Out of Hours Doctors Services
  • Local Authority Departments, including Social Services, Education and Housing
  • Voluntary organisations
  • Private Sector providers (private hospitals, care homes, hospices)

Data processing purposes

  • Providing direct care and treatment
  • Carrying out local clinical audits; reviews of the care provided to make sure it is of the highest standard
  • External validation of care and services provided by Regulatory bodies such as Monitor and the Care Quality Commission
  • Waiting list management
  • Monitoring performance against national targets
  • Activity monitoring
  • Paying the hospital and its staff for the care they give you
  • Auditing financial accounts
  • Fully investigating any concerns or complaints raised about direct care provided
  • Sharing information with local authorities to safeguard patients and family members, in line with current legislation

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...
  • GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject

 

Commissioning and planning

Data processing purposes

  • Managing and planning the NHS
  • Making sure our services can meet patient needs in the future
  • Submissions for commissioning purposes and national collections
  • Preparing statistics on NHS performance and activity
  • To plan future services to meet future healthcare needs
  • To prepare statistics on NHS performance and activity
  • Seeking feedback on NHS services via the NHS National Patient Survey Programme (NPSP)

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject

Information may be shared with

  • Clinical Commissioning Group (CCG)
  • Department of Health - NHS England
  • NHS Digital

You can choose whether your confidential patient information is used for planning - Click to find out more 

 

Research

Data processing purposes

Information may be used for health research approved by the Local Research Ethics Committee. If you don’t want to take part in research you can refuse and this will not affect your treatment. If you do take part you will not be identified unless you agree.

Wherever we can we will remove anything that identifies you. If we cannot, your information will only be used for these purposes when you have given your consent. You will not be identified in any publication without your consent.

Further information about use of patient information for health and social care research is available on the NHS Health Research Authority website - click here to read more

Lawful basis

  • GDPR Article 6(1)(a): the individual (data subject) has given clear consent for you to process their personal data for a specific purpose
  • GDPR Article 9(2)(a): the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
  • GDPR Article 9(2)(j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes 

Information may be shared with

  • Research sponsors
  • University research teams

 Full details of information sharing arrangements will be provided in individual research project documentation.

You can choose whether your confidential patient information is used for research - Click to find out more 

 

Public health

Data processing purposes

Information may be shared to control infectious diseases and look after & protect the health of the general public.

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(1)(i): Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices...

Information may be shared with

  • Department of Health – Public Health England

 

Legal claims

Data processing purposes

We use information to fully investigate any legal claims and coroner requests for information.

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(f): Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Information may be shared with

  • Solicitors – Claimant and defendant nominated panel solicitors
  • NHS Resolution (NHSR)
  • Coroner’s Office

 

Training and education

Data processing purposes

Information may be used for training and education of health professionals to help to improve the quality of care and health services. You can choose not to be involved if you prefer and this will not affect your treatment.

Data are anonymised where explicit consent is not obtained.

Lawful basis

  • GDPR Article 6(1)(a): the individual (data subject) has given clear consent for you to process their personal data for a specific purpose
  • GDPR Article 9(2)(a): the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Information may be shared with

  • Health care professionals
  • Governing bodies

 

Legal obligation 

Data processing purposes

The Trust will only share information if there is a genuine need for it, as the law strictly controls the sharing of personal information. We will normally ask for your consent to share for non-care purposes.

  • Prevent Duty

Sometimes, however, the law requires us to pass on information without your consent:

  • To notify of a death
  • To inform the police if a serious criminal offence has been committed
  • By court order
  • Where there is a risk of harm or abuse to you or other people

Lawful basis

  • GDPR Article 6(1)(c): Processing is necessary for compliance with a legal obligation to which the controller is subject
  • GDPR Article 9(2)(b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law...

 

Information may be shared with

  • Coroner’s Office
  • The police
  • The courts
  • Local authorities

 

How we use information – other 

Private patients

Data processing purpose

  • Providing direct care and treatment
  • Carrying out local clinical audits; reviews of the care provided to make sure it is of the highest standard
  • Activity monitoring
  • Paying the hospital and its staff for the care they give you
  • Invoicing and debt recovery
  • Auditing financial accounts
  • Fully investigating any concerns or complaints raised about direct care provided

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 6(1)(b): processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
  • GDPR Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...

Information collected

  • Basic details such as your name, address, date of birth, phone number, Next of Kin; guarantor/sponsor etc.
  • Nationality; Passport number
  • GP and insurance company details
  • Contacts we have had with you, such as outpatient clinic visits
  • Notes and reports about your health and any treatments you receive
  • Results of investigations such as laboratory and radiology results

Information may be shared with

  • Insurance company if you are not paying for your care yourself
  • NHS Shared Business Services for invoicing and debt recovery purposes
  • Your GP and other healthcare providers involved in your care

 

Overseas visitors

Data processing purpose

  • Providing direct care and treatment
  • Carrying out local clinical audits; reviews of the care provided to make sure it is of the highest standard
  • Activity monitoring
  • Paying the hospital and its staff for the care they give you
  • Invoicing and debt recovery purposes
  • Auditing financial accounts
  • Fully investigating any concerns or complaints raised about direct care provided

Lawful basis

  • GDPR Article 6(1)(c): Processing is necessary for compliance with a legal obligation to which the controller is subject
  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...

Information collected

  • Basic details such as your name, address, date of birth, phone number, Next of Kin; etc.
  • Personal demographics: gender
  • Nationality; Passport number; Home Office reference number etc.
  • GP details
  • Contacts we have had with you, such as outpatient clinic visits
  • Notes and reports about your health and any treatments you receive
  • Results of investigations such as laboratory and radiology results

Information may be shared with

  • Home Office
  • NHS Shared Business Services for invoicing and debt recovery purposes
  • Your GP and other healthcare providers involved in your care

 

Employees

Data processing purposes

  • Employment purposes – refer to the Employment Records privacy notice available on the Trust’s intranet
  • To register ‘reportable incidents’ on Trust premises
  • Foundation Trust membership
  • Prevention and detection of crime and fraud - We may use the information we hold about you to detect and prevent crime or fraud. We will also share this information with other bodies that inspect and manage public funds. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
    • crime prevention, safeguarding and prosecution of offenders
    • sharing and matching of personal information for national fraud initiative

Lawful basis

  • GDPR Article 6(1)(b): processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
  • GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject
  • GDPR Article 6(1)(e): processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  • GDPR Article 9(2)(b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

Information collected

  • For Employment records see the specific privacy notice available on the Trust’s intranet
  • Non-employment
    • Basic details such as your name, address, date of birth, phone number, mobile phone number; email address
    • Personal demographics: gender; ethnic group
  • Prevention and detection of crime and fraud – more information is available on our intranet page ‘Anti-Fraud Service – Mersey Internal Audit Agency’

Information may be shared with

  • For Employment Records see the specific privacy notice available on the Trust’s intranet
  • Non-employment
    • Health and Safety Executive (HSE)
    • Membership information is not shared elsewhere
  • Prevention and detection of crime and fraud – more information is available on our intranet page ‘Anti-Fraud Service – Mersey Internal Audit Agency’

 

Foundation Trust Public Members 

Processing purpose

Information used to support your membership of the Trust, to keep you informed and invite you to participate in activities:

  • Members Matters newsletters
  • Members survey
  • Annual members meetings
  • Membership events
  • Council of Governors elections

Lawful basis

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Information collected

  • Basic details such as your name, address, date of birth, phone number, mobile phone number; email address and membership preferences (what you are most interested in).
  • Personal demographics: gender; ethnic group

Information may be shared with

  • Information is only used in relation to membership and is not shared elsewhere

 

Visitors/General Public

Data processing purposes

  • To register ‘reportable incidents’ on Trust premises
  • CCTV images are used to protect patients, visitors and staff, and for prevention & detection of crime and disorder

Lawful basis

  • GDPR Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject

Information collected

  • Basic details such as your name, address, date of birth, phone number, mobile phone number; job title, staff class (group) and email address

Information may be shared with

  • Health and Safety Executive (HSE)
  • The police

 

Website users

Data processing purposes

Lawful basis

 

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

 

Information may be shared with

  • Data is not shared externally and is not sold to third party organisations. The Trust may be required to share the data to meet any other lawful requirement imposed on the Trust.

 

Contact details

Compliance with data protection requirements is monitored by our Information Governance Team and any concerns raised are investigated. 

If you have a query about how the Trust uses information, please contact Information Governance on 0151 600 1240 or 1845, or by email to infogov@lhch.nhs.uk  

Alternatively contact our Data Protection Officer: Wyn Taylor, Information Governance & Health Records Manager on 0151 600 1368 or by email to wyn.taylor@lhch.nhs.uk
