Data protection law
We process data on behalf of our patients, staff and other individuals identified by manual or automated records. We conform to the principles of data protection and ensure that personal data is collected fairly and processed lawfully under the requirements of data protection legislation.
The Data Protection Act 2018 (DPA 2018) / UK General Data Protection Regulation (UK GDPR) provides protection for individuals regarding the processing of their personal data and places specific data protection & privacy considerations on organisations holding and using their information.
Personal data must be processed in accordance with the principles set out in the law, and organisations processing personal data must demonstrate compliance with the principles.
Personal data is only processed by the hospital for legitimate lawful purposes; information is kept as accurate as possible and only for as long as is necessary. We take all reasonable steps to ensure your data is protected and not shared with anyone who does not have the right to access it.
If you are aware of any mistakes in the information we hold about you please let a member of staff know or contact Information Governance - infogov@lhch.nhs.uk or Information Governance, Liverpool Heart and Chest Hospital NHS Foundation Trust, Thomas Drive, Liverpool, L14 3PE.
The law gives you the right to see your health record although there are some exceptions to this. If you are still undergoing treatment you should talk to the healthcare professional responsible for your care and ask if you could see your notes. Alternatively, to see or obtain copies of your records you need to make a written request to the hospital.
The Data Protection Principles
(a) Processed lawfully, fairly and in a transparent manner
(b) Collected for specified, explicit and legitimate purposes
(c) Adequate, relevant and limited to what is necessary
(d) Accurate and where necessary kept up to date
(e) Kept in a form which permits identification of data subjects for no longer than is necessary
(f) Processed in a manner that ensures appropriate security of the personal data
Key definitions
personal data - any information relating to an identified or identifiable individual (data subject); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller - the individual, organisation or organisations which, alone or jointly with others, determines the purposes and means of the processing of personal data
consent of the data subject - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
data concerning health - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status