Fair processing notice

Under the new General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 the Trust is required to inform its patients and staff of their rights.

Under the new General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 the Trust is required to inform its patients and staff of their rights. The Data Protection Bill which will become the Data Protection Act 2018 has been written to support the protection of your personal data in preparation of the UK leaving the European Union. Your rights will not be affected by these changes.

Covid-19 and your information – Updated on 9 April 2020

Download the privacy notice which includes information about COVID-19 and your information.

Why was the change needed?

The European Union (EU) General Data Protection Regulation (GDPR) has been years in the making. Over the last 25 years, technology has changed our lives in ways nobody could have imagined so a review of the rules was needed. In 2016, the EU adopted the GDPR, one of its greatest achievements in recent years. It replaces the1995 Data Protection Directive which was adopted at a time when the internet was in its early stages.

Therefore data protection was out of date and needed modernisation to:

  • Reinforce your rights in the digital age.
  • Give back control to you over how your information is to be used and by whom.
  • Improve the free flow of information in the digital market.
  • Simplify the regulatory environment for business.

What is a fair processing notice?

A fair processing notice provides accessible information to you about how the trust will use your personal data.

What are your rights?

You now have the rights to request the following:

  • Right to rectification – this requires the trust to rectify any information that has been found as inaccurate without delay.
  • Right to erasure – this requires the trust to erase any information.
    • That no longer is required to be kept by the trust
    • Where there is no legal grounds to keep the data
    • Your data has been unlawfully obtained.
    • That you object to the trust keeping the information. In this case if you object please report this to the data protection officer for investigation, the contact details can be found at the bottom of this notice.
  • Right to restriction of processing – you have a right to stop processing if one of the following is relevant:
    • the accuracy of the data is in question
    • you restrict the use of your personal data. If this is the case the trust will advise you that if this impacts on your healthcare we may refuse. This will be explained to you if this is the case.
  • Right to data portability – you have a right to request that any data held by the trust can be transferred to another organisation in a machine-readable format for onward transfer to the recipients system.
  • Right to object – you have the right to object to unless the trust can show it is in the vital interests of you. This may include:
    • Direct Marketing – the trust can confirm that it does not use any patient data for direct marketing purposes
    • Research/Scientific or historical purposes – the trust can confirm that it does collect and use information for these purposes. This will always be with your consent.
  • Automated individual decision-making, including profiling – you have the right to object to any automated decision making or profiling and request the trust ceases this activity. Profiling is described as taking information to evaluate things about you.

Who is the controller and what are our responsibilities?

The controller is:

United Lincolnshire Hospitals NHS Trust

Lincoln County Hospital

Greetwell Road




The trust shall;

  • have in place technical and organisational safeguards to protect your data and to demonstrate that processing of your information is in accordance with the regulation.
  • Put in place a data protection officer as the central point of contact on all matters relating to data protection.
  • Adhere to codes of practice as contained in article 40.

Who is the Data Protection Officer for the Trust?

The Data Protection Officer can be contacted via the below means:

Post: Data Protection Officer

Information Governance Department

Robey House

Lincoln County Hospital

Greetwell Road




Email: ulh.dpo@nhs.net

What information do we need to collect and why?

Personal information

Personal information is any information which can be used to identify you as an individual. It does not include information on organisations.

When we use your personal information we will do so in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 collectively known as the Data Protection Legislation.

We need to handle personal information about you so that we can provide services or work with you. This is how we look after your information:

When we ask you for personal information, we promise:

  • to make sure you know why we need it;
  • to only ask for what we need, and not to collect too much or irrelevant information;
  • to protect it and make sure no unauthorised person has access to it;
  • to let you know if we share it with other organisations to give you better public services – and if you can say no;
  • to make sure we don’t keep it longer than necessary;

In return, we ask you to:

  • give us accurate information;
  • tell us as soon as possible if there are any changes, such as a new address. This helps us to keep your information reliable and up to date.

What categories of data do we collect? 

The GDPR separates personal data into two categories as like the previous data protection act did. Under article 4 it defines personal data as any information relating to an individual who can be identified directly or indirectly from the data. This will include the use of a personal identifier such as your NHS of staff number.

The more sensitive personal data is now defined as special category data and includes the following;

  • Physical health
  • Physiological
  • Genetic
  • Mental
  • Economic
  • Social identity

Consent must be obtained in all circumstances the only difference is as the trust will be using health data or as defined in GDPR as special category data we are required to obtain explicit consent.

Consent explained

Under the new regulation the Trust must ensure that consent has been freely given, specific, informed and an unambiguous indication of your wishes. In other words a positive opt in. Consent must not be inferred by silence, pre-ticked boxes or inactivity. However as the Trust may not have seen you to obtain consent this may have been obtained from your GP or another healthcare provider and in this case we would check with each health professional that consent has been obtained before we access your data.

There may be occasions when we will use you information without your consent. These will include:

  • Where the trust has a legal duty to share your information.
  • The trust in unable to obtain consent and it is yours or another person best interests to do so.
  • The courts or coroner requests such data.

We would only share what is relevant to the request and no more.

Rights to complain to the supervisory authority?

If you believe the Trust has breached your rights or we have not investigated your concerns fully then you have rights to complain to the supervisory authority/Information Commissioners’ Office.

You can contact them by emailing directly to casework@ico.org.uk

Or in writing to:

Information Commissioner’s Office

Wycliffe House

Water Lane




Who does the Trust share information with?

We share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities, other NHS trusts, general practitioners (GPs), ambulance services and primary care agencies. This will always be done with your consent.

United Lincolnshire Hospitals NHS Trust is part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system, which is used by our healthcare professionals to access your radiology records.  If necessary, your radiology records may also be accessed by healthcare professionals in other NHS hospitals in the East Midlands or NHS Service Providers, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care. If you have any concerns about providing information or how we use it, please discuss this with radiology staff so that you fully understand the potential impact on your care or treatment.

Lincolnshire Care Portal

In Lincolnshire NHS and social care services are working more closely together to better co-ordinate the delivery of care to people supported by local commissioners.

The Lincolnshire Care Portal is a programme which allows people to give health and care workers their consent to access their medical and care records during their treatment.

The people caring for you need to access information about your health and care record to make the best decisions about your diagnosis and treatment. By way of example this could include GPs, hospital-based clinicians, nurses, health visitors and social care workers.

To enable this to happen more quickly and to improve the care you receive, a new process has been put in place. This will allow your information to be viewed by different health and care organisations, using existing computer systems.

This new process does not share your record with third party organisations, but provides health and care workers, with your consent, access to view your information.

Information will only be accessed by health and care workers that have a legitimate relationship with you and they will only access the data required to support your care.

More information can be found on the Lincolnshire Care Portal website.

Letters to patients (Hybrid Mail):

Like many NHS Trusts across the country United Lincolnshire Hospitals NHS Trust use an external supplier to print and send out letters to patients. This is a fully automated process and the information contained within the letters is not visible during the process.

Both the supplier and the requirements for the process, storage and retention of sensitive data have been assessed to ensure the Trust remains compliant with UK Data Protection Legislation.

If you have any concerns or require further information please contact the Data Protection Officer via the below methods.

Information Governance Department,
Robey House,
Lincoln County Hospital,
Greetwell Road,
Email: ulh.dpo@nhs.net

Information sharing with non-NHS organisations

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services. However, we will not disclose any health information to third parties without your explicit consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Legislation.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • education services
  • local authorities
  • the police
  • voluntary sector providers
  • private sector providers

This Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is carrying out surveys on the Grantham & District Hospital and may contact patients who have accessed these services in 2020/21.

If you have opted out of your confidential patient information being used for secondary use purposes (National Opt Out) you will not be contacted.

Research and Innovation 

United Lincolnshire Hospitals NHS Trust’s Research and Innovation team is committed to to promoting and supporting clinical trials. Its mission is to establish Lincolnshire as a centre of excellence for clinical trials. Visit the research page to find out more.

If you want to opt out of your data being used for any secondary use which includes research or audit please visit the data opt out website.

Clinical Audit

Clinical audit is the process formally introduced in 1993 into the United Kingdom’s National Health Service (NHS), and is defined as “a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change”.

The focus of the Clinical Audit Group is to approve a programme of National (HQIP, NCEPOD) and Local Clinical audits (which will be maintained as a live audit plan and may be subject to additions during the course of the year), ensuring that all audits are relevant to the trust.

Data Protection Impact Assessments

UK Data Protection legislation requires the Trust to carry out a Data Protection Impact Assessment for processing that is likely to result in a high risk to individuals.

Below is a list assessments that have been conducted and the status of each.

Reference Number Service Area System /Software Details Subject Class Approved Implementation
DPIA/005/18 Trust wide Hybrid Mail Personal Confidential Data Yes Nov-18
DPIA/006/18 Trust wide Digital Dictation Personal Confidential Data Yes
DPIA/008/18 Pharmacy OPAT Personal Confidential Data In Progress Feb-19
DPIA/009/18 Radiology Outsourcing of MRI scanning Personal Confidential Data In Progress Feb-19
DPIA/001/19 Pathology (Upgrade) Digital Images Personal Confidential Data/ Anonymised Data In Progress Feb-19
DPIA/002/19 Endoscopy Medical Devices Personal Confidential Data Yes Jul-19
DPIA/003/19 Estates Parking Personal Confidential Data- staff Yes Jul-19
DPIA/004/19 Corporate Storage/ circulation  programme Meeting papers circulation Yes Jul-19
DPIA/005/19 Cardiology Pacemaker Programmer Personal Confidential Data Yes Jul-19
DPIA/006/19 Radiology Overseas Reporting Personal Confidential Data In Process N/A
DPIA/007/19 Human Resources Job Matching software Corporate data Yes May-19
DPIA/008/19 Orthotics Electronic system to order specialist equipment Personal Confidential Data Yes Jun-19
DPIA/009/19 Maternity Maternity Patient Administration System Personal Confidential Data Yes May-19
DPIA/010/19 Opthalmology Opthalmology patient administration system Personal Confidential Data Yes Jun-19
DPIA/011/19 Transaltion Services Translation Solutions Personal Confidential Data In Process N/A
DPIA/012/19 Transaltion Services Translation Solutions Personal Confidential Data In Process N/A
DPIA/013/19 Orthopaedics Consent Management Patient sign up (optional) Yes Jul-19
DPIA/014/19 Orthodontics Imaging storage/ transfer system Imaging Yes Aug-19
DPIA/016/19 Trust Wide Email system Corporate data/ Personal Confidential Data In Process N/A
DPIA/017/19 Finance/ Payroll Salary Sacrafice- employees No data processed without consent from staff member Yes Jul-19
DPIA/018/19 Data Quality Waiting List Validation Personal Confidential Data Yes Jul-19
DPIA/019/19 Outpatient Department Electronic appointments Personal Confidential Data Yes Nov-19
DPIA/001/20 Digital Services VPN Corporate Data/ Personal Confidential Data Yes May-20
DPIA/002/20 Contracting/ Procurement Electronic signature Corpoate Data Yes May-20
DPIA/003/20 Mortuary Local authority sharing Personal Confidential Data Yes May-20
DPIA/004/20 Radiology Chest Imaging Database- COVID19 Personal Confidential Data Yes Apr-20
DPIA/005/20 Surgery Trauma system Personal Confidential Data In Process
DPIA/006/20 STP EMAS Care Portal Personal Confidential Data Yes Aug-20
DPIA/007/20 Pathology Coloscopy Database Personal Confidential Data Yes Aug-20
DPIA/008/20 Digital Services Communications solution (internal) No personal identifiable data Yes Nov-20
DPIA/009/20 Ophthalmology Patient transfer Personal Confidential Data Yes Nov-20
DPIA/011/20 Trust Board Patient engagement Personal Confidential Data Yes Dec-20
DPIA/001/20 Human Resources Staff Passports Personal Confidential Data Yes Jan-21

How the NHS and care services use your information

United Lincolnshire Hospitals NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit the NHS website. On this data matters web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used on the Health Research Authority website or visit the understanding patient data website.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.


If you wish to discuss any concerns with the trust Data Protection Officer you can contact them via email or post.


Post: Data Protection Officer

Information Governance Department

Robey House

United Lincolnshire Hospitals NHS Trust

Lincoln County Hospital

Greetwell Road