Fair processing notice

Under UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 the Trust is required to inform its patients and staff of their rights.

Privacy Notice

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website; you can be assured that it will only be used in accordance with the law.

United Lincolnshire Hospitals NHS Trust may change this policy from time to time by updating this page. You should check this page frequently to ensure that you are happy with any changes.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Data Protection

Under the UK Data Protection Legislation (General Data Protection Regulation (GDPR) and the Data Protection Act 2018) the Trust is required to inform its patients and staff of their rights. These have been written to support the protection of your personal data. Your rights will not be affected by these changes.

What is a Privacy notice?

A privacy notice provides accessible information to you about how the trust will use your personal data.  It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.

Legal Basis

The ways in which we use your information are governed by law.

In addition, confidential information about you that you give to our staff to enable them to provide your care is governed by the common law duty of confidentiality.

Clinical (direct) care

When your information is used for your care and administrative purposes related to your care, we rely on Article 6(1)e and Article 9(2)h of the GDPR.

Secondary (indirect care) purposes

When there is a legal requirement that we provide specified data, for example to NHS Digital, we rely on Article 6(1)c of the GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.


In most instances we will rely on Article 6(1)e and Article 9(2)j of the GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

For further information on this legislation please visit the Government’s UK legislation website.

What are your rights?

The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request access to the personal data we hold about you, e.g. in health records. Further details on how to do this can be found under Access to Health Records.
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is explained in our Access to Health Records Procedure.
  • Refuse/withdraw consent to the sharing of your health records;
    • Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records “for the management of healthcare systems and services”.
      • Your consent will only be required if we intend to share your health records beyond these purposes, as explained above.
  • In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
  • Request your personal information to be transferred to other providers on certain occasions.
  • Object to the use of your personal information.
      • In certain circumstances you may also have the right to “object” to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment
      • For further information, please see the National data opt-out programme
  • Challenge any decisions made without human intervention (automated decision making).
  • Ask us to restrict the use of your information where appropriate.

Who is the data controller and what are our responsibilities?

The Controller is:

United Lincolnshire Hospitals NHS Trust
Lincoln County Hospital
Greetwell Road

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018.

We shall:

  • have in place technical and organisational safeguards to protect your data and to demonstrate that processing of your information is in accordance with the regulation.
  • put in place a Data Protection Officer as the central point of contact on all matters relating to data protection.
  • adhere to codes of practice as contained in article 40 (GDPR).


How the NHS and care services use your information

United Lincolnshire Hospitals NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.

Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case, your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please see the NDOO section below.

You can find out more about how patient information is used on the Health Research Authority website or visit the understanding patient data website.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

National Data Opt Out (object to the use of your personal information)

In line with recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This to give patients and the public more control over how their confidential patient information is used for research and planning purposes.

You have the right to opt out of your information being used for anything outside of direct care. More information about how to do this can be found on the NHS Digital website. The Trust is compliant with the National Opt Out rules.

What information do we need to collect and why?

Personal information

Personal information is any information which can be used to identify you as an individual. It does not include information on organisations.

When we use your personal information we will do so in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 collectively known as the UK Data Protection Legislation.

We need to handle personal information about you so that we can provide services or work with you. This is how we look after your information:

When we ask you for personal information, we promise:

  • To make sure you know why we need it;
  • To only ask for what we need, and not to collect too much or irrelevant information;
  • To protect it and make sure no unauthorised person has access to it;
  • To let you know if we share it with other organisations to give you better public services – and if you can say no;
  • To make sure we don’t keep it longer than necessary;

In return, we ask you to:

  • Provide us with accurate information;
  • Inform us as soon as possible if there are any changes, such as a new address. This helps us to keep your information reliable and up to date.

What categories of data do we collect?

The UK Data Protection Legislation separates personal data into two categories. Under article 4 it defines personal data as any information relating to an individual who can be identified directly or indirectly from the data. This will include the use of a personal identifier such as your NHS.

Sensitive personal data is defined as special category data and includes the following;

  • Physical Health
  • Physiological
  • Genetic Information
  • Mental Health
  • Economic
  • Social Identity

Who does the Trust share information with?

We may share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities, other NHS trusts, general practitioners (GPs), ambulance services and primary care agencies.


United Lincolnshire Hospitals NHS Trust is part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system, which is used by our healthcare professionals to access your radiology records.  This is known as EMRAD. If necessary, your radiology records may also be accessed by healthcare professionals in other NHS hospitals in the East Midlands or NHS Service Providers, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care.

For full details and to see the EMRAD Privacy Notice please visit: Terms and Conditions, Privacy Policy & Cookies – East Midlands Radiology (emrad.nhs.uk)

Lincolnshire Care Portal

In Lincolnshire NHS and social care services are working more closely together to better co-ordinate the delivery of care to people supported by local commissioners.

The people caring for you need to access information about your health and care record to make the best decisions about your diagnosis and treatment. By way of example, this could include GPs, hospital-based clinicians, nurses, health visitors and social care workers.

Information will only be accessed by health and care workers that have a legitimate relationship with you and they will only access the data required to support your care.

More information can be found on the Lincolnshire Care Portal website.


If you have an appointment scheduled with ULHT, your NHS number is provided to the NHS App so that you can access details of your appointments via the NHS App.

Information sharing with non-NHS organisations

We may need to share your personal information and information from your health records with non-NHS organisations from which you are also receiving care, such as Social Services and private sector providers.  However, we will not disclose information to third parties unless there are specific circumstances, such as where current legislation permits it or requires it, when the health or safety of others is at risk, or where we have explicit consent.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector providers

We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Legislation. For example;

  • Disclosure under a court order.
  • Sharing with the Care Quality Commission for inspection purposes.
  • Sharing with the Police for the prevention or detection of crime.
  • Where there is an overriding public interest to prevent abuse or serious harm to others.
  • Where the law requires it.
  • To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, which permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities.
    • Examples include the National Cancer Registration and Analysis Service, the Trauma Audit and Research Network, the National Congenital Anomaly and Rare Disease Registration Service, Inflammatory Bowel Disease Registry, UK Renal Registry and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.
  • Notifications of:
    • New births
    • Diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk.

Under a legal obligation we share personal information with the Data Services for Commissioners Regional Offices who de-identify the information before sharing it with commissioning organisations.

This Trust is required by law to protect the public funds it administers.  It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is currently contracting with the following private sector provider to provide patient services:

  • Medefer who will provide a virtual outpatient services for some Specialities. A patient can decline the Medefer service and wait to be seen by the hospital, but may have to wait longer than if they were treated by Medefer.

Research and Innovation

United Lincolnshire Hospitals NHS Trust’s Research and Innovation team is committed to promoting and supporting clinical trials. Its mission is to establish Lincolnshire as a centre of excellence for clinical trials. Visit the research page to find out more.

If you want to opt out of your data being used for any secondary use, which includes research or audit, please visit the data opt out website.

How long do we keep information?

We will only keep your or your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. A summary of the legal retention periods of NHS records can be found in the Records Management Code of Practice for Health and Social Care.

How do I contact the Data Protection Officer (DPO)

You can contact the DPO via [email protected].

Appropriate Policy Document

The ULHT appropriate policy document provides information about the legal basis and safeguards that the department has put in place for sensitive processing, the processing of special categories of personal data and criminal offence data.

Read the Appropriate Policy Document

Additional Relevant Information