Fair processing notice

Under the new General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 the Trust is required to inform its patients and staff of their rights.

Privacy Notice

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website; you can be assured that it will only be used in accordance with this privacy statement.

United Lincolnshire Hospitals NHS Trust may change this policy from time to time by updating this page. You should check this page frequently to ensure that you are happy with any changes.

Form data

We may collect the following information via any of the site’s input forms:

  • Your name and job title
  • Contact information including email address and telephone
  • Your address and postcode
  • Any email address data collected is never passed on to any third parties.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Data Protection

Under the UK Data Protection Legislation (General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018) the Trust is required to inform its patients and staff of their rights. These have been written to support the protection of your personal data. Your rights will not be affected by these changes.

Covid-19 and your information – Updated on 9 April 2020

Download the privacy notice which includes information about COVID-19 and your information.

What is a Privacy notice?

A privacy notice provides accessible information to you about how the trust will use your personal data.

What are your rights?

You have the rights to request the following:

  • Right to rectification – this requires the trust to rectify any information that has been found as inaccurate.
  • Right to erasure – this requires the trust to erase any information that falls under any of the following points;
    • No longer required to be kept by the trust
    • Where there is no legal grounds to keep the data
    • Unlawfully obtained.
    • That you object to the trust keeping the information. In this case, if you object please report this to the data protection officer for investigation, the contact details can be found at the bottom of this notice.
  • Right to restriction of processing – you have a right to stop processing if one of the following is relevant:
    • The accuracy of the data is in question
    • You restrict the use of your personal data. If this is the case, the trust will advise you that if this impacts on your healthcare we may refuse. This will be explained to you if this is the case.
  • Right to data portability – you have a right to request that any data held by the trust can be transferred to another organisation in a machine-readable format for onward transfer to the recipients system.
  • Right to object – you have the right to object to processing, unless the trust can show it is in the vital interests of you. This may include:
    • Direct Marketing – the trust can confirm that it does not use any patient data for direct marketing purposes
    • Research/ Scientific or historical purposes – the trust can confirm that it does collect and use information for these purposes. This will always be with your consent.
  • Automated individual decision-making, including profiling – you have the right to object to any automated decision making or profiling and request the trust ceases this activity. Profiling is described as taking information to evaluate things about you.

You can request to view or receive copies of the personal information United Lincolnshire Hospitals NHS Trust holds on you under the UK Data Protection Legislation. Further details on how to do this can be found under Access to Health Records.

Who is the controller and what are our responsibilities?

The controller is:

United Lincolnshire Hospitals NHS Trust

Lincoln County Hospital

Greetwell Road

Lincoln

Lincolnshire

LN2 5QY

United Lincolnshire Hospitals NHS Trust shall:

  • Have in place technical and organisational safeguards to protect your data and to demonstrate that processing of your information is in accordance with the regulation.
  • Put in place a data protection officer as the central point of contact on all matters relating to data protection.
  • Adhere to codes of practice as contained in article 40 (GDPR).

How the NHS and care services use your information

United Lincolnshire Hospitals NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.

Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case, your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit the NHS website. On this data matters web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used on the Health Research Authority website or visit the understanding patient data website.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

What information do we need to collect and why?

Personal information

Personal information is any information which can be used to identify you as an individual. It does not include information on organisations.

When we use your personal information we will do so in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 collectively known as the UK Data Protection Legislation.

We need to handle personal information about you so that we can provide services or work with you. This is how we look after your information:

When we ask you for personal information, we promise:

  • To make sure you know why we need it;
  • To only ask for what we need, and not to collect too much or irrelevant information;
  • To protect it and make sure no unauthorised person has access to it;
  • To let you know if we share it with other organisations to give you better public services – and if you can say no;
  • To make sure we don’t keep it longer than necessary;

In return, we ask you to:

  • Provide us with accurate information;
  • Inform us as soon as possible if there are any changes, such as a new address. This helps us to keep your information reliable and up to date.

What categories of data do we collect?

The UK Data Protection Legislation separates personal data into two categories. Under article 4 it defines personal data as any information relating to an individual who can be identified directly or indirectly from the data. This will include the use of a personal identifier such as your NHS.

Sensitive personal data is defined as special category data and includes the following;

  • Physical Health
  • Physiological
  • Genetic Information
  • Mental Health
  • Economic
  • Social identity

Consent explained

Under the UK Data Protection Legislation United Lincolnshire Hospitals NHS Trust must ensure that consent has been freely given, specific, informed and an unambiguous indication of your wishes. In other words, a positive opt in. Silence, pre-ticked boxes or inactivity must not infer consent.

However as the Trust may not have seen you to obtain consent this may have been obtained from your GP or another healthcare provider and in this case we would check with each health professional that consent has been obtained before we access your data.

There may be occasions when we will use you information without your consent. These will include:

  • Where the Trust has a legal duty to share your information.
  • The Trust in unable to obtain consent and it is yours or another person best interests to do so.
  • The courts or coroner requests such data.

We would only share what is relevant to the request and no more.

Who does the Trust share information with?

We share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities, other NHS trusts, general practitioners (GPs), ambulance services and primary care agencies. This will always be done with your consent.

Radiology

United Lincolnshire Hospitals NHS Trust is part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system, which is used by our healthcare professionals to access your radiology records.  If necessary, your radiology records may also be accessed by healthcare professionals in other NHS hospitals in the East Midlands or NHS Service Providers, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care.

If you have any concerns about providing information or how we use it, please discuss this with radiology staff so that you fully understand the potential impact on your care or treatment.

Lincolnshire Care Portal

In Lincolnshire NHS and social care services are working more closely together to better co-ordinate the delivery of care to people supported by local commissioners.

The Lincolnshire Care Portal is a programme that allows people to give health and care workers their consent to access their medical and care records during their treatment.

The people caring for you need to access information about your health and care record to make the best decisions about your diagnosis and treatment. By way of example, this could include GPs, hospital-based clinicians, nurses, health visitors and social care workers.

To enable this to happen more quickly and to improve the care you receive, a new process has been put in place. This will allow your information to be viewed by different health and care organisations, using existing computer systems.

This new process does not share your record with third party organisations, but provides health and care workers, with your consent, access to view your information.

Information will only be accessed by health and care workers that have a legitimate relationship with you and they will only access the data required to support your care.

More information can be found on the Lincolnshire Care Portal website.

Letters to patients (Hybrid Mail):

Like many NHS Trusts across the country, United Lincolnshire Hospitals NHS Trust use an external supplier to print and send out letters to patients. This is a fully automated process and the information contained within the letters is not visible during the process.

Both the supplier and the requirements for the process, storage and retention of sensitive data have been assessed to ensure the Trust remains compliant with UK Data Protection Legislation.

If you have any concerns or require further information please contact the Data Protection Officer via the below methods.

Post:
Information Governance Department,
Robey House,
Lincoln County Hospital,
Greetwell Road,
Lincoln,
Lincolnshire,
LN2 5QY
Email: maria.dixon@ulh.nhs.uk

Information sharing with non-NHS organisations

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services. However, we will not disclose any health information to third parties without your explicit consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Legislation.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • Education services
  • Local authorities
  • Police
  • Voluntary sector providers
  • Private sector providers

 

This Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is carrying out surveys on the Grantham & District Hospital and may contact patients who have accessed these services in 2020/21.

If you have opted out of your confidential patient information being used for secondary, use purposes (National Opt Out) you will not be contacted. Further information on how you can opt-out of the secondary use of your information can be found on the data opt out website.

Research and Innovation

United Lincolnshire Hospitals NHS Trust’s Research and Innovation team is committed to promoting and supporting clinical trials. Its mission is to establish Lincolnshire as a centre of excellence for clinical trials. Visit the research page to find out more.

If you want to opt out of your data being used for any secondary use, which includes research or audit, please visit the data opt out website.

Clinical Audit

Clinical audit is the process formally introduced in 1993 into the United Kingdom’s National Health Service (NHS), and is defined as “a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change”.

The focus of the Clinical Audit Group is to approve a programme of National (HQIP, NCEPOD) and Local Clinical audits (which will be maintained as a live audit plan and may be subject to additions during the course of the year), ensuring that all audits are relevant to the trust.

Data Protection Impact Assessments

UK Data Protection legislation requires the Trust to carry out a Data Protection Impact Assessment for processing that is likely to result in a high risk to individuals.

The table below lists the assessments that have been conducted and the status.

Reference Number Service Area System /Software Details Subject Class Approved Implementation
DPIA/005/18 Trust wide Hybrid Mail Personal Confidential Data Yes Nov-18
DPIA/006/18 Trust wide Digital Dictation Personal Confidential Data Yes
DPIA/008/18 Pharmacy OPAT Personal Confidential Data In Progress Feb-19
DPIA/009/18 Radiology Outsourcing of MRI scanning Personal Confidential Data In Progress Feb-19
DPIA/001/19 Pathology (Upgrade) Digital Images Personal Confidential Data/Anonymised Data In Progress Feb-19

 

DPIA/002/19 Endoscopy Medical Devices Personal Confidential Data Yes Jul-19
DPIA/003/19 Estates Parking Personal Confidential Data- staff Yes Jul-19
DPIA/004/19 Corporate Storage/ circulation  programme Meeting papers circulation Yes Jul-19
DPIA/005/19 Cardiology Pacemaker Programmer Personal Confidential Data Yes Jul-19
DPIA/006/19 Radiology Overseas Reporting Personal Confidential Data In Process N/A
DPIA/007/19 Human Resources Job Matching software Corporate data Yes May-19
DPIA/008/19 Orthotics Electronic system to order specialist equipment Personal Confidential Data Yes Jun-19
DPIA/009/19 Maternity Maternity Patient Administration System Personal Confidential Data Yes May-19
DPIA/010/19 Ophthalmology Ophthalmology patient administration system Personal Confidential Data Yes Jun-19
DPIA/011/19 Translation Services Translation Solutions Personal Confidential Data In Process N/A
DPIA/012/19 Translation Services Translation Solutions Personal Confidential Data In Process N/A
DPIA/013/19 Orthopaedics Consent Management Patient sign up (optional) Yes Jul-19
DPIA/014/19 Orthodontics Imaging storage/ transfer system Imaging Yes Aug-19
DPIA/016/19 Trust Wide Email system Corporate data/ Personal Confidential Data In Process N/A
DPIA/017/19 Finance/ Payroll Salary Sacrifice- employees No data processed without consent from staff member Yes Jul-19
DPIA/018/19 Data Quality Waiting List Validation Personal Confidential Data Yes Jul-19
DPIA/019/19 Outpatient Department Electronic appointments Personal Confidential Data Yes Nov-19
DPIA/001/20 Digital Services VPN Corporate Data/ Personal Confidential Data Yes May-20
DPIA/002/20 Contracting/ Procurement Electronic signature Corporate Data Yes May-20
DPIA/003/20 Mortuary Local authority sharing Personal Confidential Data Yes May-20
DPIA/004/20 Radiology Chest Imaging Database- COVID19 Personal Confidential Data Yes Apr-20
DPIA/005/20 Surgery Trauma system Personal Confidential Data In Process
DPIA/006/20 STP EMAS Care Portal Personal Confidential Data Yes Aug-20
DPIA/007/20 Pathology Coloscopy Database Personal Confidential Data Yes Aug-20
DPIA/008/20 Digital Services Communications solution (internal) No personal identifiable data Yes Nov-20
DPIA/009/20 Ophthalmology Patient transfer Personal Confidential Data Yes Nov-20
DPIA/011/20 Trust Board Patient engagement Personal Confidential Data Yes Dec-20
DPIA/001/20 Human Resources Staff Passports Personal Confidential Data Yes Jan-21
DPIA/002/21 Diabetes Clinical Personal Confidential Data Yes Aug-20
DPIA/003/21 Human Resources Staff system Personal Confidential Data Yes Oct-20
DPIA/004/21 Human Resources Booking application Corporate Yes Dec-20
DPIA/005/21 Human Resources Application Corporate Yes Jan-21
DPIA/006/21 Digital Services Software Corporate Data/ Personal Confidential Data Yes Jan-21
DPIA/007/21 Stand Yes Jan-21
DPIA/008/21 Cardiology Disposable Devices Personal Confidential Data Yes Mar-21
DPIA/009/21 Estates CCTV Pilot CCTV Yes Mar-21
DPIA/010/21 Estates CCTV Pilot CCTV Yes Mar-21
DPIA/011/21 Information Services Mandatory Data Set Anonymised data Yes Aug-21
DPIA/012/21 Estates CCTV Pilot CCTV Yes Mar-21
DPIA/013/21 Corporate Software Corporate Data Yes Jan-22
DPIA/014/21 Corporate Solicitors Corporate Data Yes Jan-22
DPIA/001/22 Cardiology Clinical Patient Confidential Data Yes Feb-22
DPIA/002/22 Paediatrics Patient Management Patient Confidential Data Yes Feb-22
DPIA/003/22 Digital Services Software Patient Confidential Data In Progress

 Who is the Data Protection Officer for the Trust?

The Data Protection Officer can be contacted via the below means:

Post: Data Protection Officer

Information Governance Department

Robey House

Lincoln County Hospital

Greetwell Road

Lincoln

Lincolnshire

LN2 5QY

Email: maria.dixon@ulh.nhs.uk

Rights to complain to the supervisory authority?

If you believe the Trust has breached your rights or we have not investigated your concerns fully then you have rights to complain to the supervisory authority/Information Commissioners’ Office.

You can contact them by emailing directly to casework@ico.org.uk

Alternatively, you can write to:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF