- Privacy Notice
- Form data
- Links to other websites
- Data Protection
- Covid-19 and your information – Updated on 9 April 2020
- What is a Privacy notice?
- What are your rights?
- Who is the controller and what are our responsibilities?
- How the NHS and care services use your information
- What information do we need to collect and why?
- Personal information
- What categories of data do we collect?
- Consent explained
- Who does the Trust share information with?
- Lincolnshire Care Portal
- Letters to patients (Hybrid Mail):
- Information sharing with non-NHS organisations
- Research and Innovation
- Clinical Audit
- Data Protection Impact Assessments
We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website; you can be assured that it will only be used in accordance with this privacy statement.
United Lincolnshire Hospitals NHS Trust may change this policy from time to time by updating this page. You should check this page frequently to ensure that you are happy with any changes.
We may collect the following information via any of the site’s input forms:
- Your name and job title
- Contact information including email address and telephone
- Your address and postcode
- Any email address data collected is never passed on to any third parties.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Under the UK Data Protection Legislation (General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018) the Trust is required to inform its patients and staff of their rights. These have been written to support the protection of your personal data. Your rights will not be affected by these changes.
Covid-19 and your information – Updated on 9 April 2020
Download the privacy notice which includes information about COVID-19 and your information.
What is a Privacy notice?
A privacy notice provides accessible information to you about how the trust will use your personal data.
What are your rights?
You have the rights to request the following:
- Right to rectification – this requires the trust to rectify any information that has been found as inaccurate.
- Right to erasure – this requires the trust to erase any information that falls under any of the following points;
- No longer required to be kept by the trust
- Where there is no legal grounds to keep the data
- Unlawfully obtained.
- That you object to the trust keeping the information. In this case, if you object please report this to the data protection officer for investigation, the contact details can be found at the bottom of this notice.
- Right to restriction of processing – you have a right to stop processing if one of the following is relevant:
- The accuracy of the data is in question
- You restrict the use of your personal data. If this is the case, the trust will advise you that if this impacts on your healthcare we may refuse. This will be explained to you if this is the case.
- Right to data portability – you have a right to request that any data held by the trust can be transferred to another organisation in a machine-readable format for onward transfer to the recipients system.
- Right to object – you have the right to object to processing, unless the trust can show it is in the vital interests of you. This may include:
- Direct Marketing – the trust can confirm that it does not use any patient data for direct marketing purposes
- Research/ Scientific or historical purposes – the trust can confirm that it does collect and use information for these purposes. This will always be with your consent.
- Automated individual decision-making, including profiling – you have the right to object to any automated decision making or profiling and request the trust ceases this activity. Profiling is described as taking information to evaluate things about you.
You can request to view or receive copies of the personal information United Lincolnshire Hospitals NHS Trust holds on you under the UK Data Protection Legislation. Further details on how to do this can be found under Access to Health Records.
Who is the controller and what are our responsibilities?
The controller is:
United Lincolnshire Hospitals NHS Trust
Lincoln County Hospital
United Lincolnshire Hospitals NHS Trust shall:
- Have in place technical and organisational safeguards to protect your data and to demonstrate that processing of your information is in accordance with the regulation.
- Put in place a data protection officer as the central point of contact on all matters relating to data protection.
- Adhere to codes of practice as contained in article 40 (GDPR).
How the NHS and care services use your information
United Lincolnshire Hospitals NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.
Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case, your confidential patient information is not needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit the NHS website. On this data matters web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used on the Health Research Authority website or visit the understanding patient data website.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.
What information do we need to collect and why?
Personal information is any information which can be used to identify you as an individual. It does not include information on organisations.
When we use your personal information we will do so in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 collectively known as the UK Data Protection Legislation.
We need to handle personal information about you so that we can provide services or work with you. This is how we look after your information:
When we ask you for personal information, we promise:
- To make sure you know why we need it;
- To only ask for what we need, and not to collect too much or irrelevant information;
- To protect it and make sure no unauthorised person has access to it;
- To let you know if we share it with other organisations to give you better public services – and if you can say no;
- To make sure we don’t keep it longer than necessary;
In return, we ask you to:
- Provide us with accurate information;
- Inform us as soon as possible if there are any changes, such as a new address. This helps us to keep your information reliable and up to date.
What categories of data do we collect?
The UK Data Protection Legislation separates personal data into two categories. Under article 4 it defines personal data as any information relating to an individual who can be identified directly or indirectly from the data. This will include the use of a personal identifier such as your NHS.
Sensitive personal data is defined as special category data and includes the following;
- Physical Health
- Genetic Information
- Mental Health
- Social identity
Under the UK Data Protection Legislation United Lincolnshire Hospitals NHS Trust must ensure that consent has been freely given, specific, informed and an unambiguous indication of your wishes. In other words, a positive opt in. Silence, pre-ticked boxes or inactivity must not infer consent.
However as the Trust may not have seen you to obtain consent this may have been obtained from your GP or another healthcare provider and in this case we would check with each health professional that consent has been obtained before we access your data.
There may be occasions when we will use you information without your consent. These will include:
- Where the Trust has a legal duty to share your information.
- The Trust in unable to obtain consent and it is yours or another person best interests to do so.
- The courts or coroner requests such data.
We would only share what is relevant to the request and no more.
Who does the Trust share information with?
We share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities, other NHS trusts, general practitioners (GPs), ambulance services and primary care agencies. This will always be done with your consent.
United Lincolnshire Hospitals NHS Trust is part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system, which is used by our healthcare professionals to access your radiology records. If necessary, your radiology records may also be accessed by healthcare professionals in other NHS hospitals in the East Midlands or NHS Service Providers, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care.
If you have any concerns about providing information or how we use it, please discuss this with radiology staff so that you fully understand the potential impact on your care or treatment.
Lincolnshire Care Portal
In Lincolnshire NHS and social care services are working more closely together to better co-ordinate the delivery of care to people supported by local commissioners.
The Lincolnshire Care Portal is a programme that allows people to give health and care workers their consent to access their medical and care records during their treatment.
The people caring for you need to access information about your health and care record to make the best decisions about your diagnosis and treatment. By way of example, this could include GPs, hospital-based clinicians, nurses, health visitors and social care workers.
To enable this to happen more quickly and to improve the care you receive, a new process has been put in place. This will allow your information to be viewed by different health and care organisations, using existing computer systems.
This new process does not share your record with third party organisations, but provides health and care workers, with your consent, access to view your information.
Information will only be accessed by health and care workers that have a legitimate relationship with you and they will only access the data required to support your care.
More information can be found on the Lincolnshire Care Portal website.
Letters to patients (Hybrid Mail):
Like many NHS Trusts across the country, United Lincolnshire Hospitals NHS Trust use an external supplier to print and send out letters to patients. This is a fully automated process and the information contained within the letters is not visible during the process.
Both the supplier and the requirements for the process, storage and retention of sensitive data have been assessed to ensure the Trust remains compliant with UK Data Protection Legislation.
If you have any concerns or require further information please contact the Data Protection Officer via the below methods.
Information Governance Department,
Lincoln County Hospital,
Information sharing with non-NHS organisations
We may need to share your personal information and information from your health records with non-NHS organisations from which you are also receiving care, such as Social Services and private sector providers. However, we will not disclose information to third parties unless there are specific circumstances, such as where current legislation permits it or requires it, when the health or safety of others is at risk, or where we have explicit consent.
These non-NHS organisations may include, but are not restricted to:
- Social Services
- Education services
- Local authorities
- Voluntary sector providers
- Private sector providers
The Trust is contracting with the following private sector provider to provide patient services:
- Medefer who will provide a virtual outpatient services for some Specialities. A patient can decline the Medefer service and wait to be seen by the hospital, but may have to wait longer than if they were treated by Medefer.
We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Legislation.
There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:
- Disclosure under a court order.
- Sharing with the Care Quality Commission for inspection purposes.
- Sharing with the Police for the prevention or detection of crime.
- Where there is an overriding public interest to prevent abuse or serious harm to others.
- Where the law requires it.
- To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, which permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities.
- Examples include the National Cancer Registration and Analysis Service, the Trauma Audit and Research Network, the National Congenital Anomaly and Rare Disease Registration Service, Inflammatory Bowel Disease Registry, UK Renal Registry and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.
- Notifications of:
- New births
- diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk.
Under a legal obligation we share personal information with the Data Services for Commissioners Regional Offices who de-identify the information before sharing it with commissioning organisations.
This Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
Research and Innovation
United Lincolnshire Hospitals NHS Trust’s Research and Innovation team is committed to promoting and supporting clinical trials. Its mission is to establish Lincolnshire as a centre of excellence for clinical trials. Visit the research page to find out more.
If you want to opt out of your data being used for any secondary use, which includes research or audit, please visit the data opt out website.
Clinical audit is the process formally introduced in 1993 into the United Kingdom’s National Health Service (NHS), and is defined as “a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change”.
The focus of the Clinical Audit Group is to approve a programme of National (HQIP, NCEPOD) and Local Clinical audits (which will be maintained as a live audit plan and may be subject to additions during the course of the year), ensuring that all audits are relevant to the trust.
Data Protection Impact Assessments
UK Data Protection legislation requires the Trust to carry out a Data Protection Impact Assessment for processing that is likely to result in a high risk to individuals.
The table below lists the assessments that have been conducted and the status.
|Reference Number||Service Area||System /Software Details||Subject Class||Approved||Implementation|
|DPIA/005/18||Trust wide||Hybrid Mail||Personal Confidential Data||Yes||Nov-18|
|DPIA/006/18||Trust wide||Digital Dictation||Personal Confidential Data||Yes|
|DPIA/008/18||Pharmacy||OPAT||Personal Confidential Data||In Progress||Feb-19|
|DPIA/009/18||Radiology||Outsourcing of MRI scanning||Personal Confidential Data||In Progress||Feb-19|
|DPIA/001/19||Pathology (Upgrade)||Digital Images||Personal Confidential Data/Anonymised Data||In Progress||Feb-19|
|DPIA/002/19||Endoscopy||Medical Devices||Personal Confidential Data||Yes||Jul-19|
|DPIA/003/19||Estates||Parking||Personal Confidential Data- staff||Yes||Jul-19|
|DPIA/004/19||Corporate||Storage/ circulation programme||Meeting papers circulation||Yes||Jul-19|
|DPIA/005/19||Cardiology||Pacemaker Programmer||Personal Confidential Data||Yes||Jul-19|
|DPIA/006/19||Radiology||Overseas Reporting||Personal Confidential Data||In Process||N/A|
|DPIA/007/19||Human Resources||Job Matching software||Corporate data||Yes||May-19|
|DPIA/008/19||Orthotics||Electronic system to order specialist equipment||Personal Confidential Data||Yes||Jun-19|
|DPIA/009/19||Maternity||Maternity Patient Administration System||Personal Confidential Data||Yes||May-19|
|DPIA/010/19||Ophthalmology||Ophthalmology patient administration system||Personal Confidential Data||Yes||Jun-19|
|DPIA/011/19||Translation Services||Translation Solutions||Personal Confidential Data||In Process||N/A|
|DPIA/012/19||Translation Services||Translation Solutions||Personal Confidential Data||In Process||N/A|
|DPIA/013/19||Orthopaedics||Consent Management||Patient sign up (optional)||Yes||Jul-19|
|DPIA/014/19||Orthodontics||Imaging storage/ transfer system||Imaging||Yes||Aug-19|
|DPIA/016/19||Trust Wide||Email system||Corporate data/ Personal Confidential Data||In Process||N/A|
|DPIA/017/19||Finance/ Payroll||Salary Sacrifice- employees||No data processed without consent from staff member||Yes||Jul-19|
|DPIA/018/19||Data Quality||Waiting List Validation||Personal Confidential Data||Yes||Jul-19|
|DPIA/019/19||Outpatient Department||Electronic appointments||Personal Confidential Data||Yes||Nov-19|
|DPIA/001/20||Digital Services||VPN||Corporate Data/ Personal Confidential Data||Yes||May-20|
|DPIA/002/20||Contracting/ Procurement||Electronic signature||Corporate Data||Yes||May-20|
|DPIA/003/20||Mortuary||Local authority sharing||Personal Confidential Data||Yes||May-20|
|DPIA/004/20||Radiology||Chest Imaging Database- COVID19||Personal Confidential Data||Yes||Apr-20|
|DPIA/005/20||Surgery||Trauma system||Personal Confidential Data||In Process|
|DPIA/006/20||STP||EMAS Care Portal||Personal Confidential Data||Yes||Aug-20|
|DPIA/007/20||Pathology||Coloscopy Database||Personal Confidential Data||Yes||Aug-20|
|DPIA/008/20||Digital Services||Communications solution (internal)||No personal identifiable data||Yes||Nov-20|
|DPIA/009/20||Ophthalmology||Patient transfer||Personal Confidential Data||Yes||Nov-20|
|DPIA/011/20||Trust Board||Patient engagement||Personal Confidential Data||Yes||Dec-20|
|DPIA/001/20||Human Resources||Staff Passports||Personal Confidential Data||Yes||Jan-21|
|DPIA/002/21||Diabetes||Clinical||Personal Confidential Data||Yes||Aug-20|
|DPIA/003/21||Human Resources||Staff system||Personal Confidential Data||Yes||Oct-20|
|DPIA/004/21||Human Resources||Booking application||Corporate||Yes||Dec-20|
|DPIA/006/21||Digital Services||Software||Corporate Data/ Personal Confidential Data||Yes||Jan-21|
|DPIA/008/21||Cardiology||Disposable Devices||Personal Confidential Data||Yes||Mar-21|
|DPIA/011/21||Information Services||Mandatory Data Set||Anonymised data||Yes||Aug-21|
|DPIA/001/22||Cardiology||Clinical||Patient Confidential Data||Yes||Feb-22|
|DPIA/002/22||Paediatrics||Patient Management||Patient Confidential Data||Yes||Feb-22|
|DPIA/003/22||Digital Services||Software||Patient Confidential Data||In Progress|
Who is the Data Protection Officer for the Trust?
The Data Protection Officer can be contacted via the below means:
Post: Data Protection Officer
Information Governance Department
Lincoln County Hospital
Rights to complain to the supervisory authority?
If you believe the Trust has breached your rights or we have not investigated your concerns fully then you have rights to complain to the supervisory authority/Information Commissioners’ Office.
You can contact them by emailing directly to firstname.lastname@example.org
Alternatively, you can write to:
Information Commissioner’s Office