Skip to content

View navigation

Data Requests and Your Privacy

Access your information

In the UK by law you have a right to access your information under what is called a Subject Access Request. Simply complete the online form below and ensure the requested documents are attached such as Photographic ID and address verification so we can ensure you are who you say you are. You may be telephoned by one of the team to check some details from the record only you would know for security. We by law have to process this within 30 days.

Alternatively download the Online Data Request form here and email to ig.lch@nhs.net or post to our address listed on our Contact us.

Access someone else’s information

If you are not a public body (Police, Fire or GP etc.), executor of an individual’s estate or for any other reason you will usually need a Lasting Power of Attorney for Health and Wellbeing. Public bodies usually require a Court Order, or a special request previously known as a Section 29 to detect and prevent crime. If in doubt, simply complete the online data request form above and one of the team will come back to you initially usually within 48 hours.

If the individual is deceased, your information request would fall under the Access to Health Records Act 1990 and more information about medical records for the deceased can be found on the NHS website here.

In order to provide you with a copy or of your personal information, or invoke your individual rights as outlined below, we require two forms of identification; one photographic and one that confirms your current address. Please view our guidance on providing ID below.

Note: We will not release your information without the correct identification.

If you require any information outside the remit of Leeds Community Healthcare NHS Trust such as GP or Hospital information, please contact the relevant organisations directly.

Individual Rights Requests

If you wish to invoke your Individual Rights under the Data Protection Act 2018, this includes requesting an amendment or deletion to your personal information held by Leeds Community Healthcare NHS Trust, please download and complete the Individual Rights Requests form here and email to ig.lch@nhs.net

Please view the Guidance on providing ID information here  

Freedom of Information

Please complete the Online Data Request Form above. 

The Freedom of Information Act 2000 (FOIA) gives members of the public the right to request information that is held by public sector organisations such as NHS Trusts and local councils. You have the right to request information we hold under the FOIA.

The aim of the FOIA is to create a climate of openness in public services so that people can understand how operational decisions are made and how public funds are spent.

The FOIA does not permit the release of personal information such as health or employment records. If you require personal information held by the Trust, please submit a Subject Access request under the Data Protection Act 2018.

The FOIA covers all information held in a recorded format. The deadline to respond to requests made under the FOIA is 20 working days, although there are some circumstances where this may be extended under the terms of the legislation.

If the information you require is not available on our website via our Publication Scheme, please send us your Freedom of Information request via email or post (please see contacts box for details).

Our publications

A Publication Scheme is a legal requirement under Section 19 of the Freedom of Information Act.

A publication scheme gives people access to information an organisation routinely publishes. This includes plans, management arrangements, performance, inspection reports, policies and procedures and the minutes of key meetings. We aim to make as much information as possible available directly via our website, however as we continue to build our publication scheme, some content will be supplied on request.

How we use your information (Transparency Notice)

We respect privacy and confidentiality and are committed to protecting your personal data. This notice will tell you how we look after your personal data and about your rights and protection in law.

  • Leeds Community Healthcare NHS Trust (LCH) is the data controller under the UK General Data Protection Regulation and the Data Protection Act 2018 because we determine the purposes and means of the processing of your Personal Data when you are under our care.

    Personal Data is any information that is about you, from which you can be identified.

    We collect, store and use personal data to provide healthcare services.

    Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

    Our registered address is White Rose Office Park, Building 3, Leeds LS11 0LT

    Information Commissioner’s Office (ICO) registration:  Z258777X

    We take our duty to protect your personal data and maintain confidentiality and privacy very seriously.

    We are committed to taking all reasonable measures to make sure the personal data we are responsible for, whether this is computerised or in paper form, is kept securely.

     

    At Trust board level we have:

    • a Senior Information Risk Owner (SIRO) who is accountable for the management of the Trust’s information assets and has overall responsibility for LCH’s information risk.
    • a Caldicott Guardian who is responsible for protecting the confidentiality of people's health and care information entrusted to LCH and making sure it is used properly and in accordance with the Caldicott Principles.
    • We also have a Data Protection Officer who ensures the Trust is accountable and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Data Protection Officer’s details are shown on the top right of this page.
  • “Processing” includes all activities and actions carried out on Personal Data including collecting, storing, and using for purposes including Direct Care.

     LCH is a public body established by the NHS Act 2006, as amended by the Health and Social Care Act 2012.

    These Acts grant us statutory powers which underpin the legal bases that we use for the purposes of the UK GDPR. The legal bases for most of our healthcare related processing activities are:

    • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

     

    For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

     

    • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

     

    Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

    • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

     

    In order to process Special Category Data, which would include Personal Data concerning health, genetics, racial or ethnic origin, sex life or sexual orientation, religious or philosophical beliefs, or biometric data used for identification purposes, we need to ensure we meet an additional Legal Basis in the UK GDPR to allow this.

     

    Where we are processing Special Category l Data for purposes related to the commissioning and provision of health services, including “Direct Care” the Legal Basis is:

    • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

    Where we process Special Category Data for safeguarding purposes the Legal Basis is:

    • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

     

    Where we process Special Category Data for purposes such as Statutory purposes (where we are obliged the process Special Category Data by Law), ensuring equality of opportunity, preventing or detecting unlawful acts, preventing fraud, supporting individuals with specific conditions or disabilities and safeguarding purposes the Legal Basis is:

    • Article 9(2)(g) – processing is necessary for reasons of substantial public interest (supported by an appropriate condition from Schedule 1, Part 2 of the Data Protection Act 2018)

     

    Where we process Special Category for the purpose of research the Legal Basis is:

    • Article 9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

    For further details regarding the type of data processed and the legal basis used for specific services, please see the “service specific privacy notices” section of the website

  • The health professionals providing care keep records about your health, treatment and the care you receive with LCH. The information in your record may come from you or from other care providers e.g. GP, social care or hospital. Your records will be held on a computer system (or may be written down on paper in some circumstances) and they will include:

    • Basic personal details about you such as name, address, date of birth, next of kin etc
    • Contacts we have had with you such as appointment or clinic visits
    • Notes and reports about your health, treatment and care
    • Results of x-rays, scans and laboratory tests
    • Relevant information from people who care for you and know you well such as health professionals, relatives and carers.

    It is essential that the details we hold about you are accurate and up to date. Always check that your personal details are correct when you speak to or visit us, and please inform us of any changes as soon as possible

  • Your data is securely held within LCH systems, or by third party Data Processors who process your Personal data on our behalf.

    All systems which hold Personal and Special Category Data have been reviewed to ensure that they are secure and fit for purpose, and if they are provided by third party Data Processors that appropriate robust contractual arrangements are in place to protect your Personal Data.

    LCH uses TPP’s SystmOne (https://tpp-uk.com/products/) extensively across the services we provide, and most of the services have their own SystmOne “Unit”. This product is endorsed by NHS England and is widely used across the NHS.

    SystmOne allows LCH to share data about you across those service’s Units for the purpose of providing Direct Care.

    SystmOne also allows LCH to directly access your records from other Healthcare Providers, such as GPs, if their systems are set up to share with LCH systems.

    Some LCH services do not share information with any other units because the nature of the care they provide is regarded as sensitive.

    Some LCH services use other systems, either instead of, or alongside SystmOne to manage your records and care. 

    The other commonly used systems used in LCH are:

     PCMIS (https://www.pcmis.com/)

    Dentally (https://www.dentally.com/en-gb/)

     

    Some historic records are held within:

     Carenotes (https://www.oneadvanced.com/solutions/carenotes/)

     

  • Your health records are used to assist in the management and delivery of the care you receive to ensure that:

    • The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
    • Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive.
    • Appropriate information is available if you see another health professional, or are referred to a specialist or another part of the NHS.

     

    Your information will also be used to help manage the NHS and protect the health of the public by being used to:

    • Review the care we provide to ensure it is of the highest standard and quality
    • Protect the health of the general public
    • Manage the health service
    • Ensure our services can meet patient needs in the future
    • Investigate patient queries, complaints and legal claims
    • Ensure the health care providers receive payment for the care you receive
    • Prepare statistics on NHS performance
    • Audit NHS accounts and services
    • Undertake health research and development
    • Help train and educate healthcare professionals 

    Any usage of your data for any reason other than your Direct Care is carefully considered before any disclosure of data, and wherever possible your identity will be hidden.

    Some of the above disclosures are mandated i.e. LCH is compelled to comply.

  • All records held by Leeds Community Healthcare NHS will be kept for the duration specified by national guidance from the Department of Health & Social Care and found in the Records management: NHS code of practice for health and social care 2021.

    This will ensure that we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Everyone working within the NHS has a legal and ethical duty to ensure that the confidentiality of your records is respected.

     We will not disclose your information to any other third parties unless one of the following applies:

    • It is for the purpose of your Direct Care
    • We have your permission
    • We are required by law to share
    • We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
    • We hold information that is essential to prevent, detect, investigate, or punish a serious crime

    Anyone who receives information from us has a legal duty to keep it confidential, unless the conditions above apply...

    We may share information with the following main partner organisations:

    • Other NHS Trusts and hospitals involved in your care
    • Integrated Care Boards (ICBs)
    • NHS England
    • Care quality commission (CQC)
    • General Practitioners (GP’s)
    • Ambulance Services
    • “Shared Care Records” systems

    You may be receiving care from other organisations as well as the NHS, for example social care services. We may need to share some information about you with them if they have a genuine need for it so we can all work together for your benefit. 

    Therefore, we may also share your information with:

    • Social care services
    • Education services
    • Local authorities
    • Voluntary and private sector providers working with the NHS

     

    Leeds Care Record

    To support the right information being available to the right healthcare practitioner at the right time, Leeds Community Healthcare may share your data via the Leeds Care Record.

    Leeds Care Record is a secure health and social care record used only by health and care organisations providing direct patient care.

    A list of these organisations with access is listed on the Leeds Care Record website and is available to view via the following link: https://www.leedscarerecord.org/about/participating-organisations/.

    Leeds Care Record pulls key information about you from the different health and social care records and displays it in one combined record. This enables clinical and care staff involved in your direct care to find all the key information for your care in one place, helping them provide the best care to you as a patient or service user.

    To do this, it is essential that clinical and care staff have access to the most up-to-date information including alerts. Link to the Leeds Care Record Privacy Notice.

    If you have any concerns or would like further information please ask the staff caring for you or contact the Data Protection Officer at the address given at the top of this page.

    Yorkshire & Humber Care Record

    The Yorkshire and Humber Care Record (YHCR) is a digital shared care record solution that enables citizen information from multiple sources, to be accessed securely and updated in real time, when it is needed by appropriate health and care professionals.

    More information regarding how your data is used can be found on the YHVR website: https://www.yhcr.org/your-privacy/

  • We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

    We limit access to your personal data to only those employees, agents, contractors and other third parties who have a genuine need to know and who will only process your personal data on our instructions and are subject to a duty of confidentiality.

    We have procedures in place to deal with any suspected personal data breach and will notify the data subject affected, and the appropriate regulator of a breach where we are legally required to do so.

  • LCH’s default position is that any Personal Data processed on our behalf is to be processed within the UK.

    On those occasions when data may be processed outside of the UK, in most circumstances it will remain within GDPR compliant territories and will have the same protection as if processed within the UK.

    On the very rare occasions when this data is processed outside the GDPR compliant territories, we will put in place an International Data Transfer agreement with the appropriate data protection clauses in place, prior to transfer.

  • Under certain circumstances, you have rights under data protection laws in relation to your personal data. We ensure that these rights are respected.

    Right to be informed

    You have a right to be informed about how  your personal data is being used. Your right to be informed is met by the provision of this privacy notice, and we also provide similar information to you at the point of contact when you first access one of our services.

    Right of access

    You have the right to obtain a copy of any or all personal data that we hold about you, although there are some exceptions to what we are obliged to disclose.

    We may not provide all the information if, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.

    We will also remove references to any “Third Party” data (with the exception of the names of individual involved in your care).

    Further information and to submit a subject access request

    Right to rectification

    You have the right to ask us to rectify any inaccurate data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

    If you disagree with an opinion or diagnosis on your record we may not be able to rectify this if we feel it is factually accurate, or was accurate at the time of writing, but we may add an entry detailing that you think this is incorrect and why you think it is incorrect.

    Right to erasure (‘right to be forgotten’)

    The right to request that we erase personal data about you that we hold is not an absolute right, and depends on the legal basis that applies to the processing.

    This is generally not a right that is applicable to Medical Records.

    Right to object

    You have the right to object to processing of personal data about you on grounds relating to your particular situation, and you need to be aware that exercising this right may affect the care we can provide. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. E.g., we will not be able to stop the processing of your data if it is necessary to provide you with direct patient care.

    Right in relation to automated individual decision-making

    You have the right to object to being subject to a decision based solely on automated processing, including profiling.

    Right to notification

    You have the right to be notified if there has been a breach with regards to your personal data that we hold. This right is enforced if the breach is likely to result in a high risk of adversely affecting your rights and freedoms. 

    Right to complain to the Information Commissioner

    You have the right to complain to the Information Commissioner if you are not happy with any aspect of Leeds Community Healthcare’s processing of Personal Data or believe that we are not meeting our responsibilities as a Data Controller.

    We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact the Data Protection Officer at first instance.

    The contact details for the Information Commissioner are:

    Information Commissioner’s Office
    Wycliffe House
    Water Lane,
    Wilmslow SK9 5AF

    Website: ico.org.uk

  • A Data Protection Impact Assessment (DPIA) is a process that allows us to identify and minimise the data protection risks of a data processing activity, such as a new project, service, IT system etc and links into the principle of “Data Protection by Design and Default”

    When undertaking DPIAs we consider the impact on individuals that may be caused by the proposed processing and the security and controls that will be put in place. 

    Leeds Community Healthcare  has an established procedure to ensure that DPIAs are carried out when appropriate.

    A DPIA must:

    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.

    At LCH we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and reviewed.

  • Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

    The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

    • improving the quality and standards of care provided
    • research into the development of new treatments
    • preventing illness and diseases
    • monitoring safety
    • planning services

    This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

    Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

    You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

    To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

    • See what is meant by confidential patient information
    • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
    • Find out more about the benefits of sharing data
    • Understand more about who uses the data
    • Find out how your data is protected
    • Be able to access the system to view, set or change your opt-out setting
    • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
    • See the situations where the opt-out will not apply

    You can also find out more about how patient information is used at:

    https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

    https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

    You can change your mind about your choice at any time.

    Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

    Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

    Our organisation is compliant with the national data opt-out policy.

  • The Trust is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

    The Cabinet Office is responsible for carrying out data matching exercises.

    Your personal data will be subject to the following automated profiling (as defined in Article 4, paragraph 4 GDPR):

    Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

    The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the GDPR.

    Data matching by the Cabinet Office is subject to a Code of Practice.

    View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

    For further information on this data matching exercise contact the Trusts Counter Fraud Specialist, Nikki Cooper; mobile 07872 988939 or email: nikki.cooper1@nhs.net

  • Leeds Community Healthcare NHS Trust utilises Closed Circuit Television (CCTV) cameras in and around the Trust’s sites.

    The legal basis for collection of CCTV images is that processing is necessary for the purpose of the legitimate interests pursued by the controller, the Trust (GDPR Article 6(1)(f)). Our legitimate interest in doing so is in order to:

    • Protect staff, patients, visitors and Trust property
    • Assist in the identification, apprehension and prosecution of offenders and provide evidence in support of criminal or civil action in the courts.
    • Provide a deterrent effect and reduce unlawful activity
    • Help provide a safer environment for our staff
    • Help to identify practices that jeopardise the health and safety of other staff, patients or visitors

    All areas where CCTV is in use will be clearly signed to comply with data protection legislation. This is to alert people that they are about to enter an area monitored by CCTV cameras or remind them they are still in an area covered by CCTV. The signs will also act as an additional deterrent. We do not perform any covert surveillance.

    We MAY when necessary, lawful and fair share personal data / images to:

    • Police and other law enforcement agencies
    • Other emergency services
    • Public bodies with regulatory functions (which includes Council services)
    • Legal representatives, Courts, Hearings and Tribunals linking to legal proceedings
    • Ombudsman and Regulatory bodies
    • Insurance companies
    • Individuals / organisations requesting information where there is a lawful basis for disclosure under legislation such as the Data Protection Act 2018.
    • CCTV images will not be released or used for entertainment purposes.

    Images will not routinely be transferred to recipients outside of the UK.

    CCTV images are normally kept for no longer than 31 days.

    Images supplied as evidence supplied to the police and other agencies etc will be kept for longer.

    You have the right to access the personal data we hold about you; to request we rectify or erase your personal data; to object to or restrict processing in certain circumstances; and a right of data portability in certain circumstances.

    If you wish to request access to CCTV footage please follow the Subject Access Request Process, for Public Bodies such as the police please email your data request and completed authorisation form to: ig.lch@nhs.net

  • Data Protection Officer

    Steve Creighton

    Leeds Community Healthcare NHS Trust

    White Rose Office Park, Building 3

    Millshaw Park Lane

    Leeds, LS11 0DL

    Email: dpo.lch@nhs.net

    Department of Data Protection & Information Governance

    Leeds Community Healthcare NHS Trust

    White Rose Office Park, Building 3

    Millshaw Park Lane

    Leeds, LS11 0DL

    Email: ig.lch@nhs.net

Staff privacy notice

During the course of its employment activities, Leeds Community Healthcare Trust collects, stores and processes personal information about prospective, current and former staff (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff Personal and Special Category Data in a fair and lawful manner.

 This Privacy Notice should be read in conjunction with our HR policies.

Data Protection Officer

Steve Creighton
Leeds Community Healthcare NHS Trust
White Rose Office Park, Building 3
Millshaw Park Lane
Leeds, LS11 0DL

Email: dpo.lch@nhs.net

Information Governance Team    

Leeds Community Healthcare NHS Trust
White Rose Office Park, Building 3
Millshaw Park Lane
Leeds, LS11 0DL

Email: ig.lch@nhs.net

What to do if you need to speak to someone urgently...