
Privacy Notice

We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights and protection in law. 

Who is the Data Controller?

Leeds Community Healthcare NHS Trust (LCH) is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018 because we collect, store and use personal data to provide healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

Our registered address is Stockdale House, Victoria Road, Leeds. LS6 1PF

Information Commissioner’s Office (ICO) registration:  Z258777X

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to make sure the personal data we are responsible for, whether this is computerised or in paper form, is kept securely.

At Trust board level we have a Senior Information Risk Owner (SIRO) who is accountable for the management of the Trust’s information assets and a Caldicott Guardian who is responsible for the management of patient data and patient confidentiality. We also have a Data Protection Officer who ensures the Trust is accountable and complies with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The Data Protection Officer details are shown on the top right of this page.

What is our legal basis for processing my personal data?

LCH is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the GDPR. The legal bases for the majority of our processing are:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

  • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Where we process special categories data for employment or safeguarding purposes the condition is:

  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

What information do you collect about me?

The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you or other care providers e.g. GP, social care or hospital. The maintenance of these records will ensure that you receive the best possible care. These may be written down on paper or held on a computer and they include:

  • Basic personal details about you such as name, address, date of birth, next of kin etc

  • Contacts we have had with you such as appointment or clinic visits

  • Notes and reports about your health, treatment and care

  • Results of x-rays, scans and laboratory tests

  • Relevant information from people who care for you and know you well such as health professionals, relatives and carers.

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

How will my personal information be used?

Your health records are used to direct, manage and deliver the care you receive to ensure that:

  • The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
  • Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive
  • Appropriate information is available if you see another health professional, or are referred to a specialist or another part of the NHS

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Protect the health of the general public
  • Manage the health service
  • Ensure our services can meet patient needs in the future
  • Investigate patient queries, complaints and legal claims
  • Ensure the health care providers receive payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Undertake health research and development
  • Help train and educate healthcare professionals

How long will you keep my personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have been considered.

All records held by Leeds Community Healthcare NHS will be kept for the duration specified by national guidance from the Department of Health & Social Care found in the Records management: NHS code of practice for health and social care 2016.

Who do you share my personal information with?

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

We will share information with the following main partner organisations:

You may be receiving care from other people as well as the NHS, for example social care services. We may need to share some information about you with them if they have a genuine need for it so we can all work together for your benefit. Therefore, we may also share your information, subject to your permission and strict agreement about how it will be used, with:

  • Social care services

  • Education services

  • Local authorities

  • Voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties unless:

  • We have your permission

  • We have to share by law

  • We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse

  • We hold information that is essential to prevent, detect, investigate or punish a serious crime

If you have any concerns or would like further information please ask the staff caring for you or contact the Data Protection Officer at the address given at the top of this page.

How is my personal data you hold secured?

We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Is my personal data transferred to other countries?

Sometimes your data may be processed outside of the UK. In most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within the UK. When this is outside the EEA we will identify the data protections in place prior to transfer.

What are my legal rights?

Under certain circumstances, you have rights under data protection laws in relation to your personal data. We ensure that these rights are respected.

Right to be informed

You have a right to be informed if your personal data is being used. Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR (commonly known as a subject access request), although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else’s, physical or mental health.

Further information and to submit a subject access request

Right to rectification

You have the right to ask us to rectify any inaccurate data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Right to erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. E.g. we will not be able to stop the processing of your data if it is necessary to provide you with direct patient care.

Right in relation to automated individual decision-making

You have the right to object to being subject to a decision based solely on automated processing, including profiling.

Right to notification

You have the right to be notified if there has been a breach with regards to your personal data that we hold. This right is enforced if the breach is likely to result in a high risk of adversely affecting your rights and freedom.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of Leeds Community Healthcare’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact the Data Protection Officer in the first instance.

The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: ico.org.uk

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals. To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to do a DPIA for any other major project which requires the processing of personal data; sometimes it is a mandatory data protection requirement.

The DPIA must:

  • describe the nature, scope, context and purposes of the processing;

  • assess necessity, proportionality and compliance measures;

  • identify and assess risks to individuals; and

  • identify any additional measures to mitigate those risks.

Here at Leeds Community Healthcare NHS Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.

View a summary of all DPIAs carried out since 25 May 2018 when this became a data protection requirement.  The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact dpo.lch@nhs.net

National Data Opt Outs

Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is currently compliant with the national data opt-out policy.

How will the Coronavirus Act 2020 affect how you use my information?

Supplement privacy notice for Patients/Service Users

This notice describes how we may use your information in accordance with the Coronavirus Act 2020 to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available on the Trust's internet page.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. All required processing will be centrally controlled. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice on or before 30 September 2020 and may be extended. If no further notice is sent, they will expire on 30 September 2020. The date at the top of this page will be amended each time this notice is updated.

National Fraud Initiative 2020/22

The Trust is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Your personal data will be subject to the following automated profiling (as defined in Article 4, paragraph 4 GDPR):

Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the GDPR.

Data matching by the Cabinet Office is subject to a Code of Practice.

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on this data matching exercise contact the Trust's Counter Fraud Specialist, Beric Dawson, on 0845 300 3333, 07580 163541 or email: beric.dawson@tiaa.co.uk

Data Protection Officer

Narissa Leyland
Leeds Community Healthcare NHS Trust
Stockdale House
Victoria Road
Leeds
LS6 1PF

Email: dpo.lch@nhs.net

Information Governance Team    

Leeds Community Healthcare NHS Trust
Stockdale House
Victoria Road
Leeds 
LS6 1PF

Email: foi.lch@nhs.net

Find out more about Freedom of Information

Access your Personal Information

Further information and to submit a subject access request is here
