View navigation

Privacy Notice

We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights and protection in law. 

QWho is the Data Controller?

Leeds Community Healthcare NHS Trust (LCH) is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018 because we collect, store and use personal data to provide healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

Our registered address is Stockdale House, Victoria Road, Leeds. LS6 1PF

Information Commissioner’s Office (ICO) registration:  Z258777X

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to make sure the personal data we are responsible for, whether this is computerised or in paper form is kept securely.

At Trust board level we have a Senior Information Risk Owner (SIRO) who is accountable for the management of the Trust’s information assets and a Caldicott Guardian who is responsible for the management of patient data and patient confidentiality. We also have a Data Protection Officer who ensures the Trust is accountable and complies with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The Data Protection Officer details are show on the top right of this page.

QWhat is our legal basis for processing my personal data?

LCH is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the GDPR. The legal bases for the majority of our processing are:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

  • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Where we process special categories data for employment or safeguarding purposes the condition is:

  • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

QWhat information do you collect about me?

The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you or other care providers e.g. GP, social care or hospital. The maintenance of these records will ensure that you receive the best possible care. These may be written down on paper or held on a computer and they include:

  • Basic personal details about you such as name, address, date of birth, next of kin etc

  • Contacts we have had with you such as appointment or clinic visits

  • Notes and reports about your health, treatment and care

  • Results of x-rays, scans and laboratory tests

  • Relevant information from people who care for you and know you well such as health professionals, relatives and carers.

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

QHow will my personal information be used?

Your records are used to direct, manage and deliver the care you receive to ensure that:

  • The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you

  • Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive

  • Appropriate information is available if you see another health professional, or are referred to a specialist or another part of the NHS

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

  • Review the care we provide to ensure it is of the highest standard and quality

  • Protect the health of the general public

  • Manage the health service

  • Ensure our services can meet patient needs in the future

  • Investigate patient queries, complaints and legal claims

  • Ensure the health care providers receive payment for the care you receive

  • Prepare statistics on NHS performance

  • Audit NHS accounts and services

  • Undertake health research and development

  • Help train and educate healthcare professionals

For these purposes we use data anonymised in line with the Information Commissioners Office (ICO) Anonymisation Code of Practice.

QHow long will you keep my personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have been considered.

All records held by Leeds Community Healthcare NHS will be kept for the duration specified by national guidance from the Department of Health & Social Care found in the Records management: NHS code of practice for health and social care 2016.

QWho do you share my personal information with?

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

We will share information with the following main partner organisations:

You may be receiving care from other people as well as the NHS, for example social care services. We may need to share some information about you with them if they have a genuine need for it so we can all work together for your benefit . Therefore, we may also share your information, subject to  your permission and strict agreement about how it will be used, with:

  • Social care services

  • Education services

  • Local authorities

  • Voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties unless:

  • We have your permission

  • We have to share by law

  • We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse

  • We hold information that is essential to prevent, detect, investigate or punish a serious crime

If you have any concerns or would like further information please ask the staff caring for you or contact the Data Protection Officer at the address given at the top of this page.

QHow is my personal data you hold secured?

We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

QIs my personal data transferred to other countries?

Sometimes your data may be processed outside of the UK, in most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within the UK. When this is outside the EEA we will identify the data protections in place prior to transfer.

QWhat are my legal rights?

Under certain circumstances, you have rights under data protection laws in relation to your personal data. We ensure that these rights are respected.

Right to be informed

You have a right to be informed if your personal data is being used. Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR (commonly known as a subject access request), although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.

Further information and to submit a subject access request

Right to rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Right to erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. E.g. we will not be able to stop the processing of your data if it is necessary to provide you with direct patient care.

Right in relation to automated individual decision-making

You have the right to object to being subject to a decision based solely on automated processing, including profiling.

Right to notification

You have the right to be notified if there has been a breach with regards to your personal data that we hold. This right is enforced if the breach is likely to result in a high risk of adversely affecting your rights and freedom.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of Leeds Community Healthcare’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact the Data Protection officer at first instance.

The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: ico.org.uk

QData Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals.  To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered.  High risk could result from either a high probability of some harm, or a lower possibility of serious harm.  It is also good practice to do a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.

The DPIA must:

  • describe the nature, scope, context and purposes of the processing;

  • assess necessity, proportionality and compliance measures;

  • identify and assess risks to individuals; and

  • identify any additional measures to mitigate those risks.

Here at Leeds Community Healthcare NHS Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.

View a summary of all DPIAs carried out since 25 May 2018 when this became a data protection requirement.  The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact dpo.lch@nhs.net

QService specific Privacy Notices

Data Protection Officer

Narissa Leyland
Leeds Community Healthcare NHS Trust
Stockdale House
Victoria Road
Leeds
LS6 1PF

Email: dpo.lch@nhs.net

Information Governance Team    

Leeds Community Healthcare NHS Trust
Stockdale House
Victoria Road
Leeds 
LS6 1PF

Email: foi.lch@nhs.net

Find out more about Freedom of Information

Access your Personal Information

Further information and to submit a subject access request is here

What to do if you need to speak to someone urgently...