Protecting your personal information is extremely important to us and we take our duty to protect and safeguard your personal information and confidentiality very seriously.
Personal data is information that relates to an identified or identifiable living individual. Additionally, special category data (such as health data, ethnicity, religion, sexual orientation, etc.) and criminal convictions and offence data is also personal data that needs more protection and security because of its sensitivity.We are committed to taking all reasonable measures to ensure the confidentiality and security of all personal data for which we are responsible, whatever format and medium it is held in, at all times.
At Trust Board level:
- Rob Collins, Executive Director of Finance is our appointed Senior Information Risk Owner (SIRO). The SIRO has executive responsibility for the management of information risks and incidents and the protection and secure handling of all information within the Trust.
- Dr Noir Thomas, Executive Medical Director is our appointed Caldicott Guardian. The Caldicott Guardian is responsible for the management and protection of patient information and patient confidentiality.
In line with current Data Protection law, we are registered with the Information Commissioner’s Office (ICO) as a data controller and our Registration Number is Z6634416, and we have appointed a Data Protection Officer (DPO), who is our Head of Information Governance.
The SIRO and Caldicott Guardian are supported by the Data Protection Officer and the Information Governance (IG) Team. The Information Governance Team’s roles cover:
- Access to records requests (including the courts, deceased patients, police, etc.)
- Caldicott Principles
- Care and corporate records (including record-keeping and records management)
- Clinical coding
- Confidentiality
- Data Protection
- Environmental Information Regulations (EIR)
- Freedom of Information (FOI)
- Information incidents and breaches
- Information risk management
- Information security
- Information sharing
- Subject Access Requests (SAR) from individuals and/or their authorised representatives
- Training.
The current Data Protection law – the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) – were originally introduced back in May 2018. The new legislation strengthened the previous legislation that had been in place for 20 years and brought it in line with modern society and technology. It aimed to achieve a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information. The law applies to all types of personal information, whether held on a computer system, other electronic media or paper records, and includes both facts and opinions about the individual.
The legislation places legal obligations on those who collect, store and share information (data controllers), and gives rights to those who are the subject of that information (data subjects).
We are registered with the Information Commissioner’s Office (ICO) as a data controller and our Registration Number is Z6634416.
To learn more about the legislation, please visit the Information Commissioner’s Office’s website. The full Data Protection Act 2018 is available on the Government's legislation website.
Data Protection law works in two main ways – it sets out rules for organisations (data controllers) that handle personal information and it gives individuals (data subjects) rights over how their personal information is used.
As part of performing our public task as a provider of healthcare services, we collect, store, use and share information about employees, patients, emergency contacts, carers, family members, Foundation Trust members, suppliers and members of the public.
Any personal information provided to us is essential for us to provide effective healthcare and services. We sometimes need to collect, store and share this information, but must always respect an individual's right to privacy and the right to be informed about how the information will be used.
The law requires the Trust to process person confidential information in accordance with a set of legal rules - the seven Data Protection Principles.
These include obligations covering the lawfulness, collection and use, accuracy, security, retention and ultimately deletion of personal information, specifically:
- Lawfulness, fairness and transparency - processed lawfully, fairly and transparently
- Purpose limitation - collected for specified, explicit and legitimate purposes
- Data minimisation - adequate, relevant and limited to what is necessary.
- Accuracy - accurate and, where necessary, kept up-to-date
- Storage limitation - not kept for longer than necessary
- Integrity and confidentiality - processed in a manner that ensures appropriate security
- Accountability - must be able to demonstrate compliance with the principles above.
The Trust collects and processes personal information in order to help provide healthcare services to our patients and ensure that they receive the best possible care from us, and to assist us in meeting our business responsibilities. The information we obtain and hold must comply with the Data Protection law and only be used for specific purposes allowed by law.
The current Data Protection law provides individuals with eight rights in respect of their own person confidential information. Please note that the lawful basis used for processing under the legislation also affects which rights are available to individuals and some rights will not always apply. The specific rights are:
- To be informed - about the collection and use of their personal data (see our privacy notices)
- Access – to access and receive a copy of their personal data. This is commonly referred to as a Subject Access Request (SAR).
Individuals wishing to access their records should initially contact SAR@merseycare.nhs.uk
Applicants need to provide sufficient information to identify them (e.g. name, address, date of birth, etc.), details of the services they were under and the time period their request relates to, as well as copies of proof of their identity sufficient to confirm their name, address and date of birth (e.g. utility bill, driving licence, etc.) and to correctly identify them in our records.
People have a right to have their records kept confidential and the Trust, as record holders, are obliged to be satisfied that an applicant is legitimate and entitled to access a specific person’s record. This is why we ask for proof of identity as part of the application process.
Upon receipt, the request will be forwarded to the relevant SAR Lead within the Trust to be acknowledged and processed.
- Rectification - to have inaccurate personal data rectified or completed if it is incomplete. Individuals wishing to rectify their records should initially contact the Records Team
- Erasure (also known as 'the right to be forgotten') - to have their personal data erased. Please note that the right of erasure does not apply to health information and health records maintained and held by the Trust or to any special category data processed for health and social care purposes (further guidance on this is available on the ICO's website)
- Restrict processing - to request the restriction or suppression of their personal data
- Data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing them to move, copy or transfer personal data easily from one IT environment to another. Please note that this right only applies to information an individual has provided to the Trust (further guidance on this is available on the ICO's website)
- Object - to the processing of their personal data in certain circumstances, including being used for direct marketing. Please note that, except for direct marketing, in other cases where the right to object applies, the Trust may be able to continue processing if it can show that it has a compelling reason for doing so (further guidance on this is available on the ICO's website)
- Rights in relation to automated decision making and profiling
Individuals wishing to request any of their other rights should initially contact the IG Team or the Data Protection Officer.
As part of Data Protection law, we are required to have and appoint a Data Protection Officer (DPO).
The Data Protection Officer’s responsibilities include informing and advising the Trust on its Data Protection obligations, monitoring internal compliance with Data Protection law, and acting as a contact point for individuals (data subjects) and the Information Commissioner’s Office (ICO).
If you have any concerns regarding how your information is used or our compliance with Data Protection requirements, please contact our Information Governance Team at IG@merseycare.nhs.uk or our Data Protection Officer at DPO@merseycare.nhs.uk
Compliance with the national Information Governance (IG) framework and agenda is measured and monitored through the national Data Security and Protection Toolkit (DSPT) - an online self-assessment tool - to which the Trust makes regular submissions each year.
The Trust's submissions are published and publicly available on the DSPT website.
The DSPT allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
We are committed to sharing person confidential information appropriately and lawfully.
To provide effective health care, we routinely share your information with other organisations involved in your care, including your GP and other NHS and Social Care organisations. Our Trust has a legitimate legal basis to share information to provide direct care for health and social care purposes under the current Data Protection law.
Sometimes we may need to share your information with other organisations. We will identify an appropriate legal basis to share information in such instances and, if necessary, we will ask your permission before sharing it. However, there are certain circumstances where our Trust does not need to, for example:
- If the information has been anonymised so you are not identifiable
- If you need urgent medical treatment
- To protect children, young people and adults from harm, abuse or neglect
- To assist with the prevention or detection of a crime
- If we are ordered to provide information as part of legal proceedings
- If there is an overriding public interest concern.
The Caldicott Principles set the standards for handling patient identifiable information. There are eight general principles that are applicable to all health and social care organisations:
- Justify why you need to use it
- Only use it when absolutely necessary
- Use the minimum information required
- Access should be on a strict need-to-know basis
- Everyone involved must understand and be aware of their responsibilities
- Understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
- Inform patients and service users about how their confidential information is used
In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This to give patients and the public more control over how their confidential patient information is used for research and planning purposes.
The Government response to the review set out that all health and adult social care organisations in England must comply with the national data opt-out policy by March 2020.
What is the national data opt-out?
It is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment. The public can change their national data opt-out choice at any time.
Who needs to comply with national data opt-out policy?
The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.
In summary the national data opt-out applies to:
- all NHS organisations (including private patients treated within such organisations),
- all Local Authorities providing publicly funded care,
- adult social care providers where the care provided is funded or arranged by a public body, and
- private or charitable healthcare providers providing NHS funded treatment or arranged care.
Which data disclosures do national data opt-outs apply to?
National data opt-outs apply to a disclosure when an organisation, eg a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.
The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.
In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, eg research body, without being in breach of the common law duty of confidentiality. To be clear it is only in these cases where opt-outs apply.
National data opt-outs do not apply where:
- information being disclosed is anonymised in accordance with the Information Commissioner's Office's anonymisation code of practice,
- the individual has given their consent for their information to be used for a particular purpose, eg a specific research study,
- there is an overriding public interest in the disclosure, ie the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the 'public interest test', and
- there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.
In these scenarios above, section 251 approvals would not have been sought.
What has the Trust done?
The Trust has put processes in place to assess any current or future uses of confidential patient information prior to disclosure to consider and apply national data opt-outs where necessary in accordance with national data opt-out operational policy. These have been included in Trust policies and procedures and staff have been advised. It has also updated its patient privacy notice with a national data opt-out compliance statement.
Further information
For more information on being compliant with and applying national data opt-outs see compliance with national data opt-out. For queries relating to the national data opt-out, please email enquiries@nhsdigital.nhs.uk or call 0300 303 5678.
Further information
The Information Commissioner's Office (ICO) is the independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.
They regulate, enforce and oversee the current Data Protection law, the Freedom of Information Act and the Environmental Information Regulations
Further information on their role is available from the ICO website.