This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.
It covers information we collect directly from you or receive from other individuals or organisations. The law strictly controls the sharing of some types of personal information and the Trust ensures full compliance with the Data Protection Act 2018 when processing its data. However, within the law, information about you may be passed on to others for your continuing healthcare and treatment.
This notice is not exhaustive. However, we are happy to provide any additional information or an explanation if needed. To contact us about any of the points in this notice please see the contact details at the end of this notice.
We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Under the terms of the Data Protection Act, Luton and Dunstable University Hospital NHS Foundation Trust is a Data Controller.
We are legally responsible for ensuring that all personal information we hold and use is handled in compliance with the law. All data controllers must ensure they are compliant with the Data Protection Act 2018. More information can be found on the Information Commissioner’s website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution, the Health and Social Care Information Centre Guide to Confidentiality, as well as the NHS Confidentiality Code of Practice, provide a commitment that all NHS organisations, and those providing care on behalf of the NHS, will use records about you in ways that respect your rights and promote your health and well-being.
We will not share information that identifies you unless we have a fair and lawful basis on which to do so:
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies. This is done for the purpose of improving local services, research, audit and public health. This is an important part of our processing as it ensures that the NHS keeps improving its standards and treatments.
We also anonymise information for Indirect Care so that we can:
Your information is held by the Trust so we can ensure we give you the correct care and treatment.
There are many definitions of personal data; those below may be of use to you.
This refers to any information relating to an identified living individual.
This is defined in the Data Protection Act as information about an identifiable factor.
Processing Personal Data
This means any operation or set of operations which are undertaken on personal data, whether by automated means or not.
Personal Confidential Data
This is personal information about identified or identifiable individuals which is also confidential. ‘Personal’ includes the Data Protection Act definition of personal data, but also includes the deceased as well as the living. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, e.g. health records. It is adapted to include ‘special categories’ data as defined in the Data Protection Act.
This means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that information is kept separately.
Anonymised Information – is data that has been changed into a form which does not identify individuals or where there is little risk of identification.
Aggregated Information – is anonymised data that is grouped together so that it does not identify any individuals.
The Trust ensures that information is not kept for any longer than is necessary in line with the Data Protection Act 2018 and GDPR. The Trust abides by the NHS Retention Schedules which can be found here.
The right of access, commonly referred to as a subject access request, gives individuals the right to obtain a copy of their personal data as well as other supplementary information.
What are you entitled to?
You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone). Please click here to complete a form if you would like access to the following health records.
Accessing a deceased patient’s health record
The Access to Health Records Act 1990 gives a deceased patient’s personal representative, and anyone who may have a claim arising out of the patient’s death, a right of access to the patient’s clinical records. This is not a general right and access may be limited to information of relevance to the possible claim.
Access can be limited or refused if:
Return the completed form to us attaching your proof of identity documentation.
Post: Luton and Dunstable University Hospital, Lewsey Rd
We will not charge a fee for providing your information, your child’s health record, a record you access as a nominee for a patient, or that of a deceased family member. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with a request for further copies of the same information. The fee will be based on the administrative cost of providing the information.
Viewing health records
Viewing your health records is free of charge.
An appointment MUST be arranged with the Information Governance Department prior to viewing records electronically. Please contact us on 01582 718386
The Trust will endeavour to deal with your request within a 21 day time limit (NHS best practice). However, by law we have 30 days to respond. If this is likely to take longer, the applicant (you) will be warned and an explanation of the delay provided.
Luton and Dunstable University Hospital embraces transparency as a means of building trust and confidence with our patients and staff.
Being transparent and providing accessible information to individuals about how we will use personal data is a key element of the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).
We want to be clear about the purpose/purposes for which we hold personal information and data.
It is often argued that people’s expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, but they are unwilling to read lengthy privacy notices.
These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, we believe that people do have concerns about how organisations handle their data and want to retain some control over its further use.
Therefore, we have separated our full privacy notice into easy to read sections as it is important for us to be transparent about our processing and comply with the legal requirements to provide privacy information.
Your information will not be sent outside of the United Kingdom unless there is a clinical need to do so.
We will always ensure that your privacy is protected in the same way overseas as it is here in the UK. We will never sell any information about you.
You have a right to privacy and to expect the NHS to keep your information confidential and secure.
Under the Data Protection Act 2018 (DPA 2018) it is a legal right to have your data processed on a fair and lawful basis and in a transparent manner.
Right to be informed
The information we supply about the processing of personal data must be:
Right of access
You can find out if we hold any personal information by making a ‘subject access request’ under the DPA 2018. If we do hold information about you, we will:
Right to rectification (correction)
You are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.
We have one month to respond to a request for rectification. This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.
Right to erasure (to be forgotten)
The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances.
This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
Please note that the right to be forgotten does not apply to special category data i.e. medical records.
Right to restrict processing
We will be required to restrict the processing of personal data in the following circumstances:
We will continue to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.
Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
Right to object
You must have an objection on ‘grounds relating to your particular situation’ in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no grounds to refuse.
You have the right to object to the following:
We will stop processing the personal data unless:
We will not charge a fee for providing your information. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with a request for further copies of the same information. The fee will be based on the administrative cost of providing the information.
The Trust will endeavour to deal with your request within a 21 day time limit (NHS best practice). However, by law we have 30 days to respond. If this is likely to take longer, the applicant will be warned and an explanation of the delay provided.
If you would like more information about your rights, about how we process your information or if you feel your confidentiality has been breached, please contact:
Data Protection Officer (Heidi Walker) Tel: 01582 497928
Information Governance Team: Tel: 01582 718386
Access to Health Records: Tel: 01582 497288
For further information on the Data Protection Act 2018/General Data Protection Regulation (GDPR), or to make a complaint to the governing body, please contact:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF
Tel: 0303 123 1113