Key points

Why we use your personal data: We typically use your personal information (including special categories of personal data such as information about your health) to provide safe and effective care and treatment to you.  

Who else has access to your personal data: To provide you with the care and treatment you need, we may share your personal information with third parties, such as other healthcare providers and third party service providers.

Security of your personal data: We respect the security of your data and treat it in accordance with the law.



Transferring your data internationally: We will not transfer your data outside of the EU.

This privacy statement explains what information is collected about you, why it is collected and the ways it is used. West London NHS Trust recognises how important it is that you are fully aware of the information we collect and hold about you as well as how we share that information.

To provide a healthcare service, we need to collect and use personal information for a range of purposes. Primarily, we collect data for healthcare and administration purposes. There are some cases where it is necessary and a legal requirement to process your personal information even without your consent.

To ensure that your information is kept confidential and that your data is kept safe and secure, all our staff are given training in data protection and information governance before they start work with us. Current staff must also undertake regular refresher training courses tailored to their individual roles.

This statement applies to all of our current and former patients. We may update this statement at any time.

If we do not have accurate, up to date information, this may impact on the services (such as effective treatment) that we provide. It is important that you inform us of any changes to your personal information (such as your contact details) we hold about you so that the information which we hold is accurate and current.

We are West London NHS Trust (the Trust/we/us).

Our head office is located at 1 Armstrong Way, Southall, UB2 4SD.

We are a 'data controller' in respect of the information we hold about you. This means that we are responsible for deciding how we use your personal information.

Our DPO is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

If you have any concerns or questions about our use of your personal information, you can contact our DPO at Kevin.Towers@westlondon.nhs.uk or by writing to

Information Governance Team
West London NHS Trust
A block
1 Armstrong Way
Southall
UB2 4SD.

Personal information is any information that can be used to identify you. We may collect the following personal information about you:

Categories of information (with the types of information within each category):

  • Personal details: such as your name, gender and date of birth
  • Contact details: such as your address and telephone number(s)
  • Details of each contact that we have had with you: including home visits and telephone consultations
  • Records of your health and wellbeing: including reports from other healthcare providers
  • Details of your care and treatments: including test results and investigations that have been undertaken
  • Relevant information from people who care for you: including other health and care providers, carers and relatives
  • Information about your family and friends: such as dependants, next of kin and emergency contact numbers
  • Security information: such as CCTV footage
  • Biometric data: for identification purposes (fingerprints, photo of visitors and staff to our High Secure Areas)

 

This information is referred to as 'personal data' under the data protection legislation and 'personal confidential data' under the Caldicott Principles. Under both the data protection legislation and the Caldicott Principles we are required to ensure that your information is treated in confidence and with respect.

Some of the information which we collect about you may be “special categories of personal data”. Special categories of personal data require a greater level of protection. The special categories of personal data about you which we may collect include your racial or ethnic origin, your religious beliefs, information about your sex life or sexual orientation and information about your health.

The above information which we collect about you will be obtained through a variety of sources which include:

  • From you directly via any direct access with our healthcare services
  • From your friends and relatives who provide us with information about you
  • From anyone who has the authority to act on your behalf such as a power of attorney or deputy
  • From your GP
  • From other healthcare professionals and officers in the local authority, social services department and emergency services; and
  • From any other (current and/or previous) healthcare and care providers.

We use the types of personal information listed above for a number of purposes, each of which has a ‘lawful basis’. 

In accordance with the data protection laws, we need a ‘lawful basis’ for collecting and using information about you. There are a variety of different lawful bases for using personal information which are set out in the data protection laws.

We have set out below the different purposes for which we collect and use your personal information, along with the lawful bases we rely on to do so.

Why we use your information

Our lawful basis for using your information

To keep and maintain an accurate record of your medical history: To help inform decisions that we make about your care, including diagnosis, decisions around medical intervention and prescriptions and to plan your care and treatment.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR.

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To provide you with safe and effective care and treatment: To provide you with safe, appropriate and personalised care and treatment as one of our service users and ensure that we meet your individual requirements. This will include us using your personal information for the following reasons:

  • Delivering the healthcare and personal care you require;
  • Determining your capacity for decision making;
  • Meeting your dietary requirements; and
  • Reviewing care provided to ensure it is meeting your needs.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To work effectively with other organisations who may be involved in your care: To send information regarding your health to others, such as your GP, other healthcare and/or social care providers for continuity of care and to ensure that your needs are being met appropriately.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:


Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To communicate with you:

We will use your personal information to contact you/anyone who has authority to act on your behalf, regarding your health, care, treatment, appointments and/or test results.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:


Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

For identification: When visiting our high secure hospital we will collect biometric data (photo and fingerprints) for identification purposes.

The legal basis we rely on to process your personal data is article 6 (1) (a) of the GDPR:


Consent


The legal basis we rely on to process your special category data is article 9 (2)(b) of the GDPR:


Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law in so far as it is authorised by Union or Member state law…

For security: We may need to capture images of you as part of our security processes to ensure the safety of our staff, service users and members of the public. This may include the use of CCTV systems.

The legal basis we rely on to process your personal data is article 6 (1) (f) of the GDPR:

 

Legitimate interest

To conduct clinical audits and prepare statistics on NHS performance: To check the quality of care provided to you to identify areas where we may need to improve. We do this by collecting information from the records of groups of patients who have similar conditions or have received similar treatments, and comparing this with what we know are the best standards of care. This helps us to identify areas where we need to make improvements. Information is anonymised as soon as possible.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State

To improve our services: You may choose to complete our patient survey, to help us to improve the services we provide to you and others.

The legal basis we rely on to process your personal data is article 6 (1) (a) of the GDPR:

Consent

To train and monitor our staff:

Your records help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymous feedback from patient surveys) to audit and improve our services and ensure they meet your needs.

Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.

Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*

To conduct medical research: To help plan services, improve care provided and to conduct research into developing new treatments and preventing diseases, understanding more about disease risks and causes, improving diagnosis and improving patient safety.

The legal basis we rely on to process your personal data is article 6 (1) (f) of the GDPR:

Legitimate interest

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(j) of the GDPR:

Processing is necessary for archiving purposes in the public interest, scientific or historical research

To investigate concerns or complaints: To ensure that any concerns or complaints you may have about your healthcare are appropriately investigated and responded to.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

For safeguarding and regulation: We use your personal data for the purpose of safeguarding and regulation of care.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To collect data about public health matters: To protect against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medical products or devices.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

Sharing your information without your consent

There are circumstances where we need to share your information without your consent. For example:

  • When the health and safety of others (including members of staff) is at risk;
  • To ensure we provide you with the appropriate care, also known as direct care;
  • To protect public health;
  • When the law requires information to be passed on;
  • For the prevention or investigation of serious crime;
  • Under a court order;
  • When sharing is in the public interest; or
  • Where there are safeguarding concerns for vulnerable people.

Information may not be shared if it is believed it may cause serious harm or distress to you or to another person.

The Trust uses Electronic Patient Record systems to store and process patient information. These systems include SystemOne, Rio, IAPTUS and Alfresco.

Some of these systems, namely Rio and SystemOne, feed data into the London Care Record – Health Information Exchange. The London Care Record is enabled by a network of health information exchanges (HIEs) across London, providing a read-only view of an individual’s health and care information.

Also, the London Care Record (Health Information Exchange) provides access to joined-up care records – important and current information at the point of care, for the whole care team. Most information will be updated in real time, but in some cases will be updated every 24 hours. Access to joined-up health and care records will save time and support everyone delivering health and care services.

Article 21 of the UK GDPR gives data subjects the right to object to the processing of their personal data at any time. This effectively allows data subjects to stop or prevent their personal data being processed. Please note that the right to object is not absolute if the processing is for a task carried out in the public interest (Public Task), the exercise of official authority vested in you; or your legitimate interests (or those of a third party).

If you would like to exercise your right to object to processing, please contact the Information Governance (IG) team by emailing IG@westlondon.nhs.uk, and a member of the IG team will be in touch regarding your request.

Sometimes it is necessary for us to share information with another organisation. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We may also share your information with third parties such as:

  • Your friends, family and others: including anyone who has the authority to act on your behalf such as a power of attorney or deputy, where appropriate to do so for the provision of your health or social care, in the vital interests of you or others (or with your consent where applicable);
  • Other healthcare providers and multi-disciplinary teams: for direct care purposes, we will share information about you with other healthcare providers such as other NHS Trusts, your GP, community staff/district nurses, hospital staff, emergency services, NHS 111, social services and local authorities;  
  • Regulators / safeguarding authorities/commissioners: such as child and adult safeguarding services (e.g. MASH), the Care Quality Commission and Public Health England. We share your personal data with these public bodies where we are required to do so by law or a regulatory obligation;
  • The police and other law enforcement agencies: in limited circumstances we may share your personal data with the police if required for the purposes of criminal investigations and law enforcement;
  • Courts (including a Coroner’s Court) and tribunals: for the investigation of deaths (coroner) and processing of legal claims;
  • Service providers: such as external IT providers, systems maintenance providers, language and sign language interpretation/translation and telephone call recording for monitoring purposes;
  • Professional advisors: such as lawyers, in the exercise or defence of legal claims;
  • Charitable organisations: such as organisations that can help with support for you and your family, provision of hospice care and funding of treatments, with your consent; and
  • Bulk mailing providers: in order to communicate with patients to satisfy our legal obligations and provide you with relevant healthcare information.

We will not transfer your data outside of the European Economic Area.

We typically will only use your personal information for the purposes for which we collect it.

It is possible that we will use your information for other purposes as long as those other purposes are compatible with those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

We may also use your personal information for other purposes where such use is required or permitted by law.

You have the right to confidentiality under the General Data Protection Regulation EU 2016/679 (GDPR), the Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA), the Health and Social Care Act 2012 (HSCA), as well as the common law duty of confidence. 

The Equality Act 2010 may also apply in some circumstances.

Under certain circumstances, by law you have the right to:

  • Be kept informed about how and why we use your personal information.
  • Request access to the information we hold about you (commonly known as a "data subject access request"), which enables you to receive a copy of that information and check that we are lawfully processing it;
  • Request correction of any incomplete or inaccurate information we hold about you;
  • Request erasure of your personal information where there is no good reason for us continuing to process it;
  • Object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
  • Request the restriction of processing of your information, for example if you want us to establish its accuracy or the reason for processing it;
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact our DPO by writing to Kevin.Towers@westlondon.nhs.uk or contact the Information Governance Team – Dayo Adebari, Head of Information Governance and Records Management - Adedayo.Adebari@westlondon.nhs.uk

Information Governance Team
West London NHS Trust
A block 1 Armstrong Way
Southall
UB2 4SD

All organisations providing care for the NHS or on its behalf must follow the same strict policies and controls as managed by the Department of Health’s Information Governance Framework.

The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances; for example, where we are required to do so by law. In all cases, where personal information is shared, either with or without your consent, a record will be kept.

Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality. 

We only keep your information for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

Details of retention periods for different aspects of your personal information are available in our retention policy which is available from our DPO by writing to Kevin.Towers@westlondon.nhs.uk or contact the Information Governance Team – Dayo Adebari, Head of Information Governance and Records Management - Adedayo.Adebari@westlondon.nhs.uk.

Information Governance Team
West London NHS Trust
A block 1 Armstrong Way
Southall
UB2 4SD

The GDPR, the DPA and other data protection laws

We will comply with data protection law. At the heart of data protection laws are the 'data protection principles' which say that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way; 
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date;
  • Kept only as long as necessary for the purposes we have told you about; and
  • Kept securely.

The Caldicott Principles

We will comply with the Caldicott Principles, which set out that we must:

  • Justify the purpose(s) for using confidential information;
  • Not use patient identifiable information unless it is absolutely necessary;
  • Use the minimum necessary patient identifiable information;
  • Restrict access to patient identifiable information on a strict need-to-know basis;
  • Ensure everyone with access to patient identifiable information is aware of their responsibilities;
  • Comply with the law; and
  • Be aware that the duty to share information can be as important as the duty to protect patient confidentiality.

We want to ensure that the information contained within this privacy statement is relevant and accessible for use by the people who use our children’s services.

That includes clinicians, carers, families and children. Please read the child-friendly version of the privacy policy. (PDF)

To improve your individual care, plan local services, research new treatments and speed up diagnoses, we may at times safely and securely share data with external researchers, organisations and analysts who can assist us with these processes.

We only share what is necessary for each piece of research and where possible, information is removed so that you cannot be identified. However, you can choose not to have information about you shared or used for any purpose beyond providing your own treatment or care.

This is known as the national data opt-out. If you choose to opt out, West London NHS Trust will apply your opt out immediately.

All other health and social care organisations have been required to apply your opt-out from March 2020.

West London NHS Trust shares information about you (your personal confidential data) for the Improving Access to Psychological Therapies (IAPT) Data Set, to help achieve better outcomes and experiences of care.

NHS Digital has been directed by NHS England under section 254 of the Health and Social Care Act (HSCA) 2012 to establish and operate a system for the collection and analysis of IAPT information from providers.

The Trust previously sought consent for data to be sent to NHS Digital. This has now changed, as we are now mandated to send all data. Service users must use the national data opt-out to control how their data is processed.

Under GDPR, the Trust’s lawful basis for processing is Article 6 (1) (c), which relates to processing necessary to comply with a legal obligation to which we are subject. Our lawful basis for processing special category data is GDPR Article 9 (2) (h) and Schedule 1, Part 1 (2) (2) (f) of the Data Protection Act 2018.

  • The data set collects information about demographics (e.g. postcode, date of birth, ethnic category), referral, treatment and outcomes details.
  • The data will be securely sent to NHS Digital which is the central organisation that receives the same data from all NHS-funded IAPT services across England.
  • The data set is used to produce anonymised national reports that show summary numbers of, for instance, numbers of patients referred to different IAPT services across the country as well as average waiting times and outcomes.
  • The reports help the NHS to improve the care it provides to you and other patients.
  • No information that could reveal your identity is used in these reports.
  • The data may be linked with other sources of data to support a wider range of information within these national reports, such as to investigate the relationship between IAPT services and other care services.

For more information about how NHS Digital uses IAPT data including their lawful basis for processing, how long they hold it for and your rights, please see the GDPR register.

Find more information about the IAPT Data Set on the NHS Digital IAPT web pages on the NHS Digital website.

This section of the privacy statement describes how we may use your information to protect you and others during the Covid-19 outbreak. 

We may amend this section of the privacy statement at any time.

Patient information

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. 

Using this law, the Secretary of State for Health and Social Care has required organisations to share confidential patient information to respond to the Covid-19 outbreak. These are: NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); Local authorities; Health organisations and GPs. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.

See gov.uk. See FAQs on the law.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. See gov.uk for information on National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests while we focus our efforts on responding to the outbreak.

To look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. 

See how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. 

This includes data already collected by: NHS England; NHS Improvement; Public Health England; NHS Digital. New data will include: 999 call data; Data about hospital occupancy; Emergency department capacity data; Data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation. In such circumstances where you tell us you are experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Staff information (the following only applies to employees working for the Trust)

HR and non-HR teams of the Trust may collect and process information relating to your Covid-19 self-isolation status, test results and confirmed diagnosis. 

This is to help with workforce planning and ensure continuity of services. Information will only be shared with other NHS organisations, such as NHS England and Clinical Commissioning Groups, in an appropriate and proportionate manner.

The lawful bases and conditions to enable this processing are listed under Articles 6 and 9 of the GDPR and include the following:

  • Article 6(1)(c) (“necessary to comply with legal obligations”)
  • Article 9(2)(b) (“employment, social security and protection”)

This is because, in the UK, there is a requirement under the Health and Safety at Work etc. Act 1974 for employers to take reasonable steps to look after the health, safety and welfare of staff. As such, it is reasonable for the Trust to collect certain information (such as information about confirmed diagnosis) as part of the organisation’s general duty to safeguard health and safety.

Indeed, the concept that employers may have a role to play in relation to coronavirus has been highlighted in the Government’s recent guidance for employers and businesses on dealing with Covid-19.

You have the right to complain to the Information Commissioner's Office (the ICO) if you are not satisfied with the way we use your information. 

You can contact the ICO by writing to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow 
Cheshire
SK9 5AF

We reserve the right to update this privacy statement at any time, and we will provide you with a new privacy statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.