Privacy and Your Data

In some locations we may use CCTV, usually to help maintain your safety.  An explanation of their purpose is clearly displayed near our CCTV cameras and advises who to contact if you have questions about their use.

We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others.

We keep your personal information according to the NHS records management code of practice.

We do not store or routinely send your information overseas. If you need a copy of your records to be transferred out of the UK please discuss this with us. 

We keep a list of our suppliers and the systems they provide where they contain personal information. This is regularly updated. Please ask to see a copy if you have concerns or want to know more about how we process personal information.

How your personal information is used

Your clinical care team and other health and care professionals caring for you keep records about your health and any treatment and care you receive from the NHS and other related agencies.  The data we hold about you includes basic information such as name, address and other contact details. We also collect sensitive confidential data (known as ‘special category personal data’). This includes your health information, and if we need this information to care for you, your religious beliefs and sexual preferences. Your health information may include:

• Details about you such as your address, carer, legal representative and emergency contact details 
• Contacts we have had with you – appointments, clinics, in-patient stays 
• Details about your health, treatment and care 
• Relevant information from other professionals, relatives or those who care for you

How do we lawfully use your data?

We need this information to help provide you with the best possible healthcare. 

We process and share information in line with the Health and Social Care Act 2015, the Data Protection Act 2018 and the GDPR (General Data Protection Regulation)  article  9 (processing of special categories of personal data):
9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

Your information is shared for health and social care purposes. Not sharing information may lead to a clinical risk, safeguarding issues or concerns about your care, and may have an impact on the care and treatment that we or our partners are able to provide.   Where it supports your care we may also share your information with education and voluntary and private sector agencies (including care homes) working with us. We will also upload demographic and key clinical information to local integrated clinical systems accessed by local agencies. This is only ever accessed on a strict need to know basis. In most other circumstances we will seek your consent to share your information. 

We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others. 

If we use the information for research purposes that identifies you we will seek your consent first.  If you do not want your information to be used for research purposes you can also register your choice nationally through the National Data Opt-Out initiative at www.nhs.uk/your-nhs-data-matters. 

You may want to consider treatment through another provider if do not agree with the above.

What formats do we use to keep your information safe?

The records we hold about you are mostly electronic, but some may be kept on paper (especially older records). We use a combination of working practices and technology to make sure your information is kept confidential and secure. 

If you give us your email address we will use that to contact you. If you give us your mobile phone number we may use it to send you SMS messages about your appointments. We will never disclose any special categories of your personal data in a text message. 

How long will we store your information?

We keep your personal information according to the NHS records management code of practice.

We do not store or routinely send your information overseas. If you need a copy of your records to be transferred out of the UK please discuss this with us. 

How can you access your personal information?

You have a right under Data Protection legislation to request a copy of the information we hold about you, or to ask to see it. If you are currently receiving care from us, speak to someone in the team where your care is taking place and they will be able to help you. Otherwise please send your request to elft.accesstorecords@nhs.net .

You will need to give us adequate information about you to verify your identity (name, address, date of birth, NHS number and what information you are requesting). We may ask you to provide documents to confirm your identity. 

There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond. When this happens we will let you know.  
If your personal information changes, please tell the team where you are receiving your care so we can update your records.

If you think the information we hold about you is inaccurate please state this clearly in writing to elft.palsandcomplaints@nhs.net

We can change factual information if it’s incorrect. We are not able to change clinical opinions. If you think these are wrong please set out why you think this and we will add it to your clinical record to make this clear. 
Where you have given consent for us to process your information (such as for research purposes) you can withdraw your consent. Please put this in writing to us. 

Objections and complaints

If you have any concerns about how your information is managed you can speak to the clinical team where you are receiving your care. 

Alternatively, our Patient Advice and Liaison Service (PALS) can help. They can be contacted at elft.palsandcomplaints@nhs.net

Our Data Protection Officer can also listen to your concerns or give you advice about your rights in respect of the data we hold about you. Contact her by email at elft.dpo@nhs.net or by phoning 020 7655 4000 and asking to speak to the Data Protection Officer. 

If you are still concerned you have the right to complain to the Information Commissioner:

Call their helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). Or see the ICO website https://ico.org.uk/  

Shared Care Records

As part of our digital journey as a Trust, we share records with the health and care providers that are directly involved in a service user's care.

By sharing care records, staff can deliver fast and frictionless care and patients can be sure that everyone involved in their care - their GP, hospital, community health, mental health and social care teams – are all up to speed.

We use a number of different systems that link the various health and care systems in operation across our two ICS's: North East London and Bedfordshire, Luton and Milton Keynes. Find out more here.

How do we lawfully use your data?

We process and share your information under  Article 6 1(e) of the UK General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller).

How your personal information is used?

As a Foundation Trust, we have a statutory requirement to process membership data in our capacity as a public body. We process membership data to maintain membership, run annual elections and ensure the membership is representative of our communities.  We need information about you so that we can manage and maintain the Trust membership system. Trust membership is an inherent part of the governance arrangements of a Foundation Trust and is authorised under the NHS Constitution. 

Your information is securely on a database held by an external provider who has physical security controls together with accredited IT security.

We may share your information with an external provider during public consultation exercises, for you to participate in governor elections or any other related purposes. We do not sell your information and we do not use it for marketing purposes. 

The information we hold about you will only be used to contact you about the Trust, membership or other related issues. 

How long will we store your information?

We keep your personal information according to the NHS records management code of practice. We do not routinely store or send your personal information overseas. 

If you withdraw your membership we will not retain your personal information.  You may also request that your information is removed or forgotten or that you do not give us your consent to process your personal information. This would mean you would be unable to continue as a member or governor. 

What formats do we use to keep your information safe?

The records we hold about you are electronic. 

How can you access your personal information?

You have a right under Data Protection legislation to request a copy of the information we hold about you or to ask to see it. If you are a public member, speak to someone in the membership team who will be able to help you, or email them at elft.membership@nhs.net. If you are a staff member, contact your local HR representative. Otherwise please send your request to elft.accesstorecords@nhs.net. You will need to give us adequate information about you to verify your identity (name, address, date of birth, and what information you are requesting). We may ask you to provide documents to confirm your identity. There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond. When this happens we will let you know.  

By staff, we mean applicants, employees, former employees, agency staff, apprentices, volunteers, trainees, secondees and contractors. 

How do we lawfully use your data?

We process and share your information under Article 6 1(b) of the General Data Protection Regulation (processing is necessary for the performance of a contract), Article 6 1(a) (consent has been given for the processing of personal data) – this mostly applies to the sensitive categories of information you give us when you apply for a job as this ensures we treat you fairly and equitably. We will also seek your consent if we want to refer you to occupational health or similar external agencies.

How your personal information is used?

To carry out our activities and obligations as an employer we process your personal information where required in relation to:

• name, home address, telephone, personal email address, date of birth, national insurance number, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee's application for and employment with us national insurance number 
• special categories of personal data: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfil legal requirements) 
• absence information, e.g. annual leave, sickness absence, study leave, maternity leave, paternity leave, occupational health clearance information 
• qualification and training information 
• statutory and voluntary registration data 

When you are no longer our employee, we may continue to share your information as described in this notice as long as this is fair and lawful.

We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, to HM Revenue and Customs, Pensions Agencies, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others. 

We also share information through ESR and with our payroll provider to enable us to pay you. 

How long will we store your information?

We keep your personal information according to the NHS records management code of practice. We do not store or routinely send your personal data overseas. 

What formats do we use to keep your information safe?

The records we hold about you centrally are mostly electronic. Records held locally by your manager may be either in electronic or paper format. 

How can you access your personal information?

You have a right under Data Protection legislation to request a copy of the information we hold about you, or to ask to see it. If you are employed with us contact your local P&C representative.

Otherwise please send your request to elft.accesstorecords@nhs.net . You will need to give us adequate information about you to verify your identity (name, address, date of birth, and what information you are requesting).

We may ask you to provide documents to confirm your identity. There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond.

When this happens we will let you know. 

Board Member Fit & Proper Persons Test (FPPT) Privacy Notice

Find out about your right to object here.

If you have any concerns about how your information is managed you can speak to the clinical team where you are receiving your care.

Alternatively, our Patient Advice and Liaison Service (PALS) can help. They can be contacted at elft.palsandcomplaints@nhs.net

Our Data Protection Officer can also listen to your concerns or give you advice about your rights in respect of the data we hold about you. Contact her by email at elft.dpo@nhs.net or by phoning 020 7655 4000 and asking to speak to the Data Protection Officer.

If you are still concerned you have the right to complain to the Information Commissioner:
Call their helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). Or see the ICO website https://ico.org.uk/ 

The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. 

Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by clicking on "Your Health" in the NHS App, and selecting "Choose if data from your health records is shared for research and planning".

Find out more here: www.digital.nhs.uk/services/national-data-opt-out

Your Records & You - ELFT's Information Leaflet for Service Users (2021). 

Your Records & You - Information Poster