How we use information about you
Leeds and York Partnership NHS Foundation Trust will record information about you to provide you with healthcare services. Your information will also be used to plan our services and to make sure those services are as good as they can be.
When we use your information to provide your care, we will use your name and other identifiers to make sure those providing your care know who you are, but when we use your information for other reasons, we will usually take your name and other pieces of identifying information out – to make your information anonymous.
We will share relevant information with other healthcare professionals who are involved in your care and we will make key information from your records available via the Leeds Care Record unless you object. Your information will not be used for any other purpose without your consent, unless that purpose is required by law. Our Trust will keep your records according to the conditions of the Data Protection Act (2018) and the EU General Data Protection Regulation at all times.
Our Data Protection Privacy Notice is available below and we have also put together a more ‘easy read’ leaflet on how we use your information, how we keep it confidential and contact details in case you’d like to know more. As the leaflet says: It’s your information, but it’s our responsibility.
Our information governance policies and procedures
Our Trust maintains a number of information governance procedural documents as part of our overall approach to information governance and our information governance framework.
These procedural documents are based on the requirements of the NHS Digital Data Security and Protection Toolkit, National Data Guardian Standards, the Care Record Guarantee, the NHS and Department of Health and Social Care Policy and best practice and UK Data Protection Law.
As well as regulating the activities of our staff, these documents are also intended as instructional guidance on the handling of personal data within our Trust.
- Read our Information Governance Policy
- Read our Health Records Policy.
- Read our Confidentiality Code of Conduct
- Read our Freedom of Information Procedure
- Read our Data Quality Policy
- Read our Corporate Records Management Guidance
- Medical Records Subject Access Request Procedure
- Read our Safe Haven Guidance
- Data Protection Policy.
Our information sharing protocols and agreements
When our Trust enters into arrangements with partner organisations where we will need to pass information between both parties, we will often enter into information sharing agreements. Information sharing agreements mean both parties have an agreed approach to the sharing of information and how the information can be used once it is shared.
Our Trust is also a signatory to over-arching information sharing protocols. Information sharing protocols bind all signatories to a high-level information framework and it is under this framework that information sharing agreements can be created for specific purposes.
- Read the Leeds City-wide Information Sharing Protocol
- Read the General Framework for Information Sharing in North Yorkshire and York
- Read our information sharing agreement with West Yorkshire Police
- Read our information sharing agreement with Leeds Child and Adolescent Mental Health Service (CAMHS)
- Read our information sharing agreement with Yorkshire Ambulance Service NHS Trust
- Read the Memorandum of Understanding for Multi-agency Public Protection Arrangements (MAPPA) – West Yorkshire Police, the Prison Service and the West Yorkshire Probation Service act as the Responsible Authority for MAPPA in West Yorkshire
- Read our information sharing agreement with Leeds Teaching Hospitals NHS Trust (LTHT) that allows our Trust to access LTHT’s e-Results Service
- Read the Leeds Safeguarding Adults Partnership Information Sharing Agreement
- Read our information sharing agreement with Tees, Esk and Wear Valleys NHS Foundation Trust (TEWV) covering services transferred from our Trust to TEWV in York and North Yorkshire
- Read the Leeds Care Record Information Sharing Agreement
What is the NHS Digital Data Security and Protection Toolkit?
The NHS Digital Information Governance (IG) Toolkit was replaced for 2018-2019 with the Data Security & Protection (DSP) Toolkit.
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. This system is subject to ongoing development.
In 2018-2019, our Trust achieved the required “Standards Met” attainment level on all 32 mandatory requirements.
The Trust undertook an audit of a subset of 14 mandatory requirements in 2018-2019. The final opinion at audit was of an overall position of “Significant Assurance”.
Consent to use your personal information for Trust communications
The Communications Team manages the use of personal information consent for use in communications, public relations and / or marketing work on behalf of the Trust. This includes permission of staff, service users, carers and the public to use photographs, audio recordings and video footage in which they appear, and some personal information about them and their experiences, for a variety of projects and initiatives that support the Trust’s strategic aims and objectives.
The use of people’s personal data is not limited to one publication or communications channel. You can find a list of the primary communications channels we manage on our Media page.
Some of the projects we undertake involve sharing information with trusted partners and accredited news media organisations to achieve their objectives. Where this is the case we will discuss what this means with all concerned to ensure people are comfortable before we take any action.
For more information and to download consent forms visit our Media page.
LYPFT General GDPR Privacy Notice
As a provider of healthcare services, the Trust’s main processing of personal information relates to the provision of healthcare to our Service Users. Our Privacy Notice, explaining how we process information relating to our Service Users, is set out below.
Separate Privacy Notices for HR / Workforce and other corporate functions will be provided to those whose data is processed as part of the “business-as-usual” processes of our various departments. Feel free to contact the Trust Data Protection Officer for more information.
Leeds and York Partnership NHS Foundation Trust (“the Trust”) are the accountable Data Controller for the information we hold. Our contact addresses are as follows;
St Mary’s House, Main House
St Mary’s Road
|Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Mary’s House
St Martins View
Leeds LS7 3LA
Processing information relating to our Service Users, for healthcare purposes.
The legal basis for this is GDPR Article 9, subsection 2(h)
“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.
To provide high-quality, effective care that is safe, responsive, timely, and efficient, we will both receive and share relevant and necessary information with other health and social care professionals involved in our Service Users’ care, on the same legal basis.
Privacy notice: National Fraud Initiative (NFI)
The Trust is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds or where undertaking a public function in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing sets of data held by one body against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We are a mandatory participant in the Cabinet Office’s NFI, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed on the Government website.
The processing of data by the Cabinet Office in a data matching exercise is carried out with a statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or GDPR.
Data matching by the Cabinet Office is subject to a code of data matching practice.
The Cabinet Office has published its privacy notice which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the General Data Protection Regulation (GDPR).
The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
For further information on data matching at this organisation, please email Nikki Cooper or call 07872 988 939. Full information and details regarding the initiative can be found on the Government website.
The Trust does not process healthcare data outside the European Economic Area.
The Trust will retain and subsequently securely dispose of personal information aligned with the requirements & retention schedules of the Records Management Code of Practice for Health & Social Care 2016.
The EU General Data Protection Regulation gives those who personal information we hold certain rights. These rights are set out and explained below.
- The right to be informed
The information in this Privacy Notice should inform our Service Users how their information is processed by the Trust.
- The right of access
Service Users have a right to make a request to receive a copy of the information we hold about them, however the Trust has a legal obligation to have an appropriate healthcare professional review the information before it is released, to ensure that information likely to cause harm or distress to the Service User or anyone else is removed.
- The right to rectification
If factual inaccuracies are found and agreed, these will be corrected.
- The right to erasure
This right does not apply in all circumstances, and does not apply to information held for healthcare purposes. Service User records are retained according to the requirements of the Records Management Code of Practice for Health & Social Care 2016.
- The right to restrict processing
This right does not apply in all circumstances. The Trust will record and act upon any restrictions a service user wishes to place on the sharing of their information – e.g. with family members etc., but will share relevant and necessary information with other health and social care professionals involved in our service user’s care, or when otherwise required to do so by law.
- The right to data portability
This right does not apply in all circumstances. As we do not process healthcare information by automated means or on the basis of consent, it does not apply to healthcare information. We will however respond to Subject Access Requests and provide the information requested in a format of the Service User’s choice when it is reasonable to do so.
- The right to object
This right does not apply in all circumstances. As we process Service User information on the legal basis provided above, this right does not apply.
- Rights in relation to automated decision making and profiling.
No automated decision making or profiling is carried out using service user information.
- The right to lodge a complaint with a supervisory authority.
If anyone feels the Trust has failed to uphold any of the above rights, or has other concerns relating to the handling of their information, they may lodge a complaint with the Information Commissioner’s Office. The ICO’s contact details are included below:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (geographic rate number)
The ICO’s website for raising concerns relating to the handling of personal information is:https://ico.org.uk/concerns/handling/
Service users are not under a statutory or contractual obligation to provide their information, but we do however require service users to provide us with all necessary and relevant information so that we can in turn provide them with safe and effective care.
LYPFT Recovery College GDPR Privacy Notice
The Recovery College is hosted by Leeds and York Partnership NHS Foundation Trust (“the Trust”). Leeds and York Partnership NHS Foundation Trust are the accountable Data Controller for data processed by the Recovery College.
Contact addresses are as follows:
2 Asket Place
Leeds, LS14 1PP
St Mary’s House, Main House
St Mary’s Road
Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Mary’s House
St Martins View
Leeds, LS7 3LA
The Recovery College team will collect, store and process information relating to the management of your enrolment with the Recovery College and the courses you undertake with us. Your consent, as indicated on the enrolment form, will form the legal basis for this data processing, with the processing of your data essential to the management of your enrolment and the services we provide.
Data processed will include your personal information to identify you and the organisations currently (or previously) providing your care, and your contact details. We will also record information relating to accessibility issues, and Equality & Diversity Monitoring data. As the purpose of the College is to promote recovery, we will also ask you for information relating to your current and future health, to monitor the progress you make and the effectiveness of our courses.
The Recovery College will seek your consent using an Opt-In form to record your preferences relating to the marketing of courses which we feel may be of interest to you.
Some of our courses will be facilitated by partner organisations, we will share your information with these partners when required to manage your attendance on our courses. We will not otherwise share your information unless required to do so by law.
We will not process your personal data outside the European Economic Area.
We will retain and subsequently securely dispose of your information in accordance with the requirements of the Records Management Code of Practice for Health & Social Care.
You have a right to request a copy of any and all the records the Recovery College team holds that are about you, which we will provide to you within 30 days of receiving your written request.
We will correct any factual errors within your records and erase your records when no longer required, or if you withdraw your consent for processing because you have left the Recovery College.
You have a statutory right to raise a complaint with the Information Commissioner’s Office if you feel we have failed to honour your rights under Data Protection legislation.
Your Data & COVID-19 – Supplementary Privacy Notice
Updated 22nd April
This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main Privacy Notice.
The Health and Social Care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms-Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk and FAQs on this law are also available.
During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-Outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.
It may take us longer to respond to Subject Access requests and Freedom of Information Act requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal / confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal / confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is available on the NHSX website.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
Opting out of secondary use of your information
The Trust keeps records of the things you tell us and other information about your health and who you are in electronic computer systems. We only use this information to provide you with care, and will not share your information for any other reason unless the law says we must.
Your information can however be used in an anonymous form (with your name, address, and other information which can identify you removed) to help the NHS and the Government plan future healthcare services and carry out medical research. This is known as a “secondary use” of your information
Your Right to Opt Out of Secondary Use
The Government gives you the right to Opt Out of this use of your data. More information on what this means for you, and how to Opt Out is available online.
The General Practice Data for Planning and Research scheme (GPDPRS)
In addition to the above, the Government is planning to use information held in GP records to support a wide variety of research and analysis to help run and improve health and care services. This does not affect the information held by the Trust, but we are taking this opportunity to make you aware of this scheme, and to provide you with information on your right to opt out.
To opt out of the use of your data in this way you should complete the “Stop your GP surgery from sharing your data” opt-out form available online.
The Trust Data Protection Officer would be happy to discuss any concerns you may have by using the contact details below:
Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Marys House
St Martins View
Leeds LS7 3LA
- Confidentiality Code of Conduct
- Corporate Records Management Guidance
- Medical Records Subject Access Request Procedure
- Data Quality Policy
- Freedom of Information Procedure
- General Framework for Information Sharing in York and North Yorkshire
- Health Records Policy
- Information Governance Policy
- Information Sharing Agreement with Leeds Teaching Hospitals
- Leeds Adult Safeguarding Partnership Information Sharing Agreement
- Leeds CAMHS Information Sharing Agreement
- Leeds Care Record Information Sharing Agreement
- Leeds Information Sharing Protocol
- Memorandum of Understanding for Information Sharing – MAPPA
- Safe Haven Guidance
- TEWV Information Sharing Agreement
- West Yorkshire Police Information Sharing Agreement
- Yorkshire Ambulance Service Information Sharing Agreement