COVID-19 and your information
Updated 13 April 2020
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available further down this page.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information about the control of patient information is available on the NHSX website.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency, we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. See further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards. We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
This Trust participates in a joint programme to support the delivery of remote/virtual outpatient appointments. Currently, this uses a system called Attend Anywhere. To enable us to deliver this service in the most efficient way possible, patients may be seen over a video call consultation by specialists from any of these Lancashire and South Cumbria Hospital Trusts:
- Blackpool Teaching Hospitals NHS Foundation Trust
- East Lancashire Hospitals NHS Trust
- Lancashire Teaching Hospitals NHS Foundation Trust
- University Hospitals of Morecambe Bay NHS Foundation Trust
To deliver services in this way, it will be essential for your personal details (relevant to the appointment) to be shared with the consultant/specialist seeing you. If you do not wish your details to be shared with consultants and specialists in more than one Hospital Trust, please let your GP or referring doctor know as soon as possible.
This Privacy notice describes how the Trust uses and manages the personal information it collects and holds about you, including how this information may be shared with other organisations, how its confidentiality is maintained and your rights.
University Hospitals of Morecambe Bay NHS Foundation Trust is a ‘Data Controller’ under the Data Protection Legislation. This means we are legally responsible for ensuring that all personal data is held and used in a way that meets the current and future data protection principles. We must also notify the Information Commissioner about all of our data processing activity. Our registration number is Z2866193 and our registered entry can be found on the Information Commissioner’s website.
Why do we collect and use your information – what is it for?
Whenever you are referred or use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in your health record. Collecting this information helps to ensure you get the best possible care and treatment.
- Healthcare and medical purposes: information is used to directly contribute to your treatment, diagnosis or care, which includes supporting administrative processes and audit/assurance of the quality of healthcare services provided. Doctors, nurses or healthcare professionals involved in your care need accurate information about you to assess your health and deliver the care you need or refer you to another health professional, another part of the NHS or another public body (e.g. social services).
- Non-healthcare and medical purposes: information is used for research, audit, service management, commissioning, contract monitoring, reporting facilities and future planning of our services. When your personal information is used, and where appropriate, it is limited and de-identified so that the process is confidential. Examples include assessing and reviewing the type and quality of care you have received to ensure it is of the highest standard, and arranging payment for the person who has treated you. It may also be used to teach and train healthcare professionals.
- Safeguarding is where information is provided to ensure that adults and children at risk of harm are protected and managed appropriately. Access to identifiable information will be shared in limited circumstances where it’s legally required for the safety of the individuals concerned.
- Incidents: to ensure effective governance and to learn from incidents. The Trust will share and work with commissioning organisations to ensure quality health services are provided.
- Complaints and legal claims: for effective governance, to ensure that your concerns can be properly investigated if you are unhappy with the care you have received.
- Looking after the health of the general public using computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
- Conducting health research and development, and monitoring NHS performance: where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions. Where it is not sufficient to use anonymised information, person-identifiable information may be used, but only for essential NHS purposes. This may include research and auditing services. This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioner's Anonymisation Code of Practice will be used.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Under the General Data Protection Regulation (GDPR) we rely on the following:
- Lawful bases for processing
  - Article 6 (1) (e) … exercise of official authority …
- Special category data processing
  - Article 9 (2) (b) … social protection law …
  - Article 9 (2) (h) … health or social care …
  - Article 9 (2) (j) … research purposes …
Under the Data Protection Act 2018 we rely on:
- Schedule 1, Part 1 (2) (2) Health and Social Care Purposes
- Schedule 1, Part 2 (18) Safeguarding of children and individuals at risk
- Schedule 1, Part 1 (4) Research etc
NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.
What personal information do we collect about you?
In order to carry out our activities and obligations as an NHS Trust we handle data such as:
- Basic details, such as name, address, date of birth, next of kin, phone number, mobile phone number
- Personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions
- Your next of kin and contact details
- Contacts we have had, such as outpatient appointments, hospital stays and home visits
- Details and records of treatment and care, including notes and reports about your health and treatment, care and support you need and receive
- Results of x-rays, blood tests and other results from examinations or tests
- Information on medicines
- Information from people who care for you and know you well, such as health professionals and relatives
- Patient experience feedback and treatment outcome information you provide
Information is collected in a number of ways, via your healthcare professional, referral details from your GP or directly given by you and may be recorded in writing, digitally, or a mixture of both. It is important that you notify us of any changes to your personal details (e.g. address, contact number, next of kin).
By providing the Trust with contact details, you are agreeing to the Trust using appropriate channels to communicate about your healthcare, i.e. by letter (postal address), by voice mail or message (telephone or mobile number), by text message (mobile number) or by email (email address).
Why do we collect information about ethnicity?
Every NHS organisation has to collect information on the ethnic origins of its patients. You will be asked to select the group which best describes the ethnic group you belong to. We only use it to make sure our services meet the needs of all members of the community.
You don’t have to give us information about your ethnic origin if you do not want to.
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This will be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times. It will also be used to support the Friends and Family test, a feedback tool that gives people the opportunity to give feedback on their experience.
Use of Surveillance Cameras
We employ surveillance cameras (Closed Circuit TV and Body Worn Video) on and around the hospitals, for the purposes of public and staff safety, crime prevention and detection, and monitoring building security.
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems. See section “What are your rights regarding your information”.
In accordance with Data Protection Legislation and codes of practice issued by the Information Commissioner, images captured by surveillance cameras will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated.
How do we keep your information confidential and safe?
Our aim is not to be intrusive, and we won’t ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and retained securely to make sure it can only be seen, accessed and/or disclosed to those who need to know.
We have policies and procedures that explain the approach within our Trust and our commitments and responsibilities to your privacy.
Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.
If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.
The Trust will endeavour to keep your information accurate and up to date, and not to keep it for longer than necessary. The NHS Retention Schedule sets out the minimum appropriate length of time each type of NHS record is retained. All records are destroyed confidentially in a secure way.
Protecting Children and Young people’s personal data
Children and young people’s data is afforded the same rights and protection as the data collected from adults. Children and young people are considered a ‘vulnerable’ group and therefore the Trust and others involved in their healthcare will always treat their data fairly and ensure that it is kept safe and secure.
When using or sharing children’s or young person’s data, we will always ensure that there is a legal reason for doing so or where relevant ask for their explicit consent.
Regardless of age, every person has a right to privacy and confidentiality. If a young person asks a health professional to keep their information confidential, even from those who hold parental responsibility, then that wish will be respected, unless there is a lawful reason to override this protection.
Why do we share your information and who do we share it with?
There are times when it is appropriate and necessary for us to share information about you and your healthcare with organisations and individuals to fulfil our role as an NHS organisation. Wherever possible we try to use data that does not identify you, by removing all patient-identifying details, unless the law requires the patient's identity to be included.
- Other NHS organisations to assess and deliver the care you need such as General Practices, Acute Hospitals, Community Service and Mental Health Care Providers, Nursing Homes
- Local Clinical Commissioning Group (CCG): anonymised data is provided to support local monitoring of commissioned services, allocate payments and help improve data quality
- NHS Digital to support effective monitoring of service standards, local monitoring of service provision, inform patient care and treatment choices. The data provided will be anonymised; no information that could reveal your identity is used in national reports. More information on how NHS Digital use anonymised data can be found on their website. You do have a choice as to whether your personal information is used for this purpose – see section Control of Personal Information
- Non NHS organisations to help us work together for your benefit or to carry out their statutory duties. These may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers and private sector providers.
The Trust will not disclose, share, sell or distribute your confidential personal information to third parties unless we have your explicit consent or the health or safety of others is at risk or the law requires the Trust to disclose. Examples are the registration of a birth or death, reporting of an infectious disease, prevention, detection, investigation or prosecution of a serious crime, a court order or an insurance medical.
Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements.
We will only give information to your relatives, friends and carers if you want us to and have given your permission.
What are your rights regarding your information
You have rights under data protection legislation but not all rights are absolute and will only apply in certain circumstances.
Correcting inaccurate information
We have a duty to ensure your information is accurate and up to date and to make certain we have the correct contact and treatment details about you. If you believe any information is not accurate, you can request for us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.
Accessing your information held by the Trust
You have the right to see or be given a copy of your personal information held by the Trust. You are not required to pay any charge for exercising your rights. To gain access to your information you will need to make a Subject Access Request. We will aim to respond within one month from receipt of your request. If you require general information about the Trust please see our Freedom of Information guidance.
To request a copy of your health record you can download a copy of the Access to Health Records form, or write to:
Access to Health Records Office
Peter Green Way
Furness Business Park
Or contact the Data Protection Officer:
Data Protection Officer
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
Your request for information may be delayed due to urgent operational responses to dealing with Public Health priorities. We apologise for any inconvenience this may cause; we remain committed to responding to your request and will respond as soon as we are able. Should our response to your request breach the statutory timeframe and you remain unhappy with our response, you have the right to complain to the Information Commissioner's Office. You can contact them on their website: www.ico.org.uk or by phone: 08456 30 60 60 or 01625 54 57 45
Control of Personal Information
You have a choice whether your personal information is shared for purposes beyond your individual care and treatment i.e. improving quality and standards of care, research into new treatments, preventing illness and disease and planning services. If you choose not to share, your personal information will still be used to support individual care but not for research or planning. You do not need to do anything if you are happy to share for all aspects. To register your choice to opt out of sharing your personal information, access support in making this choice, and to access the system to view, set or change your settings or other contact details, please visit the NHS website.
You can change your mind about your choice at any time.
In circumstances where you have explicitly agreed (consented) to sharing your personal data for a specified purpose, you can refuse or withdraw your consent. Should this affect your care you will be informed of the consequences i.e. lack of joined up care, delay in treatment if information has to be sourced from elsewhere, medication complications; all leading to the possibility of difficulties in providing the best level of care. You will need to contact the Access to Health Records team to request this.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
The Trust does not use processes which include solely automated decision making or profiling.
Data Protection Impact Assessments
As part of the Trust's data protection transparency agenda, and as required by the Data Security & Protection Toolkit, details of Data Protection Impact Assessments (DPIAs) that have been through the Trust approval process are published. Access this list of approved DPIAs here.
If after having read this Privacy Notice you have any concerns about how your information is to be used, wish to learn more about how the Trust manages and maintains confidentiality of patient information, would like to request the notice in another accessible format or you do not want your information to be shared by the Trust, then please speak to the health professionals concerned with your care, or email the Data Protection Officer.
We do however need to remind you that we may not be able to provide you with a service or be able to undertake the appropriate care needed unless we have enough information, or your permission to use that information.
You can also contact the Trust's Caldicott Guardian. The Caldicott Guardian is the person who makes the final decision on how, what, when and why personal identifiable information will be used in the organisation and how it will be received or sent by the organisation. Contact the Caldicott Guardian at the following address:
University Hospitals of Morecambe Bay NHS Foundation Trust
Westmorland General Hospital
For independent advice about data protection, privacy and data-sharing issues you can contact the Information Commissioner at:
The Information Commissioner
Phone: 08456 30 60 60 or 01625 54 57 45
Last Updated March 2019
Version 2.0 of the University Hospitals of Morecambe Bay NHS Foundation Trust Fair Processing Notice
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
Cookies are used minimally on this website for site usage analytics. You may delete and block all cookies from this site, but some parts of the site may not work as expected.
In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the website. For this purpose, we use Google Analytics.
We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this and we will make it clear when we collect personal information and will explain what we intend to do with it.
For more information on enabling and disabling cookies please visit About Cookies.
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
Click here for an overview of privacy at Google
Click here for information on downloading a browser add-on to opt-out of Google Analytics
This cookie is used by the website's CMS (Content Management System) to track if the user is a public guest or is logged in to an account on the website. This cookie is not used for any other purpose.
Keep track of whether or not you have clicked "Got it!" on the notice about cookies on this website, so that it doesn't keep appearing when you load a page.
Keep track of which language has been selected from the Google Translate tool.
Keep track of which colour contrast mode has been selected from the Accessibility Tools.
Keep track of whether the accessibility bar is opened or closed.
Keep track of the text size that has been set from the Accessibility Tools.
Weighted Search (weighted_search_ajax_[id]): Keep track of which way you've set the "dynamic search" button on the "search results" page.