When you receive care from our services you will be asked to share information about yourself. This information is used to create records about your health, any treatment and care you receive from the NHS. These records can then be used to ensure that you receive the best possible care now and in the future. 

Everyone working within the NHS has a legal duty to keep information about you confidential. This is called information governance.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when your own health and safety or that of others is at risk, or where there is a lawful reason for this information to be disclosed.

Find out more about why we need your information and what we do with it.

Your doctor and the team of health and social care professionals caring for you use the information you provide to create a record which may be stored in different mediums, e.g. paper format as a health record or electronic format held on the trust clinical information systems.

Your record may include:

  • Personal details such as your name, address, and date of birth 
  • Your legal representative
  • Any contact we have had with you, for example outpatient clinic visits or in-patient stays
  • Details and records about your health, treatment and care
  • Results of x-rays, laboratory tests and any other tests
  • Relevant information from people who care for you and know you well, such as health professionals and relatives.

When you visit us please check that your personal details are up to date. We need this information to ensure that we can contact you when required and that we have your current GP’s address to make any necessary contact.  

The information in your records helps your doctor, nurse or other health and social care professionals involved in your care to assess your health and treatment and to decide what care you need. It also means that full information is available should you see another doctor, or be referred to a specialist or another part of the NHS.

If you are unhappy with your care, having a record of what has taken place means your concerns can be properly investigated.

Your information may also be used to help us:

  • look after the health of the wider public
  • pay your GP, dentist and hospital for the care they provide
  • audit NHS accounts and services
  • investigate complaints, legal claims or untoward incidents
  • make sure our services can meet service user and carer needs in the future
  • prepare statistics on NHS performance
  • review the care we provide to ensure it is of the highest standard
  • teach and train health and social care professionals
  • conduct health research and development

Where we use your information to gather statistics we make sure that individual patients cannot be identified.

We may also pass anonymous statistical information to organisations with a legitimate interest, including universities, community safety units and research institutions.

Personal identifiable information may be used for essential NHS purposes such as research and auditing services. This will only be done by obtaining your consent, unless the law requires information to be passed on to improve public health.

Everyone working within the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it confidential.

You may be receiving care from other organisations as well as the NHS (like Social Services). We may need to share some information about you so we can all work together for your benefit.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires information to be passed on.

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health and social care professional. Occasions when we must pass on information include:

  • where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • where a formal court order has been issued

We may share information with:

  • Clinical Commissioning Groups
  • NHS Hospitals and clinics
  • General Practitioners (GPs)
  • Ambulance Services

Your information may also, subject to strict agreements, be shared with:

  • Social Services
  • Education Services
  • Local Authorities
  • Voluntary Sector Providers
  • Private Sector Providers
  • Police

You have a right to access information held about you by our Trust, including both paper and electronic records.

The Data Protection legislation allows individuals to view or obtain a copy of the personal information held about them. To access your personal records, a request can be made in writing or verbally – this is known as a Subject Access Request (SAR).
The Access to Health Records Act 1990 allows restricted access to care records of people who have died.


Informal access to your records

Our patients and staff can see the information recorded about them during or at the end of their treatment or upon them leaving the Trust.
This type of request can be arranged informally with a member of staff if it is a patient seeking access to their records, or between the member of staff and their line manager if it is a staff member.


Formal access to your records

If an individual requests hard copies such as photocopies and print-outs or an electronic copy of their records, then the request should be forwarded to the relevant divisional Subject Access Request (SAR) lead, for the area you received services from, who will follow the access to records process.

Under current Data Protection legislation, the statutory timescale for responding to a Subject Access Request (SAR) is within one month. If an individual has made a number of requests or their request is complex, we may need extra time to consider their request and we can take up to an extra two months to respond.


Individuals wishing to access their records should initially contact SAR@merseycare.nhs.uk

Applicants need to provide sufficient information to identify them (e.g. name, address, date of birth, etc.), details of the services they were under and the time period their request relates to, and copies of proof of their identity: one form of photographic ID (e.g. driving licence, passport, etc.) and one recent proof of current address document (e.g. utility bill, council tax bill, etc.).

People have a right to have their records kept confidential, and the Trust, as record holder, is obliged to be satisfied that an applicant is legitimate and entitled to access a specific person’s record. This is why we ask for proof of identity as part of the application process.

Information Governance ensures that one of the Trust's most important assets, information, in both clinical and management terms, is respected and held in secure and manageable conditions. Therefore it is of paramount importance that the Trust ensures that information is:

  • Held safely and confidentially
  • Obtained fairly and effectively
  • Recorded accurately and reliably
  • Used effectively and ethically
  • Shared appropriately and lawfully.

The Trust has put into place a range of appropriate policies, procedures and management arrangements to provide a robust framework for Information Governance to manage these aspects.

Our joint Senior Information Risk Owner/Information Governance Committee monitors the development of policies and procedures to meet the current legislative framework. There is a Data Security and Protection Toolkit, which consists of a number of assertions relating to the management of information. This is monitored by the Trust making evidence available and making an annual submission to NHS Digital. The Trust submitted the annual return and evidence in March 2019 and was awarded “substantial assurance” by Mersey Internal Audit Agency when audited.

Membership of the Joint SIRO/Information Governance Committee comprises: the Medical Director as Caldicott Guardian, Senior Information Risk Owner, Chief Clinical Information Officer, Head of Information Governance, Senior Nurse Management Representative, Information Security Manager, Adverse Incident Manager and nominated representatives from Corporate and Clinical specialties. Membership is also seconded as and when specific issues arise. The Committee meets bi-monthly and reports to the Executive Committee.

Data Security and Protection Toolkit

Data Security and Protection Toolkit Assurance 2019/20

Budget and Expenditure

For 2019/20 the annual budget has been set at £292,404. Expenditure covers registration fees with the Information Commissioner's Office, declaring the categories of information held and the reason for processing. Funding is also used to pay for 5 members of staff relating to Information Governance and to provide bespoke training and development for staff in respect of Information Governance, the Data Protection Act, Confidentiality, the Freedom of Information Act and the General Data Protection Regulation.

The team also comprises 2.8 wte Clinical Coders who are responsible for the translation of clinical diagnoses into the International Classification of Diseases statistical index. This information is used to assist the Trust in planning new facilities and for monitoring key clinical conditions nationally and by the World Health Organisation.

Policies and Procedures

Please visit the Trust Policy and Procedure page and look at the Information Management Technology and Governance section.  

Current policies to look out for include:

  • Information Governance Policy
  • Corporate Records Policy
  • Data Protection Act Policy
  • Freedom of Information Act Policy
  • Health Records Policy
  • IM&T Clinical Coding Policy
  • IT15 Clinical Coding Policy.


We provide the following:

  • Provision of professional advice, guidance relating to the Data Protection Act, Caldicott principles, Confidentiality and Data Sharing, Use and disclosure of personal data, Subject Access Requests, Police requests, Court directives, Safeguarding issues, general enquiries, mental health capacity, information governance general
  • Development, implementation of Information Sharing Agreements
  • Development, implementation of Trust Information Governance policies
  • Corporate records management – professional advice & guidance on NHS Code of Practice for Records Management, Records Management standards.
  • NHS Code of Practice – Confidentiality, NHS Code of Practice Information Governance, NHS Digital – Confidentiality
  • Health Record Management – Professional advice and guidance in respect of health records management, standards, retention/destruction and transfer of records for deposit at public records office.

Our major ongoing projects during 2019/20 are: continued training relating to Information Governance, addressing the Corporate Lifecycle agenda by undertaking Corporate Records Management Audits, monitoring and review of data loss/data breach incidents, mitigation of risks associated with data loss/data breach, identification of information assets and identification and mapping of data flows. The Trust continues to ensure compliance against the Data Security and Protection Toolkit assertions and implementation of the new Data Protection Act 2018 and General Data Protection Regulation (GDPR).

Useful Information

Guide to confidentiality in health and social care
Guide to Good Record Keeping