We take protecting your personal information very seriously. It is important to us that your information is kept safe and confidential.

Personal data means any information that can identify you, either on its own or when combined with other information. Some types of personal data are more sensitive, such as health information, ethnicity, religion, sexual orientation, and information about criminal convictions or offences. These need extra protection.

We are committed to taking all reasonable steps to always keep all personal data safe and secure, no matter how or where it is stored.

Data protection law (Data Protection Act 2018, UK General Data Protection Regulation and Data (Use and Access) Act 2025) sets rules for how personal information must be handled. It applies to all personal information, whether it is stored electronically or on paper, and includes both facts and opinions about a person. The law requires organisations that collect, use, or share personal information to protect it properly. It also gives individuals rights over their own information.

As part of performing our public task as a provider of healthcare services, we collect, store, use and share information about employees, patients, emergency contacts, carers, family members, Foundation Trust members, suppliers and members of the public.

Any personal information provided to us is essential for us to provide effective healthcare and services. We sometimes need to collect, store and share this information, but must always respect an individual's right to privacy and the right to be informed about how the information will be used.

To find out more about the information we collect and how we use it, see our privacy notices on the right-hand side of this page.

The law requires the Trust to process person confidential information in accordance with a set of legal rules - the seven Data Protection Principles.

These include obligations covering the lawfulness, collection and use, accuracy, security, retention and ultimately deletion of personal information, specifically:

  • Lawfulness, fairness and transparency - processed lawfully, fairly and transparently
  • Purpose limitation - collected for specified, explicit and legitimate purposes
  • Data minimisation - adequate, relevant and limited to what is necessary
  • Accuracy - accurate and, where necessary, kept up to date
  • Storage limitation - not kept for longer than necessary
  • Integrity and confidentiality - processed in a manner that ensures appropriate security
  • Accountability - must be able to demonstrate compliance with the principles above.

The Trust collects and processes personal information in order to help provide healthcare services to our patients and ensure that they receive the best possible care from us, and to assist us in meeting our business responsibilities. The information we obtain and hold must comply with Data Protection law and only be used for specific purposes allowed by law.

At Trust Board level:

  • Rob Collins, Executive Director of Finance, is our appointed Senior Information Risk Owner (SIRO). The SIRO has executive responsibility for the management of information risks and incidents and the protection and secure handling of all information within the Trust.
  • Dr Noir Thomas, Executive Medical Director, is our appointed Caldicott Guardian. The Caldicott Guardian is responsible for the management and protection of patient information and patient confidentiality.

In line with current Data Protection law, we are registered with the Information Commissioner's Office (ICO) as a data controller and our Registration Number is Z6634416. We have also appointed a Data Protection Officer (DPO), who is our Head of Information Governance.

The DPO’s responsibilities include informing and advising the Trust on its Data Protection obligations, monitoring internal compliance with Data Protection law, and acting as a contact point for individuals (data subjects) and the ICO.

The SIRO and Caldicott Guardian are supported by the Data Protection Officer and the Information Governance (IG) Team. The Information Governance Team’s roles cover:

  • Access to records requests (including the courts, deceased patients, police, etc.)
  • Caldicott Principles
  • Care and corporate records (including record-keeping and records management)
  • Clinical coding
  • Confidentiality
  • Data Protection
  • Environmental Information Regulations (EIR)
  • Freedom of Information (FOI)
  • Information incidents and breaches
  • Information risk management
  • Information security
  • Information sharing
  • Subject Access Requests (SAR) from individuals and/or their authorised representatives
  • Training.

The current Data Protection law provides individuals with eight rights in respect of their own person confidential information. Please note that the lawful basis used for processing under the legislation also affects which rights are available to individuals and some rights will not always apply. The specific rights are:

  • To be informed - about the collection and use of their personal data (see our privacy notices)
  • To make a Data Protection complaint - if they are unhappy or dissatisfied with something from a data protection perspective (see the Data protection complaints section below)
  • Access – to access and receive a copy of their personal data. This is commonly referred to as a Subject Access Request (SAR).

Individuals wishing to access their records should initially contact SAR@merseycare.nhs.uk.

Applicants need to provide sufficient information to identify them (e.g. name, address, date of birth, etc.), details of the services they were under and the time period their request relates to, as well as copies of proof of their identity sufficient to confirm their name, address and date of birth (e.g. utility bill, driving licence, etc.) and to correctly identify them in our records.

People have a right to have their records kept confidential, and the Trust, as record holder, is obliged to be satisfied that an applicant is legitimate and entitled to access a specific person's record. This is why we ask for proof of identity as part of the application process.

Upon receipt, the request will be forwarded to the relevant SAR Lead within the Trust to be acknowledged and processed.

  • Rectification - to have inaccurate personal data rectified or completed if it is incomplete. Individuals wishing to rectify their records should initially contact the Records Team.
  • Erasure (also known as 'the right to be forgotten') - to have their personal data erased. Please note that the right of erasure does not apply to health information and health records maintained and held by the Trust or to any special category data processed for health and social care purposes (further guidance on this is available on the ICO's website)
  • Restrict processing - to request the restriction or suppression of their personal data
  • Data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing them to move, copy or transfer personal data easily from one IT environment to another. Please note that this right only applies to information an individual has provided to the Trust (further guidance on this is available on the ICO's website)
  • Object - to the processing of their personal data in certain circumstances, including being used for direct marketing. Please note that, except for direct marketing, in other cases where the right to object applies, the Trust may be able to continue processing if it can show that it has a compelling reason for doing so (further guidance on this is available on the ICO's website)
  • Rights in relation to automated decision making and profiling

Individuals wishing to request any of their other rights should initially contact the IG Team or the Data Protection Officer.

From 19 June 2026, you will need to raise any concerns about how your personal information has been handled directly with the organisation first, before contacting the Information Commissioner’s Office (ICO).

We take all concerns and complaints seriously and are committed to helping you. If you believe the Trust has not handled personal information correctly — either your own or on behalf of someone else — please contact our Data Protection Officer and Information Governance Team using the link below.

What happens next?

  • We will acknowledge your complaint as quickly as possible, and within 30 days at the latest.
  • We will carefully review your concerns.
  • We will respond to you as soon as we can, without unnecessary delay.

Our aim is to resolve your concerns promptly, fairly and transparently.

If you are submitting this complaint on behalf of someone else, you will need to provide a signed authority form confirming that you can act on their behalf. Complete the authority form and send it to DPO@merseycare.nhs.uk.

Supporting documentation

To help us process your request, we may ask for:

  • Proof of identity for the person making the request
  • Proof of identity for the data subject (if applicable)
  • Evidence of authority (e.g. letter of authority, proof of executorship, or next of kin status)
  • Consent form to act on behalf of another person

We are committed to sharing person confidential information appropriately and lawfully.

To provide effective health care, we routinely share your information with other organisations involved in your care, including your GP and other NHS and Social Care organisations. Our Trust has a legitimate legal basis to share information to provide direct care for health and social care purposes under the current Data Protection law.

Sometimes we may need to share your information with other organisations. We will identify an appropriate legal basis to share information in such instances and, if necessary, we will ask your permission before sharing it. However, there are certain circumstances where our Trust does not need to, for example:

  • If the information has been anonymised so you are not identifiable
  • If you need urgent medical treatment
  • To protect children, young people and adults from harm, abuse or neglect
  • To assist with the prevention or detection of a crime
  • If we are ordered to provide information as part of legal proceedings
  • If there is an overriding public interest concern.

The Caldicott Principles set the standards for handling patient identifiable information. There are eight general principles that are applicable to all health and social care organisations:

  1. Justify why you need to use it
  2. Only use it when absolutely necessary
  3. Use the minimum information required
  4. Access should be on a strict need-to-know basis
  5. Everyone involved must understand and be aware of their responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect patient confidentiality
  8. Inform patients and service users about how their confidential information is used


Compliance with the national Information Governance (IG) framework and agenda is measured and monitored through the national Data Security and Protection Toolkit (DSPT) - an online self-assessment tool - to which the Trust makes regular submissions each year.

The Trust's submissions are published and publicly available on the DSPT website.

The DSPT allows organisations to measure their performance against the National Data Guardian’s 10 data security standards and the Cyber Assurance Framework (CAF).

All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

In line with the recommendations made by the National Data Guardian in her 'Review of Data Security, Consent and Opt-outs', the national data opt-out was introduced for the health and social care system on 25 May 2018. This was to give patients and the public more control over how their confidential patient information is used for research and planning purposes.

The Government response to the review set out that all health and adult social care organisations in England must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

It is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment. The public can change their national data opt-out choice at any time.

Who needs to comply with national data opt-out policy?

The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.

In summary the national data opt-out applies to:

  • all NHS organisations (including private patients treated within such organisations),
  • all Local Authorities providing publicly funded care,
  • adult social care providers where the care provided is funded or arranged by a public body, and
  • private or charitable healthcare providers providing NHS funded treatment or arranged care.

Which data disclosures do national data opt-outs apply to?

National data opt-outs apply to a disclosure when an organisation, e.g. a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller), such as an NHS Trust.

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, e.g. a research body, without being in breach of the common law duty of confidentiality. To be clear, it is only in these cases that opt-outs apply.

National data opt-outs do not apply where:

  • information being disclosed is anonymised in accordance with the Information Commissioner's Office's anonymisation code of practice,
  • the individual has given their consent for their information to be used for a particular purpose, e.g. a specific research study,
  • there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the 'public interest test', and
  • there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.

In the scenarios above, section 251 approvals would not have been sought.

What has the Trust done?

The Trust has put processes in place to assess any current or future uses of confidential patient information prior to disclosure to consider and apply national data opt-outs where necessary in accordance with national data opt-out operational policy. These have been included in Trust policies and procedures and staff have been advised. It has also updated its patient privacy notice with a national data opt-out compliance statement.

Further information

For more information on being compliant with and applying national data opt-outs see compliance with national data opt-out. For queries relating to the national data opt-out, please email enquiries@nhsdigital.nhs.uk or call 0300 303 5678.

Further Information

The Information Commissioner's Office (ICO) is the independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.

They regulate, enforce and oversee the current Data Protection law, the Freedom of Information Act and the Environmental Information Regulations.

Further information on their role is available from the ICO website.