Protecting your personal information is extremely important to us and we take our duty to protect and safeguard your personal information and confidentiality very seriously.

Personal data is information that relates to an identified or identifiable living individual. Additionally, special category data (such as health data, ethnicity, religion, sexual orientation, etc.) and criminal convictions and offence data are also personal data that need more protection and security because of their sensitivity.

We are committed to taking all reasonable measures to ensure the confidentiality and security of all personal data for which we are responsible, whatever format and medium it is held in, at all times. At Trust Board level:

  • Neil Smith, Executive Director of Finance / Deputy Chief Executive is our appointed Senior Information Risk Owner (SIRO). The SIRO has executive responsibility for the management of information risks and incidents and the protection and secure handling of all information within the Trust.
  • Dr Noir Thomas, Executive Medical Director is our appointed Caldicott Guardian. The Caldicott Guardian is responsible for the management and protection of patient information and patient confidentiality.

In line with current Data Protection law, we are registered with the Information Commissioner’s Office (ICO) as a data controller and our Registration Number is Z6634416, and we have appointed a Data Protection Officer (DPO), who is our Head of Information Governance.

The SIRO and Caldicott Guardian are supported by the Data Protection Officer and the Information Governance (IG) Team. The Information Governance Team’s roles cover:

  • Access to records requests (including the courts, deceased patients, police, etc.)
  • Caldicott Principles
  • Care and corporate records (including record-keeping and records management)
  • Clinical coding
  • Confidentiality
  • Data Protection
  • Environmental Information Regulations (EIR)
  • Freedom of Information (FOI)
  • Information incidents and breaches
  • Information risk management
  • Information security
  • Information sharing
  • Subject Access Requests (SAR) from individuals and/or their authorised representatives
  • Training.

The current Data Protection law – the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) – was originally introduced in May 2018. The new legislation strengthened the previous legislation that had been in place for 20 years and brought it in line with modern society and technology. It aimed to achieve a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information. The law applies to all types of personal information, whether held on a computer system, other electronic media or paper records, and includes both facts and opinions about the individual.

The legislation places legal obligations on those who collect, store and share information (data controllers), and gives rights to those who are the subject of that information (data subjects).

We are registered with the Information Commissioner’s Office (ICO) as a data controller and our Registration Number is Z6634416.

To learn more about the legislation, please visit the Information Commissioner’s Office’s website. The full Data Protection Act 2018 is available on the Government's legislation website.

Compliance with the national Information Governance (IG) framework and agenda is measured and monitored through the national Data Security and Protection Toolkit (DSPT) - an online self-assessment tool - to which the Trust makes regular submissions each year.

The Trust's submissions are published and publicly available on the DSPT website.

The DSPT allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Data Protection law works in two main ways – it sets out rules for organisations (data controllers) that handle personal information and it gives individuals (data subjects) rights over how their personal information is used.

As part of performing our public task as a provider of healthcare services, we collect, store, use and share information about employees, patients, emergency contacts, carers, family members, Foundation Trust members, suppliers and members of the public.

Any personal information provided to us is essential for us to provide effective healthcare and services. We sometimes need to collect, store and share this information, but must always respect an individual's right to privacy and the right to be informed about how the information will be used.

To find out more about the information we collect and how we use it, see our privacy statement.

The law requires the Trust to process person confidential information in accordance with a set of legal rules - the seven Data Protection Principles.

These include obligations covering the lawfulness, collection and use, accuracy, security, retention and ultimately deletion of personal information, specifically:

  • Lawfulness, fairness and transparency - processed lawfully, fairly and transparently
  • Purpose limitation - collected for specified, explicit and legitimate purposes
  • Data minimisation - adequate, relevant and limited to what is necessary
  • Accuracy - accurate and, where necessary, kept up-to-date
  • Storage limitation - not kept for longer than necessary
  • Integrity and confidentiality - processed in a manner that ensures appropriate security
  • Accountability - must be able to demonstrate compliance with the principles above.

The Trust collects and processes personal information in order to help provide healthcare services to our patients and ensure that they receive the best possible care from us, and to assist us in meeting our business responsibilities. The information we obtain and hold must comply with the Data Protection law and only be used for specific purposes allowed by law.

As part of Data Protection law, we are required to have and appoint a Data Protection Officer (DPO).

The Data Protection Officer’s responsibilities include informing and advising the Trust on its Data Protection obligations, monitoring internal compliance with Data Protection law, and acting as a contact point for individuals (data subjects) and the Information Commissioner’s Office (ICO).

If you have any concerns regarding how your information is used or our compliance with Data Protection requirements, please contact our Information Governance Team at IG@merseycare.nhs.uk or our Data Protection Officer at DPO@merseycare.nhs.uk.

The Freedom of Information (FOI) Act 2000 provides the general public (anyone, anywhere in the world) with a right of access to all types of recorded information held by public authorities, which includes NHS organisations, and the right to receive it subject to certain conditions and exemptions (for example it excludes personal information about individuals and environmental information).

The Act does not give people access to their own personal data (information about themselves), such as their health or employment records, or personal data about others.

The Act places two main obligations on public authorities:

  • Publish certain information proactively through the adoption and maintenance of a Publication Scheme which sets out details of information that is routinely made available, how and where the information can be obtained and whether there is any charge for it.
  • Respond to requests for information, whereby the public authority must inform the applicant in writing whether it holds the information requested and, if so and the information is not exempt from disclosure, communicate that information to the applicant promptly and not later than 20 working days after receipt of the request.

The Act aims to make public authorities more transparent, open and accountable. It also aims to help people understand better how public authorities carry out their duties, why they make the decisions they do and how they spend public money.

Visit our Freedom of Information page for more information or to make a request.

We are committed to sharing person confidential information appropriately and lawfully.

To provide effective health care, we routinely share your information with other organisations involved in your care, including your GP and other NHS and Social Care organisations. Our Trust has a legitimate legal basis to share information to provide direct care for health and social care purposes under the current Data Protection law.

Sometimes we may need to share your information with other organisations. We will identify an appropriate legal basis to share information in such instances and, if necessary, we will ask your permission before sharing it. However, there are certain circumstances where our Trust does not need to, for example:

  • If the information has been anonymised so you are not identifiable
  • If you need urgent medical treatment
  • To protect children, young people and adults from harm, abuse or neglect
  • To assist with the prevention or detection of a crime
  • If we are ordered to provide information as part of legal proceedings
  • If there is an overriding public interest concern.

The Caldicott Principles set the standards for handling patient identifiable information. There are eight general principles that are applicable to all health and social care organisations:

  1. Justify why you need to use it
  2. Only use it when absolutely necessary
  3. Use the minimum information required
  4. Access should be on a strict need-to-know basis
  5. Everyone involved must understand and be aware of their responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect patient confidentiality
  8. Inform patients and service users about how their confidential information is used

Under the Freedom of Information Act, we have to routinely publish information whenever possible within our Publication Scheme. This is based on the Model Publication Scheme and the Definition Document for NHS Organisations developed by the Information Commissioner’s Office (ICO) for adoption by NHS bodies, which together outline the minimum expectations for disclosure.

The majority of information we make routinely available can be accessed through our website by using the search facility; the information there is continually reviewed and updated. If you cannot find the information on our website, please contact the Information Governance Team (Freedom of Information).

If the information required cannot be located on our website or within our Publication Scheme, you may submit a request for information under the Freedom of Information Act. Under the Act, for a request to be valid it must:

  • Be made in writing - either by email, letter or via our website
  • Include your real name (the Trust does not have to respond to requests made under a pseudonym)
  • Include your address for correspondence – either an email address or postal address
  • Describe the information you want (clearly identify what you want, being as specific as possible, in order for us to answer your request)
  • Outline any preferences for the format in which you wish to receive the information (e.g. electronic or hard copy – we will try as far as possible to provide the information in the format you want, but this may not always be possible, in which case we will contact you and explain why not)

Individuals wishing to submit a request for information should use one of the following methods:

By email: FOI@merseycare.nhs.uk

By post:

Information Governance Team (Freedom of Information)
Mersey Care NHS Foundation Trust
V7 Building
Kings Business Park
Merseyside
L34 1PJ

Online: By using our online form to submit your request electronically. Please note that sending information via the internet is not a secure means of communication and the sender uses this form at their own risk.

We have a legal obligation to reply to your FOI request within 20 working days of receiving it (although there are limited circumstances in which this can be extended).

Under the Act, we must inform you whether we hold the information requested and, if so, provide you with the information unless it is exempt from disclosure and an appropriate exemption applies.

Wherever possible, we will supply you with the information you requested but there are some circumstances where we may not be able to do so.

There may be occasions when we may refuse all or part of a request and decide not to disclose the requested information, for example if:

  • We do not actually hold the information.
  • One or more exemptions apply. There are 23 specific exemptions that allow us to withhold information.
  • The cost of complying with the request exceeds the appropriate limit of 18 hours (Section 12 exemption).
  • The request is vexatious or repeated (Section 14 exemption).

Due to the current Covid-19 pandemic, the Government has temporarily paused the National Data Opt-out project. This will be resumed once the crisis has ended.

In line with the recommendations made by the National Data Guardian in her ‘Review of Data Security, Consent and Opt-outs’, the national data opt-out was introduced for the health and social care system on 25 May 2018. This was to give patients and the public more control over how their confidential patient information is used for research and planning purposes.

The Government response to the review set out that all health and adult social care organisations in England must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

It is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment.  The public can change their national data opt-out choice at any time.

Who needs to comply with national data opt-out policy?

The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority. It does not apply to data related to private patients at private providers.

In summary the national data opt-out applies to:

  • all NHS organisations (including private patients treated within such organisations),
  • all Local Authorities providing publicly funded care,
  • adult social care providers where the care provided is funded or arranged by a public body, and
  • private or charitable healthcare providers providing NHS funded treatment or arranged care.

Which data disclosures do national data opt-outs apply to?

National data opt-outs apply to a disclosure when an organisation, eg a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust.

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002.  The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, eg research body, without being in breach of the common law duty of confidentiality.  To be clear it is only in these cases where opt-outs apply.

National data opt-outs do not apply where:

  • information being disclosed is anonymised in accordance with the Information Commissioner's Office's anonymisation code of practice,
  • the individual has given their consent for their information to be used for a particular purpose, eg a specific research study,
  • there is an overriding public interest in the disclosure, ie the public interest in disclosing the data overrides the public interest in maintaining confidentiality, also referred to as the 'public interest test', and
  • there is a legal requirement that sets aside the common law duty of confidentiality or the information is required by a court order.

In the scenarios above, section 251 approval would not have been sought.

What has the Trust done?

The Trust has put processes in place to assess any current or future uses of confidential patient information prior to disclosure to consider and apply national data opt-outs where necessary in accordance with national data opt-out operational policy.  These have been included in Trust policies and procedures and staff have been advised.  It has also updated its patient privacy notice with a national data opt-out compliance statement.

Further information

For more information on being compliant with and applying national data opt-outs see compliance with national data opt-out.  For queries relating to the national data opt-out, please email enquiries@nhsdigital.nhs.uk or call 0300 303 5678.

Further Information

The Information Commissioner's Office (ICO) is the independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.

They regulate, enforce and oversee the current Data Protection law, the Freedom of Information Act and the Environmental Information Regulations.

Further information on their role is available from the ICO website.