Key points

Why we use your personal data: We typically use your personal information (including special categories of personal data such as information about your health) to provide safe and effective care and treatment to you.  

Who else has access to your personal data: To provide you with the care and treatment you need, we may share your personal information with third parties, such as other healthcare providers and third party service providers.

Security of your personal data: We respect the security of your data and treat it in accordance with the law.



Transferring your data internationally: We will not transfer your data outside of the EU.

This privacy statement explains what information is collected about you, why it is collected and the ways it is used. West London NHS Trust recognises how important it is that you are fully aware of the information we collect and hold about you as well as how we share that information.

To provide a healthcare service, we need to collect and use personal information for a range of purposes. Primarily, we collect data for healthcare and administration purposes. There are some cases where it is necessary and a legal requirement to process your personal information even without your consent.

To ensure that your information is kept confidential and that your data is kept safe and secure, all our staff are given training in data protection and information governance before they start work with us. Current staff must also undertake regular refresher training courses tailored to their individual roles.

This statement applies to all of our current and former patients. We may update this statement at any time.

If we do not have accurate, up to date information, this may impact on the services (such as effective treatment) that we provide. It is important that you inform us of any changes to your personal information (such as your contact details) we hold about you so that the information which we hold is accurate and current.

We are West London NHS Trust (the Trust/we/us).

Our head office is located at 1 Armstrong Way, Southall, UB2 4SD.

We are a 'data controller' in respect of the information we hold about you. This means that we are responsible for deciding how we use your personal information.

Our DPO is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

If you have any concerns or questions about our use of your personal information, you can contact our DPO at wlm-tr.dpo@nhs.net or by writing to

Information Governance Team
West London NHS Trust
A block
1 Armstrong Way
Southall
UB2 4SD.

Personal information is any information that can be used to identify you. We may collect the following personal information about you:

Categories of information Types of information within each category
Personal details Such as your name, gender and date of birth

Contact details

Such as your address and telephone number(s)

Details of each contact that we have had with you

Including home visits and telephone consultations

Records of your health and wellbeing

Including reports from other healthcare providers

Details of your care and treatments

Including test results and investigations that have been undertaken

Relevant information from people who care for you

Including other health and care providers, carers and relatives

Information about your family and friends

Such as dependants, next of kin and emergency contact numbers

Security information

Such as CCTV footage

Biometric data

For identification purposes (fingerprints, photo of visitors and staff to our High Secure Areas)

 

This information is referred to as 'personal data' under the data protection legislation and 'personal confidential data' under the Caldicott Principles. Under both the data protection legislation and the Caldicott Principles we are required to ensure that your information is treated in confidence and with respect.

Some of the information which we collect about you may be “special categories of personal data”. Special categories of personal data require a greater level of protection. The special categories of personal data about you which we may collect include your racial or ethnic origin, your religious beliefs, information about your sex life or sexual orientation and information about your health.

The above information which we collect about you will be obtained through a variety of sources which include:

  • From you directly via any direct access with our healthcare services
  • From your friends and relatives who provide us with information about you
  • From anyone who has the authority to act on your behalf such as a power of attorney or deputy
  • From your GP
  • From other healthcare professionals and officers in the local authority, social services department and emergency services; and
  • From any other (current and/or previous) healthcare and care providers.

We use the types of personal information listed above for a number of purposes, each of which has a ‘lawful basis’. 

In accordance with the data protection laws, we need a ‘lawful basis’ for collecting and using information about you. There are a variety of different lawful bases for using personal information which are set out in the data protection laws.

We have set out below the different purposes for which we collect and use your personal information, along with the lawful bases we rely on to do so.

Why we use your information

Our lawful basis for using your information

To keep and maintain an accurate record of your medical history: To help inform decisions that we make about your care, including diagnosis, decisions around medical intervention and prescriptions and to plan your care and treatment. 

 

 

 

 

 

 

 

 

 

 

 

 

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR.

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To provide you with safe and effective care and treatment: To provide you with safe, appropriate and personalised care and treatment as one of our service users and ensure that we meet your individual requirements. This will include us using your personal information for the following reasons:

  • Delivering the healthcare and personal care you require;
  • Determining your capacity for decision making;
  • Meeting your dietary requirements; and
  • Reviewing care provided to ensure it is meeting your needs.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To work effectively with other organisations who may be involved in your care: To send information regarding your health to others, such as your GP, other healthcare and/or social care providers for continuity of care and to ensure that your needs are being meet appropriately.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:


Public task 
The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To communicate with you:

We will use your personal information to contact you/anyone who has authority to act on your behalf, regarding your health, care, treatment, appointments and/or test results.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:


Public task
The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:


Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

For identification: When visiting our high secure hospital we will collect biometric data (photo and fingerprints) for identification purposes.

The legal basis we rely on to process your personal data is article 6 (1) (a) of the GDPR:


Consent


The legal basis we rely on to process your special category data is article 9 (2)(b) of the GDPR:


Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law in so far as it is authorised by Union or Member state law…

For security: We may need to capture images of you as part of our security processes to ensure the safety of our staff, service users and members of the public. This may include the use of CCTV systems.

The legal basis we rely on to process your personal data is article 6 (1) (f) of the GDPR:

 

Legitimate interest
To conduct clinical audits and prepare statistics on NHS performance: To check the quality of care provided to you to identify areas where we may need to improve. We do this by collecting information from the records of groups of patients who have similar conditions or have received similar treatments, and comparing this with what we know are the best standards of care. This helps us to identify areas where we need to make improvements. Information is anonymised as soon as possible.

The legal basis we rely on to process your personal data is article 6 (1) (e) of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State

To improve our services: You may choose to complete our patient survey, to help us to improve the services we provide to you and others.

The legal basis we rely on to process your personal data is article 6 (1) (a) of the GDPR:

Consent

To train and monitor our staff:

Your records help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymous feedback from patient surveys) to audit and improve our services and ensure they meet your needs.

Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.

Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*

To conduct medical research: To help plan services, improve care provided and to conduct research into developing new treatments and preventing diseases, understanding more about disease risks and causes, improving diagnosis and improving patient safety.

The legal basis we rely on to process your personal data is article 6 (1) (f) of the GDPR:

Legitimate interest
The legal basis we rely on to process your personal data is article 6 (1) € of the GDPR:

Public task
The legal basis we rely on to process your special category data is article 9 (2)(j) of the GDPR:

Processing is necessary for archiving purposes in the public interest, scientific or historical research

To investigate concerns or complaints: To ensure that any concerns or complaints you may have about your healthcare are appropriately investigated and responded to.
 

The legal basis we rely on to process your personal data is article 6 (1) € of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

For safeguarding and regulation: We use your personal data for the purpose of safeguarding and regulation of care.
 

The legal basis we rely on to process your personal data is article 6 (1) € of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

To collect data about public health matters: To protect against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medical products or devices.
 

The legal basis we rely on to process your personal data is article 6 (1) € of the GDPR:

Public task

The legal basis we rely on to process your special category data is article 9 (2)(h) of the GDPR:

Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law…

   
   
   

 

 

 

There are circumstances where we need to share your information without your consent. For example:

  • When the health and safety of others (including members of staff) is at risk;
  • To ensure we provide you with the correct care;
  • To protect public health;
  • When the law requires information to be passed on;
  • For the prevention or investigation of serious crime;
  • Under a court order;
  • When sharing is in the public interest; or
  • Where there are safeguarding concerns for vulnerable people.

Information may not be shared if it is believed it may cause serious harm or distress to you or to another person.

Sometimes it is necessary for us to share information with another organisation. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We may also share your information with third parties such as:

  • Your friends, family and others: including anyone who has the authority to act on your behalf such as a power of attorney or deputy, where appropriate to do so for the provision of your health or social care, in the vital interests of you or others (or with your consent where applicable);
  • Other healthcare providers and multi-disciplinary teams: for direct care purposes, we will share information about you with other healthcare providers such as other NHS Trusts, your GP, community staff/district nurses, hospital staff, emergency services, NHS 111, social services and local authorities;  
  • Regulators / safeguarding authorities/commissioners: such as child and adult safeguarding services (e.g. MASH), the Care Quality Commission and Public Health England. We share your personal data with these public bodies where we are required to do so by law or a regulatory obligation;
  • The police and other law enforcement agencies: in limited circumstances we may share your personal data with the police if required for the purposes of criminal investigations and law enforcement;
  • Service providers: such as external IT providers, systems maintenance providers, language and sign language interpretation/translation and telephone call recording for monitoring purposes;​​​​​​​
  • Professional advisors: such as lawyers, in the exercise or defence of legal claims;​​​​​​​
  • Charitable organisations: such as organisations that can help with support for you and your family, provision of hospice care and funding of treatments, with your consent; and​​​​​​​
  • Bulk mailing providers: in order to communicate with patients to satisfy our legal obligations and provide you with relevant healthcare information.

We will not transfer your data outside of the European Economic Area.

We typically will only use your personal information for the purposes for which we collect it.

It is possible that we will use your information for other purposes as long as those other purposes are compatible with those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

We may also use your personal information for other purposes where such use is required or permitted by law.

You have the right to confidentiality under the General Data Protection Regulation EU 2016/679 (GDPR), the Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA), the Health and Social Care Act 2012 (HSCA), as well as the common law duty of confidence. 

The Equality Act 2010 may also apply in some circumstances.

Under certain circumstances, by law you have the right to:

  • Be kept informed about how and why we use your personal information.
  • Request access to the information we hold about you (commonly known as a "data subject access request"), which enables you to receive a copy of that information and check that we are lawfully processing it;
  • Request correction of any incomplete or inaccurate information we hold about you;
  • Request erasure of your personal information where there is no good reason for us continuing to process it;
  • Object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
  • Request the restriction of processing of your information, for example if you want us to establish its accuracy or the reason for processing it;
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact our DPO by writing to wlm-tr.sar@nhs.net or contact the Information Governance Team. 

Information Governance Team
West London NHS Trust
A block 1 Armstrong Way
Southall
UB2 4SD

All organisations providing care for the NHS or on its behalf must follow the same strict policies and controls as managed by the Department of Health’s Information Governance Framework.

The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances; for example, where we are required to so by law. In all cases, where personal information is shared, either with or without your consent, a record will be kept.

Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality. 

We only keep your information for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

Details of retention periods for different aspects of your personal information are available in our retention policy which is available from our DPO by writing to wlm-tr.dpo@nhs.net or contact the Information Governance Team.

Information Governance Team
West London NHS Trust
A block 1 Armstrong Way
Southall
UB2 4SD

The GDPR, the DPA and other data protection laws

We will comply with data protection law. At the heart of data protection laws are the 'data protection principles' which say that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way; 
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date;
  • Kept only as long as necessary for the purposes we have told you about; 
  • kept securely.

The Caldicott Principles

We will comply with the Caldicott Principles, which set out that we must:

  • Justify the purpose(s) for using confidential information;
  • Not use patient identifiable information unless it is absolutely necessary;
  • Use the minimum necessary patient identifiable information;
  • Restrict access to patient identifiable information on a strict need-to-know basis;
  • Ensure everyone with access to patient identifiable information is aware of their responsibilities;
  • Comply with the law; and
  • Be aware that the duty to share information can be as important as the duty to protect patient confidentiality.

We want to ensure that the information contained within this privacy statement is relevant and accessible for use by the people who use our children’s services.

That includes clinicians, carers, families and children. Please read the child-friendly version of the privacy policy. (PDF)

To improve your individual care, plan local services, research new treatments and speed up diagnoses, we may at times safely and securely share data with external researchers, organisations and analysts who can assist us with these processes.

We only share what is necessary for each piece of research and where possible, information is removed so that you cannot be identified. However, you can choose not to have information about you shared or used for any purpose beyond providing your own treatment or care.

This is known as the national data opt-out. If you choose to opt out, West London NHS Trust will apply your opt out immediately.

All other health and social care organisations have been required to apply your opt-out from March 2020.

West London NHS Trust shares information about you (your personal confidential data) for the Improving Access to Psychological Therapies (IAPT) Data Set, to help achieve better outcomes and experiences of care.

NHS Digital has been directed by NHS England under section 254 of the Health and Social Care Act (HSCA) 2012 to establish and operate a system for the collection and analysis of IAPT information from providers.

The Trust previously used to seek consent for data to be sent to NHS digital. This has now changed as we are now mandated to send all data. Service users must use national data 
opt-out to control how their data is processed.

Under GDPR, the Trust’s lawful basis for processing is Article 6 (1) (c), which relates to processing necessary to comply with a legal obligation to which we are subject. Our lawful basis for processing special category data is GDPR Article 9 (2) (h) and Schedule 1, Part 1 (2) (2) (f) of the Data Protection Act 2018.

  • The data set collects information about demographics (e.g. postcode, date of birth, ethnic category), referral, treatment and outcomes details.
  • The data will be securely sent to NHS Digital which is the central organisation that receives the same data from all NHS-funded IAPT services across England.
  • The data set is used to produce anonymised national reports that show summary numbers of, for instance, numbers of patients referred to different IAPT services across the country as well as average waiting times and outcomes.
  • The reports help the NHS to improve the care it provides to you and other patients.
  • No information that could reveal your identity is used in these reports.
  • The data may be linked with other sources of data to support a wider range of information within these national reports, such as to investigate the relationship between IAPT services and other care services.

For more information about how NHS Digital uses IAPT data including their lawful basis for processing, how long they hold it for and your rights, please see the GDPR register.

Find more information about the IAPT Data Set on the NHS Digital IAPT web pages visit the NHS Digital website. 

This section of the privacy statement describes how we may use your information to protect you and others during the Covid-19 outbreak. 

We may amend this section of the privacy statement at any time.

Patient information

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. 

Using this law the Secretary of State for Health and Social Care has required organisations to 
to share confidential patient information to respond to the Covid-19 outbreak. These are: NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); Local authorities; Health organisations and GPs. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. 

See gov.uk. See FAQs on the law.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. See gov.uk for information on National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests while we focus our efforts on responding to the outbreak.

To look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. 

See how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. 

This includes data already collected by: NHS England; NHS Improvement; Public Health England; NHS Digital. New data will include: 999 call data; Data about hospital occupancy; Emergency department capacity data; Data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation. In such circumstances where you tell us you are experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Staff information (the following only applies to employees working for the Trust)

HR and non-HR teams of the Trust may collect and process information relating to your Covid-19 self-isolation status, test results and confirmed diagnosis. 

This is to help with workforce planning and ensure continuity of services. Information will only be shared with other NHS organisations, such as NHS England and Clinical Commissioning Groups, in an appropriate and proportionate manner.

The lawful bases and conditions to enable this processing are listed under Articles 6 and 9 of the GDPR and include the following:

  • Article 6(1)(c) (“necessary to comply with legal obligations”)
  • Article 9(2)(b) (" employment,="" social="" security="" and="" protection")=""

This is because, in the UK, there is a requirement under the Health and Safety at Work etc. Act 1974 for employers to take reasonable steps to look after the health, safety and welfare of staff. As such, it is reasonable for the Trust to collect certain information (such as information about confirmed diagnosis) as part of the organisation’s general duty to safeguard health and safety.

Indeed, the concept that employers may have a role to play in relation to coronavirus has been highlighted in the Government’s recent guidance for employers and businesses on dealing with Covid-19.

You have the right to complain to the Information Commissioner's Office (the ICO) if you are not satisfied with the way we use your information. 

You can contact the ICO by writing to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow 
Cheshire
SK9 5AF

We reserve the right to update this privacy statement at any time, and we will provide you with a new privacy statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.