Privacy Notice

This page explains how we use any information you give to us, and the ways in which we protect your privacy.

Why we need your personal information

We collect information about you mainly to provide you with health and care services. This is in accordance with the statutory obligations under the NHS Act 2006 and Health and Social Care Act 2012.

The information we collect is used for medical purposes that include:

• preventative medicine
• medical diagnosis
• medical research
• provision of direct care and treatment

We collect your personal information so that your care team has accurate and up-to-date information to plan your treatment options.

The new data protection law

The General Data Protection Regulation (GDPR) regulates the processing of personal data for health and social care, especially special categories like health data. Health providers must demonstrate lawful bases under Article 6 and satisfy conditions under Article 9 for special category data. Relevant clauses include:

• Article 6(1)(e): Necessary for the performance of a task carried out in the public interest
• Article 9(2)(h): Necessary for medical diagnosis, care, treatment, or management of health or social care systems
• Article 9(2)(i): Necessary for reasons of public interest in public health
• Article 9(2)(j): For research or statistical purposes under appropriate safeguards

What information we collect about you

Health and care organisations have a legal duty to keep complete, accurate and up-to-date information about your health. This is so that you can receive the best possible care, both now and in the future.

This information is known as your ‘health record’ and is stored securely on managed systems. The information stored includes:

Category	Data type
Identifiers	Your name, date of birth, NHS Number.
Contact details	Your address, telephone number, email address (if provided).
Support contact details	Names, contact details of carers, relevant close relatives, next of kin, representatives.
Physical, social or mental health situation or condition	Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving.
Protected characteristics	Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the people being cared for.

Who will access your information?

People who have access to your information will only normally have access to that which they need to fulfil their roles. For instance:

• Admin staff: name, address, contact details, appointment history, registration details
• Practice nurses: immunisation, treatment, allergies, recent contacts, active and important past histories
• GPs: normally have access to everything in your record

Where we get your information from

• Your GP
• Directly from you or a friend or relative
• Other health and care organisations
• Local authorities, schools, government agencies

Typically, we get information by referral. For example, if your GP decides you need an appointment with a hospital team or social care professional, they will provide those professionals with information about you so that you can be supported appropriately.

All care professionals, and others working with them in care services, have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Who we share your information with

We will share your information with those health and care partners who are directly involved in your care. These may include:

• Local NHS hospitals
• Your GP practice
• Local voluntary and private care providers
• Urgent and emergency care services, such as NHS 111 and the London Ambulance Service

You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need to. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They should only share information with your permission.

We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we do, such as if someone’s health and safety is at risk or if the law requires us to pass on information.

Watch a short animation that explains how your personal data is used in health and care.
If you would like to understand the structure of the NHS in England, core organisations and their roles, click here.

Why we share your information

People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.

See a list of all regional care partnerships

These services are not restricted by geographical boundaries or by organisational structures. There is also crossover in the information these services need to make sure the care they deliver is safe and of the highest quality. Health and care services use a range of IT systems and increasingly there is the ability to share special category personal data between systems. Care professionals and others supporting your care use IT systems developed and monitored according to strict rules to share your personal data securely and lawfully.

If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.

You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.

London Care Record

Lambeth Healthcare LTD. uses a shared record system called the London Care Record. The London Care Record is a secure view of your health and care information and lets health and care professionals involved in your care see important details about your health when and where they need them.

Having a single, secure view of your information helps speed up communication between care professionals across London, improves the safety of care and can save lives.

Watch the video: What is the London Care Record

London Care Record can only be lawfully looked at by staff who are directly involved in your care. Your information isn’t available to anyone who doesn’t need it to provide treatment, care and support to you. Your details are kept safe and won’t be made public, passed on to a third party who is not directly involved in your care, used for advertising or sold.

For more information please read the London Care Record privacy notice for South East London.

Opting out of the London Care Record

You have the right to object to your information being available through London Care Record. Although patients have the right to object and request restrictions on sharing their records, there may be instances where this request will not be upheld due to a clinical need as determined by the direct care giver.

Please discuss this with your GP/health and social care worker. Further information can be found in this London Care Record leaflet.

For advice, contact Lewisham and Greenwich Trust who manage the London Care Record for South East London: Visit the website or call 020 3192 6011.

Personal health records

Your health and care providers, such as your GP and hospitals, are increasingly providing online secure platforms for you to access your health information.

• GP Online Services: Secure online service where you can book or cancel appointments, order repeat prescriptions, view parts of your GP record including medication, allergies, vaccinations, test results and referral letters.
• Healthlocker: A secure online platform for you, carers and care teams. It promotes supported self-management of your care with secure online options to improve communication and provides access to information about your treatment and care.

Other uses of your personal information

Using information for commissioning or regulatory compliance

Commissioning is when organisations plan and pay for health care services. Health and care commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care, but they do not need to know who you are.

Commissioners use intermediary services called Data Services for Commissioners Regional Office (DSRCO). These services analyse and convert coded clinical information into a format that commissioners can legally use. This data does not reveal your identity.

Find out more about Data Services for Commissioners.

NHS Digital, now part of NHS England, can provide coded data securely to commissioners under the Health and Social Care Act 2012. NHS Digital, through its DSCROs, is allowed by law to collect, hold and process your personal data. This is for purposes beyond direct patient care, to support commissioning organisations and local authorities.

About NHS Digital
How NHS Digital looks after your information

Service evaluation contributes to the overall quality and effectiveness of clinical services to you and groups of patients. It covers:

• Care services management
• Preventative care and medicine
• Health and social care research

Service evaluations are routinely undertaken using anonymised data. Where identifiable information is to be used, it will be done lawfully and securely to protect your privacy.

Risk Stratification

Identifiable and clinical data about you, for the purposes of risk stratification, is held securely. GPs use this data to provide world-class health care. Risk Stratification is the process where your GP uses your personal and health data to target specific patient groups and enables clinicians with the duty of care for the patient to offer appropriate services. It also aids Commissioners to understand service use and to target interventions to improve care services within the Borough.

Risk stratification will enable GPs to:

• Identify patients within their practice at the highest risk of unplanned hospital admission
• View patient timelines showing a linked history of interactions with primary and secondary care
• View a patient’s risk history
• Deliver proactive care to those who need it
• Provide relevant clinical information to support care management
• Enable proactive intervention for a patient at risk of deterioration

You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to comply with our legal obligations.

Risk stratification involves applying computer-based algorithms or calculations to identify those patients registered with the GP surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

Using information for research

Most care teams work with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They must follow strict rules to ensure your personal data is always kept secure and confidential.

Where possible, researchers will remove information that could identify you, such as your name, address and postcode. If they cannot practically remove such information, they must obtain your explicit permission (consent).

We work with healthcare partners, researchers and technical experts to develop systems such as the Clinical Record Interactive Search and techniques such as pseudonymisation (using special codes) to protect your confidentiality.

Learn about Clinical Record Interactive Search (CRIS)
King’s Health Partners Informatics
HRA – Data protection and information governance

In exceptional cases, researchers may seek ‘section 251 support’ under the health service (control of patient information) regulations. This allows the use of personal data without permission where it is not practical to obtain consent, but only under strict independent review.

See Confidentiality Advisory Group registers

Clinical data linkages

Regional partnerships between care providers, such as GPs, hospitals and universities, allow secure linking of healthcare data from different sources within a regulated NHS environment. This improves the quality of information and enables researchers to look at your healthcare in more detail. Any information that may identify individuals is removed before researchers can access it.

Research recruitment

You can give your care coordinator advance permission for researchers to contact you in the future if you match the criteria of a trial. This is known as ‘consent for contact’ and will be noted in your health records. You will only be contacted by a research nurse, who will explain the study in more detail.

Other ways your information is used

• Handling complaints you have made about services
• Recording incidents you may have been involved in while receiving treatment
• Managing any work with us, including volunteering, public engagement or projects with partners
• Delivering training, education or supervision to you
• Use of CCTV or multimedia devices

NHS Work based CVD Health Checks and Vital 5 Programme

Any personal data collected as part of this programme will be put into an aggregated and anonymised format that will not be identifiable before sharing with the DHSC and the programme’s evaluator.

How we keep your information secure

Your health and care providers store and use large volumes of sensitive personal data every day, mostly stored electronically. These systems are managed by NHS IT departments or approved suppliers.

You can find more information on how your information is kept securely on NHS information systems at this link: How NHS Digital looks after your information.

We take our duty to protect your information very seriously. We are committed to ensuring confidentiality and security of personal data. Examples include:

• Encrypting all outgoing email containing personal data
• Reviewing our information storage and processing practices
• Providing staff training on handling data securely

At the most senior level, we have:

• A senior information risk owner accountable for information management
• A Caldicott guardian responsible for patient information and confidentiality
• A Data Protection Officer overseeing lawful and best-practice data use

See details of these senior responsible officers and their contact details.

Your legal rights

Lawful basis for processing data

• Data Protection Act 2018 - Schedule 1(2)(d): Processing necessary for provision of health care or treatment
• UK GDPR - Article 6(1)(e): Processing necessary for tasks carried out in the public interest
• UK GDPR - Article 9(2)(h): Processing necessary for provision of health or social care

You have several rights under data protection law:

• Right to be informed: This Privacy Notice ensures transparency about how your data is used.
• Right of access: You can request confirmation of what information is recorded about you, how it is used, and access to your personal health information. This is done via a Subject Access Request (SAR).
• Right to rectification: You can correct inaccuracies or incomplete data. Professional opinions cannot be removed but you can add personal statements.
• Right to deletion: In limited circumstances, you can request deletion of your information (with exceptions due to legal retention requirements). See the Record Management Code of Practice.
• Right to object: You can object if data is used for purposes such as marketing, research or statistical purposes, but not generally for direct care.
• Right to restrict processing: You can request data to be stored but not used if you have a dispute about accuracy or lawful use.

We will respect these rights whether you are an adult or a child. Parents or guardians’ wishes will be respected for children under 14.

What other information we collect

We collect information on all staff we employ, volunteers, agency staff and those with honorary contracts. The data is used for administrative, academic and statutory purposes and to support health and safety.

Data type	Purpose of collecting
Names, addresses, telephone numbers	Employment contracting
Emergency contact details	Emergency situations
Employment records, training, references	Statutory employment, performance management, professional development
Bank, National Insurance and pension details	Payment of salaries and claims
Nationality/domicile	Proof of eligibility to work in the UK
Ethnicity	Equality monitoring, equal opportunities
Medical information	Adjustments to work, management of disability rights
Religious beliefs	Spiritual support, equality monitoring

More details: NHS SBS Employment Services | NHS SBS Finance & Accounting

Other bodies

In some exceptional circumstances we must share staff information with official bodies due to legal obligations. These may include:

• Disclosure and Barring Service
• Home Office
• HMRC
• Banks or building societies (for mortgage references)
• Educational, training and academic bodies
• Department for Work and Pensions (DWP)

If you want to complain

If you think that information in your NHS records is wrong, speak to the health professional looking after you or contact the information governance team. If your request is denied, a statement of your views will be added to the record.

If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. Call 0303 123 1113 for more information.

Data Controller Contact Details

Lambeth Healthcare Ltd
Unit 7, The Viaduct Business Centre,
360A Coldharbour Lane,
London SW9 8PL
Tel: 0208 175 0145

Further information

Please talk to the team looking after you if you want to know more about how we use your health records or if you do not want your information used in any of the ways described here.

V1.2 — Updated October 2024 - CN