Privacy and Your Data
East London NHS Foundation Trust is committed to protecting your privacy when you use our services.
This privacy notice explains:
- Who we are, how we use your information and who our Data Protection Officer is
- What personal information about you we process
- What are the legal grounds for processing your personal information (including when we share it with others
- What you should do if your personal information changes
- How long we retain your personal data
- What are your rights under data protection laws
- How to object or complain about data usage
Who We Are
ELFT provides a wide range of community and inpatient services to children, young people, adults of working age, older adults and forensic services to the City of London, Hackney, Newham, Tower Hamlets, Bedfordshire and Luton. We provide psychological therapy services to the London Borough of Richmond.
In addition, the Trust provides forensic services to the London Boroughs of Barking and Dagenham, Havering, Redbridge and Waltham Forest, and some specialist mental health services to North London, Hertfordshire and Essex.
The specialist Forensic Personality Disorder service serves North London.
The Trust recently acquired community services in Tower Hamlets and Bedfordshire.
Our registration with the Information Commissioner
We are registered with the Information Commissioner’s Office to process personal and special categories of data under the Data Protection Act 2018. Our registration number is Z5601596.
Our Data Protection Officer
Our Data Protection Officer makes sure we respect your rights and process your personal information according to the law. If you have any concerns or questions about how we look after your personal information please contact the Data Protection Officer, Chris Kitchener, email elft.dpo@nhs.net or call us on 020 7655 4000.
In some locations we may use CCTV, usually to help maintain your safety. An explanation of their purpose is clearly displayed near our CCTV cameras and advises who to contact if you have questions about their use.
We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others.
We keep your personal information according to the NHS records management code of practice.
We do not store or routinely send your information overseas. If you need a copy of your records to be transferred out of the UK please discuss this with us.
We keep a list of our suppliers and the systems they provide where they contain personal information. This is regularly updated. Please ask to see a copy if you have concerns or want to know more about how we process personal information.
How your personal information is used
Your clinical care team and other health and care professionals caring for you keep records about your health and any treatment and care you receive from the NHS and other related agencies. The data we hold about you includes basic information such as name, address and other contact details. We also collect sensitive confidential data (known as ‘special category personal data’). This includes your health information, and if we need this information to care for you, your religious beliefs and sexual preferences. Your health information may include:
- Details about you such as your address, carer, legal representative and emergency contact details
- Contacts we have had with you – appointments, clinics, in-patient stays
- Details about your health, treatment and care
- Relevant information from other professionals, relatives or those who care for you
How do we lawfully use your data?
We need this information to help provide you with the best possible healthcare.
We process and share information in line with the Health and Social Care Act 2015, the Data Protection Act 2018 and the GDPR (General Data Protection Regulation) article 9 (processing of special categories of personal data):
9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
Your information is shared for health and social care purposes. Not sharing information may lead to a clinical risk, safeguarding issues or concerns about your care, and may have an impact on the care and treatment that we or our partners are able to provide. Where it supports your care we may also share your information with education and voluntary and private sector agencies (including care homes) working with us. We will also upload demographic and key clinical information to local integrated clinical systems accessed by local agencies. This is only ever accessed on a strict need to know basis. In most other circumstances we will seek your consent to share your information.
We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others.
If we use the information for research purposes that identifies you we will seek your consent first. If you do not want your information to be used for research purposes you can also register your choice nationally through the National Data Opt-Out initiative at www.nhs.uk/your-nhs-data-matters.
You may want to consider treatment through another provider if do not agree with the above.
What formats do we use to keep your information safe?
The records we hold about you are mostly electronic, but some may be kept on paper (especially older records). We use a combination of working practices and technology to make sure your information is kept confidential and secure.
If you give us your email address we will use that to contact you. If you give us your mobile phone number we may use it to send you SMS messages about your appointments. We will never disclose any special categories of your personal data in a text message.
How long will we store your information?
We keep your personal information according to the NHS records management code of practice.
We do not store or routinely send your information overseas. If you need a copy of your records to be transferred out of the UK please discuss this with us.
How can you access your personal information?
You have a right under Data Protection legislation to request a copy of the information we hold about you, or to ask to see it. If you are currently receiving care from us, speak to someone in the team where your care is taking place and they will be able to help you. Otherwise please send your request to elft.accesstorecords@nhs.net .
You will need to give us adequate information about you to verify your identity (name, address, date of birth, NHS number and what information you are requesting). We may ask you to provide documents to confirm your identity.
There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond. When this happens we will let you know.
If your personal information changes, please tell the team where you are receiving your care so we can update your records.
If you think the information we hold about you is inaccurate please state this clearly in writing to elft.palsandcomplaints@nhs.net
We can change factual information if it’s incorrect. We are not able to change clinical opinions. If you think these are wrong please set out why you think this and we will add it to your clinical record to make this clear.
Where you have given consent for us to process your information (such as for research purposes) you can withdraw your consent. Please put this in writing to us.
Objections and complaints
If you have any concerns about how your information is managed you can speak to the clinical team where you are receiving your care.
Alternatively, our Patient Advice and Liaison Service (PALS) can help. They can be contacted at elft.palsandcomplaints@nhs.net
Our Data Protection Officer can also listen to your concerns or give you advice about your rights in respect of the data we hold about you. Contact her by email at elft.dpo@nhs.net or by phoning 020 7655 4000 and asking to speak to the Data Protection Officer.
If you are still concerned you have the right to complain to the Information Commissioner:
Call their helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). Or see the ICO website https://ico.org.uk/
Shared Care Records
As part of our digital journey as a Trust, we share records with the health and care providers that are directly involved in a service user's care.
By sharing care records, staff can deliver fast and frictionless care and patients can be sure that everyone involved in their care - their GP, hospital, community health, mental health and social care teams – are all up to speed.
We use a number of different systems that link the various health and care systems in operation across our two ICS's: North East London and Bedfordshire, Luton and Milton Keynes. Find out more here.
How do we lawfully use your data?
We process and share your information under Article 6 1(e) of the UK General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller).
How your personal information is used?
As a Foundation Trust, we have a statutory requirement to process membership data in our capacity as a public body. We process membership data to maintain membership, run annual elections and ensure the membership is representative of our communities. We need information about you so that we can manage and maintain the Trust membership system. Trust membership is an inherent part of the governance arrangements of a Foundation Trust and is authorised under the NHS Constitution.
Your information is securely on a database held by an external provider who has physical security controls together with accredited IT security.
We may share your information with an external provider during public consultation exercises, for you to participate in governor elections or any other related purposes. We do not sell your information and we do not use it for marketing purposes.
The information we hold about you will only be used to contact you about the Trust, membership or other related issues.
How long will we store your information?
We keep your personal information according to the NHS records management code of practice. We do not routinely store or send your personal information overseas.
If you withdraw your membership we will not retain your personal information. You may also request that your information is removed or forgotten or that you do not give us your consent to process your personal information. This would mean you would be unable to continue as a member or governor.
What formats do we use to keep your information safe?
The records we hold about you are electronic.
How can you access your personal information?
You have a right under Data Protection legislation to request a copy of the information we hold about you or to ask to see it. If you are a public member, speak to someone in the membership team who will be able to help you, or email them at elft.membership@nhs.net. If you are a staff member, contact your local HR representative. Otherwise please send your request to elft.accesstorecords@nhs.net. You will need to give us adequate information about you to verify your identity (name, address, date of birth, and what information you are requesting). We may ask you to provide documents to confirm your identity. There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond. When this happens we will let you know.
By staff, we mean applicants, employees, former employees, agency staff, apprentices, volunteers, trainees, secondees and contractors.
How do we lawfully use your data?
We process and share your information under Article 6 1(b) of the General Data Protection Regulation (processing is necessary for the performance of a contract), Article 6 1(a) (consent has been given for the processing of personal data) – this mostly applies to the sensitive categories of information you give us when you apply for a job as this ensures we treat you fairly and equitably. We will also seek your consent if we want to refer you to occupational health or similar external agencies.
How your personal information is used?
To carry out our activities and obligations as an employer we process your personal information where required in relation to:
- name, home address, telephone, personal email address, date of birth, national insurance number, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee's application for and employment with us national insurance number
- special categories of personal data: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfil legal requirements)
- absence information, e.g. annual leave, sickness absence, study leave, maternity leave, paternity leave, occupational health clearance information
- qualification and training information
- statutory and voluntary registration data
When you are no longer our employee, we may continue to share your information as described in this notice as long as this is fair and lawful.
We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, to HM Revenue and Customs, Pensions Agencies, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others.
We also share information through ESR and with our payroll provider to enable us to pay you.
How long will we store your information?
We keep your personal information according to the NHS records management code of practice. We do not store or routinely send your personal data overseas.
What formats do we use to keep your information safe?
The records we hold about you centrally are mostly electronic. Records held locally by your manager may be either in electronic or paper format.
How can you access your personal information?
You have a right under Data Protection legislation to request a copy of the information we hold about you, or to ask to see it. If you are employed with us contact your local P&C representative.
Otherwise please send your request to elft.accesstorecords@nhs.net . You will need to give us adequate information about you to verify your identity (name, address, date of birth, and what information you are requesting).
We may ask you to provide documents to confirm your identity. There is no charge for this. We will respond to you within one month unless your request is extensive or complex and make take us up to three months to respond.
When this happens we will let you know.
Find out about your right to object here.
If you have any concerns about how your information is managed you can speak to the clinical team where you are receiving your care.
Alternatively, our Patient Advice and Liaison Service (PALS) can help. They can be contacted at elft.palsandcomplaints@nhs.net
Our Data Protection Officer can also listen to your concerns or give you advice about your rights in respect of the data we hold about you. Contact her by email at elft.dpo@nhs.net or by phoning 020 7655 4000 and asking to speak to the Data Protection Officer.
If you are still concerned you have the right to complain to the Information Commissioner:
Call their helpline on 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). Or see the ICO website https://ico.org.uk/
The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by clicking on "Your Health" in the NHS App, and selecting "Choose if data from your health records is shared for research and planning".
Find out more here: www.digital.nhs.uk/services/national-data-opt-out
Your Records & You - ELFT's Information Leaflet for Service Users (2021).
Your Records & You - Information Poster
What information we collect about you and why we do this?
We need to make a record about you to help give you the best possible care. Each time you use our services we record why you were here, things we have told you, what medicines we have given you and what care you are getting from us. Sometimes if they tell us we will record information from other organisations involved in your care. We record personal information such as your name, date of birth, address and NHS number. This is to make sure we know where you are if we need to contact you. Having a record about you means we can look back at what we have done for you and make sure you are getting the best possible care.
Where we save information about you
Your information will be stored safely on our clinical systems. Only people involved in your care will be able to see it. We have strict rules to make sure your information is stored securely. All our staff have training to make sure they understand this.
Who we share your information with
We share your information with your doctor, other hospitals, schools or social services. This is to make sure all the people who care for you know exactly who you are and what you need. We only share information necessary to care for you. We are allowed to do this under something called the General Data Protection Regulations and we do not need your consent as this sharing information helps all organisations involved in your care to provide the best possible treatment.
Usually we will also share your information with your parents or guardians unless you tell us not to do this. If you don’t want us to include your parents or guardian then we’ll need to make sure you fully understand what you are telling us and why you’ve said this. Sometimes we may not agree with you and make a decision in your best interests.
Using technology to help care for you
Sometimes instead of coming to see us we may want to use video to meet you electronically. This is usually over something called Teams, or we may phone you. We will always make sure you are comfortable with this and can help you if you are worried about using technology. We might also use technology to help you learn about how to manage an illness, so we may send you links to websites or apps if we think it will help you.
Seeing the information we hold about you
You can ask us to show you or give you a copy of the information we have about you. We may ask you to give us some details like who you are and where you live, to make sure we are giving your information to the right person. If your parents or guardian ask to see your information we may ask them to show in writing that you agree to this. If you say no, then usually we won’t then share your information with them.
If you think the information we hold about you is wrong
If you think something is incorrect then please talk to the team who are providing your care. They can correct facts that are wrong (like your name, address, colour of your hair) but they can’t correct their opinions and what your diagnosis is. Our PALS team (elft.pals@nhs.net ) can put you in touch with your clinical team, or the Data protection Officer who can also help.
How long we keep your information for
We will keep your information until your 25th birthday, or your 26th birthday if you were 17 you’re your treatment with a children’s services team ended.