Privacy statement

Key Points 

  • Why we use your personal data: We typically use your personal information (including special categories of personal data such as information about your health) to provide safe and effective care and treatment to you.  
  • Who else has access to your personal data? In order to provide you with the care and treatment you need, we may share your personal information with third parties, such as other healthcare providers and third party service providers.

  • Security of your personal data: We respect the security of your data and treat it in accordance with the law.
  • Transferring your data internationally: Where we are obliged to transfer data outside of the EU, we will ensure that this is done in accordance with the law.

What is the purpose of this privacy statement?

This privacy statement explains what information is collected about you, why it is collected and the ways it is used. West London NHS Trust recognises how important it is that you are fully aware of the information we collect and hold about you as well as how we share that information.

In order to provide a healthcare service, we need to collect and use personal information for a range of purposes. Primarily, we collect data for healthcare and administration purposes. There are some cases where it is necessary and a legal requirement to process your personal information even without your consent.

To ensure that your information is kept confidential and that your data is kept safe and secure, all our staff are given training in data protection and information governance before they start work with us. Current staff must also undertake regular refresher training courses tailored to their individual roles.

This statement applies to all of our current and former patients. We may update this statement at any time.

If we do not have accurate, up to date information, this may impact on the services (such as effective treatment) that we provide. It is important that you inform us of any changes to your personal information (such as your contact details) we hold about you so that the information which we hold is accurate and current.

Who are we?

We are West London NHS Trust (the Trust/we/us). Our head office is located at 1 Armstrong Way, Southall, UB2 4SD.

We are a "data controller" in respect of the information we hold about you. This means that we are responsible for deciding how we use your personal information.

Our Data Protection Officer (DPO)

Our DPO is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws. If you have any concerns or questions about our use of your personal information, you can contact our DPO at wlm-tr.dpo@nhs.net or by writing to Information Governance Team, West London NHS Trust, A block 1 Armstrong Way, Southall, UB2 4SD.

Information we hold about you

Personal information is any information that can be used to identify you. We may collect the following personal information about you:

Categories of information, with the types of information within each category:

  • Personal details: Such as your name, gender and date of birth
  • Contact details: Such as your address and telephone number(s)
  • Details of each contact that we have had with you: Including home visits and telephone consultations
  • Records of your health and wellbeing: Including reports from other healthcare providers
  • Details of your care and treatments: Including test results and investigations that have been undertaken
  • Relevant information from people who care for you: Including other health and care providers, carers and relatives
  • Information about your family and friends: Such as dependants, next of kin and emergency contact numbers
  • Security information: Such as CCTV footage

This information is referred to as "personal data" under the data protection legislation and "personal confidential data" under the Caldicott Principles. Under both the data protection legislation and the Caldicott Principles we are required to ensure that your information is treated in confidence and with respect.

Some of the information which we collect about you may be “special categories of personal data”. Special categories of personal data require a greater level of protection. The special categories of personal data about you which we may collect include your racial or ethnic origin, your religious beliefs, information about your sex life or sexual orientation and information about your health.

How we obtain your personal information

The above information which we collect about you will be obtained through a variety of sources which include:

  1. from you directly via any direct access with our healthcare services;

  2. from your friends and relatives who provide us with information about you;

  3. from anyone who has the authority to act on your behalf such as a power of attorney or deputy;

  4. from your GP;

  5. from other healthcare professionals and officers in the local authority, social services department and emergency services; and

  6. from any other (current and/or previous) healthcare and care providers.

How and why your records are used

We use the types of personal information listed above for a number of purposes, each of which has a "lawful basis". In accordance with the data protection laws, we need a "lawful basis" for collecting and using information about you. There are a variety of different lawful bases for using personal information which are set out in the data protection laws.

We have set out below the different purposes for which we collect and use your personal information, along with the lawful bases we rely on to do so.

Why we use your information

Our lawful basis for using your information

To keep and maintain an accurate record of your medical history: To help inform decisions that we make about your care, including diagnosis, decisions around medical intervention and prescriptions and to plan your care and treatment. 



Legal obligations: It is necessary to meet legal / regulatory obligations.


Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health

To provide you with safe and effective care and treatment: To provide you with safe, appropriate and personalised care and treatment as one of our service users and ensure that we meet your individual requirements. This will include us using your personal information for the following reasons:

  • delivering the healthcare and personal care you require;
  • determining your capacity for decision making;
  • meeting your dietary requirements; and
  • reviewing care provided to ensure it is meeting your needs.

Legal obligations: It is necessary to meet legal / regulatory obligations.


Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*

To work effectively with other organisations who may be involved in your care: To send information regarding your health to others, such as your GP, other healthcare and/or social care providers for continuity of care and to ensure that your needs are being met appropriately.

 

Legal obligations: It is necessary to meet legal / regulatory obligations.


Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*

To communicate with you: We will use your personal information to contact you/anyone who has authority to act on your behalf, regarding your health, care, treatment, appointments and/or test results.



Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*


For security: We may need to capture images of you as part of our security processes to ensure the safety of our staff, service users and members of the public. This may include the use of CCTV systems.

Legitimate interests: It is necessary for our legitimate interests, where they are not overridden by your rights (we have a legitimate commercial interest to ensure our premises are secure and to protect our organisation and our employees).


Health: It is necessary for the management of health and social care services.*


To conduct clinical audits and prepare statistics on NHS performance: To check the quality of care provided to you to identify areas where we may need to improve. We do this by collecting information from the records of groups of patients who have similar conditions or have received similar treatments, and comparing this with what we know are the best standards of care. This helps us to identify areas where we need to make improvements. Information is anonymised as soon as possible.

Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*

To improve our services: You may choose to complete our patient survey, to help us to improve the services we provide to you and others.

Consent: We will only use your information in this way if you have provided your consent/explicit consent for us to do so.*

To train and monitor our staff:

Your records help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymous feedback from patient surveys) to audit and improve our services and ensure they meet your needs.

Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*


To conduct medical research: To help plan services, improve care provided and to conduct research into developing new treatments and preventing diseases, understanding more about disease risks and causes, improving diagnosis and improving patient safety.



Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment.*


Research: It is necessary for scientific research purposes.*

To investigate concerns or complaints: To ensure that any concerns or complaints you may have about your healthcare are appropriately investigated and responded to.

Legal obligations: It is necessary to meet legal / regulatory obligations.


Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the provision of health or social care or treatment.*

For safeguarding and regulation: We use your personal data for the purpose of safeguarding and regulation of care.


Legal obligations: It is necessary to meet legal / regulatory obligations.


Official authority: It is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority.


Health: It is necessary for the provision of health or social care or treatment.*


To collect data about public health matters: To protect against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medical products or devices.


Legal obligations: It is necessary to meet legal / regulatory obligations.


Public interest: It is necessary in the interest of public health.*



Sharing your information without your consent

There are circumstances where we need to share your information without your consent. For example:

  • when the health and safety of others (including members of staff) is at risk;
  • to ensure we provide you with the correct care;
  • to protect public health;
  • when the law requires information to be passed on;
  • for the prevention or investigation of serious crime;
  • under a court order;
  • when sharing is in the public interest; or
  • where there are safeguarding concerns for vulnerable people.

Information may not be shared if it is believed it may cause serious harm or distress to you or to another person.

Third parties we may share your information with

Sometimes it is necessary for us to share information with another organisation. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We may also share your information with third parties such as:

  • Your friends, family and others: including anyone who has the authority to act on your behalf such as a power of attorney or deputy, where appropriate to do so for the provision of your health or social care, in the vital interests of you or others (or with your consent where applicable);
  • Other healthcare providers and multi-disciplinary teams: for direct care purposes, we will share information about you with other healthcare providers such as other NHS Trusts, your GP, community staff/district nurses, hospital staff, emergency services, NHS 111, social services and local authorities;  
  • Regulators / safeguarding authorities/commissioners: such as child and adult safeguarding services (e.g. MASH), the Care Quality Commission and Public Health England. We share your personal data with these public bodies where we are required to do so by law or a regulatory obligation;
  • The police and other law enforcement agencies: in limited circumstances we may share your personal data with the police if required for the purposes of criminal investigations and law enforcement;
  • Service providers: such as external IT providers, systems maintenance providers, language and sign language interpretation/translation and telephone call recording for monitoring purposes;
  • Professional advisors: such as lawyers, in the exercise or defence of legal claims;
  • Charitable organisations: such as organisations that can help with support for you and your family, provision of hospice care and funding of treatments, with your consent; and
  • Bulk mailing providers: in order to communicate with patients to satisfy our legal obligations and provide you with relevant healthcare information.

Transferring information outside the EEA

Where we are obliged to transfer data outside of the European Economic Area, we will ensure that this is done in accordance with the law.

Can we use your information for any other purpose?

We typically will only use your personal information for the purposes for which we collect it. It is possible that we will use your information for other purposes as long as those other purposes are compatible with those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

We may also use your personal information for other purposes where such use is required or permitted by law.

Your rights

You have the right to confidentiality under the General Data Protection Regulation EU 2016/679 (GDPR), the Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA), the Health and Social Care Act 2012 (HSCA), as well as the common law duty of confidence. The Equality Act 2010 may also apply in some circumstances.

Under certain circumstances, by law you have the right to:

  • Be kept informed about how and why we use your personal information;
  • Request access to the information we hold about you (commonly known as a "data subject access request"), which enables you to receive a copy of that information and check that we are lawfully processing it;
  • Request correction of any incomplete or inaccurate information we hold about you;
  • Request erasure of your personal information where there is no good reason for us continuing to process it;
  • Object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
  • Request the restriction of processing of your information, for example if you want us to establish its accuracy or the reason for processing it;
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact our DPO by writing to wlm-tr.sar@nhs.net or Information Governance Team, West London NHS Trust, A block 1 Armstrong Way, Southall, UB2 4SD.

How do we keep your records confidential and secure?

All organisations providing care for the NHS or on its behalf must follow the same strict policies and controls as managed by the Department of Health’s Information Governance Framework.

The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances; for example, where we are required to do so by law. In all cases, where personal information is shared, either with or without your consent, a record will be kept.

Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality. We only keep your information for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from our DPO by writing to wlm-tr.dpo@nhs.net or Information Governance Team, West London NHS Trust, A block 1 Armstrong Way, Southall, UB2 4SD.

What guidance/legislation do we have to adhere to?

There are a number of pieces of legislation that organisations, and in particular, NHS organisations, must adhere to:

The GDPR, the DPA and other data protection laws

We will comply with data protection law. At the heart of data protection laws are the "data protection principles" which say that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way;
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely.

The Caldicott Principles

We will comply with the Caldicott Principles, which set out that we must:

  • justify the purpose(s) for using confidential information;
  • not use patient identifiable information unless it is absolutely necessary;
  • use the minimum necessary patient identifiable information;
  • restrict access to patient identifiable information on a strict need-to-know basis;
  • ensure everyone with access to patient identifiable information is aware of their responsibilities;
  • comply with the law; and
  • be aware that the duty to share information can be as important as the duty to protect patient confidentiality.

Right to complain to the ICO

You have the right to complain to the Information Commissioner's Office (the ICO) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Changes to this privacy statement

We reserve the right to update this privacy statement at any time, and we will provide you with a new privacy statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.