At NHS Midlands and Lancashire (NHS ML) we’re committed to protecting and respecting your privacy. This Privacy Policy provides you with the following information:
What are our data protection responsibilities?
What services do we provide?
What is the lawful basis for processing your personal data?
How may we use and share your information?
How is your information stored?
How long is your information kept?
How does the wider NHS collaboratively use your information?
What are your information rights?
How do I exercise my information rights?
If I have a concern regarding how my personal information is being used, who should I contact?
What are our data protection responsibilities?
NHS ML is a Commissioning Support Unit, an organisation hosted by NHS England, and is not a separate entity in its own right. However, we operate as if we have the same privacy responsibilities to ensure that we manage personal data in a professional, legal, and ethical way.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (the ‘Act’) the Controller is NHS England which hosts NHS ML. NHS England is registered on the Data Protection Register with the Information Commissioner’s Office (ICO). Their registration number is Z2950066, and a copy of the registration is available through the ICO website. MLCSU is also listed but we only act as a Controller when NHS England asks us to on their behalf.
MLCSU provides services to clients including care providers and Integrated Care Boards (ICB). ICBs are responsible for commissioning healthcare services for the geographical area which they cover and are required to have their own Privacy Notices.
When providing these services to our client organisations we will collect and use the personal information of both patients and service users. In these instances, we will act as a Data Processor on behalf of our clients. Where MLCSU is the Processor for such organisations, you should see us named in their privacy notices for the services we provide.
We may collect personal information about you in several ways:
- Information you provide to us, in order to help you resolve an issue or to provide you with guidance.
- Information provided as part of work we do, supporting clients to improve and deliver health services. This information will be collected and used under a defined legal basis and under strict conditions of privacy and confidentiality.
- Information that may be passed to us from care providers in order to resolve questions or queries on your behalf.
What services do we provide?
Our range of services is listed below, and where applicable we have provided a link to further information about each service and how it uses your personal data.
- Analytical and Statistics for the management of Health Services
- Better Business Case Training
- Business Intelligence
- Clinical Support Services
- Complaints
- Contract Management
- Communications and Engagement
- Consultancy Services
- Data Management Services
- Data Services for Commissioning Regional Office (DSCRO)
- Digital Innovation & Transformation
- Financial Services
- Human Resources
- Individual Funding Requests (IFR)
- Information Governance and Data Protection
- Freedom of Information Requests
- Data Protection Officer Service
- IT Services
- Organisational Development
- Personalised Healthcare Commissioning (PHC)
- Prevention and Detection of Fraud
- Procurement
- System Transformation
The following Units / Services are also part of NHS ML and may process your personal data:
Personalised Healthcare Commissioning (PHC)
Our PHC team delivers assessment, review, and care planning for people with continuing healthcare and complex healthcare needs on behalf of our client NHS organisations.
For further information regarding how your personal data is used, please see the following links as appropriate:
If you would like further information regarding the services we provide to our NHS customers, please visit the following link:
You can find further information on PHC activities.
The Communication and Engagement Service
Support client NHS organisations by providing professional support to carry out communication and engagement activities. This will often include collecting the contact details of members of the public where they have agreed to participate in such activities. This will be on behalf of our client NHS organisations who would be the Data Controller.
For further information on their activities please see our Communications and Engagement page.
Health Economics Unit
Provide economic and analytical expertise to deliver insights to power the future of health and care delivery. For further information on their activities please see the Health Economics Unit website.
The Strategy Unit
A specialist NHS team which produces high quality, multi-disciplinary analytical work to allow clients to achieve better evidence, better decisions, and better outcomes. For further information on their activities please see the Strategy Unit website.
The Transformation Unit
NHS team of consultants, working alongside health and care clients to deliver major change programmes to transform care and health outcomes for people and communities, empowering change from within. For further information on their activities please see the Transformation Unit website.
NHS Horizons
NHS Horizons’ purpose is to amplify the efforts of others to deliver transformation and large-scale improvement, and to accelerate new change thinking in line with the priorities of the NHS. For further information on their activities please see the NHS Horizons website.
Data Services for Commissioners Regional Offices
Following the 2012 NHS reform (Health and Social Care Act 2012), the legal basis for the Clinical Commissioning Groups (CCGs) (now replaced by ICBs under the Health and Care Act 2022) prevented staff from directly handling identifiable personal and confidential information for commissioning purposes.
Using regional processing centres (RPCs), the Data Services for Commissioners Regional Offices (DSCROs) de-identify the data before it is passed to NHS ML, who act as the data processor for our client organisation ICBs.
For further information about this service and the Data Services for Commissioners team please see the Data Services for Commissioners page.
What is the lawful basis for processing your personal data?
Where we provide services to our client organisations, we are not responsible for determining the legal basis for that processing activity. This is the responsibility of our client organisations who are the Data Controller. To establish the legal basis, you may visit their Privacy Notice, or you may wish to contact them instead.
Please see the links below to our main clients’ Privacy Notices:
Where NHS ML is acting as a Data Processor on behalf of NHS England we process data under the following legal bases:
Article 6(1)(a) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
We would rarely rely on Consent as a legal basis.
Article 6(1)(b) – The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This would be by virtue of legislation such as the NHS Act 2006, or the Health and Social Care Act 2012.
Article 9(2)(g) – Processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Where we rely on Article 9(2)(g) the substantial public interest would be determined by provisions in the Data Protection Act 2018. This would include matters such as for Safeguarding.
Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
This would be by virtue of legislation such as the Data Protection Act 2018, NHS Act 2006, or the Health and Social Care Act 2012.
Article 9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Domestic Law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
We have in place robust mechanisms for considering how personal information is used which includes formal documentation to consider the reasons for sharing and also the involvement of a “Caldicott Guardian”, a senior member of staff whose role it is to consider whether or not sharing and use of personal data is reasonable and that the right controls are in place.
Generally, we do not share individuals’ identifiable information with any other organisations unless there is a defined legal basis to do so. Where required, we will seek your consent.
If we share your personal information, it will be with very tight controls on who sees the information and the purposes for which it is used.
We record any instances where we transfer personal information to a third country or international organisation. This is very limited, and we check and record the safeguards in place to protect the information to be transferred.
We do share anonymised statistical information with client organisations for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas. This is used to help our client organisations support their commissioning, management, and planning decisions for healthcare services.
We may use your information to arrange training and events where you have signed up to these and may also seek consent for you to be added to mailing lists regarding upcoming events and opportunities to join professional networks.
Your personal data is always kept secure, and all NHS organisations are required to provide assurances, every year, that controls are in place to manage personal data. These controls include access controls, encryption, and physical controls.
Your personal data will be kept under strict conditions within the UK, being protected by suitable access controls ensuring that only people with an authorised professional need can access your data and encrypting your data, when necessary, to ensure it is protected from inappropriate access. Where exceptions to this process are undertaken you will be informed.
Where we provide an invoice validation service for our client organisations the processing activity is within a Controlled Environment for Finance.
All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security, and that personal information is handled correctly. This is to measure their performance against the National Data Guardian’s 10 data security standards.
See our publication history on the Data Security and Protection Toolkit.
We retain personal information in accordance with data protection legislation and in line with the NHS Records Management Code of Practice 2021. We may sometimes retain information longer than the minimum retention periods but only where there is a business requirement to do so. For details regarding how long specific records are kept please see the Records Management Code of Practice.
NHS ML (as part of NHS England) is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit this page on the NHS website. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about patient information and healthcare research on the NHS Health Research Authority website.
To understand how and why patient information is used (including what safeguards are in place and how decisions are made) you may wish to visit the NHS Confederation website.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
NHS England is required to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.
For more information on this please visit the National Fraud Initiative page.
Under the UK GDPR and the Data Protection Act 2018 you have several rights, and these are listed below. Some rights are not absolute rights; whether they apply is dependent upon the legal basis used to process your data.
Right to Be Informed
You have a right to know how your personal information is being used, and this privacy notice is part of this obligation which we must fulfil. You may contact us if you want to know more about how we use your information or if something is unclear.
Right of Access
You have a right to request to see what information we are holding about you (this is known as making a “subject access request”).
Right of Rectification
You have a right to have any inaccurate information held about you corrected. You can contact us and request this if you believe we hold inaccurate information about you. We can also refuse a request for rectification in certain circumstances.
Right of Erasure
Dependent upon the legal basis, you have a right to have your personal information erased. This may only be performed if we have no other legal reasons to keep your information.
Right of Portability
Dependent upon the legal basis, you may have a right to receive your personal information in a “machine readable form” and to be able to take this information to another person or organisation.
Right to Object
Dependent upon the legal basis, you have a right to object to how personal data about you is processed, in some instances. You have the right to object to your data being shared with others or used, for example, in research or statistical processes.
Withdraw Consent
Where we are relying on the lawful basis of consent, you can withdraw your consent by contacting us and we will act on such requests as soon as we can.
There are also rights around the use of Automated Decision Making and Profiling. We do not use automated decisions and profiling at this time. However, where NHS ML or its client organisations plan to undertake this activity, you will be informed by our privacy notice and that of our client organisations.
Where you choose to exercise the above rights NHS ML must respond to your request (and provide you with your information where you submit a Subject Access Request) within one month, although we may extend this time in certain circumstances.
You can do so by contacting us using any of the following methods.
Email: mlcsusars@nhs.net
Telephone: 01782 872648 (Monday to Friday, 9am-5pm)
Post: Leyland House, Lancashire Enterprise Business Park, Leyland, Lancashire, PR26 6TY
Where NHS ML are acting on behalf of our client organisations, those organisations are the Data Controllers and so you will need to contact them to exercise your rights. Please see the links below to our main clients’ Privacy Notices where you can find their contact details:
If I have a concern regarding how my personal information is being used, who should I contact?
For further details on how to contact us, including telephone numbers for specific services or locations, then please visit our Help and Contact page. Alternatively:
Our Data Protection Officer is Hayley Gidman. Should you wish to contact them you can do so by:
- Email: mlcsu.dpo@nhs.net
- Telephone: 01782 916875
- Post: Leyland House, Lancashire Enterprise Business Park, Leyland, Lancashire, PR26 6TY
NHS ML also has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. Our Caldicott Guardian is Elizabeth Miller.
A further senior member of staff is responsible for information risk and information security and is accountable to the Managing Director; this person is called the Senior Information Risk Owner (SIRO). Our SIRO is John Uttley.
Further privacy information on NHS England may be found on the NHS England Privacy Notice webpage.
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Email: casework@ico.org.uk or visit the ICO website.
We keep our privacy notice under regular review, and we will place any updates on this web page. This notice was last updated on 15 August 2024.