Roles and Responsibilities 
Introduction 
What information does LLR PCL hold about me? 
How does LLR PCL collect information about me? 
Why does LLR PCL use the information it holds about me? 
Who has access to the information about me? 
How do you keep my information safe and secure? 
Will LLR PCL share information about me with others? 
Primary Care Network (PCN) 
What lawful basis does LLR PCL have for using information about me? 
Where and for how long does LLR PCL store information about me? 
What rights do I have? 
National Data Opt-Out 
The Right to Complain to the Information Commissioner’s Office 

Roles and Responsibilities 

| Role | Individual | Contact Details |
| --- | --- | --- |
| Chief Executive | Danah Cadman | danahcadman.llrpcl@nhs.net |
| SIRO | Jake Cooke | jakecooke.llrpcl@nhs.net |
| Caldicott Guardian | Dr Fahreen Dhanji | fahreen.dhanji@nhs.net |
| IG Lead | Charlie Smart | charliesmart1.llrpcl@nhs.net |
| DPO | Tania Palmariellodiviney | tania@dataprivacysimplified.co.uk |
| IAO | Charlie Smart | charliesmart1.llrpcl@nhs.net |
| Corporate IG Team & DPO Office | Charlie Smart; Karen Lawrence; Tania Palmariellodiviney | llrpcl.datagovernance@nhs.net; karen.lawrence@dataprivacysimplified.co.uk; tania@dataprivacysimplified.co.uk |
| Cyber Support | Sean Palmariellodiviney | seanp@dataprivacysimplified.co.uk |

Introduction

We are LLR Patient Care Locally (“LLR PCL”, “us”, “we”, “our”), registered in England and Wales, registration number: 07789175.

We are registered with the UK supervisory authority, the Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data under the registration number: ZA018698.

We are the data controller for the information we hold about you. A data controller is the organisation that makes decisions about the personal data that is being collected and processed, and we are ultimately in charge of and responsible for the processing.

You can contact us in relation to this notice and raise any queries about it and / or exercise your right to access your information using the details below:

Address:

Office 2 and 3, Coalville Business Centre

Goliath Way, Coalville

Leicestershire LE67 3FT

Phone: 0116 380 0590

Email: llrpcl.datagovernance@nhs.net

LLR PCL has been commissioned to provide healthcare services on behalf of GPs and the Integrated Care Board (ICB) through our Referral Support Service (RSS) and local provider healthcare sites. Healthcare providers screen referrals and direct the patient to the most appropriate clinical setting where they are treated either by local provision community sites contracted via LLR PCL or in an acute hospital setting. We use a clinical system called TPP SystmOne like other healthcare providers to securely record your healthcare information.

At LLR PCL we are committed to protecting and respecting your privacy, informing you of your rights under the Data Protection legislation and giving you access to these rights. 

This Privacy Notice sets out important details about how LLR PCL and its staff are responsible for your information, what we may collect and hold about you, how that information may be used and your legal rights. 

We will review this Privacy Notice on a regular basis, and we advise you to check back on our website for the latest version.

2. What information does LLR PCL hold about me?

We hold two types of personal data about you. 

  1. Personal Data (data which identifies you)
  • Personal data includes information about people like their name, phone number, email address, address, date of birth, etc. 
  • We may also hold another type of personal data, called special category data, or criminal conviction and offences data. These are more sensitive, and LLR PCL may only process them in more limited circumstances.
  • Some data we hold may be pseudonymised to help reduce privacy risks by making it more difficult to identify individuals, but it still counts as personal data.
  2. Special Category Data (sensitive data)

This sort of data could include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Health
  • Sex life
  • Sexual orientation

3. How does LLR PCL collect information about me?

The information we collect and process about you has either been provided by you or by others involved in your care treatment (e.g. GP, hospital, community, employers).

This is likely to include your personal data and more sensitive information about you especially around your health (see definitions in section 2).

We may collect information from you when:

  • You contact us via telephone calls which may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services.
  • You communicate with us via email, social media or our website. 
  • We interact with you as part of the referral process to ensure the information we have been provided is up to date.

We may also obtain information about you from:

  • Other health or care providers, such as your GP to provide you with healthcare services.
  • Government agencies such as HMRC.

4. Why does LLR PCL use the information it holds about me?

We use the information we hold about you in connection to:

  • Referral to the best treatment and/or care pathway
  • Referral for tests or assessments
  • For medical examinations and delivery of care pathways
  • For service improvement 
  • For anonymous key performance indicator reporting in relation to contractual obligation

We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud or safeguarding) or in connection with legal proceedings.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling. 

5. Who has access to the information about me?

LLR PCL collects personal information for your health care purposes. There may be instances where we are required under legislation to share that information, but we will only do so if we have a legal basis.

We carefully control who has access to your information. Staff only have access where they are required to do so in relation to their job role, e.g. to provide direct care or support (i.e., receptionist and secretary). Where possible we limit the access that staff have on our systems.

To reduce the risk of a data breach, LLR PCL has in place robust policies and procedures, and we carry out training for all staff on an annual basis.

We also carry out spot checks and audits to see if there has been any inappropriate access. Where that occurs, disciplinary action may be taken against the staff. If a data breach includes access to your information, we will contact you. We also have an obligation if it is a serious data breach to inform the Information Commissioner’s Office.

6. How do you keep my information safe and secure?

  • LLR PCL is required to complete the NHS Digital Data Security and Protection Toolkit. This is a tool that provides assurance that we are meeting standards on handling patient/client information
  • We have in place Data Protection Policies and Information Security Policies to ensure staff understand the ‘must’ or ‘must not do’ with patient/client data
  • Staff are required to complete induction training in Information Governance and to complete annual update training
  • Spot checks are carried out across the organisation
  • Our IT is managed by an outsourced IT provider who ensures that all safeguards are in place on our IT systems to protect data and keep it secure from unauthorised access, loss or damage
  • Passwords are changed on a regular basis, and we use multi-factor authentication across all available systems
  • Where incidents do happen, our investigations include actions we take, and lessons learnt

7. Will LLR PCL share information about me with others?

Yes, we set out these reasons below and assure you that in each case, we share only such information as is appropriate, necessary and proportionate.

| Why we share your data | Who we share it with |
| --- | --- |
| Provision or delivery of care or health services | Doctors/GPs; Nurses; Pharmacists; Physiotherapists |
| Provision of blood and lab services | Local NHS hospitals; Independent pathology/clinical laboratory services |
| Emergency contact in a critical situation | Anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin) |
| Recording of calls when you contact us for training and monitoring | Ring Central call handling |
| Reporting of anonymised data on use of services | LLR ICB (in anonymised format) |
| System support and management by 3rd parties | Third party suppliers which provide us with electronic patient management systems and other information technology systems including incident management and recording systems, electronic prescribing systems and other clinical and non-clinical software applications and related services |
| Regulatory bodies have statutory powers to access patients’ or health assessment clients’ records as part of their duties to investigate complaints, accidents, or health professionals’ fitness to practise. Court order | Care Quality Commission; ICO; Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe); NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy); Health & Safety Executive; Public Health England |
| Prevention and detection of crime or fraud | Police and other third parties; The Home Office; HMRC; NHS Counter Fraud Authority |
| Third parties who provide business services to us | Our lawyers; Auditors; Insurance companies |
| Shared Care Record across the local region | LLR Shared Care Agreement; GP Connect API and Associated Services |


If you would like more detailed information on who we share your data with, please get in contact with us.

Primary Care Network (PCN)

We are a provider of Enhanced Access services working directly with Primary Care Networks (PCN). This means we work closely with a number of GP Practices and health and care organisations to provide healthcare services to you. No health data is automatically shared. 

Patient records remain with the GP practice that the patient is registered with. The record would only be accessed by another organisation if the patient has booked and agreed an enhanced access appointment or clinical services delivered in an alternative setting; the patient is advised of this at the time of accepting the appointment.

8. What lawful basis does LLR PCL have for using information about me?

Data Protection law requires that we only use your personal data if we have a lawful basis to do so. Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  2. processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering a contract.
  3. processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.

 

Data protection law requires that we set out the legal basis for holding and using information about you. We have set out the various reasons we use information about you and alongside each, the legal basis for doing so. 

  • For the purpose of delivering your direct health care and sharing your information we use Article 6(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Where we have to share your information because we are required to do so under law, we use Article 6(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out below explaining our reason for this.

  • For the purpose of delivering your direct health care and sharing your information we use Article 9(h) – health or social care.

9. Where and for how long does LLR PCL store information about me?

The majority of the information that we hold about you is held securely in the United Kingdom and stored electronically on secure servers and in paper format.

However, some information is stored outside the European Economic Area (EEA). This is:

  • Call recordings

We retain your records for certain periods (depending on the record) under our retention of records policy. LLR PCL follows the recommended best practices contained in the NHS Records Management Code of Practice. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including:

  • To support patient care and continuity of care
  • To support evidence-based clinical practice
  • To assist clinical and other audits
  • To support our public task
  • To meet legal requirements

Your records may not be retained in hard copy form where a digital copy exists. If you would like more detailed information on this, please contact us (contact details above).

10. What rights do I have?

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

If you wish to exercise any of the rights set out below, please contact us using the contact details set out above. Details of your rights are set out below:

The right to be informed
This privacy notice forms part of that, but we also aim to keep you fully informed during your consultations, via our communications to you and using posters in healthcare settings.

The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in the form you request; if we are unable to do that, we will inform you. If you have made the request electronically (e.g. by email), the information will be provided to you by electronic means where possible.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you, we usually need to explain to you:

  • The purposes for which we use your personal information.
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with.
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, where we obtained the information from.
  • Your right to ask us to amend or delete your personal information (if appropriate).
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate).
  • Your right to complain to the Information Commissioner’s Office.
  • We also need to provide you with a copy of your personal information.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity (which will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.

We respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The right to request correction of your personal information
We take reasonable steps to ensure that the personal information we hold about you is accurate, complete, and up to date.  However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information
In some circumstances, you have the right to request the erasure of the personal information that we hold about you.  This is also known as the ‘right to be forgotten’.  However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.

The right to restrict the processing of your personal information
In some circumstances, you have the right to object to the processing of your personal information. This would usually apply to processing for purposes other than your direct healthcare (i.e., research).

The right to request a transfer of your personal information
In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/organisation of your choice. The information must be transferred in an electronic format.

The right to object
You can ask us to stop processing your information for any purposes other than your healthcare.

The right not to be subject to automatic decisions and profiling
You have a right to not be subject to automatic decisions (i.e., decisions that are made about you by computer alone) that have a legal or other significant effect on you. 

The right to withdraw your consent
You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information.

To apply any of the Individual Rights above please contact the Data Protection Officer.

11. National Data Opt-Out

We review our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies. If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose. 

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is used, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/

12. The Right to Complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted by post, phone, or email as follows:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)

Fax: 01625 524 510

Email: casework@ico.org.uk

For further questions or to exercise any rights set out in this Privacy Notice, please contact us on the contact details provided above to request to speak to the Data Protection Officer. 

Please note that this privacy notice applies to LLR PCL and the information we collect about you only. For any services, other parties or websites mentioned in this privacy notice or on our website, we do not accept liability, and we advise you to read their privacy notices.  

Data Controller: LLR PCL

Data Protection Officer: Tania@dataprivacysimplified.co.uk

Purpose of Processing your personal information:

  • Employment and social security
  • Management of healthcare services

Lawful basis for Processing your personal information:

  • Necessary for the purpose of performing a contract with the data subject
  • Legal obligation to carry out processing
  • Necessary for the purposes of carrying out obligations in the field of employment, social security or social protection law

Recipients or categories of your personal information: Personal and Special Category data.

Your right to object: You have the right to object to how we process your information. Please use the below contact details to contact our Data Protection Officer.

Your right to access and correction: In certain circumstances, you have the right to seek the erasure or correction of your personal data.

How long do we hold your personal data for? During the course of employment, records will be updated regularly. In addition to this, records will be destroyed completely 7 years after the individual’s employment ended. In certain circumstances and to comply with the law we may keep this longer.

Your right to complain: Use of personal data is overseen by the Information Commissioner’s Office, often known as the ICO.

You have the right to complain or raise concerns with the ICO and they can be contacted via their website:

https://ico.org.uk/global/contact-us/

Or you can also call their helpline:

Tel: 0303 123 1113 (local rate)