Privacy notice

What we do

In the National Health Service (NHS), we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or plan to provide to you. This privacy statement provides a summary of how we use your information.

The Data Protection Act 2018 and United Kingdom General Data Protection Regulation (UK GDPR) controls how your personal information is used by organisations, businesses or the government. The Data Protection Act 2018 defines the Lewisham and Greenwich NHS Trust as a ‘data controller’ of personal information. We collect information to help us provide and manage healthcare to our patients. Lewisham and Greenwich is registered with the Information Commissioner’s Office, Certificate Reference number Z4898169.

If you are looking for information about privacy, please contact


What kind of personal information does the Trust collect?

  • Name
  • address
  • date of birth
  • NHS number
  • next of kin
  • Details of diagnosis
  • treatment
  • hospital appointments
  • Allergies and
  • health conditions.

The Trust also records CCTV images for the prevention and detection of crime; this may include body worn video and audio recordings.


Legal basis for processing personal and sensitive information

The UK GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing.

As personal data is processed for the purposes of Trust’s statutory functions, the Trust’s legal bases for the processing of personal data as listed in Article 6 of the UK GDPR are as follows:

  • Article 6(1)(b) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Article 6(1)(c) – Processing is necessary for compliance with a legal obligation
  • Article 6 (1) (d) provides a lawful basis for processing where: “processing is necessary in order to protect the vital interests of the data subject or of another natural person” (Note a person is a person who is alive.)
  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Where the Trust processes special categories of personal data, its additional legal bases for processing such data as listed in Article 9 of the UK GDPR are as follows:

  • 9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • 9(2)(h) – Processing is necessary for health or social care (with a basis in law)
  • 9(2)(i) – Processing is necessary for public health (with a basis in law)
  • 9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

The UK GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Please note that not all the above legal bases will apply for each type of processing activity that the Trust may undertake. However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.


Privacy notice regarding children and young people

The personal data that we collect about your child may include details such as:

  • Full name, title, address, telephone number (mobile and home), email address
  • Date of birth, gender, age
  • Who has parental responsibility
  • Any contact we have had with your child through appointments, attendance or inpatient stays
  • Details and records of treatment and care/ notes
  • Health reports including any allergies or health conditions.
  • Information from research/ clinical trials
  • Results of x-rays, scans, blood tests, etc.
  • Other relevant data from people who care for your child and know them well, such as health professionals, social workers, relatives and carers.
  • Whether or not you or your child is subject to any protection orders regarding their health, wellbeing and human rights (safeguarding status);
  • A record of contact with us by telephone or email for the purposes of the provision of healthcare including complaints, claims or PALS enquires.

We may also collect other data about your child, such as your child’s race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).


Why do we collect your child’s and family personal data?

We collect personal data about you and your child to support the delivery of appropriate healthcare and treatment. In order to provide high quality care, we must keep records about your child, their health and the care that we provide, or plan to provide them. This may include certain information about you or family members. It is important for us to have a complete picture as this data enables us to provide the right care to meet a child’s individual needs and this can include social care information.

If you ever have any questions as to why certain data is collected, our Information Governance team will be happy to discuss this with you and can be contacted on


LGT Portal

Please see the Privacy Notice for the LGT Portal app:

LGT Portal Privacy Notice July 2021 [pdf] 323KB


London Care Record

With the progress of data sharing across London and beyond, the system formerly known as “Connect Care” has been renamed to “The London Care Record”.

The London Care Record enables health and care staff to have one secure view of a person’s relevant heath and care information. Even if a person’s details are held in other London care organisations, information can still be accessed safely and securely. For example, if someone from Peckham (South East London) attends A&E at Chelsea and Westminster Hospital (North West London), staff involved can access the information they need to treat that person quickly and safely. This could include information on allergies, current medications, or existing long-term conditions.

Information is transferred securely, via a health information exchange system - this enables more effective care at the first point of contact.

Please note - If you previously requested your information not be shared in Connect Care this is still honoured in London Care Record. If you prefer your health and care information not to be shared in the London Care Record, please download and complete this form and inform your health and care professional.


Why we collect information about you and your choices

The people who care for you use your information and records to:

  • provide a good basis for all health decisions made by you and your care professionals
  • allow you to work with those providing care
  • make sure your care is safe and effective
  • work effectively with those providing you with care Others in the NHS may also need to use records about you to:
  • check the quality of care (called clinical audit)
  • collect data regarding public health matters
  • ensure NHS funding is being allocated appropriately
  • help investigate any concerns or complaints you may have about your health care
  • teach healthcare workers and help with research and planning.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit the Your NHS Data Matters website or call the national helpline on 0300 303 5678. You can change your mind about your choice at any time.


How long do we hold information for?

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care  2020. Records including confidential information are securely destroyed in line with this code of practice.

Download The NHS Records Management Code of Practice for Health and Social Care.


Information sharing with non-NHS organisations

For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving direct care, such as social services or private healthcare organisations. We may also need to share your information, such as blood test results, for direct care processing purposes by a non-NHS organisation under an agreement with the Trust. We will always seek your permission to share your information with organisations for purposes other than your direct care. However, in exceptional situations we may need to share information without your permission if:

  • it is in the public interest – for example, there is a risk of death or serious harm
  • there is a legal need to share it – for example, to protect a child under the Children Act 1989
  • a court order tells us that we must share it
  • there is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime.

We do not share, send or transfer person identifiable information outside of the European  Economic Area.

Where processing is likely to result in a high risk to individuals' privacy interests, the Trust will conduct a Data Protection Impact Assessment (DPIA). The aim of a DPIA is to identify and minimise the data protection risks of a project. A copy of the Trust’s DPIAs can be requested from the Data Protection Officer


How do I access information recorded about me?

What are your rights?

The UK GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Some of these rights are qualified rights and some are absolute rights.

For further information, or if you wish make an Individual Rights Request(s), please contact the Trust Information Governance Team, or call the Trust on the numbers provided below and ask for the Information Governance Team in the first instance.

Under the Data Protection Act 2018 UK GDPR, individuals have a right to access information that is held about them by an organisation.If you have undergone medical treatment at University Hospital Lewisham, Queen Elizabeth Hospital Woolwich, some acute services at Queen Mary’s Sidcup or Lewisham Community NHS, please contact


Lewisham and Greenwich NHS Trust Data Protection Officer

Alternatively, if you are not happy with the response to your Individual Rights Requests, please contact the Trust Data Protection Officer email or call the Trust on one of the numbers below and ask for the Trust Data Protection Officer.



University Hospital Lewisham

Queen Elizabeth Hospital


020 8333 3000

020 8836 6000


University Hospital Lewisham
High Street
SE13 6LH

Queen Elizabeth Hospital
Stadium Road
SE18 4QH


How do I raise a concern?

To raise any concern with us, please contact the Patient Advice and Liaison Service (PALS).