Privacy notice

What we do

At Lewisham and Greenwich Trust, we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or plan to provide to you. This privacy statement provides a summary of how we use your information.

The United Kingdom General Data Protection Regulation (UK GDPR) is the primary law governing how your personal information is used. It sits alongside the Data Protection Act 2018 and the Data Use and Access Act 2025 (DUAA 2025), which strengthens transparency, safeguards and accountability in how health and care data is accessed and used.

The UK GDPR defines the Lewisham and Greenwich NHS Trust as a ‘data controller’ of personal information. We collect information to help us provide and manage healthcare to our patients. Lewisham and Greenwich is registered with the Information Commissioner’s Office, Certificate Reference number Z4898169.

Lewisham and Greenwich NHS Trust is the Data Controller for your personal data.

What kind of personal information does the Trust collect?

We may collect:

• Name
• Address
• Date of birth
• NHS number
• Next of kin
• Details of diagnosis
• Treatment
• Hospital appointments
• Allergies and
• Health conditions.

The Trust also records CCTV images for the prevention and detection of crime; this may include body worn video and audio recordings.

We usually collect information directly from you. We may also receive information from your GP, other NHS organisations, social care services, ambulance services, private providers involved in your care, or family members/carers where appropriate and lawful to do so.

Legal basis for processing personal and sensitive information

The UK GDPR requires organisations that process personal data todemonstrate compliance, including identifying the lawful basis for processing

As personal data is processed for the purposes of Trust’s statutory functions, the Trust’s legal bases for the processing of personal data as listed in Article 6 of the UK GDPR are as follows:

• Article 6(1)(b) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Article 6(1)(c) – Processing is necessary for compliance with a legal obligation
• Article 6 (1) (d) provides a lawful basis for processing where: “processing is necessary in order to protect the vital interests of the data subject or of another natural person” (Note a person is a person who is alive.)
• Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For the majority of NHS healthcare activities, we rely on Article 6(1)(c) – Legal Obligation and Article 6(1)(e) – Task in the Public Interest

Where the Trust processes special categories of personal data, the conditions it relies on for processing such data as listed in Article 9 of the UK GDPR are as follows:

• 9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
• 9(2)(h) – Processing is necessary for health or social care (with a basis in law)
• 9(2)(i) – Processing is necessary for public health (with a basis in law)
• 9(2)(j) – Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  
  

The UK GDPR defines special category data as:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Please note that not all the above lawful bases and special category conditions will apply for each type of processing activity that the Trust may undertake. However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.

Privacy notice regarding children and young people

The personal data that we collect about your child may include:

• Full name, address and contact details
• Date of birth, gender and age
• Parental responsibility details
• Appointment and inpatient records
• Treatment records and clinical notes
• Test results (e.g. x-rays, scans, blood tests)
• Information from research/ clinical trials
• Test results (e.g. x-rays, scans, blood tests)
• Information from health professionals, social workers, relatives and carers
• Sageguarding status

We may also collect information about race or ethnic origin, religion and disability status.

Why do we collect your child’s and family personal data?

We collect personal data about you and your child to support the delivery of appropriate healthcare and treatment. In order to provide high quality care, we must keep records about your child, their health and the care that we provide, or plan to provide them. This may include certain information about you or family members. It is important for us to have a complete picture as this data enables us to provide the right care to meet a child’s individual needs and this can include social care information.

If you ever have any questions as to why certain data is collected, our Information Governance team will be happy to discuss this with you and can be contacted on LG.IG@nhs.net.

LGT Portal

Please see the Privacy Notice for the LGT Portal app:

LGT Portal Privacy Notice July 2021

London Care Record

The London Care Record enables health and care staff to have one secure shared view of a person’s relevant heath and care information. Even if a person’s details are held in other London care organisations, information can still be accessed safely and securely. For example, if someone from Peckham (South East London) attends A&E at Chelsea and Westminster Hospital (North West London), staff involved can access the information they need to treat that person quickly and safely. This could include information on allergies, current medications, or existing long-term conditions.

With the progress of data sharing across London and beyond, the system formerly known as “Connect Care” has been renamed to “The London Care Record”.

Information is transferred securely, via a health information exchange system - this enables more effective care at the first point of contact.

Please note - If you previously requested your information not be shared in Connect Care this is still honoured in London Care Record. If you prefer your health and care information not to be shared in the London Care Record, please download and complete this form and inform your health and care professional.

Why we collect information about you

The people who care for you use your information and records to:

• provide a good basis for all health decisions made by you and your care professionals
• allow you to work with those providing care
• make sure your care is safe and effective
• work effectively with those providing you with care Others in the NHS may also need to use records about you to:
• check the quality of care (called clinical audit)
• collect data regarding public health matters
• ensure NHS funding is being allocated appropriately
• help investigate any concerns or complaints you may have about your health care
• teach healthcare workers and help with research and planning.
  
  

Research and planning – data opt-out

Your health records contain confidential patient information, which can be used to support research, planning, and service improvement. You can choose to stop your information being used in this way, including for children under 13, and your choice only applies to health and care services in England. Identifiable information used for your individual care is not affected. Under the UK GDPR and Data Protection Act 2018, all secondary uses of health and care information are lawful, transparent, and monitored with safeguards to protect your privacy.

Confidential patient information may be used for approved research, health system planning, and policy evaluation. Your choice will not affect your individual care, and organisations are required to follow strict governance and auditing procedures to respect your preferences. For guidance on making or changing your choice, visit the Your NHS Data Matters website or call the national helpline on 0300 303 5678. You can change your mind about your choice at any time.

Most of the time, anonymised data is used for research and planning so that you cannot be identified. In which case, your confidential patient information is not needed and your data protection rights are not affected.

Federated Data Platform (FDP)

The NHS Federated Data Platform is a secure system that brings together health information in one place to help Lewisham and Greenwich NHS Trust staff provide better care. Frontline teams can quickly see the most up-to-date patient information, manage waiting lists, schedule treatments, and plan care more effectively.

For further information, please see NHS England » Frequently asked questions (FAQs)

How long do we hold information for?

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care 2020.

Retention periods vary depending on the type of record (for example, adult health, maternity, children’s or mental health records).

Records are securely destroyed when no longer required.

Download The NHS Records Management Code of Practice for Health and Social Care.

Information sharing

We many need to share information from your health records with other organisations such as:

• GP Practices
• Other NHS Trusts and hospitals
• Community healthcare providers
• Social care services
• NHS England and Integrated Care Boards
• Approved research organisations (where lawful)
• Regulators and auditors
• Law and enforcements agencies where legally required

We will normally seek your permission for uses outside direct care unless:

• There is a serious risk of harm
• There is a legal requirement
• A court order applies
• There a legitimate police request relating to serious crime

Where personal data is transferred internationally, this will only occur where appropriate safeguards are in place in accordance with UK GDPR.

Where processing is likely to result in a high risk to individuals' privacy interests, the Trust will conduct a Data Protection Impact Assessment (DPIA). The aim of a DPIA is to identify and minimise the data protection risks of a project.

How do I access information recorded about me?

What are your rights?

Under the UK GDPR, individuals have rights in relation to information that is held about them by an organisation. The UK GDPR provides the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

For further information, or if you wish make an Individual Rights Request(s), please contact the Trust Information Governance Team Lg.ig@nhs.net, or call the Trust on the numbers provided below and ask for the Information Governance Team in the first instance.

Alternatively, if you are not happy with the response to your Individual Rights Requests, please contact the Head of Information Governance and Assurance at lg.ig@nhs.net or call the one of the numbers below.

University Hospital Lewisham
High Street, Lewisham, London, SE13 6LH

Phone: 020 8333 3000

Queen Elizabeth Hospital
Stadium Road, Woolwich, London, SE18 4QH

Phone: 020 8836 6000

How do I raise a concern?

To raise any concern with us, please contact the Patient Advice and Liaison Service (PALS).

If you are looking for information about privacy, please contact Lg.ig@nhs.net