Skip to content

View navigation

Data Requests and Your Privacy

Access your information

In the UK by law you have a right to access your information under what is called a Subject Access Request. Simply complete the online form below and ensure the requested documents are attached such as Photographic ID and address verification so we can ensure you are who you say you are. You may be telephoned by one of the team to check some details from the record only you would know for security. We by law have to process this within 30 days.

Alternatively download the form here and email to or post to our address listed on our Contact us.

Access someone else’s information

If you are not a public body (Police, Fire or GP etc.), executor of an individual’s estate or for any other reason you will usually need a Lasting Power of Attorney for Health and Wellbeing. Public bodies usually require a Court Order, or a special request previously known as a Section 29 to detect and prevent crime. If in doubt, simply complete the online data request form above and one of the team will come back to you initially usually within 48 hours.

If the individual is deceased, your information request would fall under the Access to Health Records Act 1990 and more information can be found on the NHS website here.

In order to provide you with a copy or of your personal information, or invoke your individual rights as outlined below, we require two forms of identification; one photographic and one that confirms your current address. Please view our guidance on providing ID below.

Note: We will not release your information without the correct identification.

If you require any information outside the remit of Leeds Community Healthcare NHS Trust such as GP or Hospital information, please contact the relevant organisations directly.

Individual Rights Requests

If you wish to invoke your Individual Rights under the Data Protection Act 2018, this includes requesting an amendment or deletion to your personal information held by Leeds Community Healthcare NHS Trust, please download and complete the form here and email to

Please view the Guidance on providing ID information here  

Freedom of Information

Please complete the Online Data Request Form above. 

The Freedom of Information Act 2000 (FOIA) gives members of the public the right to request information that is held by public sector organisations such as NHS Trusts and local councils. You have the right to request information we hold under the FOIA.

The aim of the FOIA is to create a climate of openness in public services so that people can understand how operational decisions are made and how public funds are spent.

The FOIA does not permit the release of personal information such as health or employment records. If you require personal information held by the Trust, please submit a Subject Access request under the Data Protection Act 2018.

The FOIA covers all information held in a recorded format. The deadline to respond to requests made under the FOIA is 20 working days, although there are some circumstances where this may be extended under the terms of the legislation.

If the information you require is not available on our website via our Publication Scheme, please send us your Freedom of Information request via email or post (please see contacts box for details).

Our publications

A Publication Scheme is a legal requirement under Section 19 of the Freedom of Information Act.

A publication scheme gives people access to information an organisation routinely publishes. This includes plans, management arrangements, performance, inspection reports, policies and procedures and the minutes of key meetings. We aim to make as much information as possible available directly via our website, however as we continue to build our publication scheme, some content will be supplied on request.

How we use your information (Privacy Notice)

We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights and protection in law.

  • Leeds Community Healthcare NHS Trust (LCH) is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018 because we collect, store and use personal data to provide healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

    Our registered address is Stockdale House, Victoria Road, Leeds. LS6 1PF

    Information Commissioner’s Office (ICO) registration:  Z258777X

    We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to make sure the personal data we are responsible for, whether this is computerised or in paper form is kept securely.

    At Trust board level we have a Senior Information Risk Owner (SIRO) who is accountable for the management of the Trust’s information assets and a Caldicott Guardian who is responsible for the management of patient data and patient confidentiality. We also have a Data Protection Officer who ensures the Trust is accountable and complies with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

    The Data Protection Officer details are show on the top right of this page.

  • LCH is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the GDPR. The legal bases for the majority of our processing are:

    • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

    • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

    Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

    • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

    Where we process special categories data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:

    • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

    Where we process special categories data for employment or safeguarding purposes the condition is:

    • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  • The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you or other care providers e.g. GP, social care or hospital. The maintenance of these records will ensure that you receive the best possible care. These may be written down on paper or held on a computer and they include:

    • Basic personal details about you such as name, address, date of birth, next of kin etc
    • Contacts we have had with you such as appointment or clinic visits
    • Notes and reports about your health, treatment and care
    • Results of x-rays, scans and laboratory tests
    • Relevant information from people who care for you and know you well such as health professionals, relatives and carers.

    It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

  • Your health records are used to direct, manage and deliver the care you receive to ensure that:

    • The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
    • Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive
    • Appropriate information is available if you see another health professional, or are referred to a specialist or another part of the NHS

    Your information will also be used to help manage the NHS and protect the health of the public by being used to:

    • Review the care we provide to ensure it is of the highest standard and quality
    • Protect the health of the general public
    • Manage the health service
    • Ensure our services can meet patient needs in the future
    • Investigate patient queries, complaints and legal claims
    • Ensure the health care providers receive payment for the care you receive
    • Prepare statistics on NHS performance
    • Audit NHS accounts and services
    • Undertake health research and development

    Help train and educate healthcare professionals

  • We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have been considered.

    All records held by Leeds Community Healthcare NHS will be kept for the duration specified by national guidance from the Department of Health & Social Care found in the Records management: NHS code of practice for health and social care 2016.

  • Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

    We will share information with the following main partner organisations:

    You may be receiving care from other people as well as the NHS, for example social care services. We may need to share some information about you with them if they have a genuine need for it so we can all work together for your benefit.

    Therefore, we may also share your information, subject to your permission and strict agreement about how it will be used, with:

    • Social care services
    • Education services
    • Local authorities
    • Voluntary and private sector providers working with the NHS

    To support the right information being available to the right healthcare practitioner at the right time, Leeds Community Healthcare may share your data via the Leeds Care Record. Leeds Care Record is a secure virtual health and social care record used only by health and care organisations providing direct patient care. A list of these organisations with access is listed on the Leeds Care Record website and is available to view via the following link: Leeds Care Record pulls key information about you from the different health and social care records and displays it in one combined record. This enables clinical and care staff involved in your direct care to find all the key information for your care in one place, helping them provide the best care to you as a patient or service user. To do this, it is essential that clinical and care staff have access to the most up-to-date information including alerts. The Leeds Care Record Privacy Notice can be found here.

    We will not disclose your information to any other third parties unless:

    • We have your permission
    • We have to share by law
    • We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
    • We hold information that is essential to prevent, detect, investigate or punish a serious crime

    If you have any concerns or would like further information please ask the staff caring for you or contact the Data Protection Officer at the address given at the top of this page.

  • We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • Sometimes your data may be processed outside of the UK, in most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within the UK. When this is outside the EEA we will identify the data protections in place prior to transfer.

  • Under certain circumstances, you have rights under data protection laws in relation to your personal data. We ensure that these rights are respected.

    Right to be informed

    You have a right to be informed if your personal data is being used. Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

    Right of access

    You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR (commonly known as a subject access request), although there are exceptions to what we are obliged to disclose.

    A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.

    Further information and to submit a subject access request

    Right to rectification

    You have the right to ask us to rectify any inaccurate data that we hold about you.This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

    Right to erasure (‘right to be forgotten’)

    You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

    Right to object

    You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. E.g. we will not be able to stop the processing of your data if it is necessary to provide you with direct patient care.

    Right in relation to automated individual decision-making

    You have the right to object to being subject to a decision based solely on automated processing, including profiling.

    Right to notification

    You have the right to be notified if there has been a breach with regards to your personal data that we hold. This right is enforced if the breach is likely to result in a high risk of adversely affecting your rights and freedom.

    Right to complain to the Information Commissioner

    You have the right to complain to the Information Commissioner if you are not happy with any aspect of Leeds Community Healthcare’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact the Data Protection officer at first instance.

    The contact details for the Information Commissioner are:

    Information Commissioner’s Office
    Wycliffe House
    Water Lane,
    Wilmslow SK9 5AF


  • impact on individuals must be considered.  High risk could result from either a high probability of some harm, or a lower possibility of serious harm.  It is also good practice to do a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.

    The DPIA must:

    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.

    Here at Leeds Community Healthcare NHS Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.

    View a summary below of all DPIAs carried out since 25 May 2018 when this became a data protection requirement.  The lists will be periodically updated with new completed DPIAs but if you would like more information about our process, or those listed below, please contact

    DPIA Number 

    Name of DPIA

    Services involved

    Date Approved 



    Childhood Flu Vaccination

    Childrens Business Unit




    Forward App

    Musculoskeletal Service




    Cerebral Palsy Integrated Pathway (CPIP) patient management system





    E-consent system in School Immunisation Team

    School Immunisation Team









    Requesting SystmOne record Sharing outside of Leeds 

    Clinical Systems Management




    Leeds Mental Wellbeing Service (LMWS)

    LMWS System Integration Work Stream




    Lone Working 

    Risk & Security




    Community Pain Service

    Community Pain









    Attend Anywhere





    MS Teams - Video Recording 





    WhatsApp use for sex workers 

    Sexual Health 




    Zoom for LMWS










    ICE for ICAN

    Childrens Business Unit




    Antibody Testing 





    Zoom - Leeds Sexual Health 

    Sexual Health 



  • Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

    The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

    • improving the quality and standards of care provided
    • research into the development of new treatments
    • preventing illness and diseases
    • monitoring safety
    • planning services

    This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

    Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

    You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

    To find out more or to register your choice to opt out, please visit  On this web page you will:

    • See what is meant by confidential patient information
    • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
    • Find out more about the benefits of sharing data
    • Understand more about who uses the data
    • Find out how your data is protected
    • Be able to access the system to view, set or change your opt-out setting
    • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
    • See the situations where the opt-out will not apply

    You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

    You can change your mind about your choice at any time.

    Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

    Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

    Our organisation is currently compliant with the national data opt-out policy.

  • This notice was last updated October 2020

    Supplement privacy notice for Patients/Service Users

    This notice describes how we may use your information in accordance with the Coronavirus Act 2020 to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available on the Trusts internet page.
    The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

    Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

    During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

    In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email. During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

    We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. All required processing will be centrally controlled. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.

    NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

    In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

    This notice will expire on 31 March 2022. The date at the top of this page will be amended each time this notice is updated.

  • The Trust is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

    The Cabinet Office is responsible for carrying out data matching exercises.

    Your personal data will be subject to the following automated profiling (as defined in Article 4, paragraph 4 GDPR):

    Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

    The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the GDPR.

    Data matching by the Cabinet Office is subject to a Code of Practice.

    View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

    For further information on this data matching exercise contact the Trusts Counter Fraud Specialist, Nikki Cooper; mobile 07872 988939 or email:

  • Leeds Community Healthcare NHS Trust utilises Closed Circuit Television (CCTV) cameras in and around the Trust’s sites.

    The legal basis for collection of CCTV images is that processing is necessary for the purpose of the legitimate interests pursued by the controller, the Trust (GDPR Article 6(1) (f)). Our legitimate interest in doing so is in order to:

    • Protect staff, patients, visitors and Trust property
    • Assist in the identification, apprehension and prosecution of offenders and provide evidence in support of criminal or civil action in the courts.
    • Provide a deterrent effect and reduce unlawful activity
    • Help provide a safer environment for our staff
    • Help to identify practices that jeopardise the health and safety of other staff, patients or visitors

    All areas where CCTV is in use will be clearly signed to comply with data protection legislation. This is to alert people that they are about to enter an area monitored by CCTV cameras or remind them they are still in an area covered by CCTV. The signs will also act as an additional deterrent. We do not perform any covert surveillance.

    We MAY when necessary, lawful and fair share personal data / images to:

    • Police and other law enforcement agencies
    • Other emergency services
    • Public bodies with regulatory functions (which includes Council services)
    • Legal representatives, Courts, Hearings and Tribunals linking to legal proceedings
    • Ombudsman and Regulatory bodies
    • Insurance companies
    • Individuals / organisations requesting information where there is a lawful basis for disclosure under legislation such as the Data Protection Act 2018, Freedom of Information Act 2000

    CCTV images will not be released or used for entertainment purposes.

    Images will not routinely be transferred to recipients outside of the UK.

    CCTV images are normally kept for no longer than 31 days.

    Images supplied as evidence supplied to the police and other agencies etc will be kept for longer.

    You have the right to access the personal data we hold about you; to request we rectify or erase your personal data; to object to or restrict processing in certain circumstances; and a right of data portability in certain circumstances.

    If you wish to request access to CCTV footage please follow the Subject Access Request Process, for Public Bodies such as the police please email your data request and completed authorisation form to:

Data Protection Officer

Steve Creighton
Leeds Community Healthcare NHS Trust
White Rose Office Park, Building 3
Millshaw Park Lane
Leeds, LS11 0DL


Information Governance Team    

Leeds Community Healthcare NHS Trust
White Rose Office Park, Building 3
Millshaw Park Lane
Leeds, LS11 0DL


What to do if you need to speak to someone urgently...