Privacy Notice

Northern Gambling privacy notice

As a provider of a healthcare service, the Service’s main processing of personal information relates to the provision of healthcare to our Service Users. Our Privacy Notice, explaining how we process information relating to our Service Users, is set out below.

Separate Privacy Notices for HR / Workforce and other corporate functions will be provided to those whose data is processed as part of the “business-as-usual” processes of our various departments. Feel free to contact the Trust Data Protection Officer for more information.

Leeds and York Partnership NHS Foundation Trust (“the Trust”) are the accountable Data Controller for the information we hold. Our contact addresses are as follows;

Head Office
St Mary’s House, Main House
St Mary’s Road

Carl Starbuck – Data Protection Officer
1st Floor, North Wing, St Mary’s House
St Martins View
Leeds LS7 3LA

Processing information relating to our Service Users, for healthcare purposes.

The legal basis for this is UK-GDPR Article 9, subsection 2(h)

“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.

To provide high-quality, effective care that is safe, responsive, timely, and efficient, we will both receive and share relevant and necessary information with other health and social care professionals involved in our Service Users’ care, on the same legal basis.

Privacy notice: National Fraud Initiative (NFI)

The Service is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds or where undertaking a public function in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing sets of data held by one body against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.

We are a mandatory participant in the Cabinet Office’s NFI, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching each exercise, as detailed on the Government website.

The processing of data by the Cabinet Office in a data matching exercise is carried out with a statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or UK-GDPR.

Data matching by the Cabinet Office is subject to a code of data matching practice.

The Cabinet Office has published its privacy notice which sets out how the Cabinet Office will use your personal data and your rights. The notice is made under Article 14 of the UK General Data Protection Regulation (UK-GDPR).

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

For further information on data matching at this organisation, please email Carl Money. Full information and details regarding the initiative can be found on the Government website.

The Service does not process healthcare data outside the European Economic Area.

The Service will retain and subsequently securely dispose of personal information aligned with the requirements & retention schedules of the NHS Records Management Code of Practice 2021.

The UK General Data Protection Regulation (UK-GDPR) gives those who personal information we hold certain rights. These rights are set out and explained below.

  • The right to be informed

The information in this Privacy Notice should inform our Service Users how their information is processed by the Service.

  • The right of access

Service Users have a right to make a request to receive a copy of the information we hold about them, however the Service has a legal obligation to have an appropriate healthcare professional review the information before it is released, to ensure that information likely to cause harm or distress to the Service User or anyone else is removed.

  • The right to rectification

If factual inaccuracies are found and agreed, these will be corrected.

  • The right to erasure

This right does not apply in all circumstances, and does not apply to information held for healthcare purposes. Service User records are retained according to the requirements of the NHS Records Management Code of Practice 2021.

  • The right to restrict processing

This right does not apply in all circumstances. The Trust will record and act upon any restrictions a service user wishes to place on the sharing of their information – e.g. with family members etc., but will share relevant and necessary information with other health and social care professionals involved in our service user’s care, or when otherwise required to do so by law.

  • The right to data portability

This right does not apply in all circumstances. As we do not process healthcare information by automated means or on the basis of consent, it does not apply to healthcare information. We will however respond to Subject Access Requests and provide the information requested in a format of the Service User’s choice when it is reasonable to do so.  

  • The right to object

This right does not apply in all circumstances. As we process Service User information on the legal basis provided above, this right does not apply.

We will however be honouring choices expressed through the National Data Opt-Out Programme, to prevent use of patient data for planning and research purposes.

  • Rights in relation to automated decision making and profiling.

No automated decision making or profiling is carried out using service user information.

  • The right to lodge a complaint with a supervisory authority.

If anyone feels the Trust has failed to uphold any of the above rights, or has other concerns relating to the handling of their information, they may lodge a complaint with the Information Commissioner’s Office. The ICO’s contact details are included below:

Information Commissioner’s Office

Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 (geographic rate number)

The ICO’s website for raising concerns relating to the handling of personal information is:

Service users are not under a statutory or contractual obligation to provide their information, but we do however require service users to provide us with all necessary and relevant information so that we can in turn provide them with safe and effective care.


Get in Touch

You can contact us directly by telephone, by email, or via the contact form