Data Protection Officer (DPO)
Information Commissioner’s Office registration number: ZA242481
Email: [email protected]
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
Essex Partnership University NHS Trust (EPUT)
Address:
The Lodge
Lodge Approach
Wickford
SS11 7XX
Telephone: 0300 123 0808
Email: [email protected]
Data Protection Officer (DPO): [email protected]
(The DPO mailbox is monitored by authorised members of the DPO team)
Our Trust is registered with the Information Commissioner’s Office
Registration number: ZA242481
Essex Partnership University Trust provides mental health, community health, and learning disability services for over 3.2 million people in Bedfordshire, Essex, and Suffolk. We employ over 5,000 staff across 200+ sites, including home and community-based care.
We take your privacy and confidentiality very seriously. This notice explains how we collect, use, share, and store your personal information. It also sets out how we are accountable to you under the UK GDPR and the Data Protection Act 2018.
How will we meet the Principles of the GDPR and UK Data Protection Act
- We use your information only when the law allows. This is usually to give you care or manage health services.
- We do not need your consent to use information for your care, because the law allows it.
- We only collect information needed for your care and treatment.
- We keep your information only as long as the law requires.
- We may share information with other professionals, like social workers or NHS teams, when it is necessary to support your care.
- We keep a record of how we use your information to make sure it is handled safely and correctly. Your information is stored securely and only shared safely.
- We respect your right to privacy under Article 8 of the Human Rights Act 1998.
- We follow UK GDPR, the Data Protection Act 2018, and NHS Caldicott Principles to keep your information safe.
- If there are concerns about a child or vulnerable adult, we may share information only when needed to keep them safe.
Our legal responsibilities
We handle your information in line with:
- UK GDPR & Data Protection Act 2018
- Human Rights Act 1998 (Article 8 – right to privacy)
- Common law duty of confidentiality
- Health & Social Care Act 2012 / Health and Social Care (Safety and Quality) Act 2015
- Mental Health Act 1983 (as amended 2007) / Mental Capacity Act 2005
- Records Management Code of Practice for Health and Social Care 2016
- Safeguarding legislation: Children Act 1989/2004, Care Act 2014
- NHS Caldicott Principles
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Freedom of Information Act 2000 (applies only to non-personal information)
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on our Facebook page and updating the effective date.
Your health records
Your care team and other health professionals keep records about your health and the care you receive.
These records help us:
- Provide safe, effective, and personalised care
- Protect your health and the health of others
- Plan and improve services, conduct audits, and train staff
- Respond to complaints, legal queries, or public inquiries
Records may be on paper or stored electronically.
What information we collect
We only collect information needed to provide care safely. This may include:
- Name, address, date of birth, NHS number
- Phone, email, and next-of-kin details
- Medical history, diagnoses, treatments, tests, care plans
- Visits, day care, and therapy sessions
- Notes from other health professionals, social care teams, family, or carers
- Surveys, feedback, or other voluntary input
Information about your next of kin
We keep next-of-kin details (name, phone, relationship) so we can contact them in emergencies or to keep you safe. Your next of kin also has rights under UK GDPR, including the right to:
- See the information we hold about them
- Ask us to correct anything that is wrong
- Ask us to limit how we use their information
- Object to certain ways we use it
We only use next-of-kin information when necessary, store it safely, and share it only with people who need it for your care or safety.
Lawful bases for processing
We process your information to assess your needs, provide treatment, and support your care. The law requires us to provide healthcare, and we cannot provide safe or effective care without using this information.
This includes:
- Keeping clinical records
- Sharing information with other health professionals involved in your care
- Making referrals
- Planning and reviewing treatment
Safeguarding and public health
We may also use your information to:
- Protect you or others from serious harm
- Safeguard children or vulnerable adults
- Manage risks or prevent the spread of serious illnesses
We share only what is necessary to keep everyone safe. Where possible, identifying details are removed, and if not, strict safeguards are applied.
Your information helps the Trust provide safe, high-quality care, protect your health, and improve our services. We handle it carefully and lawfully under UK GDPR and the Data Protection Act 2018, and we follow NHS standards for mental health care.
Why we use your information
- Provide safe and effective care and treatment
- Protect your safety and the safety of others
- Plan, monitor, and improve services for patients
- Investigate questions, complaints, or legal claims
- Prepare reports and statistics to help the Trust understand its performance (these are usually anonymised)
- Conduct audits, research, or training for healthcare staff
- Research with identifiable information is voluntary and requires your consent, which you can withdraw at any time
- Test and maintain patient and clinical systems to make sure they work properly
- Respond to public inquiries, such as the Lampard Inquiry into mental health deaths in Essex
Sharing information with partners
When we share information with partners or external organisations, it is done under formal agreements. These agreements require them to:
- Keep your information secure and confidential
- Follow the same high standards as the Trust
Third-party contracts
When we share information with partners or external organisations, it is done under formal agreements. These agreements require them to keep your information secure and confidential and follow the same high standards as the Trust.
Everyone working within the NHS has a legal and professional duty to keep your information confidential and secure. This duty arises under:
- Common law duty of confidentiality
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Human Rights Act 1998 (Article 8)
Any organisation or individual who receives information from us is also required to keep it confidential and use it only for lawful and authorised purposes.
Access to patient information is strictly controlled, logged, and routinely monitored. Staff receive regular training in information governance and data protection, and mental health records are handled with particular care due to their sensitive nature.
We only share your information when it is necessary and allowed by law, for example:
- With other health professionals involved in your care
- With social care teams, local authorities, or your family/carers if it helps your care or safety
- For audits, research, or public health purposes (data is anonymised whenever possible)
- With regulators or external auditors, if legally required
We only share information when it is necessary and lawful. We may share information with:
- NHS Trusts and Foundation Trusts
- GPs
- Dentists, opticians, pharmacists
- Private healthcare providers
- Voluntary sector providers
- Ambulance services
- Integrated Care Board and Integrated Care System providers
- Social care services
- NHS England
- Local authorities
- Education services
- Fire and Rescue Services
- Police and judicial services
- Other approved organisations working on your care
When your information may be shared without consent
We may process or disclose personal information where necessary to comply with statutory obligations or lawful requests, for example:
- Under the Mental Health Act 1983
- In response to a court order
- To fulfil safeguarding duties under the Care Act 2014 or Children Act 1989
The lawful basis under UK GDPR is:
- Article 6(1)(c) – legal obligation
- Article 6(1)(e) – public task
- For health data: Article 9(2)(h) – health or social care purposes, and Article 9(2)(g) – substantial public interest
- Schedule 1 of the Data Protection Act 2018
We ensure any sharing is lawful, necessary, proportionate, and limited to what is required.
Examples of this may include:
- Safeguarding a child or vulnerable adult
- Court or legal authority orders
- Informing a nearest relative if you are detained under the Mental Health Act 1983
- Public health or legal reporting requirements (e.g., infectious disease)
- Investigation of serious crimes
Shared Care Records (SCR)
Shared Care Records (formerly Local Health and Care Records) allow health and social care professionals involved in your care to access relevant information safely and securely.
This helps provide better coordinated care when moving between services.
You can learn more about Shared Care Records on the NHS England website: NHS England » Shared care records
We are committed to keeping your information safe, secure, and confidential. This applies to information stored on paper or electronically. We handle your data in line with the law, including UK GDPR Articles 5, 6, 9, and 32, and the Data Protection Act 2018.
We review our security measures and policies regularly to keep them up to date. Mental health records receive extra safeguards, including restricted access, enhanced logging, and staff training.
Who can access your information
- Only staff who need it to provide your care or carry out their duties can see your records.
- All access is monitored and logged, and logs are reviewed regularly to ensure information is handled correctly.
- Mental health records are only accessible to staff with specific authorisation, and access is reviewed regularly.
- All staff receive training in handling sensitive data, and any breach of access rules may lead to disciplinary action.
Keeping information secure
We only use the personal information about you that is necessary for a specific purpose and do not collect or process anything beyond what is required. This helps protect your privacy and keep your information secure.
We retain records only for as long as necessary to meet legal, regulatory, or clinical requirements. When records are no longer needed, they are securely destroyed or archived in accordance with NHS Records Management: Code of Practice and relevant statutory obligations.
We follow NHS data security standards, including:
- Data Security and Protection Toolkit (DSPT) – an NHS tool that checks how NHS organisations protect patient information. Learn more here: https://www.dsptoolkit.nhs.uk
All staff and partner organisations must keep information confidential. Any breach may result in disciplinary or contractual action.
Monitoring and audit
We regularly check how we handle and protect your information. This includes internal audits of security practices, access logs, and compliance with policies, to make sure your data stays safe.
Incident and breach handling
We take any loss, theft, or accidental release of your information very seriously. If a breach happens, we investigate it quickly and take action to reduce any risk. Serious breaches are reported to the Information Commissioner’s Office (ICO), in line with legal requirements, and affected patients will be informed if necessary.
Cross-border data transfers
All our servers are in the UK. If your information ever needs to leave the UK, it is kept just as safe as it would be in the UK, using legal safeguards like standard contractual clauses or adequacy agreements. We never transfer your data without these protections.
We follow our Trust’s policies and NHS guidance on how long we keep information. This includes both paper and electronic records. We handle your data in line with UK GDPR Articles 5 and 6, Article 9 for sensitive health data, and the Data Protection Act 2018.
NHS record keeping standards
- All NHS records are managed according to the Records Management Code of Practice for Health and Social Care 2021 and NHSE Records Management Code of Practice 2023.
- This guidance sets out how long different types of patient information should be kept and how it must be safely destroyed or archived when no longer needed.
- Safe disposal means that paper records are securely shredded, and electronic records are deleted or anonymised to protect your privacy.
Why we keep information
Some information must be kept by law or for patient safety. This helps us provide safe care, meet legal obligations, and protect your health and safety.
Certain health and care records cannot be deleted due to legal or clinical requirements. Even in these cases, your information is always kept secure, confidential, and used only for care, legal, or safety purposes.
Temporary retention requirements
At the moment, because of the Lampard Inquiry, we are not allowed to delete any information until the Inquiry has finished.
Once the Inquiry concludes, records will return to normal retention schedules in line with NHS guidance.
During this time, your information remains secure and is only used for care, legal, or safety purposes.
More information about the Lampard Inquiry
Typical retention periods
We keep your mental health records for as long as needed to provide safe care, meet legal obligations, and protect your safety.
We follow NHS and legal guidance on retention and safe disposal:
- Records Management Code of Practice for Health and Social Care 2021 https://transform.england.nhs.uk/information-governance/guidance/records-management-code/
- NHS England Records Management Code of Practice 2023 https://transform.england.nhs.uk/media/documents/NHSE_Records_Management_CoP_2023_V5.pdf
- Mental Health Act 1983 (as amended by the Mental Health Act 2007) and the Mental Health Act Code of Practice – https://www.gov.uk/government/publications/code-of-practice-mental-health-act-1983
- Children Act 1989 / 2004 – https://www.legislation.gov.uk/ukpga/1989/41/contents
- Data protection rules (UK GDPR & DPA 2018) – https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-storage-limitation/
Your information is always kept secure and will only be used for your care, legal purposes, or safety reasons. When it is no longer needed, it is securely destroyed or anonymised.
We use a variety of digital tools and platforms to support your care, improve safety, and help staff work effectively. All tools are used in line with UK GDPR, the Data Protection Act 2018, and NHS security standards, and your information is kept safe, secure, and confidential.
Patients Know Best (PKB)
PKB is a patient portal that lets you view your health information, communicate with your care team, and manage appointments.
Essex Partnership University Trust and Mid and South Essex NHS Foundation Trust work with PKB under strict data sharing agreements.
Legal basis
- GDPR Article 6(1)(e) (public task) and Article 9(2)(h) (health data).
Your rights
- You can access your data, correct it, or withdraw consent where applicable.
Please see Patients Know Best for more information.
SOPHIA (AI Safety Support)
SOPHIA helps make safety plans clear and supports learning to improve patient safety. It uses patient information only in line with NHS safety rules.
Legal basis
- GDPR Article 9(2)(h) – health and safety purposes.
Safeguards
- Access is limited, logged, and monitored.
Beautiful Voice (Speech & Language)
Supports people with speech or language difficulties by giving exercises at home and tools for therapists. Participation is voluntary, and data is handled securely.
Legal basis
- GDPR Article 6(1)(e) / Article 9(2)(h) for clinical care.
Accurx Ambient Scribe (AI‑Supported Clinical Documentation)
Accurx Ambient Scribe is a digital tool that can help clinicians by transcribing and summarising conversations during consultations. It is used to support accurate clinical note‑taking and allow clinicians to focus more on listening to patients.
Important points
- Audio is not stored and is deleted immediately after transcription
- The tool does not make decisions, diagnoses, or treatment recommendations
- It does not replace professional judgement
- You can choose not to have this tool used during your consultation
Legal basis
- UK GDPR Article 6(1)(e) – public task
- UK GDPR Article 9(2)(h) – provision and management of health care
Safeguards
- Used only for direct patient care
- Access is restricted to authorised healthcare professionals
- Data is encrypted and access is logged
- The system does not use patient data to train AI models
Realwear Headsets and SimplyVideo
Clinicians may use voice-activated headsets to get real-time support during your care. The clinician will explain what the device is and why it is used.
Safeguards
- Data is encrypted, only accessed by authorised staff, and logged.
vCreate Neuro (Seizure Video Sharing for Children)
Lets patients and clinicians securely upload and share videos/photos to help manage epilepsy. Patients or carers do not have to register if they choose not to use it.
Legal basis
- GDPR Article 6(1)(a) – consent; Article 9(2)(h) – health purposes.
Safeguards
- Only authorised clinicians access the videos, data is encrypted, and retention is limited to clinical need.
Glooko – Diabetes Data Platform
Collects data from devices like insulin pumps and glucose monitors to support care planning. You control which devices are linked.
Legal basis
- GDPR Article 6(1)(e) / Article 9(2)(h) for health care.
Safeguards
- Data is encrypted, securely stored, and only shared with authorised HCPs.
Important information about your data
- All digital platforms we use meet NHS security standards, including encryption, access logging, and regular audit monitoring.
- We only share or process the minimum information necessary for the intended purpose.
- Any third-party providers who handle your information must comply with strict data sharing agreements and UK GDPR requirements.
- You have the right to access, correct, or request deletion of your personal information where applicable under UK GDPR and the Data Protection Act 2018.
- All staff are trained to handle sensitive mental health information securely and confidentially, in line with NHS policies and legal obligations.
- The Trust carries out Data Protection Impact Assessments (DPIAs) for all software and monitoring systems, to ensure that personal data is processed lawfully, safely, and in line with data protection legislation.
CCTV (Closed-Circuit Television)
CCTV cameras are installed in and around our buildings to help keep everyone safe. You will see signs to let you know cameras are in operation.
CCTV is used to:
- Protect staff, patients, and visitors
- Prevent and detect crime or unsafe behaviour
- Collect evidence if a crime or incident occurs
- Prevent, detect, and investigate fraud
Legal basis
- GDPR Article 6(1)(e) – public task; Article 9(2)(h) – health and safety purposes.
Body-Worn Video (BWV)
Some Mental Health staff may wear Body-Worn Video cameras on wards to manage safety risks. Cameras are only switched on if staff believe there is a safety concern, and staff will explain if a camera is being used.
BWV is used to:
- Protect staff, patients, and visitors
- Prevent and detect crime or unsafe behaviour
- Collect evidence if a crime or incident occurs
Legal basis
- GDPR Article 6(1)(e) – public task; Article 9(2)(h) – health and safety.
Important notes
- All CCTV and BWV footage is encrypted, access-controlled, and monitored in line with UK GDPR, DPA 2018, and NHS security standards.
- Footage is used only for safety, care, or legal purposes.
- Access is logged and audited, and breaches are taken very seriously.
You have rights over the personal information the Trust holds about you. These rights help you see, control, and correct your information.
Your rights include:
- Access: You can see the information we hold about you.
- Correction: You can ask us to correct any mistakes in your records.
- Erasure: You can ask us to delete your personal information in certain circumstances.
- Restriction: You can ask us to limit how we use your information.
- Objection: You can object to how we use your information, for example for research or planning.
- Data portability: You can request your information in a format that allows it to be transferred to another service.
Accessing your information
You can ask to see the information we hold about you, whether on paper or electronically.
Some information cannot be shared, for example if it:
- Was provided by someone else who has not given permission for you to see it
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else
How to make a request for your records
Health records
To request a copy of your health records, please visit: Access to Health Records – EPUT
Corporate records
Information outside your medical record, such as emails, letters, telephone call logs, or complaints, can also be requested. These requests are handled through a Subject Access Request (SAR). We will provide access while keeping other people’s information confidential and secure.
To make a request:
Email: [email protected]
Correction, erasure, restriction, objection, and data portability
If you want to exercise any of these rights, or just want advice about your information, you can contact our Data Protection Officer (DPO). They will explain your options and help you.
Data Protection Officer (DPO)
Email: [email protected]
Freedom of Information Act 2000
The Freedom of Information Act 2000 allows the public to request information about how public authorities work. Freedom of Information only applies to non-personal information.
To make a Freedom of Information (FOI) request, please visit: Freedom of Information – Essex Partnership University NHS Foundation Trust
The Trust can only use your personal information when there is a lawful reason. This ensures your information is handled safely, securely, and appropriately in line with UK GDPR and the Data Protection Act 2018.
Lawful reasons include:
Providing care and treatment
We use your information to deliver safe and effective healthcare and to support your treatment. This processing is carried out under Article 6(1)(e) – public task and, for health data, Article 9(2)(h) – health or social care purposes.
Protecting health or safety
We may use your information to protect your safety or the safety of others. This is done under Article 6(1)(e) – public task and Article 9(2)(g) – substantial public interest, as well as our common law duty of care.
Legal obligations
Sometimes the law requires us to process information, for example, to comply with court orders, safeguarding duties, or public health requirements. This is based on Article 6(1)(c) – legal obligation.
Public interest
Your information may be used for research, service planning, or improving health services, always in line with data protection laws and NHS guidelines. This is generally processed under Article 6(1)(e) – public task and, where health data is involved, Article 9(2)(j) – research in the public interest.
Consent
For some activities, such as participating in research studies or using optional digital tools, we rely on your consent. You can withdraw consent at any time.
Some mental health care and treatment does not rely on consent; clinical care is processed under other lawful bases, such as public task or health and safety purposes, to ensure you receive safe and timely care.
Vital interests
In emergencies, we may process or share your information to protect someone’s life or prevent serious harm. This is done under Article 6(1)(d) – vital interests and, for health data, Article 9(2)(c) – vital interests of the data subject or another person.
We always handle your data according to data protection laws to ensure it is safe, secure, and used appropriately.
For more information please visit Our lawful reasons for using your data – Essex Partnership University NHS Foundation Trust
To find out more or register your choice, visit Your NHS Data Matters or call the national helpline on 0300 303 5678.
You can choose whether your confidential patient information is used for research and planning:
If you are happy for it to be used, you don’t need to do anything.
If you opt out, your information will still be used to support your individual care, but not for research or planning.
Giving feedback:
You may be asked to give feedback on your experience with us.
Outpatients may be contacted by text or voicemail by an NHS-approved company.
Inpatients may be given a questionnaire on paper or on a Trust tablet.
You can choose not to take part in feedback, either for a single hospital visit or permanently. Just tell a member of staff, and they will remove your consent.
Appointment reminders:
We may ask for your phone number to send appointment reminders or important information by SMS. You can opt out anytime, and we will note your choice. Your contact details are kept safe and only used for your care.
We may use Artificial Intelligence (AI) technology to support your care, improve safety, and help our staff make better decisions. AI can review information, highlight possible health issues, or identify risks, but it cannot replace the professional judgment of your clinician.
Any AI processing is carried out in line with UK GDPR, the Data Protection Act 2018, and NHS information governance standards, ensuring your personal and health information remains secure, confidential, and used appropriately.
How we use AI
Supporting Clinical Care
- AI may be used to help clinicians provide safe and effective care, review information, and highlight areas that need attention.
Safeguards and compliance
All AI we use is carefully monitored to ensure it:
- Supports safe clinical decisions and does not replace clinician judgment
- Follows UK data protection laws (UK GDPR and DPA 2018)
- Protects sensitive mental health information
- Complies with ICO guidance on AI and NHS England AI standards
- We apply the principle of using the minimum information necessary for each task.
- Where possible, AI processing is anonymised or pseudonymised, especially for research, system testing, or service improvement.
Governance and oversight
- All AI systems are reviewed and approved by Trust governance committees responsible for ethics, safety, and data protection.
Your rights
- You have the right to access information processed by AI if it is part of your health record.
- AI tools that require your consent (e.g., optional apps or research projects) will only process data once you agree, and you can withdraw consent at any time.
- Most of your mental health care does not rely on consent; clinical processing is done under public task and health purposes lawful bases.
Guidance we follow
We follow official guidance and best practice to ensure AI is safe, ethical, and respects your privacy:
- GOV.UK: A Guide to Good Practice for Digital and Data-Driven Health Technologies
https://www.gov.uk/government/publications/code-of-conduct-for-data-driven-health-and-care-technology/initial-code-of-conduct-for-data-driven-health-and-care-technology
- Information Commissioner’s Office (ICO): Artificial Intelligence guidance
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- NHS England: Artificial Intelligence (AI) and machine learning guidance
https://www.england.nhs.uk/long-read/artificial-intelligence-ai-and-machine-learning/
Introduction
This notice explains how EPUT uses the LIO patient monitoring system to support the care and safety of patients receiving inpatient mental health services.
LIO is a digital monitoring system used within certain inpatient environments to support clinical staff in observing patients safely. It is designed to assist staff in monitoring patient wellbeing and responding promptly where clinical concerns arise.
This notice should be read alongside the Trust’s main privacy notice, which explains how we use and protect personal information more broadly.
Who we are
EPUT is the organisation responsible for providing your care and is the Data Controller for the personal information processed through the LIO system.
If you have questions about how your personal data is used, you can contact:
Data Protection Officer (DPO)
Email: [email protected]
What LIO is and why we use it
LIO is a non-contact patient monitoring system that uses specialised sensors within certain inpatient bedrooms to help clinical staff monitor patient wellbeing and safety.
The system may be used to support:
- Patient safety and safeguarding
- Monitoring of patient wellbeing
- Detection of potential clinical deterioration
- Reducing the need for intrusive physical observations during rest periods
- Supporting staff in responding quickly to safety concerns
The system is designed to support clinical decision-making and does not replace direct clinical care or observation by staff.
What information the system uses
The system analyses movement and environmental data within the room in order to support clinical monitoring.
The information generated may include:
- Movement patterns
- Breathing rate
- Pulse rate estimates
- Time spent in bed
- Periods of inactivity
- Alerts relating to potential safety concerns
This information is associated with the patient occupying the room and forms part of the patient’s care information. The system does not use facial recognition technology. Where relevant information informs clinical care, it may be referenced within the patient’s clinical record.
Use of sensors
The sensors used in LIO analyse patterns of movement within a room using specialised technology.
The system does not produce conventional video recordings in the same way as CCTV and is designed to focus on movement and physiological monitoring rather than identifiable imagery.
The Trust uses the system in a way that aims to balance patient privacy with patient safety.
Our legal basis for using this information
We process personal information through LIO in order to provide health care and ensure patient safety.
The lawful basis for this processing is:
UK GDPR Article 6
Article 6(1)(e) – Public task
Processing is necessary for the performance of a task carried out in the public interest, namely the provision of health care services.
UK GDPR Article 9
Because this information relates to health, it is considered special category data.
Processing is permitted under:
Article 9(2)(h) – provision of health or social care and treatment.
Relevant legislation
This processing is also supported by obligations under:
- UK GDPR
- Data Protection Act 2018
- Health and Social Care Act 2012
- NHS confidentiality and information governance standards.
Who can access the information
Access to LIO information is restricted to authorised staff who are involved in patient care or the safe operation of clinical systems.
This may include:
- Clinical staff responsible for patient care
- Authorised technical staff responsible for maintaining the system
- Staff involved in patient safety reviews
Access is controlled through role-based permissions, and activity within the system may be logged and audited.
Organisations that support the system
The Trust works with approved technology suppliers to provide and maintain the LIO system.
Where suppliers process personal information on behalf of the Trust, they do so under strict contractual agreements and act only on the Trust’s instructions.
These organisations must comply with NHS security and data protection standards, including the Data Security and Protection Toolkit.
How we protect your information
The Trust takes a number of measures to protect personal information used within the LIO system, including:
- Strict access controls
- Secure NHS IT infrastructure
- Encryption and secure data transmission
- Monitoring and audit of system access
- Contractual safeguards with suppliers
- Regular information governance oversight
We also undertake Data Protection Impact Assessments (DPIAs) for technologies such as this.
How long we keep the information
Information generated through the LIO system is retained in accordance with NHS records management guidance.
Where information forms part of a patient’s clinical record, it will be retained in line with the NHS Records Management Code of Practice.
Any system data that is not required for clinical records is retained only for the period necessary to support safe system operation and investigation of incidents.
Your data protection rights
Under data protection law, you have rights regarding how your personal information is used.
These include the right to:
- Request access to your personal information
- Request correction of inaccurate information
- Request restriction of processing in certain circumstances
- Raise concerns about how your data is used
Some rights may be limited where information is required to provide safe healthcare.
How to raise concerns
If you have questions or concerns about how your personal information is used within the LIO system, please contact:
Data Protection Officer (DPO)
Email: [email protected]
You also have the right to raise concerns with the Information Commissioner’s Office.
Further information
More information about how the Trust uses personal information can be found in our main Trust privacy notice, available on our website.
We are helping the Lampard Inquiry, which is looking into deaths in mental health inpatient facilities, or within three months after discharge, across NHS Trusts in Essex between 1 January 2000 and 31 December 2023. For more information please visit The Lampard Inquiry – Essex Partnership University NHS Foundation Trust.
You may be contacted by the Inquiry to:
- Share information about the Inquiry
- Ask for your help in sharing your experiences
We will respond to all requests from the Inquiry that meet legal requirements. The Inquiry has its own Privacy Notice, which you can read here: Privacy Information Notice – The Lampard Inquiry – investigating mental health deaths in Essex
If you have any questions about your information and how it is used, please contact the department below and we will do our best to help:
Data Protection Officer (DPO)
Email: [email protected]
If the DPO cannot resolve your query and you are still not happy with our response, please visit Complaints & Compliments – Essex Partnership University NHS Foundation Trust to contact our Trust Complaints department.
Information Commissioner’s Office
You can also contact the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection, for advice or to raise a concern:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Alternatively, you can call 0303 123 1113 or visit https://ico.org.uk/concerns/handling
Personal information
Any information that can identify you, such as your name, date of birth, address, or NHS number.
Special category data
Sensitive information about your health, race, religion, or sexual orientation that requires extra protection.
Processing
Any activity we do with your information, such as collecting, storing, using, sharing, or deleting it.
Consent
Your agreement for us to use your information for a specific purpose, like research or receiving appointment reminders.
Direct care
The care and treatment you receive from doctors, nurses, or other health professionals.
Research and planning
Using anonymised information to improve health services, train staff, or carry out studies. You can choose not to participate.
Data controller
The organisation (EPUT) that decides how and why your personal information is used.
Data processor
A company or service (like PKB or Glooko) that helps EPUT process your information securely.
Subject Access Request (SAR)
Your right to ask to see the personal information we hold about you.
Opt-Out
Your choice to say “no” to certain uses of your personal information, like research or SMS reminders.
Anonymised / pseudonymised data
Information that has been changed so you cannot be identified. Anonymised means fully unidentifiable; pseudonymised means partly masked.
CCTV / Body Worn Video (BWV)
Cameras used to help keep patients, staff, and visitors safe, and to collect evidence if needed.
Shared Care Records (SCR)
A secure record system that lets different healthcare and social care professionals share information safely to provide better care.
Patient portal
A secure online system (like PKB) where you can view and manage your health information.
Freedom of Information (FOI)
Your right to request non-personal information about how the Trust works.
Lawful basis
The legal reason EPUT can use your personal information, for example, for your care, legal obligations, or public interest.
Lampard Inquiry
A public investigation into mental health deaths in Essex. Some information from patient records is shared with this Inquiry where legally required.
Data protection officer (DPO)
The person at EPUT responsible for protecting your personal information and helping you understand your rights.
AI (Artificial Intelligence)
Technology used to assist clinicians with decision-making, risk alerts, or system monitoring. It does not replace professional judgment.
Records retention
The period for which your information is kept before it is securely deleted or anonymised, according to law and policy.