Welcome to the Access to Information Team intranet page. We support colleagues across NHS University Hospitals of Liverpool Group to ensure personal and corporate information is handled lawfully, fairly and securely. We provide practical advice, coordinate statutory requests, and help teams meet their Data Protection responsibilities.

Need advice?

If you are unsure whether something is a data protection, information rights or disclosure issue, please contact us early — we are here to help.

  • Subject Access Requests (SARs) – patient and staff/HR requests
  • Individual rights under UK GDPR (e.g., rectification, restriction, objection, erasure where applicable)
  • Data Protection Office support – including individual rights complaints and ICO liaison
  • Freedom of Information (FOI) requests and internal reviews
  • Conflicts (Declarations) of Interest support and guidance
  • Data Security Awareness mandatory training support.

Management accountability for Access to Information sits with Daniel Scheffer, Group Chief Corporate Affairs Officer and Company Secretary (Data Protection Officer) for NHS University Hospitals of Liverpool Group. Access to Information functions are delivered on behalf of the Trust by the Access to Information Team.

  • Team structure (link): Corporate Information Compliance / Access to Information organisational structure (Nov 2024)
  • ATI Department Contacts
  • Individual rights and Subject Access Requests (SARs)
  • Privacy notices
  • Raising a concern
  • Freedom of Information (FOIA) Guidance for staff
  • Managing Conflicts of interest
  • Data Security Awareness training.

Individual Rights (Including Subject Access Requests)

People have legal rights over their personal data under UK GDPR and the Data Protection Act 2018. The most common request we receive is a Subject Access Request (SAR) — a request for copies of personal data we hold about the requester.

  • Do not delay: if you receive an individual rights request (including a SAR), forward it to the Access to Information Team the same day wherever possible
  • Requests can be verbal (in person or by phone) or written (by email or letter). Treat any clear request for copies of information about someone as a SAR and route it to the ATI team.
  • Do not ask the requester why they want the information — this is not required
  • We may need to verify identity and/or clarify the scope to ensure we provide the right information safely
  • The standard response timescale is one calendar month from receipt of a valid request; extensions may apply for complex requests.

Patients/service users – Patient health records SARs:

Employees – Staff/HR records SARs:

  • Right to be informed – via privacy notices and transparency information
  • Right to rectification – correct inaccurate personal data
  • Right to restriction – limit processing in specific circumstances
  • Right to object – in limited circumstances (e.g., certain public task processing, marketing)
  • Right to erasure – applies in limited circumstances (not an absolute right in the NHS context)
  • Right to data portability – rarely applicable in NHS settings.

Any enquiries should be made directly to the Data Protection Office - DPO@liverpoolft.nhs.uk | Telephone: 0151 529 8878 / 0151 529 6562.

Privacy notices

Privacy notices explain how we use personal information, the lawful basis for processing, who we share information with, and individuals’ rights. Privacy notices are available on the Trust website and should be offered to patients/service users who request a printed copy or need help accessing them.

  • Privacy notices are available online via the Group website
  • Staff should know how to locate and print a privacy notice when requested.
  • If you are unsure which notice applies, contact the Access to Information Team for advice.

Raising a concern (Data Protection Complaints)

Individuals have the right to raise concerns or complain if they are unhappy about how their information has been used or shared. We encourage concerns to be raised with the Trust in the first instance so we can investigate and respond promptly.

  • Email: dpo@liverpoolft.nhs.uk
  • Telephone: 0151 529 8878
  • Post: Access to Information Department, First Floor, Aintree House, Aintree University Hospital NHS Foundation Trust, Lower Lane, Fazakerley, Liverpool, L9 7AL.

If an individual remains dissatisfied after receiving the Trust’s response, they can complain to the Information Commissioner’s Office (ICO), the UK regulator for information rights. ICO contact details are available at www.ico.org.uk or via 0303 123 1113.

Investigations by the Information Commissioner’s Office (ICO)

The ICO is the UK’s independent regulator for data protection and information rights. The Trust cooperates with ICO enquiries and investigations where required, and aims to resolve concerns promptly and transparently.

  • If you receive any contact from the ICO, do not respond directly
  • Forward the correspondence immediately to the Access to Information Team / Data Protection Office
  • The team will coordinate the Trust response and provide guidance on evidence gathering and timelines.

Internal contact: dpo@liverpoolft.nhs.uk (mark subject line “ICO enquiry” where applicable).

Freedom of Information Act 2000 (FOIA) – guidance for staff

The Freedom of Information Act 2000 (FOIA) gives the public the right to request recorded corporate information held by the Trust. FOI applies to non-personal information. The Trust must respond within 20 working days.

The main principle behind FOIA legislation is the public have a “right to know” about the activities of public authorities.

  • Do not respond directly to the requester
  • Forward the request immediately to FOIRequests@liverpoolft.nhs.uk
  • If the Access to Information Team asks you to locate information, please respond promptly (normally within seven days) to allow time for review and approval.

If a request is unclear, the Access to Information Team can seek clarification.

If you receive a request to collate data on behalf of the Trust and you need more information to help you locate the data requested, we are able to ask the applicant for clarification on any part of their request.

If you receive the request and feel it is unclear or you are unable to determine exactly what the applicant is asking to receive please let us know at the earliest convenience.

When clarity is requested, the request is paused, meaning you do not need to complete any further work on this request until we receive clarity from the applicant.

If we don’t hear back from an applicant within three calendar months then the request is closed.

  • Information is not held - we can only disclose recorded information we hold; we are not required to create new information
  • Personal data: where an FOI request includes personal data, exemptions may apply and the request may be handled under data protection rules instead
  • Commercially sensitive information: may be exempt in specific circumstances; the Access to Information Team will assess this.

An applicant may ask for any information that is held by a public authority. However, this does not mean you are always obliged to provide the information. In some cases, there will be a good reason why we should not make public some or all of the information requested.

FOIA contains a number of exemptions that allows the Trust to withhold information from an applicant.

The Trust can withhold information because an exemption applies only if the exemption is ‘absolute’. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require the Trust to apply a public interest test. This means the Trust must consider the public interest arguments before deciding whether to disclose the information. So in some cases the Trust may have to disclose information in spite of an exemption, where it is in the public interest to do so.

Some examples of exemptions that are commonly applied are:

  • Section 1 – Information Not Held
  • Section 21 – Accessible via Other Means
  • Section 31 – Law Enforcement
  • Section 38 – Health & Safety
  • Section 40 – Personal Data 
  • Section 43 – Commercial Interests.

Who can ask for information under FOIA?

Anyone, any member of the public, organisations, businesses. You do not have to be a Liverpool resident to ask us for information.

Should we be releasing this information under FOIA?

Some information may be exempt from disclosure as part of a request, this is dealt with on a case-by-case basis.

Requests for information that is not held/collated does not mean that the information has to be created, if the information is not recorded then we are unable to comply with the request and the team would cite Section 1 of the FOIA - Information Not Held.

Please refer to the above section regarding Exemptions for further information.

Do we release Staff Names and Contact Details under FOIA?

The Trust must take a balanced view of an individual's right to confidentiality versus the public interest in releasing any information that would identify them.

The Trust has a legal responsibility to balance confidentiality with public interest, when the details requested relate to a role in which the post holder’s information is not published in the public domain, the Trust concludes there is no public interest in the names being released.

If an applicant wishes to contact a member of staff, we ask them to send any correspondence to FOIRequests@liverpoolft.nhs.uk and we will ensure the email is forwarded onto the relevant department/staff member. In line with the Managing Conflicts of Interest Policy:

  • Reasonable expectation based on Decision Making role
  • Names of staff who are in decision making roles and whose details are already available in the public domain via the Trust website will be provided when requested – however we will not provide additional contact details.

How long do I have to collate the data requested?

The Freedom of Information Team have a total of 20 working days to recieve, collate and sign off all requests. Therefore, we ask that information is returned to our team within 7 days to allow us time to collate a response and approach a member of the Executive Team to sign off the proposed response.

How many hours are we expected to dedicate towards an FOI request?

Under FOIA, the Trust has an obligation to work up to 18 hours for any request. At your earliest convenience you must make it clear to the Freedom of Information Team if you believe a request will take you over 18 hours to determine, locate, retrieve and extract.

We will make it clear to the applicant if a Fees Notice is applicable. The Act allows us to make a charge where your request exceeds the ‘appropriate limit’. The ‘appropriate limit’ for public authorities is set at £450 calculated at £25 per person per hour. If a fee is payable, applicants have 3 months to make this payment. The Trust will not action the request until the fee is paid and the 20 working days start from the date we receive payment.

Please note that Section 12 of FOIA allows us to refuse to answer requests for information if the cost of complying would exceed the ‘appropriate limit’.

Do we have to provide this information? Would it be commercially sensitive?

Section 43 of the FOIA - Commercial Interests covers two situations:

  • When information constitutes a trade secret (such as the recipe for a branded product)
  • When complying with the request would prejudice or would be likely to prejudice someone’s commercial interests.

The public interest test applies to this exemption.

The Trust tends to consider this exemption for requests relating to specific contracts for services provided etc.

What is a public interest test?

The FOIA sets out a number of exemptions which can either be; ‘absolute’ or ‘qualified’.

If an absolute exemption applies, the information does not have to be released.

If the exemption is qualified, the public authority must weigh the public interest in maintaining the exemption against the public interest in disclosure.

A public authority can only withhold the information if the public interest in maintaining the exemption outweighs the public interest in disclosure.

Where can I find further information about FOIA?

Additional information is available via: The Information Commissioners (ICO) Website.

  • FOIRequests@liverpoolft.nhs.uk
  • Carla Gillbanks - please refer to contact info at the top/side of this page
  • Chloe Jones – please refer to contact info at the top/side of this page.

Managing Conflicts (Declarations) of Interest

A conflict of interest may arise where a colleague’s ability to make objective decisions could be, or could be perceived to be, influenced by outside interests. Declaring interests helps protect staff and supports transparent decision‑making.

The public rightly expect the highest standard of behaviour in the NHS, and we take our responsibility as custodians of taxpayers’ money very seriously. Decisions involving the use of NHS funds should never be influenced by outside interests or expectations of private gain, but we recognise that conflicts of interest are unavoidable in complex systems.

NHS staff need to be empowered to use good judgement in managing conflicts of interest effectively, and need to be safeguarded so they can continue to work innovatively with partners whilst also providing transparency to the taxpayer.

If you are a decision‑making member of staff (as defined in the Trust Managing Conflicts of Interest Policy, you must submit a declaration of interest or a nil return within 28 days of a new conflict arising and at least annually.

For ease of reference, ‘decision making members of staff’ in the Trust are as follows:

  • Directors (or equivalent roles) who have decision making roles which involve the spending of taxpayers’ money
  • Consultants
  • Members of advisory groups which contribute to direct or delegated decision making on the commissioning or provision of taxpayer funded services
  • Those at Agenda for Change band 8a and above
  • Administrative and clinical staff involved in decision making concerning the commissioning of services, purchasing of goods, medicines, medical devices or equipment and formulary decisions
  • Administrative and clinical staff who have the power to enter into contracts on behalf of the Trust.

As a ‘decision making member of staff’ you are required to declare any conflicts of interest(s) that you may have or provide a ‘nil return’ within 28 days of the conflict arising and in addition on an annual basis.

This information will be collated into a register of interests which will be published on the Trust’s website.

Decision making staff should declare material interests at the earliest opportunity (and in any event within 28 days). As a minimum, an annual declaration must be made, even if there is nothing to declare (NIL return).

The Trust publishes conflicts of interest declarations for all decision making staff on our website or release under the Freedom of Information Act 2000, this is called our Register of Interests.

If you require further guidance or assistance, contact the Access to Information Team via the department contacts page.

For further national guidance, please visit the NHS England website.

Data Security Awareness Mandatory Training

Data Security Awareness (DSA) training is mandatory for all staff annually. It supports safe handling of information and is a key requirement of the NHS Data Security and Protection Toolkit.

  • Complete the module via ESR (My Learning)
  • Please complete Data Security Awareness Level 1
  • If your completion does not appear, keep a screenshot and contact Learning & Development for support.

How do I complete Data Security Awareness and what is the name of the module?

Data Security Awareness is completed via ESR. Please ensure you complete the new Data Security Awareness Level 1. Please take a screenshot of your completion at the end of the test in case your compliance doesn’t pull through on ESR.

Where do I find my modules on ESR?

Your modules will show under the ‘My Learning’ tab in the left hand column. Please visit this link for further guidance.

LUH (M) Data Security Awareness module is not showing on my account?

If LUH Data Security Awareness does not show on your account please contact Learning and Development (L&D) on 0151 529 6224 or learninganddevelopmentdepartment@liverpoolft.nhs.uk and they will enrol you on to the module.

I can’t access my ESR account, how can I reset my password?

Please contact: ESR access - ESR@Liverpoolft.nhs.uk

I am showing as Supervisor on ESR for a member of staff who has moved departments/ left the Trust etc. How do I amend this? Please contact employment@liverpoolft.nhs.uk and they can amend this.

I have completed the module but it is still showing as overdue on ESR?

Please contact L&D to see if it has pulled through their end. If this hasn’t pulled through L&D will request a screenshot of completion be sent to learninganddevelopmentdepartment@liverpoolft.nhs.uk so they can manually update your ESR account.

When to Contact Access to Information – Quick Staff Guide

The Access to Information Team can advise on data protection, disclosures and statutory requests. Early advice prevents delays and reduces the risk of incidents.

  • You receive a Subject Access Request (SAR) or any request for copies of information about an individual (patient or staff)
  • You suspect personal data may have been sent to the wrong person/address or otherwise compromised (potential data breach)
  • You receive correspondence from the Information Commissioner’s Office (ICO)
  • You receive a Freedom of Information (FOI) request or media enquiry seeking corporate information
  • You are asked to share information with an external organisation, and you are unsure about the lawful basis or safeguards.

Before sending a SAR to the Access to Information Team, please include where possible:

  • The requester’s name and contact details
  • Who the request relates to (patient or staff member) and, if applicable, their relationship to the requester
  • What information is being requested and any relevant date ranges
  • Where the information may be held (system, department or service)
  • A copy of the request (email, letter or summary of a verbal request)
  • Any known deadlines or urgency.

Do not delay forwarding a request if some details are missing — the Access to Information Team will support identity checks and clarification where required.

  • You need to redact records or disclose information and are unsure what can be shared
  • You are planning a new process/system that involves personal data (DPIA advice where applicable) – Contact Information Governance via IG@liverpoolft.nhs.uk.
  • You need guidance on privacy notices or transparency information
  • You have questions about conflicts of interest declarations and registers
  • You need help with Data Security Awareness training queries.

Main contact phone numbers: 0151 529 8878 / 6562 (see intranet contacts for named officers).

1. Your name, role, and department

2. A brief description of the issue/request and any deadlines

3. Any reference numbers (e.g., SAR/FOI reference)

4. Where the information is held (system/folder) and who else is involved

5. Attach the request/correspondence (do not forward outside NHS mailboxes).

  • Do not respond directly to FOI or ICO correspondence — forward to the team
  • Do not delay SARs — forward immediately even if the request is informal
  • If in doubt about sharing information, pause and ask for advice.