In the UK, the current Data Protection legislation consists of the UK General Data Protection Regulation 2016 (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The legislation covers the processing of personal data that relates to an identified or identifiable living individual.
Detailed guidance on the legislation is available at the Information Commissioner's Office's (ICO) website.
There are two types of data that the Trust uses: personal and special category. Personal data means any information relating to a person who can be identified directly (e.g. by name or picture) or indirectly (e.g. by a combination of age, gender and postcode). Special category data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a person, and data concerning physical or mental health, sex life or sexual orientation. Details of criminal convictions and offences are not special category data but are subject to similar extra protection under Article 10 of the UK GDPR and the DPA 2018.
There needs to be a clear basis in law for processing personal data and an appropriate legal basis needs to be identified under the Data Protection legislation.
The Trust must have a valid lawful basis (Article 6 condition) in order to process personal data and there are six available lawful bases within the legislation.
When the Trust is processing special category data it must identify both a valid lawful basis for general processing and an additional condition (Article 9 condition) for processing special category data. There are ten special category conditions available within the legislation. Additionally, some of these conditions require additional conditions and safeguards within Schedule 1 of the DPA 2018 to also be met.
In order to process personal information, one of the Article 6 conditions within the UK GDPR must be met. Additionally, under the UK GDPR, special category information is afforded even greater protection because of its sensitivity. As such, in order to process or share special category information, one of the Article 9 conditions within the UK GDPR must also be met.
The Data Protection legislation works in two main ways - it sets out rules for organisations that handle personal information and it gives individuals rights over how their personal information is used.
The legislation requires every organisation to process personal information in accordance with a set of legal rules - the seven Data Protection Principles. These include obligations covering the lawfulness, collection and use, accuracy, security, retention and ultimately deletion of personal information, specifically:
- Lawfulness, fairness and transparency - processed lawfully, fairly and transparently
- Purpose limitation - collected for specified, explicit and legitimate purposes
- Data minimisation - adequate, relevant and limited to what is necessary
- Accuracy - accurate and, where necessary, kept up to date
- Storage limitation - not kept for longer than necessary
- Integrity and confidentiality - processed in a manner that ensures appropriate security
- Accountability - must be able to demonstrate compliance with the principles above
The Trust collects and processes personal information in order to help provide healthcare services to individuals and ensure that they receive the best possible care from us, and to assist us in meeting our business responsibilities. The information we obtain and hold must comply with the Data Protection legislation and only be used for specific purposes allowed by law. The Trust has a set of procedures to ensure compliance with the legislation.
The legislation provides individuals with eight rights in respect of their own personal information. Please note that the lawful basis used for processing under the Data Protection legislation also affects what rights are available to individuals and some rights will not always apply. The specific rights are:
- To be informed - about the collection and use of their personal data (see our privacy notices).
- Access - to access and receive a copy of their personal data. Individuals wishing to access their records should initially contact the relevant divisional Subject Access Request lead.
- Rectification - to have inaccurate personal data rectified or completed if it is incomplete. Individuals wishing to rectify their records should initially contact the Records Team.
- Erasure (also known as 'the right to be forgotten') - to have their personal data erased. Please note that the right of erasure does not apply to health information and health records maintained and held by the Trust or to any special category data processed for health and social care purposes (further guidance on this is available on the ICO's website).
- Restrict processing - to request the restriction or suppression of their personal data.
- Data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing them to move, copy or transfer personal data easily from one IT environment to another. Please note that this right only applies to information an individual has provided to the Trust, where the processing is carried out by automated means and the lawful basis is consent or contract (further guidance on this is available on the ICO's website).
- Object - to the processing of their personal data in certain circumstances, including being used for direct marketing. Please note that, except for direct marketing, in other cases where the right to object applies the Trust may be able to continue processing if it can show that it has a compelling reason for doing so (further guidance on this is available on the ICO's website).
- Rights in relation to automated decision making and profiling
Whenever an individual has an appointment with us, we will ask for and obtain information from them that is appropriate and relevant for their care and treatment. It is important that we maintain accurate and up-to-date information about all our patients and their treatment, so that health professionals have all the relevant information they require to provide the best possible care.
This information is either written down or held electronically on computer systems, and is then collected together to make up the individual's care record, covering their treatment and care. Each care record carries a unique identifying number, which ensures that patients are correctly identified and receive the most appropriate and relevant care and treatment for their individual needs. Examples of the types of information that may be recorded and held in a care record include:
- Personal information such as name, address, date of birth, emergency contact, NHS number, GP registered with
- Demographic information such as race, ethnicity, age, gender, employment status, disabilities
- Clinical history
- Details of procedures undertaken
- Details of medicines administered
- Investigation reports such as scans, test results and x-rays
- Nursing records
- Any allergies
When we ask an individual for personal information, we will endeavour to:
- Make sure they know why we need it
- Only ask for what we need and not collect too much or inappropriate information
- Protect it and make sure nobody has access to it who should not
- Let them know if and why we share it with other organisations and what reason it is shared for
- Make sure we do not keep it longer than necessary
In return, to ensure their information is reliable and kept up to date, we ask individuals to:
- Provide us with accurate information and inform us as soon as possible if there are any changes
Under the Data Protection legislation, an individual has the legal right to view or ask for a copy of the personal information held about them, and this is known as 'Subject Access'. This means that individuals can ask for the information that the Trust holds about them. This may include information relating to care records, employment and training records - anything that relates to that individual as a person, whether as a patient or as an employee of any kind. This right of access can also be exercised by an authorised representative on the individual's behalf with that individual's written permission (eg a solicitor on behalf of a patient, or someone with parental responsibility on behalf of their child).
Similarly, the Access to Health Records Act 1990 provides a right of access to the care records of a deceased patient by an authorised representative. This access is restricted to only two small categories of people namely:
- The deceased patient's personal representative (ie the executor or administrator of the deceased person's estate)
- Any person who can establish they have a claim arising from the patient's death.
Individuals wishing to access their records should contact the relevant divisional Subject Access Request lead.
An individual can make a request verbally or in writing and they will need to provide us with:
- Proof of their identity, for example a copy of their driving licence or passport
- Proof of their address, for example a bill or formal document
- Details of the specific information required to be made available
- Any information necessary to process the request, for example details of the departments and staff that they have had contact with and when
All staff need to be aware of and comply with the Data Protection Act Policy, remain vigilant and be aware that:
- Requests may be received directly by departments, services or teams. In such cases, the request must be forwarded immediately to the relevant divisional Subject Access Request lead
- It is essential that the divisional Subject Access Request leads receive all requests promptly and in good time to ensure they are logged and to comply with the statutory deadlines for responding
- Requests do not have to mention the Data Protection legislation or access to records to be valid
We will not begin to process the request or begin looking for the information until we have received all of the above to ensure the applicant is legitimate and legally permitted to access the information.
We legally have one month to respond to a Subject Access Request (SAR) made under the current Data Protection legislation (if an individual has made a number of requests or their request is complex, we may need extra time to consider their request and we can take up to an extra two months to respond). However, for care records we will endeavour to comply with the request within 21 days as per Department of Health guidance.
Requests to access records can be received from a variety of sources – patients, staff, family members and carers, solicitors, police, courts, coroners, and external NHS or social care organisations.
The individual's written permission is required in order to release patient and staff records, unless the records have been requested:
- By another NHS or social care organisation for the provision of direct care
- Through a court order
- As part of a police investigation, where disclosure without consent is necessary for the prevention or detection of crime and the Trust is satisfied that the relevant exemption in the Data Protection legislation applies
- By an authorised representative (eg power of attorney, person with parental responsibility) acting on behalf of a patient who lacks capacity or on behalf of a child under 12 years of age.
Individuals are encouraged to complete our relevant application form (for either living or deceased individuals) to ensure we have enough information to locate their records and their permission to disclose this information.