While you receive our services, the health and social care professionals who work with you - doctors, nurses, psychologists, occupational therapists and social workers - will keep records about your health and any care and treatment you receive.

Some or all of your records may be held on a computer system. These records may be written (they’re usually called ‘casenotes’) and are held by your care co-ordinator you see or by other professionals involved in your care: this may include your GP. These records may be shared within that team.

Everyone working in health and social services has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it confidential.

Sometimes we may need to share information with other professionals and services concerned in your care. For instance, your care co-ordinator might need to discuss your case with other professionals (who are not in the same team) to plan your care. We do this so we can provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.

There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent. Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm
  • If there is concern that you are putting another person at risk of serious harm
  • If there is concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a Court
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information, even if you object
  • If your information falls within a category that needs to be notified for public health or other legal reasons e.g. certain infectious diseases.

How the NHS and care services use your information

How the NHS and care services use your information
Surrey and Borders Partnership NHS foundation Trust  is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

•    improving the quality and standards of care provided
•    research into the development of new treatments 
•    preventing illness and diseases
•    monitoring safety
•    planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:
•    See what is meant by confidential patient information
•    Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
•    Find out more about the benefits of sharing data
•    Understand more about who uses the data
•    Find out how your data is protected
•    Be able to access the system to view, set or change your opt-out setting
•    Find the contact telephone number if you want to know any more or to set/change your opt-out by phone 
•    See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Surrey and Borders Partnership NHS Foundation Trust is working towards being able to apply your national data opt-out choice by 2020. This is the government targeted date to ensure Health and care organisations have systems and processes in place so they can apply your national data opt-out choice.

Your Rights

From 25th May 2018, data legislation changes means the Trust has to be open and transparent in what personal data we hold and what we do with the data. It also provides in law additional rights over your own data.

There are 8 data rights, and they apply to all organisations that hold personal information, not only health and social care organisations like us. However there are exemptions and conditions regarding their use. 

The data rights are:

  • The right to be informed.  This is the right, to ask “who gets to see my personal data” For details, refer to the Privacy Notices section below. Our privacy notice tells you what we do with your personal data, who may access it and why we are using it. You can see our Privacy Notice here.
  • The right of access. This is the right to know whether we have personal data concerning you processed and if so, the right access it (This includes Subject Access Requests, more information is available here).
  • The right to rectification. If the information we hold on you is inaccurate, then you have the right to have it corrected.
  • The right to erasure. This is sometimes called the right to be forgotten.
  • The right to restriction of processing. Simply you have a right to limit the processing of your personal data.
  • The right to data portability. This means if we need to be able to provide you your data in a reusable format, subject to limitations.
  • The right to object. The information collected about you can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with improving standards, planning for the future or research into new treatments. Confidential patient information is only used like this where allowed by law and you have a choice about whether you want your information to be used in this way. If you are happy with this you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out visit http://www.nhs.uk/your-nhs-data-matters
  • Rights in relation to automated decision making and profiling. The right not to have any decisions about you made only by computerised decisions.

Data Protection Legislation

The Data Protection Act 2018 gives people who use our services the right to apply for access to their own health records held both electronically and in manual form. The only exceptions could be if:

•    The health or social care professionals responsible for your clinical care believe it is likely to cause serious harm to you or someone else’s physical or mental health. They are not required to tell you if such information is being withheld.

•    The information is provided, or is about, a third party as this may not be released without their consent.

•    The information relates to criminal offences, or is being used to detect or prevent crime.

Applications for access to the records of a living person who uses our services are made under Section 7 of the Act.
The Access to Health Records Act 1990 applies to deceased persons' records. Applications can be made by the deceased persons’ representative or by any person who may have a claim arising out of that person’s death.
Deceased records are still covered by a duty of confidence and are not routinely available for 'anyone' to access. There are circumstances when access is denied.
Your health records are confidential and cannot be shared outside the Trust without your consent.

General Data Protection Regulation (GDPR) 2018:
The General Data Protection Regulation (GDPR) is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
GDPR applies to ‘personal data’. This means that any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.  GDPR has 6 principles that personal data shall be: 

1. Lawfulness, fairness and transparency
Transparency: People are aware that their personal information is being used and what will happen to it. 
Fair: Making sure personal information is used in the way stated. 
Lawful: That personal information is compliant with GDPR requirements.

2. Purpose limitations
Personal information is only used for specified, explicit and legitimate purposes. So people are aware how their information is being used.

3. Data minimisation 
In other words, no more than the minimum amount of data should be kept or used for the activity outlined..

4. Accuracy
Data must be accurate and where necessary kept up to date.  Meaning when ever the information is changes/updated/corrected, where ever the information is held, it is also changed/updated/corrected.  

5. Storage limitations
In summary, data no longer required should be removed.

6. Integrity and confidentiality
Information should be handled in a secure way, this includes making sure there is protection against unlawful use or access, or accidental loss, destruction or damage.

GDPR is enforced in the UK, by the Information Commissioner’s Office (ICO). For more information on GDPR and the ICO, visit Information Commissioner’s Office


Data Protection Impact Assessments

In order to comply with data protection legislation requirements, Data  Protection Impact Assessments (DPIA) are undertaken within the Trust to assess data privacy risks, the legal basis for data collection, its use and the disclosure of information.

All new projects, initiatives and processes that involve using or sharing personal information will require a completed Data Protection Impact Assessment  at the initial stages and prior to any procurement decision being made. All Data Protection Impact Assessments when completed will be submitted to the Data Protection Officer and/or the Information Governance Group for approval.

The current list of approved Data Protection Impact Assessments are listed in file below:

For more information regarding our  Data  Protection Impact Assessments, email: dpo@sabp.nhs.uk

Privacy Notices

You can also read advice from the ICO (Information Commissioner's Office) on consent, privacy notes and fair processing.

Please ask your care co-ordinator for more information about how we use the information we keep about you and how you can see your records


Information Sharing Polices

​​​​​If you live in the Guildford & Waverley area, this leaflet explains how your records will be used and shared by health and social care providers in the area as part of an information analysis project. The leaflet includes an opt-out form if you do not want your records to be used in this way.


Frequently Asked Questions

Why do you collect my data?
We only collect the personal data we need, so we can give you the health and social care you need.

How long do you hold data about me?
Under the law (The Data Protection Act 1998) we only keep personal data for as long as it is necessary. We have a retention policy which details for the information we hold, and how long we will hold it. To get the policy, click here.

I think my personal data is wrong, or some details are missing. How can I get it updated?
We try to make sure your personal data is accurate and correct. One of your data rights means if you tell us there are mistakes or details missing, we have to reply.
If you think this is the case, please write to us, and clearly say what you believe is wrong and how it should be updated.
Please be aware that we are unable to alter or remove opinions, including medical diagnoses, unless those opinions themselves are based on inaccurate factual information.
If you want to tell us of an error on your personal records, please write to:
Records Management Team, Central Records Library
Surrey and Borders Partnership NHS Foundation Trust
18 Mole Business Park, Randalls Road
Leatherhead, Surrey KT22 7AD
Email: RXX.sabprecordsmanagement@nhs.net

How do I get information held about me deleted? What is the “right to be forgotten”?
Simply put the right to be forgotten means that people will have a right to have their personal data erased, if there are no legitimate reasons to keep it. 
However as personal data is necessary for us to provide you with health and social care, you do not have an automatic right to have personal data deleted.  

I think a decision has been made about me by a computer. What can I do?
The Data Protection Act gives you a limited right to prevent significant decisions being taken about you solely by automatic processing. You can write to an organisation telling it not to make decisions about you on this basis. You should consider sending your letter by recorded delivery and keeping a copy. The organisation has 21 days to respond. It can either reconsider any decision it has made or make a fresh decision not just using a computer. If you are not satisfied with the response, you can go to court and the court can order the organisation to reconsider the decision it has made or take a new decision on a different basis.

I’ve heard a lot in the news about GDPR.
What does GDPR stand for and when does the GDPR take effect?

GDPR is short for the ‘General Data Protection Regulation’. 
GDPR comes into force on 25 May 2018. GDPR is an EU Regulation rather than a Directive. This means that it comes into force automatically across the EU on that date – without each of the member states having to pass a specific law to implement it.

Why is GDPR important?
When the last EU Data Protection Directive was introduced in 1995, it was before Google had started, Amazon was a tiny online bookseller and Mark Zuckerberg of Facebook was still in high school.

A lot has happened in the last 20+ years. More people are online, which means more personal data is also online too. GDPR represents a shake-up of the rules to reflect where we are today.

For people, GDPR sees the introduction of new rights. Consumers will have greater control over the data organisations hold on them – including a say on when it should be deleted or transferred to other parties.

For businesses, they have to make sure that people are able to exercise their data rights. For many firms, this will involve taking a long hard look at not only how we hold people’s personal data but also making sure your personal data is adequately protected.

Don't we already have data protection laws?
Each country in the EU operated under the data protection regulations which had been developed in 1995. In the UK, we passed the Data Protection Act 1998 which set out how your personal information can be used by companies, government and other organisations.

As GDPR changes how personal data can be used, a new Data Protection Bill is due to put the GDPR data protection requirements in to UK law, so it will be used after Brexit .

What is the difference between a data processor and a data controller? 

The data controller is the person (or company) who “calls the shots”; i.e. the one who decides which personal data is collected and the purposes of the processing. The data processor is the person (or company) who processes that data on behalf of the data controller. Examples of typical data processor services include third party data storage, data analytics or marketing.

GDPR places new obligations on data processors, as they can now face fines for non-compliance and claims for compensation from data subjects for GDPR breaches.
GDPR also states that processors may only process personal data where there is a written contract clearly stating the scope and limits of the processing activity.

What type of data is protected under the GDPR?
The definition of personal data is very broad. More or less any data or set of data that, by you or someone else, can be referred to a physical personal who is alive, is considered personal data. If you are not sure whether certain data qualifies as personal data, assume that it does!
This following is examples of personal data:
•    Identity information (e.g. name, address, telephone number, credit card number)
•    Health and genetic records and data Biometric data
•    Racial or ethnic data
•    Data on political opinions
•    Data on sexual orientation
•    Web data (e.g. location data, IP address, cookies and RFID tags)

Who owns personal data under the GDPR? Is it the business that collects and process the data, or the individual to whom it refers?
Well, the GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.

What does privacy by design mean?
 GDPR demands that you have data privacy in mind right from the outset of any new project - This is called privacy by design. 

Rather than thinking about it later as a bolt-on, you are effectively putting data protection into your processes, tools and projects at the earliest possible stage.
So, if you can identify and deal with privacy issues before they become major problems, it saves costs, time and hassle, while safeguarding people’s data rights.

What is a privacy impact assessment (PIA)?
Linked to the idea of privacy by design, a PIA gives you a framework for identifying, assessing and reviewing privacy risks. Under GDPR, you are required to carry out a PIA for any processing activity that represents a “high risk” to the rights and freedoms of data subjects.
The Regulation makes specific reference to particular high risk activities, among them, the introduction of new tech into the business, the evaluation of data harvested through automated processing and the processing of sensitive data (e.g. medical records).
•    A description of the processing activities and the purposes of such processing,
•    It should assess the necessity and proportionality of the processing,
•    It should assess the risks to the rights and freedoms of data subjects,
•    It should set out the measures you intend to implement to address those risks and ensure GDPR compliance.

What and who is the Data Protection Officer (DPO)?
A Data protection officer (DPO) is someone who is given formal responsibility for data protection and compliance within an organisation. Surrey and Borders Partnership NHS Foundation Trust has a DPO, it is Louis Lau, who may be emailed at: dpo@sabp.nhs.uk.

Who will enforce it in the UK?
GDPR is enforced in the UK, by the Information Commissioner’s Office (ICO).
For more information on GDPR and the ICO:
•    visit Information Commissioner’s Office: https://ico.org.uk/

Accessing My Records

One of your data rights (as detailed above) is the right to access. This means you have the right to request details of personal data we may hold about you.

Information on how to request your records is contained in our ‘Access to Health Records Guidance’ which can be downloaded by clicking the link. To make a request please complete our Right to Access Request form.

Email: records.team@sabp.nhs.uk

Or write to:

Records Manager
Central Records Library
Surrey & Borders Partnership NHS Foundation Trust
18 Mole Business Park
Randalls Road
Surrey KT22 7AD

The Surrey Care Record

The Surrey Care Record will be launched 29th August, 2018. Initially this will allow some information from GP health records to be shared with local A&E departments (St Peter’s, East Surrey, Epsom and Royal Surrey Hospitals) and hospital records will also be available to GP practices. 

Surrey and Borders Partnership NHS foundation trust are not included in the first phase of information sharing. However, the future plan is that the personal information we hold will also be part of the Surrey Care Record and shared with GPs and Surrey Hospitals. 

What are the benefits:- 

  • You will not have to repeat your medical history or social care information every time you deal with a new member of staff or organisation

  • Care professionals will be able to find shared information when they need it, such as test results, helping to avoid unnecessary appointments and further tests. 

  • Ultimately this information sharing will improve the standard of care and the speed of decision making. 

What information is on the care record?

The record will contain summary information from your medical records. This will include:
•    Your postcode, age, details of your GP practise
•    Your NHS number, test results, medications, allergies

Choosing to opt out

You can opt out of sharing your records at any time. If you do want to opt out you will need to speak to your GP practice or any other organisation sharing information via the Surrey Care Record. 

Contact Surrey Heartlands for further information 

Email:                 @enquiries.surreycarerecord@nhs.net
Telephone:         0300 200 1018
SMS Text:          07786 202 545
Webpage:          www.surreyheartlands.uk/surreycarerecord


  • Click here to download our 'Information Sharing' leaflet
  • Click here to download our 'Electronic Health Care Records' leaflet
  • Click here to download our 'Carers Handbook' which includes a chapter on information sharing for carers