Due to the coronavirus pandemic, you may experience a delay in our response to requests made under the Data Protection Act 2018 and Freedom of Information Act 2000.
We apologise for any inconvenience caused. You can find out more about your data rights during this period on the Information Commissioner’s Office (ICO) website.
If you access our services, our health professionals who work with you - doctors, nurses, psychologists, occupational therapists and social workers - will keep records about your care and treatment.
This section explains some of the issues in how we manage your data, how we make sure we comply with our legal responsibilities for personal data, and how you can access further information.
What information we hold about you and why
If you access our services, our health and social care professionals will collect information about you to help us provide you with the best possible care and treatment.
However, we only collect the personal data we need in order to give you the support you need.
If you are a carer of someone who uses our services, we will hold a record about you as well as the person you care for. This enables us to help you with your caring role.
Usually this information is held on a secure digital health record system.
Under the current data protection legislation, we only keep personal data for as long as it is necessary. We have a retention policy which details the information we hold and how long we will hold it. Details of our policies and procedures are available on our webpage.
Who can access information in your health record
Within the Trust
Only the professionals with a legitimate relationship to your individual care or treatment can view or access your records and we keep a log of this for security purposes.
Regional Shared Care Records
We share a summary of key information in your health record with other authorised health and care professionals involved in your care through our local Shared Care Record programmes.
We share information with:
- Surrey Care Record (for people registered with a GP practice in Surrey Heartlands Health and Care Integrated Care System, which covers most of our area). You can view a list of all participating health and care organisations, which includes links to their online privacy notice pages.
- Connected Care (for people registered with a GP in Farnham, NE Hants and Surrey Heath, which is part of the Frimley Health and Care Integrated Care System).
The information we share includes basic information such as your name, address, postcode, NHS Number, age and GP practice details as well as:
- Your referral information – whether you are open to us or not;
- Your diagnosis, if you have one;
- The start, end and review dates of your Care Programme Approach;
- Your care plan and your risk assessment
Other organisations also submit limited information from the health and social care records held by your GP Practice, hospitals and social services such as test results, medications and allergies to create one shared digital record.
All organisations involved with the Shared Care Record are legally required to explain, through a privacy statement, how, why and with whom they share your health and care information, and to provide details of how to use your right to object to sharing your data. You can read ours in our Privacy Notices section below.
Right to Object: If you do not want your information to be shared, you can exercise your right to object at any time. To do so, please contact your GP practice. You can also speak to your care co-ordinator or named professional about what this may mean for your care with us.
Surrey Multi-Agency Information Sharing Protocol (MAISP)
We are a member of Surrey Multi-Agency Information Sharing Protocol.
This is a set of principles about sharing personal or confidential information that each organisation has signed up to. It sets out the circumstances in which we should share information and what our responsibilities are.
See the Surrey County Council website for more information.
Sharing information with the police and the criminal justice system
There may be times when we must share information with the police or law enforcement agencies without your consent, for example:
- If there is a concern that you are putting yourself, or another person, at risk of serious harm;
- Where we have been instructed to do so by a court; or
- As part of the investigation of a serious crime.
You can find out more about how we share information with the criminal justice system in Surrey's Crime and Disorder Information Sharing Protocol.
National Data Opt-Out
The information we collect about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments and the prevention of illness and disease
- monitoring safety
- planning services
All these uses help to provide better health and care for you, your family and future generations.
Confidential patient information about your health and care is only used like this where allowed by law, when there is a clear legal basis to use this information.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information is not needed.
You have a choice about whether you want your confidential patient information to be used in this way.
If you are happy with this use of information you do not need to do anything. If you do choose to opt-out, your confidential patient information will still be used to support your individual care.
To find out more or to opt out, visit www.nhs.uk/your-nhs-data-matters. You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
How you can access your health record
One of your data rights is the right to request details of personal data we hold about you.
Please see our ‘Access to Health Records Guidance’ for more information.
To make a request please complete and return our Right to Access Request Form as advised.
If you think your personal data is wrong, or some details are missing
We try to make sure your personal data is accurate and correct.
Under GDPR, there are eight data rights (these are listed in the Your Rights section). If you have an issue or a query about your data rights, please contact the Records Management team (see the Contacts section on this webpage) and clearly say what you believe is wrong and how it should be updated.
Please be aware that we are unable to alter or remove opinions, including medical diagnoses, unless those opinions themselves are based on inaccurate factual information.
How we share information with carers
The relationship between the professional and the person using the service is based on having confidence or trust that what is said will not be disclosed without their agreement.
We are required by law not to share information without getting consent from the person using our service. When we seek consent, we make sure that the person using our services understands what they are consenting to and the purpose of sharing it.
There might be a risk to the carer if certain information is not shared with them. We understand that these situations may happen and that they may be difficult for carers, and we will listen to your views and to any concerns about the person that you feel you need to share with us.
We try to find a way of offering support and information without jeopardising the confidentiality of the person. We will make sure that the person has the capacity to make this decision.
As a carer you are likely to have known the person before they became unwell. We acknowledge that you may have key information relevant to how we provide effective care for them. You will likely be aware of what may influence their wellness.
We will encourage you to share this information because it will help us to provide the best support for the person you care for, as well as giving you a positive role and confidence in what we are doing.
There may also be times when a carer shares personal information with us about themselves that they do not wish the person to know.
We have the same obligation to not share this personal information without your consent. This includes information you may share with us about how you are feeling or coping in your caring role.
Even when the patient continues to withhold consent, we aim to ensure that carers are given sufficient knowledge to enable them to provide effective care, and that they are given the opportunity to discuss any difficulties they are experiencing in their caring role and helped to try to resolve these. The provision of general information about mental illness, and of emotional and practical support for carers, does not breach confidentiality.
There might be circumstances where not sharing essential information might place the carer and other family members at significant risk. If a situation puts other people, or the person themselves, at risk, we will act immediately and in the interests of the person.
Where possible carers are given general factual information, both verbal and written about:
- The diagnosis
- What behaviour is likely to occur and how to manage it
- Medication, benefits and possible side-effects
- Contact details of the care coordinator
- Local inpatient and community services
- The Care Programme Approach (CPA)
This information is taken from our Carers Handbook which you can view online here or download from the Information Leaflets section of this webpage.
Your rights
There are eight data rights which give you legal rights over your personal data. These are listed below, with links for additional information:
- The right to be informed - see our privacy notices below for more information
- The right of access - see 'How you can access your health record' above
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to data portability
- The right to object - see 'Who can access information in your health record' above
- Rights in relation to automated decision making and profiling.
Our legal duty
Making sure we collect and hold data lawfully
Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the law now places a greater obligation on organisations in how they handle personal data (information which can identify a person).
GDPR established six key principles:
- Personal data is to be used according to the law, in a fair and open way.
- Personal data has to be collected for explicit, definite and lawful purposes.
- Data must be adequate, relevant and limited to what is necessary.
- Personal data has to be accurate - if it changes it has to be kept up to date.
- Personal data should only be kept as long as it meets its need and purpose.
- Personal data is to be kept safe and secure from unlawful use, loss, destruction and damage.
These changes mean that we have to state the lawful basis on which your data is held or used.
This applies whether you use our services, are part of our support team as a carer, are a volunteer or trustee, and for our staff.
Further details can be accessed here on GDPR Lawfulness of using personal data and GDPR Processing of special categories of personal data.
How we make sure we are compliant
To make sure we comply with data protection legislation, we complete Data Protection Impact Assessments (DPIA) at the initial stages of all new activities that involve using or sharing personal information.
We do this to assess the legal basis for data collection and use, the data privacy risks, and the disclosure of information.
Accessing health records and the law
The Data Protection Act 2018 gives you the right to apply for access to your own health records. The only exceptions are:
- Where the health or social care professionals responsible for your clinical care believe the release of the data is likely to cause serious harm to your or someone else's physical or mental health. They are not required to tell you if such information is being withheld.
- Where the information was provided by, or is about, a third party, as it may not be released without their consent.
- Where the information relates to criminal offences, or is being used to detect or prevent crime.
Applications for access to the records of a living person who uses our services are made under Section 7 of the Act.
Accessing the records of a deceased person
The Access to Health Records Act 1990 applies to deceased persons' records. Applications can be made by the deceased person's representative or by any person who may have a claim arising out of that person's death.
Deceased records are still covered by a duty of confidence and are not routinely available for 'anyone' to access. There are circumstances when access is denied.
Our privacy notices
Privacy Notice for Surrey and Borders Partnership NHS Foundation Trust - GDPR
Additional information on GDPR lawful processing conditions
Our other privacy notices:
- Privacy Notice for Trust Members
- Privacy Notice for Vulnerable People Reporting Service
- Privacy Notice for A&E services provided by acute hospitals in Surrey and North East Hampshire
- Privacy Notice for the Community Mental Health Transformation Programme (CMHTP)
- Privacy Notice for Shared Care Records - updated July 2020
You may find the following Trust publications helpful:
- Information Sharing – for how we use personal data
- Carers Handbook – see page 13 for how we approach information sharing with carers
The following publications from partner organisations may also be relevant:
For queries relating to access to your health records
Call: 01372 216265
Write to: Records Manager, Central Records Library
Surrey and Borders Partnership NHS Foundation Trust, 18 Mole Business Park, Randalls Road, Leatherhead, Surrey KT22 7AD
To submit a request for information under the Freedom of Information Act.
Data Protection Officer - Louis Lau
The person responsible for data protection and compliance within an organisation. Further information about the DPO role and function is available here.
Write to: Louis Lau - DPO
Surrey and Borders Partnership NHS Foundation Trust, 18 Mole Business Park, Randalls Road, Leatherhead, Surrey KT22 7AD
Frequently asked questions
To help provide additional guidance on data protection issues, the various articles of GDPR are summarised in the links provided.
We have also included additional external reference links for more detailed information.
Q: I don't understand all the jargon being used - what do the various terms mean?
We've summarised the various GDPR terms and what they mean in this summary.
- In our explanations and additional documentation, Surrey and Borders has not used the term 'Data Subjects'. In order to reflect our Vision and Values, we use the term 'people'.
- The GDPR terms apply to all EU member states. Following the UK's departure from the EU, GDPR continues to have effect, subject to some minor changes, and has been re-enacted as 'UK GDPR'.
Q: I’ve heard a lot in the news about data protection and GDPR. But what does 'GDPR' mean?
GDPR is short for the ‘General Data Protection Regulation’.
GDPR came into force on 25 May 2018.
Q: Why is GDPR important?
The previous Data Protection Directive was introduced by the EU in 1995. However, in the 20+ years since then, as more people have gone online, more personal data has gone online too. GDPR's aim was to reflect where we are today in terms of how we use personal data and our rights over our own data.
Q: Don't we already have data protection laws?
In the UK the Data Protection Act 1998 set out how your personal information could be used by companies, government and other organisations.
As GDPR changed how personal data should be used, a new Data Protection Bill was introduced in 2018. This put the GDPR data protection requirements into UK law, so it will still apply after Brexit.
Q: What is the difference between a data processor and a data controller?
The data controller is the party who decides what personal data is collected and the purposes of the processing.
The data processor as the name suggests actually 'processes' that data on behalf of the data controller. GDPR places new obligations on data processors, as they can now face fines for non-compliance and claims for compensation from data subjects for GDPR breaches. GDPR also states that data processors may only process personal data where there is a written contract clearly stating the scope and limits of the processing activity.
Q: What type of data is protected under the GDPR?
The definition of personal data is very broad. The following are examples of personal data:
- Identity information (e.g. name, address, telephone number, credit card number);
- Health and genetic records and data;
- Biometric data;
- Racial or ethnic data;
- Data on political opinions;
- Data on sexual orientation;
- Web data (e.g. location data, IP address, cookies and RFID tags).
Q: Who owns personal data? Is it the business that collects and process the data, or the individual to whom it refers?
Well, the GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.
Q: What does privacy by design mean?
GDPR demands that data privacy is in mind right from the outset of any new project. This is called data privacy by design and by default.
Data protection is treated as part of our processes at the earliest possible stage. This means we can identify and deal with privacy issues at an early stage, safeguarding people's data rights.
Q: How is this privacy by design actually used?
A Data Protection Impact Assessment (DPIA) is the framework we use for identifying, assessing and reviewing privacy risks. Under GDPR, we carry out a DPIA for any processing activity that may represent a “high risk” to the rights and freedoms of data subjects.
The Regulation makes specific reference to particular high risk activities, among them the introduction of new technology into the business, the evaluation of data harvested through automated processing, and the processing of sensitive data (e.g. medical records). More information is available here about the DPIA and how we can contact the ICO for DPIA advice.
Q: What about personal data relating to criminal convictions or offences?
This link provides more details on how personal data is used where it relates to criminal offences.
Q: What about personal data relating to research, statistical and archiving purposes?
This link provides more details on how personal data is used in research, statistical and archival situations.
Q: What happens if something goes wrong? Who will enforce data protection issues in the UK?
GDPR is enforced in the UK by the Information Commissioner's Office (ICO). The ICO is the UK's independent body set up to uphold information rights.
If a serious data breach or data complaint is lodged with the ICO, we must co-operate as requested, and ensure those affected by the data breach are notified. A failure to co-operate may result in penalties imposed on the Trust.
Here is more information on when we notify the ICO of personal data breaches.