Due to the unprecedented challenges to Surrey and Borders Partnership NHS Foundation Trust during the Coronavirus (COVID-19) pandemic, you may experience a delay in the acknowledgment and/or response to requests received under the Data Protection Act, 2018 and Freedom of Information Act, 2000.
We apologies for any inconvenience experienced during this period.
You can read about your data rights during this period by visiting the ICO website.
We will endeavour to return to our normal processing timeframes and aim provide an update on your request as soon as we can.
You, your health and your records:
If you use Surrey and Borders services, our health and social care professionals who will be work with you - doctors, nurses, psychologists, occupational therapists and social workers - will keep records about your health and any care and treatment that you receive.
Some or all of your records may be held on a computer system. These records usually called ‘casenotes’ will be held by the care co-ordinator that you see, or by other professionals involved in your care: this may include your GP. These records may be shared within that team.
Our duty of confidentiality:
Everyone working in health and social services has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it confidential.
Sometimes we may need to share information with other professionals and services concerned in your care. For instance, your care co-ordinator might need to discuss your case with other professionals (who are not in the same team) to plan your care. We do this so we can provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent. Examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is concern that you are putting another person at risk of serious harm
- If there is concern that you are putting a child at risk of harm
- If we have been instructed to do so by a Court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information, even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons e.g. certain infectious diseases
- The sections below helps to explain some of the issues in how we manage your data; how we make sure we comply with our personal data legal responsibilities, and how you can access further information if you require.
- Our information leaflets webpage includes details you can download on 'Information Sharing', our 'Electronic Health Care Record' and 'Carers Handbook' which includes a chapter on information sharing for carers. These are available in easy-read and large print formats, as well as a standard format.
Accessing My Records
One of your data rights (as detailed above) is the right to access. This means you have the right to request details of personal data we may hold about you.
Information on how to request your records is contained in our ‘Access to Health Records Guidance’ which can be downloaded by clicking the link. To make a request please complete our Right to Access Request form.
Or write to:
Central Records Library
Surrey & Borders Partnership NHS Foundation Trust
18 Mole Business Park
Surrey KT22 7AD
To help provide additional guidance to data protection issues, the various articles as stated under GDPR are summarised in the links provided. We have also included additional external reference links for more detailed information.
General Data Protection Regulation (GDPR) and Data Protection Act 2018 places a greater obligations on how organisations, such as Surrey and Borders, handle personal data. It applies to ‘personal data’ which is information which can identify a person, either directly or indirectly by reference to the data. This applies whether you use our services, are part of our support team as a carer, are a volunteer or trustee, and for our staff - the data legislation applies to your data.
GDPR established 6 key principles:
- Personal data is to be used according to the law, in a fair and open way.
- Personal data has to be collected for explicit, definite and lawful purposes.
- Data must be adequate, relevant and limited to what is necessary
- Personal data has to be accurate - if it changes it has to be kept up to date.
- Personal data should only be kept as long as it meets its need and purpose.
- Personal data is to be kept safe and secure from unlawful use, loss, destruction and damage.
More details on the GDPR Principles can be accessed here.
Using personal data.
GDPR introduced the need for organisations which hold, or use personal data to indicate the lawful basis the data is being used.
Further details can be accessed here on GDPR Lawfulness of using personal data and GDPR Processing of special categories of personal data.
There are 8 data rights introduced under GDPR which provides in law additional rights over your personal data. These rights apply to all organisations that hold personal information, not only health and social care organisations like us. However, there are data rights exemptions and conditions regarding their use, as well as data rights notification requirements.
These data rights are listed below, with links for additional information:
- The right to be informed. Our privacy notice tells you what we do with your personal data, who may access it and why we are using it. You can see information on our 'Privacy Notice' section which is located further down this web page.
- The right of access. Information on how to access your records is contained in 'Accessing My Records' which is a section below.
- The right to rectification.
- The right to erasure.
- The right to restriction of processing.
- The right to data portability.
- The right to object. The information collected about you can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with improving standards, planning for the future or research into new treatments.
Confidential patient information is only used like this where allowed by law and you have a choice about whether you want your information to be used in this way. If you are happy with this you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out visit http://www.nhs.uk/your-nhs-data-matters
- Rights in relation to automated decision making and profiling.
- There are exemptions and limitations to data rights.
- More information on GDPR Data Rights, can be accessed here.
Data legislation changes introduced in 2018, means we need to be open, transparent and accountable in the personal data that we collect, hold and use.
Frequently Asked Questions
To help provide additional guidance to data protection issues, the various articles as stated under GDPR are summarised in the links provided. We have also included additional external reference links for more detailed information.
I don't understand all the jargon being used - what do the various terms mean?
We've summarised the various GDPR terms and what they mean in this summary.
- In our explanations and additional documentation, Surrey and Borders has not used the term 'Data Subjects'. In order to reflect our Vision and Values, we use the term 'people'.
- The GDPR terms are applicable to all EU member states. Following the departure from the EU by the UK, GDPR will continue to have effect, subject to some minor changes, and re-enacted as 'UK-GDPR'.
Why do you collect my data?
We only collect the personal data we need, so we can give you the health and social care you need. Please refer to our 'Information Sharing' leaflet for details.
How long do you hold data about me?
Under the current data protection legislation, we only keep personal data for as long as it is necessary. We have a retention policy which details for the information we hold, and how long we will hold it. Details on our policies and procedure are available on our webpage.
I think my personal data is wrong, or some details are missing. How find out more?
We try to make sure your personal data is accurate and correct.
Under GDPR, there are 8 data rights (these are listed in the 'Your Rights' section on this webpage). If you have an issue, or a query about your data rights, please contact the Records Management team and clearly say what you believe is wrong and how it should be updated.
Write: Records Management Team
Surrey and Borders Partnership NHS Foundation Trust
18 Mole Business Park, Randalls Road
Leatherhead, Surrey KT22 7AD
Call: 01372 216265
Please be aware that we are unable to alter or remove opinions, including medical diagnoses, unless those opinions themselves are based on inaccurate factual information.
I’ve heard a lot in the news about data protection and GDPR. But what does 'GDPR' mean?
GDPR is short for the ‘General Data Protection Regulation’.
GDPR came into force on 25 May 2018.
Why is GDPR important?
The previous Data Protection Directive was introduced by the EU in 1995. However in the last 20+ years as more people are online, it meant more personal data was also online too. GDPR aim was to reflect where we are today in terms of how we use personal data and our rights to our own data.
Don't we already have data protection laws?
In the UK the Data Protection Act 1998 set out how your personal information could be used by companies, government and other organisations.
As GDPR changed how personal data should be used, a new Data Protection Bill was introduced in 2018. This put the GDPR data protection requirements in to UK law - so it will be apply after Brexit .
What is the difference between a data processor and a data controller?
The data controller responsibilities is who decides what personal data is collected and the purposes of the processing.
The data processor as the name suggests actually 'processes' that data on behalf of the data controller. GDPR places new obligations on data processors, as they can now face fines for non-compliance and claims for compensation from data subjects for GDPR breaches. GDPR also states that data processors may only process personal data where there is a written contract clearly stating the scope and limits of the processing activity.
What type of data is protected under the GDPR?
The definition of personal data is very broad. This following are examples of personal data:
- Identity information (e.g. name, address, telephone number, credit card number);
- Health and genetic records and data Biometric data;
- Racial or ethnic data;
- Data on political opinions;
- Data on sexual orientation;
- Web data (e.g. location data, IP address, cookies and RFID tags).
Who owns personal data? Is it the business that collects and process the data, or the individual to whom it refers?
Well, the GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.
What does privacy by design mean?
GDPR demands that data privacy is in mind right from the outset of any new project. This is called data privacy by design and by default.
Data protection is seen as a part of our processes at the earliest possible stage. This means we can identify and deal with privacy issues and an early stage so safeguarding people’s data rights.
How is this privacy by design actually used?
A Data Protection Impact Assessment (DPIA) is the framework we use for identifying, assessing and reviewing privacy risks. Under GDPR, we carry out a DPIA for any processing activity that may represent a “high risk” to the rights and freedoms of data subjects.
The Regulation makes specific reference to particular high risk activities, among them, the introduction of new tech into the business, the evaluation of data harvested through automated processing and the processing of sensitive data (e.g. medical records). More information is available here about the DPIA and how we can contact the ICO for DPIA advice.
What about personal data relating to criminal convictions or offences?
This link provides more details on how personal data is used where it relates to criminal offences.
What about personal data relating to research, statistical and archiving purposes?
This links provides more details on how personal data is used in research, statistical and archival situations.
What and who is the Data Protection Officer (DPO)?
A Data protection officer (DPO) is someone who is given formal responsibility for data protection and compliance within an organisation.
Surrey and Borders Partnership NHS Foundation Trust has a DPO, Louis Lau, who may be emailed at: email@example.com.
Further information about the DPO role and function is available here.
What happens if something goes wrong? Who will enforce data protection issues in the UK?
GDPR is enforced in the UK, by the Information Commissioner’s Office (ICO). The ICO is the UK's independent body set up to uphold information rights.
If a serious data breach or data complaint is lodged with the ICO, we must co-operate as requested, and ensure those affected by the data breach are notified. A failure to co-operate may result in penalties imposed on the Trust.
Here is more information on when we notify the ICO of personal data breaches.
For more information on data protection issues.
- Information Commissioner’s Office: https://ico.org.uk/
- General Data Protection Regulation (GDPR): https://gdpr-info.eu/
- Data Protection Act 2018: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
- NHS GDPR Guidance: https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/gdpr
- Surrey and Borders Information Governance: IGTeam@sabp.nhs.uk
- Surrey and Borders Records Management: firstname.lastname@example.org
How the NHS and care services use your information
We are one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident and Emergency or using community care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to opt out, visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- www.hra.nhs.uk/information-about-patients/ (which covers health and care research)
- understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
We are working towards being able to apply your national data opt-out choice by 2020.
This is the government targeted date to ensure Health and care organisations have systems and processes in place so they can apply your national data opt-out choice.
Data Protection Legislation
Data Protection Act 2018:
The Data Protection Act 2018 gives people who use our services the right to apply for access to their own health records held both electronically and in manual form. The only exceptions could be if:
- If the health or social care professionals responsible for your clinical care believe the release of the data was likely to cause serious harm to you or someone else’s physical or mental health. They are not required to tell you if such information is being withheld.
- If the information was provided, or was about, a third party as this may not be released without their consent.
- If the information related to criminal offences, or was being used to detect or prevent crime.
Applications for access to the records of a living person who uses our services are made under Section 7 of the Act.
Access to Heath Records Act 1990:
The Access to Health Records Act 1990 applies to deceased persons' records. Applications can be made by the deceased persons’ representative or by any person who may have a claim arising out of that person’s death.
Deceased records are still covered by a duty of confidence and are not routinely available for 'anyone' to access. There are circumstances when access is denied.
Your health records are confidential and cannot be shared outside the Trust without your consent. Our Information Sharing leaflet contains more information - this is also available in an easy read and large print format.
General Data Protection Regulation (GDPR) 2018:
The General Data Protection Regulation (GDPR) is an EU-wide law that places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.
GDPR applies to ‘personal data’. This means that any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
GDPR has 6 principles which are:
- Lawfulness, fairness and transparency:
People are aware their personal information was being used, how it was being used and what it would be used for. That personal information used was compliant with GDPR requirements.
- Purpose limitations:
Personal information was only used for specified, explicit and legitimate purposes.
- Data minimisation:
In other words, only the minimum amount of data should be kept or used for the activity outlined.
Data must be accurate and where necessary kept up to date. If information has changed/updated/corrected, where ever the information is being used it is also has to be changed/updated/corrected.
- Storage limitations:
Personal data no longer required should be removed.
- Integrity and confidentiality:
Information should be handled in a secure way, this includes making sure there was protection against unlawful use or access, or accidental loss, destruction or damage.
GDPR and data protection safeguards are enforced in the UK by the Information Commissioner’s Office.
Data Protection Impact Assessments
To comply with data protection legislation requirements, Data Protection Impact Assessments (DPIA) are undertaken within the Trust to assess data privacy risks, the legal basis for data collection, its use and the disclosure of information.
All new projects, initiatives and processes that involve using or sharing personal information will require a completed Data Protection Impact Assessment at the initial stages and prior to any procurement decision being made. All Data Protection Impact Assessments when completed will be submitted to the Data Protection Officer and/or the Information Governance Steering Group for approval.
The current list of approved Data Protection Impact Assessments are listed in file below:
For more information regarding our Data Protection Impact Assessments, email: email@example.com
- Privacy Notice Surrey and Borders NHS Foundation Trust - GDPR
- Additional information on GDPR lawful processing conditions
- Privacy Notice for Trust Members
- Privacy Notice for Vulnerable People Reporting Service
- Privacy Notice for A&E services provided by acute hospitals in Surrey and North East Hampshire
- Privacy Notice for the Community Mental Health Transformation Programme (CMHTP)
For more details please refer to:
- Our Information Sharing leaflet which provides information on how we use personal data.
- Our Electronic Care Record leaflet which outlines how we hold data electronically.
Our leaflets can be accessed here and area also available in easy read and large print formats .
- Please ask your care coordinator for more information about how we use the information we keep about you and how you can see your records.
- The Information Commissioner's Office (ICO) has further information on GDPR.
Information Sharing Polices
- If you live in the Guildford & Waverley area, this leaflet explains how your records will be used and shared by health and social care providers in the area as part of an information analysis project.
The leaflet includes an opt-out form if you do not want your records to be used in this way.
- Surrey's Multi-Agency Information Sharing Protocol
The Surrey Care Record
The Surrey Care Record launched 29th August, 2018 initially will allow some information from GP health records to be shared with local A&E departments (St Peter’s, East Surrey, Epsom and Royal Surrey Hospitals) and hospital records will also be available to GP practices.
Surrey and Borders Partnership NHS foundation trust are not included in the first phase of information sharing. However, the future plan is that the personal information we hold will also be part of the Surrey Care Record and shared with GPs and Surrey Hospitals.
What are the benefits:-
You will not have to repeat your medical history or social care information every time you deal with a new member of staff or organisation
Care professionals will be able to find shared information when they need it, such as test results, helping to avoid unnecessary appointments and further tests.
Ultimately this information sharing will improve the standard of care and the speed of decision making.
What information is on the care record?
The record will contain summary information from your medical records. This will include:
- Your postcode, age, details of your GP practise
- Your NHS number, test results, medications, allergies
Choosing to opt out
You can opt out of sharing your records at any time. If you do want to opt out you will need to speak to your GP practice or any other organisation sharing information via the Surrey Care Record.
Contact Surrey Heartlands for further information