Our core purpose is to work with people and lead communities in improving their mental and physical health and wellbeing for a better life, through delivering excellent and responsive prevention, diagnosis, early intervention, treatment and care.
All the information you need about working for us, recruitment, job opportunities and careers within mental health, learning disability and substance misuse services in Surrey and Hampshire.
Our research and development aims are to embed a vibrant research culture within our Trust, increase the opportunities for people to participate in research and ensure that our research benefits people who use services, carers, families and our communities.
You can read about your data rights during this period by visiting the ICO website.
We will endeavour to return to our normal processing timeframes and aim to provide an update on your request as soon as we can.
If you use Surrey and Borders services, our health and social care professionals who will be working with you - doctors, nurses, psychologists, occupational therapists and social workers - will keep records about your health and any care and treatment that you receive.
Some or all of your records may be held on a computer system. These records, usually called ‘casenotes’, will be held by the care co-ordinator that you see, or by other professionals involved in your care: this may include your GP. These records may be shared within that team.
Everyone working in health and social services has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it confidential.
Sometimes we may need to share information with other professionals and services concerned in your care. For instance, your care co-ordinator might need to discuss your case with other professionals (who are not in the same team) to plan your care. We do this so we can provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent. Examples of this are:
One of your data rights (as detailed above) is the right to access. This means you have the right to request details of personal data we may hold about you.
Information on how to request your records is contained in our ‘Access to Health Records Guidance’ which can be downloaded by clicking the link. To make a request please complete our Right to Access Request form.
Or write to:
Central Records Library
Surrey & Borders Partnership NHS Foundation Trust
18 Mole Business Park
Surrey KT22 7AD
To help provide additional guidance on data protection issues, the various articles as stated under GDPR are summarised in the links provided. We have also included additional external reference links for more detailed information.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 place greater obligations on how organisations, such as Surrey and Borders, handle personal data. They apply to ‘personal data’, which is information which can identify a person, either directly or indirectly by reference to the data. This applies whether you use our services, are part of our support team as a carer, are a volunteer or trustee, or are a member of our staff - the data legislation applies to your data.
GDPR established 6 key principles:
More details on the GDPR Principles can be accessed here.
Using personal data.
GDPR introduced the need for organisations which hold or use personal data to indicate the lawful basis on which the data is being used.
Further details can be accessed here on GDPR Lawfulness of using personal data and GDPR Processing of special categories of personal data.
There are 8 data rights introduced under GDPR which provide, in law, additional rights over your personal data. These rights apply to all organisations that hold personal information, not only health and social care organisations like us. However, there are data rights exemptions and conditions regarding their use, as well as data rights notification requirements.
These data rights are listed below, with links for additional information:
Data legislation changes introduced in 2018 mean we need to be open, transparent and accountable about the personal data that we collect, hold and use.
I don't understand all the jargon being used - what do the various terms mean?
We've summarised the various GDPR terms and what they mean in this summary.
Why do you collect my data?
We only collect the personal data we need, so we can give you the health and social care you need. Please refer to our 'Information Sharing' leaflet for details.
How long do you hold data about me?
Under the current data protection legislation, we only keep personal data for as long as it is necessary. We have a retention policy which details the information we hold and how long we will hold it. Details of our policies and procedures are available on our webpage.
I think my personal data is wrong, or some details are missing. How do I find out more?
We try to make sure your personal data is accurate and correct.
Under GDPR, there are 8 data rights (these are listed in the 'Your Rights' section on this webpage). If you have an issue, or a query about your data rights, please contact the Records Management team and clearly say what you believe is wrong and how it should be updated.
Write: Records Management Team
Surrey and Borders Partnership NHS Foundation Trust
18 Mole Business Park, Randalls Road
Leatherhead, Surrey KT22 7AD
Call: 01372 216265
Please be aware that we are unable to alter or remove opinions, including medical diagnoses, unless those opinions themselves are based on inaccurate factual information.
I’ve heard a lot in the news about data protection and GDPR. But what does 'GDPR' mean?
GDPR is short for the ‘General Data Protection Regulation’.
GDPR came into force on 25 May 2018.
Why is GDPR important?
The previous Data Protection Directive was introduced by the EU in 1995. However, in the last 20+ years, as more people have gone online, more personal data has gone online too. GDPR's aim was to reflect where we are today in terms of how we use personal data and our rights to our own data.
Don't we already have data protection laws?
In the UK the Data Protection Act 1998 set out how your personal information could be used by companies, government and other organisations.
As GDPR changed how personal data should be used, a new Data Protection Bill was introduced in 2018. This put the GDPR data protection requirements into UK law, so it will apply after Brexit.
What is the difference between a data processor and a data controller?
The data controller is who decides what personal data is collected and the purposes of the processing.
The data processor, as the name suggests, actually 'processes' that data on behalf of the data controller. GDPR places new obligations on data processors, as they can now face fines for non-compliance and claims for compensation from data subjects for GDPR breaches. GDPR also states that data processors may only process personal data where there is a written contract clearly stating the scope and limits of the processing activity.
What type of data is protected under the GDPR?
The definition of personal data is very broad. The following are examples of personal data:
Who owns personal data? Is it the business that collects and processes the data, or the individual to whom it refers?
Well, the GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.
What does privacy by design mean?
GDPR demands that data privacy is kept in mind right from the outset of any new project. This is called data privacy by design and by default.
Data protection is seen as a part of our processes at the earliest possible stage. This means we can identify and deal with privacy issues at an early stage, so safeguarding people’s data rights.
How is this privacy by design actually used?
A Data Protection Impact Assessment (DPIA) is the framework we use for identifying, assessing and reviewing privacy risks. Under GDPR, we carry out a DPIA for any processing activity that may represent a “high risk” to the rights and freedoms of data subjects.
The Regulation makes specific reference to particular high risk activities, among them, the introduction of new tech into the business, the evaluation of data harvested through automated processing and the processing of sensitive data (e.g. medical records). More information is available here about the DPIA and how we can contact the ICO for DPIA advice.
What about personal data relating to criminal convictions or offences?
This link provides more details on how personal data is used where it relates to criminal offences.
What about personal data relating to research, statistical and archiving purposes?
This link provides more details on how personal data is used in research, statistical and archival situations.
What and who is the Data Protection Officer (DPO)?
A Data Protection Officer (DPO) is someone who is given formal responsibility for data protection and compliance within an organisation.
Surrey and Borders Partnership NHS Foundation Trust has a DPO, Louis Lau, who may be emailed at: firstname.lastname@example.org.
Further information about the DPO role and function is available here.
What happens if something goes wrong? Who will enforce data protection issues in the UK?
GDPR is enforced in the UK by the Information Commissioner’s Office (ICO). The ICO is the UK's independent body set up to uphold information rights.
If a serious data breach or data complaint is lodged with the ICO, we must co-operate as requested, and ensure those affected by the data breach are notified. A failure to co-operate may result in penalties imposed on the Trust.
Here is more information on when we notify the ICO of personal data breaches.
For more information on data protection issues.
We are one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident and Emergency or using community care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to opt out, visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
You can also find out more about how patient information is used at:
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.
We are working towards being able to apply your national data opt-out choice by 2020.
This is the government's target date to ensure health and care organisations have systems and processes in place so they can apply your national data opt-out choice.
Data Protection Act 2018:
The Data Protection Act 2018 gives people who use our services the right to apply for access to their own health records held both electronically and in manual form. The only exceptions could be if:
Applications for access to the records of a living person who uses our services are made under Section 7 of the Act.
Access to Health Records Act 1990:
The Access to Health Records Act 1990 applies to deceased persons' records. Applications can be made by the deceased person’s representative or by any person who may have a claim arising out of that person’s death.
Deceased records are still covered by a duty of confidence and are not routinely available for 'anyone' to access. There are circumstances when access is denied.
Your health records are confidential and cannot be shared outside the Trust without your consent. Our Information Sharing leaflet contains more information - this is also available in an easy read and large print format.
General Data Protection Regulation (GDPR) 2018:
The General Data Protection Regulation (GDPR) is an EU-wide law that places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.
GDPR applies to ‘personal data’. This means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
GDPR has 6 principles which are:
GDPR and data protection safeguards are enforced in the UK by the Information Commissioner’s Office.
To comply with data protection legislation requirements, Data Protection Impact Assessments (DPIA) are undertaken within the Trust to assess data privacy risks, the legal basis for data collection, its use and the disclosure of information.
All new projects, initiatives and processes that involve using or sharing personal information will require a completed Data Protection Impact Assessment at the initial stages and prior to any procurement decision being made. All Data Protection Impact Assessments when completed will be submitted to the Data Protection Officer and/or the Information Governance Steering Group for approval.
The current list of approved Data Protection Impact Assessments is in the file below:
For more information regarding our Data Protection Impact Assessments, email: email@example.com
For more details please refer to:
Our leaflets can be accessed here and are also available in easy read and large print formats.
The Surrey Care Record, launched on 29th August 2018, will initially allow some information from GP health records to be shared with local A&E departments (St Peter’s, East Surrey, Epsom and Royal Surrey Hospitals), and hospital records will also be available to GP practices.
Surrey and Borders Partnership NHS Foundation Trust is not included in the first phase of information sharing. However, the future plan is that the personal information we hold will also be part of the Surrey Care Record and shared with GPs and Surrey Hospitals.
What are the benefits?
You will not have to repeat your medical history or social care information every time you deal with a new member of staff or organisation.
Care professionals will be able to find shared information when they need it, such as test results, helping to avoid unnecessary appointments and further tests.
Ultimately this information sharing will improve the standard of care and the speed of decision making.
What information is on the care record?
The record will contain summary information from your medical records. This will include:
Choosing to opt out
You can opt out of sharing your records at any time. If you do want to opt out, you will need to speak to your GP practice or any other organisation sharing information via the Surrey Care Record.
Contact Surrey Heartlands for further information
Telephone: 0300 200 1018
SMS Text: 07786 202 545