Privacy and Data Sharing

The European Union General Data Protection Regulation (GDPR) came into force on 25 May 2018, alongside the Data Protection Act 2018.

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). Together they are more detailed and specific than the Data Protection Act 1998 and place greater emphasis on transparency and accountability.

This regulation brings in a number of new elements and significant enhancements in the following areas:

  • Information an organisation holds
  • Transparency and Accountability
  • Individuals’ rights
  • Subject access requests
  • Lawful basis for processing personal data
  • Consent
  • Children
  • Data breaches
  • Data Protection by Design and Data Protection Impact Assessments
  • Data Protection Officers
  • International organisations and data

The GDPR/DPA 2018 covers all personal, confidential and special category data (sensitive data), and defines personal data as: ‘any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name
  • an identification number
  • location data
  • an online identifier
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

‘Special categories’ of personal data (sensitive personal data) relate to:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation

What information do we collect about you?

Details about you such as:

  • Name
  • Address
  • Date of birth
  • NHS number
  • GP
  • Next of kin

Contacts we have had with you such as:

  • clinic visits
  • hospital admission notes
  • reports about your health
  • any treatment and care you need

Details and records about you such as:

  • the treatment and care you receive
  • results of investigations
  • x-rays
  • scans and laboratory tests
  • relevant information from other health professionals
  • relevant information from relatives or those who care for you and know you well

How will your information be used?

Your information is used so that your doctor, nurse or any other healthcare professional involved in your care has accurate and up-to-date information to assess your health and decide what care you need. It also allows us to contact you with reminders about health checks (for example, immunisation, cervical smears, breast screening or other preventative treatment), and to ensure that full information is available should you see another doctor, be referred to a specialist or move to another part of the NHS.

Access to health records

If you want to access copies of your health record held by the Trust, please read the following information.

Firstly the definition of a health record is any record of information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional.

Since April 2011 the Trust has been responsible for all secondary care provided by community services across Warwickshire. Community services such as ‘Child Health Services’ and other secondary care services provided by the Trust will hold separate patient service records.

Therefore, when you request copies of your health record, please submit a single request and detail the specific health information you believe is held by an acute or secondary care service belonging to South Warwickshire NHS Foundation Trust.

Providing specific information such as dates, service attended and health professionals seen by you will ensure the Access to Health Records Team (AHR team) are able to deal with your request efficiently.

Please do not submit separate requests simultaneously. Simply state all of the information you require on one request form.

Making a request

Download or print a copy of the new health records form.

Please submit your request to:
Information Governance Department
Warwick Hospital
Lakin Road
Warwick
CV34 5BW
Tel: +44(0)1926 495321 ext. 8351/4141

These forms are not compulsory; you can submit your request in writing to the above address. However, the Trust has provided the forms for your convenience and advises that using them will help prevent delays in processing your request.

Your GP Record

The Trust will not have information held in your GP records other than copies of key information shared by your GP. Therefore, if you require access to information held in your GP records you must submit a request to the GP Practice that you are registered with.

When you change GPs your GP will transfer all of your GP record to your new GP. This ensures all of your previous medical history is now known to your new GP.

Your Summary Care Record

Any queries concerning your NHS Summary Care Record (SCR) should also be directed to your GP, as the practice is responsible for the information uploaded to your Summary Care Record. For more information about the SCR, see the NHS electronic care records page.

What is our legal basis for processing your personal data?

For processing to be lawful under the GDPR and the Data Protection Act 2018, South Warwickshire NHS Foundation Trust (SWFT) is obliged to identify a lawful basis before it can process personal data. The obligation requires SWFT to satisfy a condition under Article 6 and where special category data is being processed, also under Article 9.


For the processing of personal data, Article 6(1)(e) will apply: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.


For the processing of special category data, for example health data (including for occupational health purposes), the following condition under Article 9 will apply: 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional’.


There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data under Article 6(1)(a).


The table below details the other purposes for which we may process personal data and the legal conditions that support this. For each type of processing it lists the GDPR Article 6 condition for personal data, the GDPR Article 9 condition for special categories (sensitive data), and the statutory basis or other relevant conditions.

Lawful basis for direct care and administrative purposes

Type of processing: All health and adult social care providers are subject to the statutory duty to share information about a patient for their direct care. This also includes:

  (a) preventive or occupational medicine,
  (b) the assessment of the working capacity of an employee,
  (c) medical diagnosis,
  (d) the provision of health care or treatment,
  (e) the provision of social care,
  (f) the management of health care systems or services,
  (g) waiting list management,
  (h) performance against national targets,
  (i) activity monitoring, and
  (j) local clinical audit.

GDPR Article 6 condition: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Statutory basis or other relevant conditions:

  • NHS Trusts: National Health Service and Community Care Act 1990
  • NHS England’s powers to commission health services under the NHS Act 2006, or to delegate such powers
  • Section 251B of the Health and Social Care Act 2012 (duty to share information for direct care)

Article 6(1)(d) (vital interests) is available in life or death situations but should not be necessary for health or social care organisations to use in the performance of their tasks. It might apply where an organisation needs to act to prevent harm being caused by a patient or service user to someone who has no relationship with the organisation.

Lawful basis for vital interests

Type of processing: processing that is necessary in order to protect the vital interests of the data subject or of another natural person.

GDPR Article 6 condition: 6(1)(d) ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’

GDPR Article 9 condition: 9(2)(c) ‘processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’

Generally this only applies to matters of life and death, e.g. if an individual is admitted to the A&E department of a hospital with life-threatening injuries following a serious road accident; disclosure to the hospital of the individual’s medical history is necessary in order to protect their vital interests. It is less likely to be appropriate for medical care that is planned in advance.

Lawful basis for commissioning and planning purposes

Type of processing: Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital, either centrally or, for local flows, by its Data Services for Commissioners Regional Offices (DSCRO). The conditions below apply where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data and can require specified organisations to provide it.

GDPR Article 6 condition: 6(1)(c) ‘…for compliance with a legal obligation…’

GDPR Article 9 condition: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Statutory basis or other relevant conditions: Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Health Service (Control of Patient Information) Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance. The commissioning of individually tailored services, or for example the approval of individual funding requests, should operate on the basis of consent for confidentiality purposes.

Lawful basis for research

GDPR Article 6 condition: 6(1)(f) ‘…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’. Note that the final subparagraph of Article 6(1) provides that 6(1)(f) is not available to public authorities for processing carried out in the performance of their tasks, so research processing undertaken as part of the Trust’s public task should instead rely on 6(1)(e).

GDPR Article 9 condition: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’

Statutory basis or other relevant conditions: Data Protection Act 2018, Schedule 2, paragraph 27(1), under which the listed GDPR provisions do not apply to personal data processed for (a) scientific or historical research purposes, or (b) statistical purposes.

A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of the DPA 2018 that relate to research and statistical purposes, and other relevant legislation, for example section 251 support.

Lawful basis for regulatory and public health functions

Type of processing: processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

GDPR Article 6 condition: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

GDPR Article 9 condition: 9(2)(i) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Statutory basis or other relevant conditions:

  • Health Protection (Notification) Regulations 2010
  • Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008
  • Clinical audits (Healthcare Quality Improvement Partnership)

Some information we have to share is used for statistical, research or audit purposes. In these instances we take strict measures to ensure that individual patients cannot be identified, and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity. Anyone who receives information from us also has a legal duty to keep it confidential and secure.

Lawful basis for safeguarding

GDPR Article 6 condition: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of…social protection law in so far as it is authorised by Union or Member State law…’

Statutory basis or other relevant conditions: Children Acts 1989 and 2004, and the Care Act 2014

Lawful basis for employment purposes

GDPR Article 6 condition: 6(1)(b) ‘…for the performance of a contract to which the data subject is party…’, or 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law…’

Statutory basis or other relevant conditions: Safeguarding Vulnerable Groups Act 2006, as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data

Your rights

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data.

  • Right to request access to your information
  • Right to rectification of your personal data
  • Right to data portability
  • Right to withdraw consent: if you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time; this will not affect the lawfulness of the processing before your consent was withdrawn
  • Right to erasure



Who will your information be shared with

In order for the Trust to provide you with high quality health care services we are required to collect and use your personal data. To support our clinical duties this data can sometimes be shared with relevant departments within the Trust and with other NHS organisations and authorities where required; at times it may also be used for training and auditing purposes.

We are committed to processing your personal data in accordance with the law.

South Warwickshire NHS Foundation Trust is the Data Controller for any personal information you provide. If required, the Trust can provide you with information about why your personal data is being processed, how long the Trust will keep it for, who it may be shared with, your rights, and who to contact if you have any queries or concerns.


We may share information about you with the following agencies in order to support the delivery of your care:


  • Department of Health
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as other hospitals
  • General Practitioners (GPs)
  • Ambulance Service
  • Mental Health Services
  • Social services

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used, with the following organisations (where there are safeguarding risks or crime prevention concerns we may have a legal obligation to disclose information about you without seeking consent):


  • NHS Digital
  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector

We may also share your information with others that need to use records about you to carry out the following:


  • Check the quality of treatment or advice we have given you
  • Protect the health of the general public
  • Manage the health service
  • Help investigate any concerns or complaints you or your family have about your healthcare
  • Research
  • Clinical Audits



How do we keep your information confidential?

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the South Warwickshire NHS Foundation Trust is Dr Charles Ashton.

Data Controller and Contacts

South Warwickshire NHS Foundation Trust (SWFT) is the Data Controller (and, in some cases, Data Processor) of data for the purposes of the DPA 2018 and GDPR.

SWFT as the Data Controller is committed to protecting the rights of individuals in line with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

SWFT has a Data Protection Officer (DPO) and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email: dpo.swft@nhs.net

How long do we keep your information

South Warwickshire NHS Foundation Trust is obliged to retain your data in accordance with the Department of Health’s Records Management Code of Practice 2016.

Records Retention Guide


How do I make a complaint?

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision.

The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Right to make a complaint directly to the ICO

Freedom of Information Requests

The Freedom of Information Act 2000 (FOIA) gives members of the public certain rights to request information from public authorities. The individual right of access applies to all types of recorded information held by public authorities regardless of the date of the information. The Act does, however, set out some exemptions to this right. It also places a number of obligations on public authorities about the way in which they provide information. Subject to the exemptions, anyone making a request must be informed whether the public authority holds the information and, if so, be supplied with it - generally within 20 working days. There is also a duty to provide advice or assistance to anyone seeking information (for example in order to explain what is readily available or to clarify what is wanted).

Download more information on the Freedom of Information Act.

Under Section 19 of the FOIA we have a legal duty to adopt and maintain a publication scheme setting out the information we routinely publish.

The publication scheme can help you find the following information:

Class 1 - Who we are and what we do
Class 2 - What we spend and how we spend it
Class 3 - What our priorities are and how we're doing
Class 4 - How we make decisions
Class 5 - Our policies and procedures
Class 6 - Lists and registers
Class 7 - The services we offer

Making a request

Please submit any Freedom of Information requests to: FOI@swft.nhs.uk.

Bona Vacantia Enquiries

We make appropriate enquiries to trace relatives of patients who pass away at the hospital with no next of kin. For those who we are unable to trace, their details are forwarded on to: Government Legal Department, Bona Vacantia Division (BVD), PO Box 70165, London WC1A 9HG.

We do not hold any information on the value of any estate the person may have had, nor can we make any additional information available on individual cases through Freedom of Information requests. For further information, please see the links below:

Download the Government’s bona vacantia estates referral form.

View further information on bona vacantia.


Frequently asked questions

To help you understand the implications of these new laws and how they could affect your work, we have compiled the following FAQs. If you have any questions, please contact: dpo.swft@nhs.net

1. What is the GDPR and when does it become applicable?

The GDPR is European Union (EU) legislation that will become directly applicable in

2. What is the difference between the GDPR and the Data Protection (DP) Act 2018?


The GDPR is EU legislation that applies as law in EU Member States (including the UK) from 25 May 2018, irrespective of national legislation. The Data Protection Act 2018 is UK legislation that sits alongside the GDPR: it exercises the derogations and options the GDPR leaves to Member States, and extends similar rules to processing outside the GDPR’s scope (such as processing by law enforcement and the intelligence services).

3. How does this affect current UK law on data protection (DPA 1998)?


The DPA 1998 is repealed in full and replaced by the Data Protection Act 2018.

4. What are the penalties for non-compliance?

Fines under the GDPR can reach a maximum of €20 million or 4% of total worldwide annual turnover, whichever is higher. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important that organisations ensure their compliance.


5. How does this affect me?

The GDPR strengthens the controls that organisations (controllers) are required to have in place over the processing of personal data, including pseudonymised personal data.


Headline impacts are:

  • Appointment of Data Protection Officer (DPO) mandatory for all public authorities
  • Organisations obliged to demonstrate that they comply with the new law (the concept of ‘accountability’).
  • Significantly increased penalties possible for any breach of the Regulation – not just data breaches (see above).
  • Legal requirement for security breach notification.
  • Removal of charges, in most cases, for providing copies of records to patients or staff who request them.
  • Requirement to keep records of data processing activities.
  • Data Protection Impact Assessment required for high risk processing (which includes the large-scale processing of health-related personal data).
  • Data protection issues must be addressed in all information processes.
  • Specific requirements for transparency and fair processing.
  • Tighter rules where consent is the basis for processing.

Some of these requirements should be established good practice. Organisations that are performing well in their information governance toolkit scores should have a good baseline to work from. However, these legal requirements require organisations to take specified actions, and have evidence to demonstrate that they have done so.

Organisations should undertake a thorough review of the GDPR requirements, including the helpful and on-going guidance published by the Information Commissioner’s Office (ICO), to ensure they are compliant. This is especially important as areas which were previously good practice are now legal requirements (e.g. the Data Protection Impact Assessment – see below).

Other issues to think about include the information provided to data subjects. Most health and social care organisations provide privacy notices to their data subjects as standard, explaining what they use personal data for and why. The ICO has published a code of practice on what should be included. The GDPR / DPA 2018 now requires specific information to be provided to a data subject; Articles 12 to 14 of the GDPR set out what is required.

6. What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced.

  • When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. A DPIA should be signed off by an organisation’s Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).
  • A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing.
  • The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).

7. What/who is the DPO?

The Data Protection Officer (DPO) is the person an organisation designates to inform and advise it on its data protection obligations. The DPO is also responsible for monitoring the organisation’s compliance with the GDPR.

It is important to note that data processors that process personal data on behalf of health or social care organisations must appoint a DPO where they either:

  • process special categories data on a large scale OR
  • perform regular or systematic monitoring of data subjects


The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.

8. Who can be a DPO?

Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are ‘public authorities’ taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest. A DPO team with a nominated contact for each organisation is an acceptable approach.

There are specific roles that the DPO cannot hold alongside this role, broadly any role that determines the purposes and means of processing personal data, because this would create a conflict of interest. As a result it is important to consider the EU guidelines on this point.

9. What guidance does the ICO intend to publish?
The ICO has already started to publish useful information and will continue to do so.

10. Do you need to re-seek consent if already obtained for the purposes of sharing data?
Please be aware the ICO have produced draft guidance regarding consent which may be helpful.

Organisations should review their existing consents before May 2018 to ensure that they are GDPR-compliant.

It will not be necessary to seek new consent if your existing consents are already GDPR compliant - although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.

If your existing DPA consents do not meet the GDPR’s requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair, i.e. that the data subject’s rights and freedoms are not undermined through a change in processing), or stop the processing.

Any exercise to contact individuals to refresh consent must itself comply with the DPA and Privacy and Electronic Communications Regulations (PECR).

11. How will the right to erasure be applied in a healthcare setting?

A data subject’s right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate grounds under the GDPR on which processing can lawfully continue and such a request be refused: for example, where processing is required for compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Other instances include reasons of public interest in the area of public health (under the relevant articles) and archiving.

This right aims to strengthen the ability to remove information made available online especially when made public by a child and making this right available when they are an adult.

A request from a data subject exercising this right should be taken seriously and considered on a case by case basis. Where it is legitimately not possible to erase the information, the reasons for refusal should be communicated to the data subject promptly and within the time limit set by Article 12(4) (at the latest within one month of receipt of the request), together with their right to complain to the ICO.

12. Is there a standard format to giving information held back to the patient?

No. The GDPR describes what information should be provided to the patient but not the format in which it should be provided. The one exception is that where a request is made by electronic means, Article 15(3) requires the information to be provided in a commonly used electronic form unless the patient requests otherwise.
