Privacy and Data Sharing

The European Union General Data Protection Regulation (GDPR) will come into force on 25th May 2018.

This regulation replaces the current Data Protection Act 1998 and brings in a number of new elements and significant enhancements.

The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act 1998 and place an emphasis on making privacy notices more transparent, intelligible, written in clear and plain language and easily accessible.

The GDPR defines personal data as the following: ‘Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

‘Special categories’ of personal data (sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The new elements and significant enhancements it brings in are listed below:

  • Awareness
  • Information you hold
  • Communicating privacy information
  • Individuals’ rights
  • Subject access requests
  • Lawful basis for processing personal data
  • Consent
  • Children
  • Data breaches
  • Data Protection by Design and Data Protection Impact Assessments
  • Data Protection Officers
  • International

What information do we collect about you?

  • Basic details about you, such as name, address, date of birth, NHS number, GP and next of kin
  • Contacts we have had with you, such as clinic visits or hospital admissions
  • Notes and reports about your health and any treatment and care you need
  • Details and records about the treatment and care you receive
  • Results of investigations, such as x-rays, scans and laboratory tests
  • Relevant information from other health professionals, relatives or those who care for you and know you well

How will your information be used?

Your information is used so that:

  • your doctor, nurse or any other healthcare professional involved in your care has accurate and up-to-date information to assess your health and decide what care you need when you visit us
  • we can contact you for health checks (for example, immunisation, cervical smears, breast screening or other preventative treatment)
  • full information is available should you see another doctor, be referred to a specialist or another part of the NHS
  • there is a good basis for assessing the type and quality of care you have received
  • your concerns can be properly investigated if you need to complain.

What is our legal basis for processing your personal data?

For processing to be lawful under the GDPR South Warwickshire NHS Foundation Trust (SWFT) is obliged to identify a lawful basis before it can process personal data. The obligation requires SWFT to satisfy a condition under Article 6 and, where special category data is being processed, also under Article 9. For SWFT's purposes, the following condition, under Article 6, for lawful processing will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority’.

There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data: 6(1)(a) – Consent of the data subject.

For necessary processing of special categories, e.g. health data for employment purposes, the following condition, under Article 9, will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’.

As information relating to criminal convictions and offences are not special categories.

Your rights

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification of your personal data. If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time; this will not affect the lawfulness of the processing carried out before your consent was withdrawn.

Who will your information be shared with?

Your personal information will be shared with:
  • NHS Trusts
  • Commissioning Support Units
  • General Practitioners (GPs)
  • Ambulance Services

If it is necessary to share your information with other agencies, it will be subject to strict controls and data sharing agreements describing how your information may be used and what portion of it may be shared, for example with:
  • NHS Common Service Agencies such as dentists, ophthalmic services etc.
  • Social Care Services
  • Education Services
  • Local Authorities
  • Voluntary or Private Sector Providers


You have the right to access this information to ensure that it is accurate. Please let the Data Protection Officer know if you would like to do this.

Your data is processed in accordance with the provisions of the General Data Protection Regulation as stated above.

How do we keep your information confidential?

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the South Warwickshire NHS Foundation Trust is Dr Charles Ashton.

Data Controller and Contacts

South Warwickshire NHS Foundation Trust (SWFT) is the Data Controller [and Data Processor] of data for the purposes of the DPA18 and GDPR.

SWFT, as the Data Controller, is committed to protecting the rights of individuals in line with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR).

SWFT has a Data Protection Officer (DPO) and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email: dpo.swft@nhs.net

Information Commissioner

Information Commissioner Advice about GDPR

GDPR Individual Rights

Frequently asked questions

To help you understand the implications of these new laws and how they could affect your work, we have compiled the following FAQs. If you have any questions, please contact: dpo.swft@nhs.net

1. What is the GDPR and when does it become applicable?

The GDPR is European Union (EU) legislation that will become directly applicable in

2. What is the difference between the GDPR and the Data Protection (DP) Bill?

  • The GDPR is EU legislation that will be applicable as law in EU Member States (e.g. the UK) from 25 May 2018, irrespective of national legislation.
  • The DP Bill will become law when enacted as the Data Protection Act 2017. It will explicitly bring provisions of the GDPR into UK law and establish continuity of the GDPR in the UK post Brexit. The Act will legislate in areas where the GDPR allows flexibility at national level. It will also introduce legislation on processing for law enforcement purposes (in support of the EU Law Enforcement Directive) and by the intelligence services, and make provision for the Information Commissioner (the UK regulator).

3. How does this affect current UK law on data protection (DPA 1998)?

  • The DPA 1998 will be completely repealed.


4. What are the penalties for non-compliance?

  • Fines under the GDPR are up to a maximum of €20 million or 4% of turnover. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important that organisations ensure their compliance.

5. How does this affect me?

The GDPR strengthens the controls that organisations (controllers) are required to have in place over the processing of personal data, including pseudonymised personal data.

Headline impacts are:

  • Appointment of Data Protection Officer (DPO) mandatory for all public authorities
  • Organisations obliged to demonstrate that they comply with the new law (the concept of ‘accountability’).
  • Significantly increased penalties possible for any breach of the Regulation – not just data breaches (see above).
  • Legal requirement for security breach notification.
  • Removal of charges, in most cases, for providing copies of records to patients or staff who request them.
  • Requirement to keep records of data processing activities.
  • Data Protection Impact Assessment required for high risk processing (which includes the large-scale processing of health-related personal data).
  • Data protection issues must be addressed in all information processes.
  • Specific requirements for transparency and fair processing.
  • Tighter rules where consent is the basis for processing.

Some of these requirements should be established good practice. Organisations that are performing well in their information governance toolkit scores should have a good baseline to work from. However, these legal requirements require organisations to take specified actions, and have evidence to demonstrate that they have done so.

Organisations should undertake a thorough review of the GDPR requirements, including the helpful and on-going guidance published by the Information Commissioner’s Office (ICO), to ensure you are compliant. This is especially important as areas which were good practice are now legal requirements (e.g. the Data Protection Impact Assessment – see below).

Other issues to think about include the information provided to data subjects. Most health and social care organisations provide privacy notices to their data subjects as standard, which explain what they use personal data for and why. The ICO has published a code of practice on what should be included. The GDPR / DP Bill now requires specific information to be provided to a data subject. Articles 12 – 14 of the GDPR set out what will be required.

6. What is a Data Protection Impact Assessment (DPIA)?


A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or way of working involving high risk processing (such as processing “health data”) is introduced.

  • When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. A DPIA should be signed off by an organisation’s Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).
  • A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing.
  • The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).

7. What/who is the DPO?

The DPO will also be responsible for monitoring the organisation(s) compliance with the GDPR.

It is important to note that data processors that process personal data on behalf of health or social care organisations must appoint a DPO where they either:

  • process special categories data on a large scale OR
  • perform regular or systematic monitoring of data subjects


The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.
It is envisaged that the DPO will be supported by the organisation’s Information Governance (IG) and/or Information Communication Team (ICT).

8. Who can be a DPO?

Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are ‘public authorities’ taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest. A DPO team with a nominated contact for each organisation is an acceptable approach.

There are specific roles that the DPO cannot perform in conjunction with this new role. As a result it is important to consider EU Guidelines that state:-

9. What guidance does the ICO intend to publish?

The ICO has already started to publish useful information and will continue to do so.


10. Do you need to re-seek consent if already obtained for the purposes of sharing data?

Please be aware the ICO has produced draft guidance regarding consent which may be helpful.

Organisations should review their existing consents before May 2018 to ensure that they are GDPR-compliant.

It will not be necessary to seek new consent if your existing consents are already GDPR compliant - although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.

If your existing DPA consents do not meet the GDPR’s requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair, i.e. that the data subjects’ rights and freedoms are not undermined through a change in processing), or stop the processing.

Any exercise to contact individuals to refresh consent must itself comply with the DPA and Privacy and Electronic Communications Regulations (PECR).

11. How will the right to erasure be applied in a healthcare setting?

A data subject’s right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate areas under the GDPR where processing can lawfully continue and such a request refused. For example, where there is a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. There are other instances such as public interest in the area of public health (related to specific articles) or archiving.

This right aims to strengthen the ability to remove information made available online especially when made public by a child and making this right available when they are an adult.

A request from a data subject exercising this right should be taken seriously and considered on a case-by-case basis. Where it is legitimately not possible to erase the information, this should be communicated to the data subject promptly and as per the requirements under Article 15 (“right of access”).

12. Is there a standard format to giving information held back to the patient?

No. The GDPR describes what information should be provided to the patient, but not the format in which it should be provided.

How long do we keep your information?

South Warwickshire NHS Foundation Trust is obliged to retain your data in accordance with the Department of Health’s Records Management Code of Practice 2016.

Any requests or objections should be made in writing to the Data Protection Officer above.

How do I make a complaint?

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision.

The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

www.ico.org.uk

Freedom of Information Requests

The Freedom of Information Act 2000 (FOIA) gives members of the public certain rights to request information from public authorities. The individual right of access applies to all types of recorded information held by public authorities regardless of the date of the information. The Act does, however, set out some exemptions to this right. It also places a number of obligations on public authorities about the way in which they provide information. Subject to the exemptions, anyone making a request must be informed whether the public authority holds the information and, if so, be supplied with it - generally within 20 working days. There is also a duty to provide advice or assistance to anyone seeking information (for example in order to explain what is readily available or to clarify what is wanted).

Download more information on the Freedom of Information Act.

Under Section 19 of the FOIA we have a legal duty to adopt and maintain a publication scheme for the publication of the information we use.

The publication scheme can help you find the following information:

Class 1 - Who we are and what we do
Class 2 - What we spend and how we spend it
Class 3 - What our priorities are and how we're doing
Class 4 - How we make decisions
Class 5 - Our policies and procedures
Class 6 - Lists and registers
Class 7 - The services we offer

Making a request

Please submit any Freedom of Information requests to: FOI@swft.nhs.uk.

Bona Vacantia Enquiries

We make appropriate enquiries to trace relatives of patients who pass away at the hospital with no next of kin. For those who we are unable to trace, their details are forwarded on to: Government Legal Department, Bona Vacantia Division (BVD), PO Box 70165, London WC1A 9HG.

We do not hold any information on the value of any estate the person may have had, nor can we make any additional information available on individual cases through Freedom of Information requests. For further information, please click on the links below:

Download the Governments bona vacantia estates referral form.

View further information on bona vacantia.

Cost of information

The Trust will charge only for providing hard copies of information or for copying onto a different medium (e.g. a CD). Current photocopying costs are 25p per copy, and postage will also be charged at cost. The charges will be reviewed regularly.
