CHIE/HHR and the GDPR

The request was successful.

Dear Portsmouth City Council,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I understand that your organisation is shortly due to extract and upload personal/sensitive data to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, and to which I shall refer to as CHIE/HHR in this request.

I am interested in how you are intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect to the processing function of extracting and uploading client records to the CHIE/HHR.

I am assuming that you would not be considering joining this project without having made an assessment of how your obligations as a data controller would subsequently be met in less than 131 days (when the EU GDPR comes into force).

Your organisation is of course the data controller for the records that you hold at the time of processing (extraction and uploading), and will be a data controller in common for the extracted and uploaded data held within the CHIE/HHR database.

Please could you provide me with the following information:

1) Will you obtain explicit consent from data subjects before extracting and uploading their data to the CHIE/HHR database? Or is such processing to take place on an "implied consent" and "opt-out" basis?

2) If you do plan to obtain explicit consent, will it be specific and granular consent (individual consent options for distinct processing operations), as opposed to a vague or "blanket" one? Please can you provide me with a sample consent form

3) How do clients who wish to object to, or withdraw consent from (if you seek explicit consent first), the extraction and uploading (i.e. processing) of their personal data express that to you, the data controller? Or do you have no mechanism in place to respect any such objection/withdrawl of consent made directly to you, and simply direct them to another data controller, such as their GP surgery?

4) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to the CHIE/HHR database) after 25th May

5) If you are planning to seek explicit consent - and rely on 6(1)(a) - then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism for "obtaining consent" will be compliant with the EU GDPR after 25th May

6) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the processing of their data in this way (i.e. extraction and uploading of their data to the CHIE/HHR database) will be compliant with the EU GDPR after 25th May

7) Are you intending to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR?

8) If you are to allow secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May?

9) If you are to allow secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

FOI, Portsmouth City Council

1 Attachment

 

[1]logo_engInformation Governance  

Community & Communications  Services

Civic Offices, Guildhall Square, Portsmouth, PO1 2AL

Telephone:    023 9268 8482

                                               

                                                                       

 

Reference: FOI2018/0051

 

Dear Dr Bhatia

 

 

FREEDOM OF INFORMATION ACT 2000 - INFORMATION REQUEST ACKNOWLEDGEMENT

 

Thank you for your request for information received on 13^th January 2018.

 

Your request is being considered and, subject to the points made below,
you will receive the information requested as promptly as possible within
the statutory timescale of 20 working days as defined by the Freedom of
Information Act 2000.

 

If we need to obtain more information from you in order to understand what
information you require, we will contact you. If this is the case, the 20
days time limit will not commence until your request has been clarified.

 

The Act defines a number of exemptions that may prevent release of certain
information.  The City Council will consider whether any of these
exemptions apply and, where required by the Act, whether it is in the
public interest to release the information.  If we have to make a public
interest test, the 20 day time limit might be extended. We will inform you
if the time scale has to be extended and if any information is withheld
and of your rights of appeal.

 

The City Council would like to make you aware that disclosure of
information obtained through FOIA is a disclosure into the public domain.

 

The City Council’s standard approach is to provide the information in the
form in which we hold it.  If you require alternative formats, e.g. audio,
large print, etc. or a different language, please let me know and we will
provide it if reasonably practicable to do so. If your request is a
question and we do not hold the answer in recorded form we will try and
provide an answer where we are able unless it requires the creation of new
information.

 

There may be a fee payable for this information request and we will send
you a Fees Notice if this is the case. Any fee must be paid before the
request is provided.  The time between the issue of the Fees Notice and
receipt of payment is excluded from the calculation of the 20 working day
time limit.

 

Any personal information you provide in relation to this request will only
be used for the purposes of processing your request for information.

 

If you have any queries or concerns then please contact the Corporate
Information Governance Officer at Portsmouth City Council, Civic Offices,
Guildhall Square, Portsmouth, Hampshire, PO1 2AL, telephone 023 9268 8482,
e-mail [2][email address].

 

Yours sincerely

 

 

 

Natasha Downer

Corporate Information Governance Officer

 

 

show quoted sections

FOI, Portsmouth City Council

1 Attachment

 

[1]logo_engInformation Governance, Community & Communications Service

Civic Offices, Guildhall Square, Portsmouth, PO1 2AL

Telephone:    023 9268 8482

 

 

Our Ref: FOI2018/0051

 

Dear Dr Bhatia

                                   

INFORMATION REQUEST – FOI2018/0051- CHIE/HHR and the GDPR

 

Thank you for your request for information received on 13^th January 2018,
which was considered under the Freedom of Information Act 2000. 

 

In accordance with the Act, Portsmouth City Council confirms it holds the
information.

 

 

YOUR REQUEST:

 

1) Will you obtain explicit consent from data subjects before extracting
and uploading their data to the CHIE/HHR database? Or is such processing
to take place on an "implied consent" and "opt-out" basis?

 

2) If you do plan to obtain explicit consent, will it be specific and
granular consent (individual consent options for distinct processing
operations), as opposed to a vague or "blanket" one? Please can you
provide me with a sample consent form

 

3) How do clients who wish to object to, or withdraw consent from (if you
seek explicit consent first), the extraction and uploading (i.e.
processing) of their personal data express that to you, the data
controller? Or do you have no mechanism in place to respect any such
objection/withdrawl of consent made directly to you, and simply direct
them to another data controller, such as their GP surgery?

 

4) Please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to what legal basis from Article 6(1) of the GDPR are
you planning to rely on to process personal data in this way (i.e. extract
and upload it to the CHIE/HHR database) after 25th May

 

5) If you are planning to seek explicit consent - and rely on 6(1)(a) -
then please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to whether your planned mechanism for "obtaining
consent" will be compliant with the EU GDPR after 25th May

 

6) Please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to whether your planned mechanism to ensure that data
subjects can withdraw consent from (if that is what you are intending to
rely upon), or to object to, the processing of their data in this way
(i.e. extraction and uploading of their data to the CHIE/HHR database)
will be compliant with the EU GDPR after 25th May

 

7) Are you intending to allow secondary processing (i.e. for research or
commissioning) of the data that you extract and upload to CHIE/HHR?

 

8) If you are to allow secondary processing, please provide me with any
information/assessments (including privacy or data protection
impact)/position or discussion paper, or similar, that you hold to date as
to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you
planning to rely on to process personal data, for secondary purposes, in
this way after 25th May?

 

9) If you are to allow secondary processing, please provide me with any
information/assessments (including privacy or data protection
impact)/position or discussion paper, or similar, that you hold to date as
to whether your planned mechanism to ensure that data subjects can
withdraw consent from (if that is what you are intending to rely upon), or
to object to, the secondary processing of their data in this way will be
compliant with the EU GDPR after 25th May

 

OUR RESPONSE:

 

We can confirm that Portsmouth City Council do not  feed data into the
HHR/CHIE and have no imminent plans to do so.

 

Under the Re- Use of Public Sector Information Regulations 2015 (SI
2015/1415) the supplied information may not be re-used without obtaining
the permission of Portsmouth City Council.

 

We trust that our response fulfils your request, however, you have the
right to appeal against this decision or to complain about our treatment
of your request.  If you wish to do so, please set out in writing your
grounds of complaint and send to the Corporate Information Governance
Officer at Portsmouth City Council, Civic Offices, Guildhall Square,
Portsmouth, Hampshire, PO1 2AL, telephone 023 9268 8482, e-mail
[2][email address].

 

Should you be dissatisfied with the outcome of the complaints decision you
may wish to follow the Portsmouth City Council’s Compliments and
Complaints procedure which can be found on the Portsmouth City Council
website or by contacting the Civic Offices.

 

Once these processes have been exhausted you have a further right of
appeal to the Information Commissioner at:

 

Further information is also available from the Information Commissioner
at:

 

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 0303 123 1113

[3]https://ico.org.uk

 

Yours sincerely

 

 

 

Natasha Downer

Corporate Information Governance Officer

 

 

show quoted sections

Dr Neil Bhatia left an annotation ()

More information about NHS data sharing, including:

• The Summary Care Record,
• The Hampshire Health Record (CHIE)
• The Berkshire Health Record (Share Your Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Sutton Integrated Digital Care Record
• The Wirral Care Record
• The Dorset Care Record

• Secondary uses of your information
• Local data streaming initiatives
• Remote consultations
• Secure online access to your GP record

can be found at:

www.nhsdatasharing.info