CHIE/HHR and the GDPR - secondary purposes after 25th May

Portsmouth Hospitals University NHS Trust did not have the information requested.

Dear Portsmouth Hospitals NHS Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I am interested in how your organisation is intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect to the processing function of extracting and uploading client records to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, and which I shall refer to as CHIE/HHR in this request, for secondary purposes (research, commissioning).

Your organisation is, of course, the data controller of client records at the time of extraction and uploading (i.e. processing) to the CHIE/HHR database, and is a data controller in common for the uploaded data.

It is now less than 129 days before the EU GDPR comes into force.

You have previously confirmed to me (under FOI) that you permit the secondary processing of uploaded data by the CHIE/HHR for secondary purposes - your organisation has not opted out of this, though it could easily do so.

The CHIE/HHR is acting as a data processor, but you remain the data controller and thus responsible and liable for the lawfulness of such processing, both at the time of extraction and uploading, and subsequently once transferred to the CHIE/HHR database.

Please could you tell me:

Are you intending to continue to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR beyond the 25th May?

If you have decided to prohibit secondary processing of your uploaded data from 25th May, then please consider this request closed.

If you have not begun to assess your forthcoming compliance with the GDPR, and therefore have not even decided as to whether you are to permit secondary processing beyond the 25th May, then please say so, and I will take it that you hold no information at present, and I will resubmit this request in April.

Otherwise:

1) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR you are planning to rely on to process personal data, for secondary purposes, in this way after 25th May.

2) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May.

If you are not planning to rely on consent, Article 6(1)(a), then I will make further FOI requests in due course about the actual legal basis that you are to rely upon and the mechanism by which data subjects can object to their unconsented secondary processing.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

Portsmouth FOIRequests, Portsmouth Hospitals University NHS Trust



Acknowledgement of Request for information under the Freedom of
Information Act 2000

 

Thank you for your request for information, made under the Freedom of
Information Act 2000 (the Act) which was received today by Portsmouth
Hospitals NHS Trust (the Trust).

 

Under the terms of the Act the Trust will endeavour to respond to your
request within 20 working days. The clock commences on the next working
day following receipt of your request. The Trust will investigate the
nature of your information request;  if clarification is required to
assist the Trust to locate & compile the information you requested,  then
the clock will be suspended until such time as the Trust receives your
clarification.

 

Please note that in accordance with section 12(4) of the Act where
multiple requests for information are received from one person or by
different persons who appear to be acting together, the estimated cost of
complying with any of the requests is to be taken to be the estimated
total cost of complying with all of them. Where applicable, we may deal
with multiple requests for information under a single reference.

 

There are also a number of exemptions which the Act permits with respect
to disclosure of information. The information will be assessed for these
exemptions prior to us releasing it to you. You will be advised if the
Trust is unable to provide the information requested due to exemption(s).

 

Re-use of Public Sector Information Regulations 2005

 

The supply of information under Freedom of Information is intended to be
for personal use only and does not automatically give the recipient the
right to commercially re-use it, for example, the right to publish it or
make it available to a wider audience [SI 2005 No: 1515 4(1)].  Therefore,
if this information is not for your personal use, you must apply in
writing to this Trust. A licence may be issued if the information is under
copyright and the issue of a licence may constitute a charge depending
upon the information released and proposed re-use.

 

Failure to comply with the Regulations may result in legal proceedings
being taken against you.

 

The Trust will only release staff personal information of those who are
grade Band 8 and above.

 

If you have any queries, please do not hesitate to contact this office.

 

Yours sincerely

 

Freedom of Information Team

Room 2.03

De La Court House

Queen Alexandra Hospital

Southwick Hill Road

Portsmouth

Hampshire

PO6 3LY

 

Tel: 023 9228 6000

Ext. 3708

Email: [email address] (Please do not use this email for further FOI requests)

 

 

 


Dear Portsmouth Hospitals NHS Trust,

Just a polite reminder that your response to my FOI request is now due.

Yours faithfully,

Dr Neil Bhatia

Portsmouth FOIRequests, Portsmouth Hospitals University NHS Trust

2 Attachments

Dear Dr Bhatia,

 

Please find attached Portsmouth Hospitals NHS Trust's letter of completion
for your request made under the Freedom of Information Act 2000.

 

Please Note - The Trust has a new Freedom of Information email address,
please send future requests to – [Portsmouth Hospitals NHS Trust request email]

 

Yours sincerely,

 

Freedom of Information Team

 

Portsmouth Hospitals NHS Trust

Room 2.03 Top Floor

De La Court House

Queen Alexandra Hospital

Southwick Hill Road

Cosham, Portsmouth

Hampshire PO3 6LY

 

02392 286000 Ext. 3708

[Portsmouth Hospitals NHS Trust request email] (For further requests only)

[email address] (For general enquiries)

www.porthosp.nhs.uk

 


"The information contained within this message is intended for the
addressee only and may contain confidential and/or privileged information.
If you are not the intended recipient, you may not peruse, use,
disseminate, distribute or copy this message. If you have received this
message in error, please notify the sender immediately by email, facsimile
or telephone and either return or destroy the original message. The sender
accepts no responsibility for any changes made to this message after it
has been sent by the original author. The views or opinions contained
herein do not necessarily represent the views of Portsmouth Hospitals NHS
Trust. This email or any of its attachments may contain data that falls
within the scope of the Data Protection Acts. You must ensure that any
handling or processing of such data by you is fully compliant with the
terms and provisions of the Data Protection Act 1984 and 1998".


 


Dear Portsmouth Hospitals NHS Trust,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Portsmouth Hospitals NHS Trust's handling of my FOI request 'CHIE/HHR and the GDPR - secondary purposes after 25th May'.

You have not answered any of my questions, simply directing me to a general document produced by another organisation.

I asked questions about *your organisation*, I did not seek the questionable "opinion" of another organisation.

*You* are the data controller for the records that you hold. Accordingly, compliance with the Data Protection Act and the GDPR, and respect for the common law of confidentiality, is *your* responsibility.

The CSU is only acting as a data processor, and only upon your instruction.

If you continue to refuse to respond to my questions then I will take this to the ICO.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/c...

Yours faithfully,

Dr Neil Bhatia

Armour Emile - Information Governance Manager, Portsmouth Hospitals University NHS Trust

Dear Dr Bhatia,
Portsmouth Hospitals NHS Trust have not made a decision regarding the secondary processing of our data by CHIA. We will undertake a review of our Data Sharing Agreement in the near future.
Kind regards,
Emile

Emile A. Armour
Information Governance Manager

Portsmouth Hospitals NHS Trust
Room 2.03 Top Floor
De La Court House
Queen Alexandra Hospital
Southwick Hill Road
Cosham, Portsmouth
Hampshire PO3 6LY
 
Tel 02392 286000 Ext. 3708
Email [email address]
NHSmail [email address]
General Enquiries [email address]

Hospital Website www.porthosp.nhs.uk

This email message and any files transmitted with it are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this email message in error, you are advised that any use, dissemination, forwarding, printing, or copying of this email message and any files transmitted with it is strictly prohibited. If you have received this email in error, please notify the sender and remove all copies of this message, including any attachments.

Emails are not considered a secure method for sending personal, sensitive or confidential information outside the Trust unless encrypted and may therefore be at risk.

The information contained in this email may be subject to public disclosure under the Data Protection legislation or the Freedom of Information Act 2000.


Dear Armour Emile - Information Governance Manager,

Thank you for your response.

I will submit a new FOI request in May then, by which time you will have no doubt decided whether you are to continue to instruct the CSU to process sensitive data for secondary purposes or to simply permit direct care processing only.

Yours sincerely,

Dr Neil Bhatia

Dr Neil Bhatia left an annotation

More information about NHS data sharing, including:

• The Summary Care Record,
• The Hampshire Health Record (CHIE)
• The Berkshire Health Record (Share Your Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Sutton Integrated Digital Care Record
• The Wirral Care Record
• The Dorset Care Record
• The Bolton Care Record

• Secondary uses of your information
• Local data streaming initiatives
• Remote consultations
• Secure online access to your GP record

can be found at:

www.nhsdatasharing.info