Dear Bolton NHS Foundation Trust,
I would like to make a request under the FOI Act.
For the purposes of the Act, please take the date of your receipt of this request as Tuesday 6th February 2018.
I note with interest that your organisation extracts and uploads personal and sensitive (special category) data to the Bolton Care Record.
Your organisation is, of course, the data controller for the records that it holds and so is responsible for lawful processing of that data, such as extracting it and uploading to the BCR - a separate database and a data processor.
You are a data controller (in common or joint) for the uploaded information, and I am led to believe that Bolton CCG is acting as a data processor.
I am interested in how your organisation has assessed likely compliance with the GDPR requirements come May 25th, with respect to this processing.
Please could you provide me with the following information:
1) Any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to BCR database) after 25th May?
2) If you currently secure consent (as defined by the GDPR) from patients/clients as a prerequisite for allowing extraction and uploading to the BCR, then please provide me with your consent form
3) Do you currently instruct the data processor to process your patients/clients' uploaded data for secondary purposes (research, commissioning, "population health analytics")?
4) If so, do you seek the explicit consent of patients/clients as a prerequisite to processing their information in this way? If so, then please provide me with your consent form (if different from 2) above)
5) If so, are you intending to continue to allow secondary processing beyond the 25th May?
6) If you are to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May
7) If you are to persist with secondary processing, and you do NOT record the consent of patients/clients as a prerequisite for such processing, then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as how you will set aside the common law of confidentiality in order to process (i.e. extract and upload to the data processor) such data for secondary purposes
If you have not begun to assess your forthcoming compliance with the GDPR, then please say so, and I will take it that you hold no information, and I will resubmit this entire request in April.
I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.
I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).
Thank you once again.
Dr Neil Bhatia
FREEDOM OF INFORMATION
Subject: Bolton Care Record
Thank you for your email dated 06 February 2018 where you requested
information about Bolton Care Record.
The information you requested is enclosed.
The Bolton Care record along with all our other systems and processes
within the Trust are being reviewed as part of our GDPR programme.
Specifically the BCR Information Governance group will be reviewing the
system in light of the GDPR requirements in March 2018. I have attached
our Information sharing and privacy impact assessment report but these
will refer to the legislation as it was enacted last year.
Please find information sharing protocol and privacy impact assessment
If you have any queries or concerns please do not hesitate to contact the
Freedom of Information Department. It would be helpful to quote the above
reference number in any future communication.
If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of our decision,
you should write to The Chief Executive, Bolton NHS Foundation Trust, The
Royal Bolton Hospital, Minerva Road, Farnworth, Bolton. BL4 0JR.
If you are not content with the outcome of your complaint you may apply
directly to the Information Commissioner. Generally the Information
Commissioner cannot make a decision unless you have exhausted the
complaints procedure provided by Bolton NHS Foundation Trust. The
Information Commissioner can be contacted at The Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9
The information supplied to you continues to be protected by the Copyright
Design and Patents Act 1998. You are free to use it for your own purposes,
including any non-commercial research you are doing and for the purposes
of news reporting. Any other reuse, for example commercial publication
requires the permission of the Trust. You must ensure you gain the Trust's
permission before reproducing any third party information.
Information Governance Department
IT Training Suite
Royal Bolton Hospital
Tel: 01204 390861
Email: [email address]
Our Bolton NHS Foundation Trust values
V O I C E
Vision Openness Integrity Compassion Excellence