CHIE/HHR and the GDPR

Dr Neil Bhatia made this Freedom of Information request to Hampshire County Council

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was partially successful.

Dear Hampshire County Council,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I am interested in how Hampshire County Council is intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect to the processing function of extracting and uploading client records to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, and to which I shall refer to as CHIE/HHR in this request.

Hampshire County Council is, of course, the data controller of client records at the time of extraction and uploading (i.e. processing) to the CHIE/HHR database, and is a data controller in common for the uploaded data.

It is now less than 131 days before the EU GDPR comes into force.

I note your "consent" form for the sharing of data, that you have previously provided me with:
https://www.whatdotheyknow.com/request/4...

1) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to the CHIE/HHR database) after 25th May? Is it Consent, Article 6(1)(a)?

As you know, the GDPR sets a high standard for consent, and is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It also requires individual (‘granular’) consent options for distinct processing operations. The GDPR gives a specific right to withdraw consent, and data subjects must be offered easy ways to withdraw consent at any time. The ICO makes clear that consent must be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

2) If you are to reply upon Consent, 6(1)(a), then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your current mechanism for "obtaining consent" will be compliant with the EU GDPR come May, given that in section 1 on p13 ("My permission to share"):

a) It is blanket consent ("Yes to all") - you do not give individual (‘granular’) options to consent separately to different purposes and types of processing
b) The CHIE/HHR is not even mentioned by name in that section - it is a processing purpose quite distinct from other types of data processing that the council undertakes
c) You request their "objections" - when in fact, they are not "objecting" (which has specific implications in the GDPR) but sort of "not consenting"

3) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your current mechanism to ensure that data subjects can withdraw consent (if that is what you are intending to rely upon) to the processing of their data in this way (i.e. extraction and uploading of their data to the CHIE/HHR database) will be compliant with the EU GDPR (Article 21), in that:

a) Data subjects will be able to withdraw their consent, directly to you, the data controller (and not be required to subsequently apply to, or contact, a different data controller such as their GP surgery)
b) You will make it easy for people to withdraw their consent (currently they are required to ring HCC in person - that is the only mechanism that you offer)
b) You will ensure that no such extraction and uploading (processing) whatsoever of data from the records that you hold about the individual would then take place (no information would leave HCC)

4) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether all your *existing* consents would meet the GDPR standard and, if not, whether there is need to obtain fresh consent from your clients.

If you have not begun to assess your forthcoming compliance with the GDPR, then please say so, and I will take it that you hold no information at present, and I will resubmit this request in April.

If you are not planning to rely on consent, Article 6(1)(a), then I will make further FOI requests in due course about the actual legal basis that you are to rely upon and the mechanism by which data subjects can object to their unconsented processing.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

Adult Services Complaints, Hampshire County Council

Dear Mr Bhatia,

 

Hampshire County Council have received your requests on 15 January 2017
and will send a response within the 20 working days allowed in the Freedom
of Information Act.

 

Regards

 

Adult Services FOI Department

Hampshire County Council

Adult Services

The Castle

Winchester

SO23 8UQ

Fax: (01962) 834500

Email: [email address]

Web: [1]www.hants.gov.uk

 

This email is confidential and privileged. If you are not the intended
recipient please accept our apologies; please do not disclose, copy or
distribute information in this email or take any action in reliance on its
contents: to do so is strictly prohibited and may be unlawful. Please
inform us that this message has gone astray before deleting it.  Thank you
for your co-operation

 

 

*** This email, and any attachments, is strictly confidential and may be
legally privileged. It is intended only for the addressee. If you are not
the intended recipient, any disclosure, copying, distribution or other use
of this communication is strictly prohibited. If you have received this
message in error, please contact the sender. Any request for disclosure of
this document under the Data Protection Act 1998 or Freedom of Information
Act 2000 should be referred to the sender. [disclaimer id:
HCCStdDisclaimerExt] ***

References

Visible links
1. http://www.hants.gov.uk/

Adult Services Complaints, Hampshire County Council

Dear Mr Bhatia,

 

Hampshire County Council have received your requests on 15 January 2017
and will send a response within the 20 working days allowed in the Freedom
of Information Act.

 

Regards

 

Adult Services FOI Department

Hampshire County Council

Adult Services

The Castle

Winchester

SO23 8UQ

Fax: (01962) 834500

Email: [email address]

Web: [1]www.hants.gov.uk

 

This email is confidential and privileged. If you are not the intended
recipient please accept our apologies; please do not disclose, copy or
distribute information in this email or take any action in reliance on its
contents: to do so is strictly prohibited and may be unlawful. Please
inform us that this message has gone astray before deleting it.  Thank you
for your co-operation

 

 

*** This email, and any attachments, is strictly confidential and may be
legally privileged. It is intended only for the addressee. If you are not
the intended recipient, any disclosure, copying, distribution or other use
of this communication is strictly prohibited. If you have received this
message in error, please contact the sender. Any request for disclosure of
this document under the Data Protection Act 1998 or Freedom of Information
Act 2000 should be referred to the sender. [disclaimer id:
HCCStdDisclaimerExt] ***

References

Visible links
1. http://www.hants.gov.uk/

Freedom of Information, Hampshire County Council

1 Attachment

 

Dear Mr Bhatia

 

Please find attached Hampshire County Council’s response to your
information request.

 

Yours sincerely

Amanda Godridge

 

 

 

Amanda Godridge
Senior Information Governance Officer
Corporate Services – Policy/Governance
Hampshire County Council The Castle
Winchester
SO23 8UJ
Telephone: 01962 847374
HPSN2: 847374
[1]www.hants.gov.uk

This email, and any attachments, is strictly confidential and may be
legally privileged. It is intended only for the addressee. If you are not
the intended recipient, any disclosure, copying, distribution or other use
of this communication is strictly prohibited. If you have received this
message in error, please contact the sender.

Any request for disclosure of this document under the Data Protection Act
1998 or Freedom of Information Act 2000 should be referred to the sender.

 

References

Visible links
1. http://www.hants.gov.uk/

Dear HCC,

Thank you for your response.

Unless the new "permission to share" form is clearly in the public domain (i.e. downloadable from your website), I will make another FOI request, nearer to 25th May, to obtain a copy of it.

Kind regards,

Dr Neil Bhatia