Dear Southampton City Council,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I understand that your organisation is shortly due to extract and upload personal/sensitive data to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, and to which I shall refer to as CHIE/HHR in this request.

I am interested in how you are intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect to the processing function of extracting and uploading client records to the CHIE/HHR.

I am assuming that you would not be considering joining this project without having made an assessment of how your obligations as a data controller would subsequently be met in less than 131 days (when the EU GDPR comes into force).

Your organisation is of course the data controller for the records that you hold at the time of processing (extraction and uploading), and will be a data controller in common for the extracted and uploaded data held within the CHIE/HHR database.

Please could you provide me with the following information:

1) Will you obtain explicit consent from data subjects before extracting and uploading their data to the CHIE/HHR database? Or is such processing to take place on an "implied consent" and "opt-out" basis?

2) If you do plan to obtain explicit consent, will it be specific and granular consent (individual consent options for distinct processing operations), as opposed to a vague or "blanket" one? Please can you provide me with a sample consent form

3) How do clients who wish to object to, or withdraw consent from (if you seek explicit consent first), the extraction and uploading (i.e. processing) of their personal data express that to you, the data controller? Or do you have no mechanism in place to respect any such objection/withdrawl of consent made directly to you, and simply direct them to another data controller, such as their GP surgery?

4) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to the CHIE/HHR database) after 25th May

5) If you are planning to seek explicit consent - and rely on 6(1)(a) - then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism for "obtaining consent" will be compliant with the EU GDPR after 25th May

6) Please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the processing of their data in this way (i.e. extraction and uploading of their data to the CHIE/HHR database) will be compliant with the EU GDPR after 25th May

7) Are you intending to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR?

8) If you are to allow secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal & sensitive data, for secondary purposes, in this way after 25th May?

9) If you are to allow secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

Information, Southampton City Council

Thank you for contacting Southampton City Council.

Your enquiry will be passed to the relevant team/officer for action.

If you have made a request for information, you will receive a response
promptly, and within the statutory timeframe for compliance. Once your
request has been logged, you will receive further details of this, and you
may be contacted if we require further information from you.

If you have any queries, please contact the Council's Corporate Legal Team
on 023 8083 2129.

Information, Southampton City Council

Dear Neil Bhatia,

 

Thank you for your Freedom of Information request received on 15/01/2018.
It has been determined that you have requested the following information:

 

1) Will you obtain explicit consent from data subjects before extracting
and uploading their data to the CHIE/HHR database? Or is such processing
to take place on an "implied consent" and "opt-out" basis?

 

2) If you do plan to obtain explicit consent, will it be specific and
granular consent (individual consent options for distinct processing
operations), as opposed to a vague or "blanket" one? Please can you
provide me with a sample consent form

 

3) How do clients who wish to object to, or withdraw consent from (if you
seek explicit consent first), the extraction and uploading (i.e.
processing) of their personal data express that to you, the data
controller? Or do you have no mechanism in place to respect any such
objection/withdrawal of consent made directly to you, and simply direct
them to another data controller, such as their GP surgery?

 

4) Please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to what legal basis from Article 6(1) of the GDPR are
you planning to rely on to process personal data in this way (i.e. extract
and upload it to the CHIE/HHR database) after 25th May

 

5) If you are planning to seek explicit consent - and rely on 6(1)(a) -
then please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to whether your planned mechanism for "obtaining
consent" will be compliant with the EU GDPR after 25th May

 

6) Please provide me with any information/assessments (including privacy
or data protection impact)/position or discussion paper, or similar, that
you hold to date as to whether your planned mechanism to ensure that data
subjects can withdraw consent from (if that is what you are intending to
rely upon), or to object to, the processing of their data in this way
(i.e. extraction and uploading of their data to the CHIE/HHR database)
will be compliant with the EU GDPR after 25th May

 

7) Are you intending to allow secondary processing (i.e. for research or
commissioning) of the data that you extract and upload to CHIE/HHR?

 

8) If you are to allow secondary processing, please provide me with any
information/assessments (including privacy or data protection
impact)/position or discussion paper, or similar, that you hold to date as
to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you
planning to rely on to process personal & sensitive data, for secondary
purposes, in this way after 25th May?

 

9) If you are to allow secondary processing, please provide me with any
information/assessments (including privacy or data protection
impact)/position or discussion paper, or similar, that you hold to date as
to whether your planned mechanism to ensure that data subjects can
withdraw consent from (if that is what you are intending to rely upon), or
to object to, the secondary processing of their data in this way will be
compliant with the EU GDPR after 25th May

 

If this is not correct, please contact [1][email address]
to clarify your request as soon as possible.

 

Unless clarified otherwise, your request is being dealt with under the
terms of the Freedom of Information Act 2000, and will be forwarded to the
service area(s) holding the information. Your request will be answered
promptly, and within twenty working days of the date your request was
received.

 

Please note, the service area(s) holding the information may need further
information from you to locate the information sought once they have
received the request, and you will be contacted again should this be
necessary.

 

If you have any queries about this request do not hesitate to contact me.
Please remember to quote the reference number above in any future
communications.

 

The Council now publishes responses to requests made to it under the
Freedom of Information Act 2000 and the Environmental Information
Regulations 2004. These responses are available on the Council’s website
– 

 

[2]http://www.southampton.gov.uk/council-de...

 

The Council also routinely publishes information on its Publication
Scheme:

 

[3]http://www.southampton.gov.uk/council-de...

 

If the information you have requested in your current request has been
requested recently then it is likely that our response to that request is
already available to you via the disclosure log or via the Publication
Scheme. You may wish to view our disclosure log and Publication scheme to
ascertain whether the information you are seeking is already published. If
you find the information you are seeking, please let us know accordingly
and we will close your request. If we do not hear from you further we will
continue to process your request in accordance with the relevant
legislation.

Regards,

 

Rianna Farrow
Modern Apprentice (Legal Administration)

Legal & Governance

Southampton and Fareham Legal Services Partnership
Southampton City Council
Tel: 023 8083 3000 (switchboard)

[4]@SouthamptonCC    [5]facebook.com/SotonCC

 

This email is confidential but may have to be disclosed under the Freedom
of Information Act 2000, the Data Protection Act 1998, or the
Environmental Information Regulations 2004. If you are not the person or
organisation it was meant for, apologies, please ignore it, delete it, and
notify us. SCC does not make legally binding agreements or accept formal
notices/proceedings by email. E-mails may be monitored. This email (and
its attachments) is intended only for the use of the person(s) to whom it
is addressed, and may contain information that is privileged and/or
confidential. If it has come to you in error, you must take no action
based on it, nor must you copy or show it to anyone.

 

FOI-1718-1078-022378/00764393

References

Visible links
1. mailto:[email address]
2. http://www.southampton.gov.uk/council-de...
3. http://www.southampton.gov.uk/council-de...
4. http://www.twitter.com/SouthamptonCC
5. http://www.facebook.com/SotonCC

Dear Information,

Just a polite reminder that your response to my FOI request is now due.

Yours sincerely,

Dr Neil Bhatia

Information, Southampton City Council

Thank you for contacting Southampton City Council.

Your enquiry will be passed to the relevant team/officer for action.

If you have made a request for information, you will receive a response
promptly, and within the statutory timeframe for compliance. Once your
request has been logged, you will receive further details of this, and you
may be contacted if we require further information from you.

If you have any queries, please contact the Council's Corporate Legal Team
on 023 8083 2129.

Information, Southampton City Council

1 Attachment

Dear Dr Bhatia,

 

Thank you for your email below.

 

I can confirm that a response to your request is currently being drafted,
and I have requested that the response be sent out to you today.

 

My apologies for the delay in response to your request.

 

Regards,

 

Nathan Matterson

Junior Legal Assistant

Southampton & Fareham Legal Partnership

Southampton City Council

Tel: 023 8083 2129

Fax: 023 8083 2308

Email:  [1][email address]

GCSX: [2][email address]

 

This e-mail (and its attachments) is intended only for the use of the
person(s) to whom it is addressed and may contain information which is
privileged and/or confidential.  If it has come to you in error you must
take no action based on it, nor must you copy or show it to anyone.

 

This email is confidential but may have to be disclosed under the Freedom
of Information Act 2000, the Data Protection Act 1998 or the Environmental
Information Regulations 2004. If you are not the person or organisation it
was meant for, apologies, please ignore it, delete it and notify us.  SCC
does not make legally binding agreements or accept formal
notices/proceedings by email. E-mails may be monitored.

 

 

FOI-1718-1078-022378/00786362

 

show quoted sections

Giany, Gurpreet, Southampton City Council

3 Attachments

Dear Neil

 

Please find attached Southampton City Council’s response to your Freedom
of Information request.

 

Kind regards

 

 

Gurpreet Giany

Business Support Officer

Business Support Service

Southampton City Council

 

[1]welfarescc1200px2

 

[2]STAY CONNECTED LOGO - email size

Southampton City Council has an e-alerts system called ‘Stay Connected’.
It can keep you updated on a range of topics from major events to bin
collections. [3]Sign up here. Please share with others and [4]let us know
what you think.

 

This email is confidential but may have to be disclosed under the Freedom
of Information Act 2000, the Data Protection Act 1998 or the Environmental
Information Regulations 2004. If you are not the person or organisation it
was meant for, apologies, please ignore it, delete it and notify us. SCC
does not make legally binding agreements or accept formal
notices/proceedings by email. E-mails may be monitored. This email (and
its attachments) is intended only for the use of the person(s) to whom it
is addressed, and may contain information that is privileged and/or
confidential. If it has come to you in error, you must take no action
based on it, nor must you copy or show it to anyone.

------------------------------------------------------------------------------------
P Think of the environment...please don't print this e-mail unless you
really need to

 

References

Visible links
1. http://www.southampton.gov.uk/benefits-w...
2. https://public.govdelivery.com/accounts/...
3. https://public.govdelivery.com/accounts/...
4. mailto:[email address]

Dear Gurpreet,

Thank you for your response.

Since you seem unable to respond in any meaningful way, I will resubmit this request in April.

Yours sincerely,

Dr Neil Bhatia

Giany, Gurpreet, Southampton City Council

Hello

Please do so as we may be able to accommodate your request better than this time.

Kind regards

Gurpreet Giany
Business Support Officer
Business Support Service
Southampton City Council
Tel: 023 8083 4390
[email address]

Southampton City Council has an e-alerts system called ‘Stay Connected’. It can keep you updated on a range of topics from major events to bin collections. Sign up here. Please share with others and let us know what you think.

This email is confidential but may have to be disclosed under the Freedom of Information Act 2000, the Data Protection Act 1998 or the Environmental Information Regulations 2004. If you are not the person or organisation it was meant for, apologies, please ignore it, delete it and notify us. SCC does not make legally binding agreements or accept formal notices/proceedings by email. E-mails may be monitored. This email (and its attachments) is intended only for the use of the person(s) to whom it is addressed, and may contain information that is privileged and/or confidential. If it has come to you in error, you must take no action based on it, nor must you copy or show it to anyone.

show quoted sections

P Think of the environment...please don't print this e-mail unless you really need to

References

Visible links
1. http://www.southampton.gov.uk/benefits-w...
2. https://urldefense.proofpoint.com/v2/url...
3. https://urldefense.proofpoint.com/v2/url...
4. mailto:[email address]

-------------------------------------------------------------------
Please use this email address for all replies to this request:
[FOI #456898 email]

Disclaimer: This message and any reply that you make will be published on the internet. Our privacy and copyright policies:
https://urldefense.proofpoint.com/v2/url...

For more detailed guidance on safely disclosing information, read the latest advice from the ICO:
https://urldefense.proofpoint.com/v2/url...

Please note that in some cases publication of requests and responses will be delayed.

If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org