CHIE/HHR and the GDPR - secondary purposes after 25th May

The request was successful.

Dear The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I am interested in how your organisation is intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect to the processing function of extracting and uploading client records to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, and to which I shall refer to as CHIE/HHR in this request, for secondary purposes (research, commissioning).

Your organisation is, of course, the data controller of client records at the time of extraction and uploading (i.e. processing) to the CHIE/HHR database, and is a data controller in common for the uploaded data.

It is now less than 129 days before the EU GDPR comes into force.

You have previously confirmed to me (under FOI) that you permit the secondary processing of uploaded data by the CHIE/HHR for secondary purposes - your organisation has not opted out of this, though it could easily do so.

The CHIE/HHR is acting as a data processor, but you remain the data controller and thus responsible and liable for the lawfulness of such processing, both at the time of extraction and uploading, and subsequently once transferred to the CHIE/HHR database.

Please could you tell me:

Are you intending to continue to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR beyond the 25th May?

If you have decided to prohibit secondary processing of your uploaded data from 25th May, then please consider this request closed.

If you have not begun to assess your forthcoming compliance with the GDPR, and therefore have not even decided as to whether you are to permit secondary processing beyond the 25th May, then please say so, and I will take it that you hold no information at present, and I will resubmit this request in April.

Otherwise:

1) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May

2) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May

If you are not planning to rely on consent, Article 6(1)(a), then I will make further FOI requests in due course about the actual legal basis that you are to rely upon and the mechanism by which data subjects can object to their unconsented secondary processing.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

Freedom of Information, The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Ref No: FOI 170505

Dear Dr Bhatia

Thank you for your email of 15 January 2018 where you requested information about CHIE/HHR and the GDPR from The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust (RBCH).

Your request is being dealt with under the terms of the Freedom of Information Act 2000 and will be answered within twenty working days. Please note that the FOI Act covers all recorded information held by a public authority, and does not require that authority to create new information for the purposes of responding to your request.

Please note that the processing of requests under the FOI Act carries a financial cost for the organisations dealing with them. Therefore, if you no longer require the information that you have requested please notify us as soon as possible so that we can stop processing your request.

If you have any queries about this request do not hesitate to contact us. Please remember to quote the reference number above in any future communications.

Yours sincerely,

Freedom of Information Team
The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust
[The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust request email]

Dear Freedom of Information,

Just a polite reminder that your response to my FOI request is now due.

Yours sincerely,

Dr Neil Bhatia

Dear The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust,

Your response to my FOI request is overdue.

I do not have to tell you that you are in breach of s10(1) of the Act.

Yours faithfully,

Dr Neil Bhatia

Freedom of Information, The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Dear Dr Bhatia

Please accept my apologies for the delay in responding to your request - a final response will be provided to you later today

Yours sincerely,

Freedom of Information Team
The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust
[The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust request email]

show quoted sections

Freedom of Information, The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Ref No: FOI 170505

 

Dear Dr Bhatia,

 

Thank you for your email of 15 January 2018 where you requested
information about CHIE/HHR and the GDPR from The Royal Bournemouth and
Christchurch Hospitals NHS Foundation Trust (RBCH).

 

The information you requested is below with answers provided in bold, blue
text:

 

Please could you tell me:

 

Are you intending to continue to allow secondary processing (i.e. for
research or commissioning) of the data that you extract and upload to
CHIE/HHR beyond the 25th May?

 

If you have decided to prohibit secondary processing of your uploaded data
from 25th May, then please consider this request closed.

 

If you have not begun to assess your forthcoming compliance with the GDPR,
and therefore have not even decided as to whether you are to permit
secondary processing beyond the 25th May, then please say so, and I will
take it that you hold no information at present, and I will resubmit this
request in April.

 

Otherwise:

 

1) If you are determined to persist with secondary processing, please
provide me with any information/assessments (including privacy or data
protection impact)/position or discussion paper, or similar, that you hold
to date as to what legal bases from Article 6(1) and Article 9(2) of the
GDPR are you planning to rely on to process personal data, for secondary
purposes, in this way after 25th May

 

2) If you are determined to persist with secondary processing, please
provide me with any information/assessments (including privacy or data
protection impact)/position or discussion paper, or similar, that you hold
to date as to whether your planned mechanism to ensure that data subjects
can withdraw consent from (if that is what you are intending to rely
upon), or to object to, the secondary processing of their data in this way
will be compliant with the EU GDPR after 25th May

 

If you are not planning to rely on consent, Article 6(1)(a), then I will
make further FOI requests in due course about the actual legal basis that
you are to rely upon and the mechanism by which data subjects can object
to their unconsented secondary processing.

 

As advised previously, RBCH makes very limited use of the CHIE as a
Dorset-based hospital. RBCH’s only interaction with CHIE in terms of data
sharing is to upload pdf copies of clinic letters relating to
Hampshire-based patients where a record already exists for that patient
within the CHIE. RBCH does not create new records within the CHIE, and
does not handle opt-outs from patients in relation to the CHIE, which are
manged primarily by the patient’s GP.

 

The information that RBCH uploads to the CHIE is shared for exercise of
public function/public task (for personal data) and medical purposes (for
sensitive/special category data), i.e. for the direct provision of
healthcare. The legal bases for this is as defined within Schedules 2 and
3 of the DPA and Articles 6 and 9 of the GDPR, respectively.

 

The information that RBCH provides to the CHIE is not used for secondary
purposes; the data transferred from the CHIE to Care and Health
Information Analytics (CHIA) for secondary use is GP clinical codes and
diagnostic codes which form the results of investigations for pathology
and radiology from University Hospitals Southampton and Portsmouth
Hospitals. As such, this does not pertain to any data where RBCH is a data
controller, and your questions regarding secondary use are not relevant to
RBCH. Should this change, RBCH will review its position.

 

 

The information supplied to you continues to be protected by copyright.
You are free to use it for your own purposes, including for private study
and non-commercial research, and for any other purpose authorised by an
exception in current copyright law. Documents (except photographs) can be
also used in the UK without requiring permission for the purposes of news
reporting. Any other reuse, for example commercial publication, would
require the permission of the copyright holder.

 

If you are dissatisfied with the handling of your request, you have the
right to ask for an internal review. Internal review requests should be
submitted within two months of the date of receipt of the response to your
original letter and should be addressed to:

 

[1][email address], or

 

Information Governance Manager

The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Castle Lane East

Bournemouth

BH7 7DW

 

Please remember to quote the reference number above in any future
communications.

 

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision. The Information Commissioner can be contacted at:

 

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Yours sincerely,

 

Freedom of Information Team

The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

[2][email address]

 

References

Visible links
1. mailto:[email address]
2. mailto:[email address]

Dear Freedom of Information,

Thank you very much for your response.

Kind regards,

Dr Neil Bhatia

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org