CHIE/HHR and the GDPR - secondary purposes after 25th May

The request was partially successful.

Dear University Hospital Southampton NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

I am interested in how your organisation is intending to ensure compliance with the introduction of the EU GDPR on 25th May, in respect of the processing function of extracting and uploading client records to the Care & Health Information Exchange, formerly known as the Hampshire Health Record, to which I shall refer as CHIE/HHR in this request, for secondary purposes (research, commissioning).

Your organisation is, of course, the data controller of client records at the time of extraction and uploading (i.e. processing) to the CHIE/HHR database, and is a data controller in common for the uploaded data.

It is now less than 129 days before the EU GDPR comes into force.

You have previously confirmed to me (under FOI) that you permit the secondary processing of uploaded data by the CHIE/HHR for secondary purposes - your organisation has not opted out of this, though it could easily do so.

The CHIE/HHR is acting as a data processor, but you remain the data controller and thus responsible and liable for the lawfulness of such processing, both at the time of extraction and uploading, and subsequently once transferred to the CHIE/HHR database.

Please could you tell me:

Are you intending to continue to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR beyond the 25th May?

If you have decided to prohibit secondary processing of your uploaded data from 25th May, then please consider this request closed.

If you have not begun to assess your forthcoming compliance with the GDPR, and therefore have not even decided as to whether you are to permit secondary processing beyond the 25th May, then please say so, and I will take it that you hold no information at present, and I will resubmit this request in April.

Otherwise:

1) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR you are planning to rely on to process personal data, for secondary purposes, in this way after 25th May.

2) If you are determined to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May.

If you are not planning to rely on consent, Article 6(1)(a), then I will make further FOI requests in due course about the actual legal basis that you are to rely upon and the mechanism by which data subjects can object to their unconsented secondary processing.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

FreedomOfInformation,

Dear Dr Bhatia,

I am writing to acknowledge receipt of your e-mail dated 15th January 2018, sent by you at 7:17 pm, requesting information under the Freedom of Information Act 2000 regarding GDPR.

We will endeavour to respond to your request within the twenty working day timescale requirement set by the FOI Act (by 13th February 2018). We will tell you whether the Trust holds the information you have requested, and we will contact you as soon as possible if for some reason we are delayed in our response or if we require further information from you in order to complete your request.

With regards,

Freedom of Information Officer

Informatics

University Hospital Southampton NHS Foundation Trust

Dear FreedomOfInformation,

Just a polite reminder that your response to my FOI request is now due.

Yours sincerely,

Dr Neil Bhatia

FreedomOfInformation,

Dear Dr Bhatia,

Please find attached the Trust's response to your recent Freedom of Information request.

With regards,

Freedom of Information Officer

Informatics

University Hospital Southampton NHS Trust

Dear University Hospital Southampton NHS Foundation Trust,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of University Hospital Southampton NHS Foundation Trust's handling of my FOI request 'CHIE/HHR and the GDPR - secondary purposes after 25th May'.

You have not answered any of my questions, simply directing me to a general document produced by another organisation.

I asked questions about *your organisation*, not the questionable "opinion" of another organisation.

If you continue to refuse to respond to my questions then I will take this to the ICO.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/c...

Yours faithfully,

Dr Neil Bhatia

Dear FreedomOfInformation,

You are the data controller for the records that you hold. Accordingly, compliance with the Data Protection Act and the GDPR, and respect for the common law of confidentiality, is *your* responsibility.

The CSU is only acting as a data processor, and only upon your instruction.

Yours sincerely,

Dr Neil Bhatia

Dear FreedomOfInformation,

Just a reminder that I am still waiting for the outcome of your internal review.

Yours sincerely,

Dr Neil Bhatia

Pillinger-Cork, Jonathan,

Dear Dr Bhatia

Thank you for your request for an internal review of our handling of your Freedom of Information request concerning the new General Data Protection Regulation and the information processed for secondary purposes by the Care and Health Information Exchange (CHIE).

In response to your original request we provided the following document [1] which sets out how CHIE and CHIE analytics are compliant with the new GDPR regulations. It also sets out how patient identifiable information is only used 'to support direct care to patients' and that the information used for secondary purposes in CHIA is pseudonymised to ensure patient confidentiality. The document clearly sets out what the legal basis under GDPR will be for processing of both identifiable and pseudonymised information. The report highlights that “It is not possible to identify any patient by looking at the ‘pseudonymised’ data on the CHIA database. People who have access to CHIA do not have access to CHIE”.

You are correct in saying that the document provided was not authored by UHS, but it does, we feel, provide a high level of assurance that CHIE has been and continues to be compliant with data protection law and an important tool that aids treatment and research. It also sets out very clearly what the legal basis for sharing information with CHIE is under GDPR and that have been put in place to ensure that patient information is protected at all times. It also sets out the ability of participants to withdraw consent, something which I understand from your request was a concern for you.

As we held the document and it was publicly available we provided it to you.

We have not carried out any independent assessment of the processing carried out by and for CHIE; however, at this stage, given the commitments, processes and assurances set out in the provided document, we are confident that CHIE is and will remain in compliance with data protection regulations.

As part of our process of ensuring compliance with the GDPR, we will review all our processes that involve processing of personal information. Once this review has been completed I will of course share any available documents with you.

I hope you find this information useful; if you have any further questions please let me know.

Kind Regards

Jonathan Pillinger-Cork

Trust Information Governance Manager

