GDPR & the Hampshire Health Record/CHIE

The request was successful.

Dear The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Tuesday 24th April 2018.

I remain interested in how The Royal Bournemouth Hospital is planning to comply with the EU GDPR requirements for the data that it processes (extracts & uploads) to the Hampshire Health Record (HHR/CHIE).

My understanding remains that you extract and upload data to the HHR purely for direct care purposes (i.e. you do not permit secondary uses).

You have previously responded to a FOI request of mine:

https://www.whatdotheyknow.com/request/c...

"....does not handle opt-outs from patients in relation to the CHIE, which are
manged primarily by the patient’s GP"

That of course must now change from 25th May.

I am requesting the following information:

1) Please could you tell me which lawful basis, as set out in Article 6 of the GDPR, will you be relying upon to enable processing of personal data in this way?

2) Please could you provide me with the procedure that patients must follow in order to express their right to object to such processing (as is their right under Article 21).
Please could you provide me with:

a) the form that they must fill in, or a description of the information that you require from them in order to process their objection

b) to whom they must send their objection (e.g. department, address or email address)

c) confirmation that patients will not simply be told to "go and see your GP" when expressing their right to object (i.e. that *you*, as the data controller, will deal with their objection as per Article 21 and Recital 69)

d) confirmation that any upheld objection will ensure that no data about the patient will be extracted and uploaded to the HHR by your organisation, yet still allowing the patient to have a HHR consisting of records derived from the other contributing organisations (including their GP practice)

e) any such policy that you have that, in part or whole, details how HHR "right to object" expressions will be managed by *your* organisation

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Yours faithfully,

Dr Neil Bhatia

Freedom of Information, The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Ref No: FOI 18190043

Dear Neil

Thank you for your email of 24 April 2018 where you requested information about the EU GDPR requirements for the data that it processes (extracts & uploads) to the Hampshire Health Record (HHR/CHIE) from The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust (RBCH).

Your request is being dealt with under the terms of the Freedom of Information Act 2000 and will be answered within twenty working days. Please note that the FOI Act covers all recorded information held by a public authority, and does not require that authority to create new information for the purposes of responding to your request.

Please note that the processing of requests under the FOI Act carries a financial cost for the organisations dealing with them. Therefore, if you no longer require the information that you have requested please notify us as soon as possible so that we can stop processing your request.

If you have any queries about this request do not hesitate to contact us. Please remember to quote the reference number above in any future communications.

Yours sincerely,

Freedom of Information Team
The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust
[The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust request email]

Freedom of Information, The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Ref No: FOI 18190043

 

Dear Neil

 

Thank you for your email of 24 April 2018 where you requested information
about the EU GDPR requirements for the data that it processes (extracts &
uploads) to the Hampshire Health Record (HHR/CHIE) from The Royal
Bournemouth and Christchurch Hospitals NHS Foundation Trust (RBCH).

 

The information you requested is below with answers provided in bold, blue
text:

 

I would like to make a request under the FOI Act.

 

For the purposes of the Act, please take the date of your receipt of this
request as Tuesday 24th April 2018.

 

I remain interested in how The Royal Bournemouth Hospital is planning to
comply with the EU GDPR requirements for the data that it processes
(extracts & uploads) to the Hampshire Health Record (HHR/CHIE).

 

My understanding remains that you extract and upload data to the HHR
purely for direct care purposes (i.e. you do not permit secondary uses).

 

You have previously responded to a FOI request of mine:

 

[1]https://www.whatdotheyknow.com/request/c...

 

"....does not handle opt-outs from patients in relation to the CHIE, which
are manged primarily by the patient’s GP"

 

That of course must now change from 25th May.

 

I am requesting the following information:

 

Please note that the law does not change until 25 May and as such the
Trust has yet to publish all new policies/procedures associated with this.

 

1) Please could you tell me which lawful basis, as set out in Article 6 of
the GDPR, will you be relying upon to enable processing of personal data
in this way?

6(e) Public task: “the processing is necessary for you to perform a task
in the public interest or for your official functions, and the task or
function has a clear basis in law”.

 

2) Please could you provide me with the procedure that patients must
follow in order to express their right to object to such processing (as is
their right under Article 21).

   Please could you provide me with:

 

a) the form that they must fill in, or a description of the information
that you require from them in order to process their objection

No such form exists.

 

b) to whom they must send their objection (e.g. department, address or
email address)

The Data Protection Officer at RBCH.

 

c) confirmation that patients will not simply be told to "go and see your
GP" when expressing their right to object (i.e. that *you*, as the data
controller, will deal with their objection as per Article 21 and Recital
69)

This information is not held in recorded format.

 

d) confirmation that any upheld objection will ensure that no data about
the patient will be extracted and uploaded to the HHR by your
organisation, yet still allowing the patient to have a HHR consisting of
records derived from the other contributing organisations (including their
GP practice)

This information is not held in recorded format. As per previous
responses, RBCH does not have any influence over whether a patient has a
CHIE record and its only input is a single flow of data of GP discharge
letters. If these letters were not added to the CHIE, they would be sent
to the GP via an alternate route as part of the conclusion of the direct
care of the patient.

 

e) any such policy that you have that, in part or whole, details how HHR
"right to object" expressions will be managed by *your* organisation

No specific policy exists. The Trust is in the process of updating its
Privacy Notice and policies in readiness for the forthcoming changes in
the law.

 

Please help us to improve our FOI service by completing a short
[2]questionnaire.

 

The information supplied to you continues to be protected by copyright.
You are free to use it for your own purposes, including for private study
and non-commercial research, and for any other purpose authorised by an
exception in current copyright law. Documents (except photographs) can be
also used in the UK without requiring permission for the purposes of news
reporting. Any other reuse, for example commercial publication, would
require the permission of the copyright holder.

 

If you are dissatisfied with the handling of your request, you have the
right to ask for an internal review. Internal review requests should be
submitted within two months of the date of receipt of the response to your
original letter and should be addressed to:

 

[3][email address], or

 

Information Governance Manager

The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

Castle Lane East

Bournemouth

BH7 7DW

 

Please remember to quote the reference number above in any future
communications.

 

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision. The Information Commissioner can be contacted at:

 

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Yours sincerely,

 

Freedom of Information Team

The Royal Bournemouth and Christchurch Hospitals NHS Foundation Trust

[4][email address]

 

 

References

Visible links
1. https://www.whatdotheyknow.com/request/c...
2. http://www.surveymonkey.com/s/KBKTXN3
3. mailto:[email address]
4. mailto:[email address]

Dear Freedom of Information,

Thank you for your prompt response.

I note that you are in the process of updating your Privacy Notice and policies in readiness for the forthcoming changes in the law, and look forward to seeing that updated notice on your website on 25th May.

Kind regards

Dr Neil Bhatia

Dr Neil Bhatia left an annotation ()

More information about NHS data sharing, including:

• The Summary Care Record,
• The Hampshire Health Record (CHIE)
• The Berkshire Health Record (Share Your Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Sutton Integrated Digital Care Record
• The Wirral Care Record
• The Dorset Care Record
• The Bolton Care Record

• Secondary uses of your information
• Local data streaming initiatives
• Remote consultations
• Secure online access to your GP record

can be found at:

www.nhsdatasharing.info

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org