GDPR & the Hampshire Health Record/CHIE

Dr Neil Bhatia made this Freedom of Information request to University Hospital Southampton NHS Foundation Trust

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was partially successful.

Dear University Hospital Southampton NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Wednesday 25th April 2018.

I remain interested in how UHS NHS FT is planning to comply with the EU GDPR requirements for the data that it processes (extracts & uploads) to the Hampshire Health Record (HHR/CHIE).

My understanding remains that you extract and upload data to the HHR for both direct care and secondary uses purposes, and that this is intended to continue after 25th May.

You have previously responded to a FOI request of mine:

https://www.whatdotheyknow.com/request/c...

where you did not provide me (or were unable to provide me) with the lawful bases that I requested. I am sure that you are now in a position to do so, as well as the process for managing objections (which is what this request is mainly about).

I am requesting the following information:

DIRECT CARE:

1) Please could you tell me which lawful basis, as set out in Article 6 of the GDPR, will *your* organisation be relying upon to enable processing of personal data for direct care purposes?

2) Please could you provide me with the procedure that patients must follow in order to express their right to object to such processing (as is their right under Article 21).

Please could you provide me with:

a) the form that they must fill in, or a description of the information that you require from them in order to process their objection

b) to whom they must send their objection (e.g. department, address or email address)

c) confirmation that patients will not simply be told to "go and see your GP" when expressing their right to object (i.e. that *you*, as the data controller, will deal with their objection as per Article 21 and Recital 69)

d) confirmation that any upheld objection will ensure that no data about the patient will be extracted and uploaded to the HHR by your organisation, yet still allowing the patient to have a HHR consisting of records derived from the other contributing organisations (including their GP practice)

e) any such policy that you have that, in part or whole, details how HHR "right to object" expressions for direct care will be managed by *your* organisation

SECONDARY USES:

3) Please could you tell me which lawful basis, as set out in Article 6 of the GDPR, will *your* organisation be relying upon to enable processing (extraction and uploading) of personal data for secondary uses?

4) Please could you tell me which lawful basis, as set out in Article 9 of the GDPR, will *your* organisation be relying upon to enable processing (extraction and uploading) of special category data for secondary uses?

5) Please could you provide me with the procedure that patients must follow in order to express their right to object to such secondary uses processing (as is their right under Article 21).

Please could you provide me with:

a) the form that they must fill in, or a description of the information that you require from them in order to process their objection

b) to whom they must send their objection (e.g. department, address or email address)

c) confirmation that patients will not simply be told to "go and see your GP" when expressing their right to object (i.e. that *you*, as the data controller, will deal with their objection as per Article 21 and Recital 69)

d) any such policy that you have that, in part or whole, details how HHR "right to object" expressions for secondary uses will be managed by *your* organisation

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request - that is, by the end of May 24th.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Yours faithfully,

Dr Neil Bhatia

FreedomOfInformation,

Dear Neil,

I am writing to acknowledge receipt of your e-mail dated 25th April 2018, requesting information under the Freedom of Information Act 2000 regarding GDPR compliance.

We will endeavour to respond to your request within the twenty working day timescale requirement set by the FOI Act (by 24th May 2018). We will tell you whether the Trust holds the information you have requested, and we will contact you as soon as possible if for some reason we are delayed in our response or if we require further information from you in order to complete your request.

With regards,

Freedom of Information Officer

Informatics

University Hospital Southampton NHS Foundation Trust

FreedomOfInformation,

2 Attachments

Dear Neil,

Please find attached the Trust's response to your recent Freedom of Information request.

With regards,

Freedom of Information Officer

Informatics

University Hospital Southampton NHS Trust

Dr Neil Bhatia

Dear FreedomOfInformation,

Thank you for your response.

I note that patients cannot opt-out of just UHS uploading data to the CHIE with the form you link to.

It is "all or nothing" - opt out of the CHIE entirely (including GP data) or not at all.

Yours sincerely,

Dr Neil Bhatia

Dr Neil Bhatia left an annotation

More information about NHS data sharing, including:

• The Summary Care Record,
• The Hampshire Health Record (CHIE)
• The Berkshire Health Record (Share Your Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Sutton Integrated Digital Care Record
• The Wirral Care Record
• The Dorset Care Record
• The Bolton Care Record

• Secondary uses of your information
• Local data streaming initiatives
• Remote consultations
• Secure online access to your GP record

can be found at:

www.nhsdatasharing.info