HHR/CHIE after 25th May

Solent NHS Trust did not have the information requested.

Dear Solent NHS Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 15th January 2018.

As far as I know, Solent NHS Trust continues to extract and upload personal and sensitive data from its patient/client records to the Hampshire Health Record (HHR) database, now known as the CHIE.

In previous FOI responses you have very kindly confirmed to me that:

a) Solent NHS Trust permits the HHR/CHIE to process uploaded data for both direct care and secondary (research/commissioning) purposes
b) Data from individuals is extracted on an "implied consent" basis, with patients having to "opt-out" of such data sharing should they object.

I am interested in how you intend to continue such processing after the introduction of the EU GDPR on 25th May. It is now less than 131 days before the EU GDPR comes into force.

Solent NHS Trust is, of course, the data controller for the records that it holds and so is responsible for lawful processing of that data - such as extracting it and uploading to a separate database. It is a data controller in common for the uploaded information, and so the HHR/CHIE is only acting as a data processor, leaving the data controller responsible (and liable) for any subsequent processing of uploaded data.

Please could you provide me with the following information:

DIRECT CARE

1) Any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to the HHR/CHIE database) after 25th May?

2) Any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to what legal basis from Article 9(2) of the GDPR are you planning to rely on to process sensitive data in this way (i.e. extract and upload it to the HHR/CHIE database) after 25th May?

3) If you are intending to change your process from 25th May to securing explicit consent (as defined by the GDPR) from patients/clients, in order to be able to rely on Article 6(1)(a) and Article 9(2)(a), then please provide me with any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to whether you will need to obtain fresh, explicit consent from all your existing clients/patients (who have, after all, never consented)

SECONDARY PURPOSES

4) Are you intending to continue to allow secondary processing (i.e. for research or commissioning) of the data that you extract and upload to CHIE/HHR beyond the 25th May?

5) If you are to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May

4) If you are to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to whether your planned mechanism to ensure that data subjects can withdraw consent from (if that is what you are intending to rely upon), or to object to, the secondary processing of their data in this way will be compliant with the EU GDPR after 25th May

If you have not begun to assess your forthcoming compliance with the GDPR, then please say so, and I will take it that you hold no information, and I will resubmit this entire request in April.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Kind regards,

Dr Neil Bhatia

Solent FOI, Solent NHS Trust

This is an automated response.

 

Thank you for submitting a request for information under the Freedom of
Information Act 2000.

 

Please note: The start date of your request will be the next working day.
A working day is considered Monday – Friday, 9am – 5pm.

 

You will receive a formal acknowledgement letter and reference number
within two working days.

 


Information Governance Team, Solent NHS Trust

2 Attachments

Dear Dr. Bhatia,

 

Our Ref: FOI 237 17/18_IGT

 

Thank you for your enquiry dated 14/01/2018 where you requested
information regarding the HHR/CHIE process of uploading data after GDPR.

 

Your request is being dealt with under the terms of the Freedom of
Information Act 2000 and will be answered within twenty working days.

 

If you have any queries about this request do not hesitate to contact me.
Please remember to quote the reference number above in any future
communications.

 

For frequently asked questions and previously released FOIs please see
our website:
http://www.solent.nhs.uk/page.asp?fldAre...

 

  Information Governance Team

   

Team: 0300 123 3919

Solent NHS Trust
Trust Headquarters
Highpoint Venue
Bursledon Rd
Southampton
Hampshire
SO19 8BR

Email: [email address]
Email: [email address]

Information Governance Team, Solent NHS Trust

4 Attachments

Dear Dr. Neil Bhatia,

 

Thank you for your enquiry requesting information under the Freedom of
Information Act 2000.

 

Please find our response to your request attached.

 

If you have a few moments to spare, please complete and return the
attached questionnaire as your feedback will ensure the Trust continues to
provide a good service or make improvements where necessary. Thank you in
advance for your assistance.

 

The information supplied to you continues to be protected by copyright.
You are free to use it for your own purposes, including for private study
and non-commercial research, and for any other purpose authorised by an
exception in current copyright law. Documents (except photographs) can be
also used in the UK without requiring permission for the purposes of news
reporting. Any other reuse, for example commercial publication, would
require the permission of the copyright holder.

 

If you are dissatisfied with the handling of your request, you have the
right to ask for an internal review. Internal review requests should be
submitted within two months of the date of receipt of the response to your
original letter and should be addressed to: Sadie Bell, Head of
Information Governance, Solent NHS Trust Headquarters, Highpoint Venue,
Bursledon Road, Southampton, SO19 8BR, or
[email address]

 

Please remember to quote the reference number above in any future
communications.

 

  Information Governance Team

   


Dear Information Governance Team,

Thank you very much for your response.

I will send another FOI request to you in April/May, requesting your DPIA and the subsequent answers to my questions.

Kind regards,

Dr Neil Bhatia

Dr Neil Bhatia left an annotation

More information about NHS data sharing, including:

• The Summary Care Record,
• The Hampshire Health Record (CHIE)
• The Berkshire Health Record (Share Your Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Sutton Integrated Digital Care Record
• The Wirral Care Record
• The Dorset Care Record

• Secondary uses of your information
• Local data streaming initiatives
• Remote consultations
• Secure online access to your GP record

can be found at:

www.nhsdatasharing.info