You have a right to privacy and to expect the NHS to keep your information confidential and secure.
Under the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulations The Trust must ensure that your data is processed on a fair and lawful basis and in a transparent manner.
Right to be informed
The information we supply about the processing of personal data must be:
- intelligible and easily accessible
- written in clear and plain language if addressed to a child
- free of charge
Right of access
You can find out if we hold any personal information by making a ‘subject access request’ under the DPA 2018. If we do hold information about you, we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible format
Right to rectification (correction)
You are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.
We have one month to respond to a request for rectification. This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.
Right to erasure (to be forgotten)
The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances.
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- when you withdraw consent
- when you object to the processing and there is no overriding legitimate interest for continuing the processing.
- the personal data was unlawfully processed (i.e. otherwise in breach of the DPA 2018 and GDPR)
- the personal data has to be erased in order to comply with a legal obligation
- the personal data is processed in relation to the offer of information society services to a child
This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- for public health purposes in the public interest e.g. archiving purposes in the public interest, scientific research, historical research or statistical purposes or the exercise or defence of legal claims
Please note that the right to be forgotten is not absolute and does not apply to special category data i.e. medical records.
Right to restrict processing
We will be required to restrict the processing of personal data in the following circumstances:
- where you contest the accuracy of the personal data, we should restrict the processing until the accuracy of the personal data has been verified
- where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests) and we are considering whether we have legitimate grounds to override your rights
- when processing is unlawful and you oppose erasure and request restriction instead
- if we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
Please note that the right to restrict processing regarding direct healthcare purposes will be decided on a case by case basis and is not an absolute right.
Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data you have provided to the Trust
- where the processing is based on your consent or for the performance of a contract and when processing is carried out by automated means
Right to object
You must have an objection on ‘grounds relating to your particular situation’ in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There is no grounds to refuse.
You have the right to object to the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics
We will stop processing the personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
- the processing is for the establishment, exercise or defence of legal claims
We do not carry out profiling and/or automated decision-making. This is documented in our data protection policy.
We will not charge a fee for providing your information. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with request for further copies of the same information. The fee will be based on the administrative cost of providing the information.
The Trust will endeavour to deal with your request within a 21 day time limit (NHS best practice). However, by law we have 30 days to response, if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.
For further information please contact the Information Governance T