You have a right to privacy and to expect the NHS to keep your information confidential and secure.
Under the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulations The Trust must ensure that your data is processed on a fair and lawful basis and in a transparent manner.
Right to be informed
The information we supply about the processing of personal data must be:
Right of access
You can find out if we hold any personal information by making a ‘subject access request’ under the DPA 2018. If we do hold information about you, we will:
Right to rectification (correction)
You are entitled to have personal data rectified if it is inaccurate or incomplete. If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.
We have one month to respond to a request for rectification. This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.
Right to erasure (to be forgotten)
The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances.
This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
Please note that the right to be forgotten is not absolute and does not apply to special category data i.e. medical records.
Right to restrict processing
We will be required to restrict the processing of personal data in the following circumstances:
Please note that the right to restrict processing regarding direct healthcare purposes will be decided on a case by case basis and is not an absolute right.
Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
Right to object
You must have an objection on ‘grounds relating to your particular situation’ in order to exercise your right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There is no grounds to refuse.
You have the right to object to the following:
We will stop processing the personal data unless:
We do not carry out profiling and/or automated decision-making. This is documented in our data protection policy.
We will not charge a fee for providing your information. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with request for further copies of the same information. The fee will be based on the administrative cost of providing the information.
The Trust will endeavour to deal with your request within a 21 day time limit (NHS best practice). However, by law we have 30 days to response, if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.
For further information please contact the Information Governance T