When receiving care from the Trust we may have to keep certain information about you. It's your right to know what we do with it, how we store it and how you can access it. You can find out more about what information we store on this page.
You may be unable to consent to the care that you need. If this is the case, you will be detained under the Mental Health Act which will help us to ensure we can provide the right level of care that you need at the right time.
Hampshire and Isle of Wight Healthcare NHS Foundation Trust takes confidentiality and privacy issues very seriously. The Trust has to ask for personal confidential information in order to provide quality care and treatment.
If you wish to contact any of the below please email sadie.bell@solent.nhs.uk.
Paula Anderson
Chief Finance Officer and Deputy Chief Executive
Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) is an executive board member with allocated lead responsibility for the organisations information risks. They provide the focus for the management of information risk at board level.
The SIRO must provide the chief executive with assurance that information risk is being managed appropriately and effectively across the organisation and any services contracted by the organisation.
Caldicott Team
We have implemented a team of Caldicotts, which can be contacted via CaldicottGuardian@Solent.nhs.uk
The Caldicott Guardian has overall responsibility for protecting the confidentiality of personally identifiable data (PID). They play a key role in ensuring that the organisation, and partner organisations, abide by the highest level of standards of handling PID.
The Caldicott Guardians are responsible for ensuring their organisation adheres to the Caldicott Principles. It is the responsibility of the Caldicott Guardians to feedback any information governance issues to the appropriate senior management board.
Sadie Bell
Director of Information Governance & Cyber Security Assurance and Data Protection Officer
The Data Protection Officer (DPO) should have professional experience and knowledge of data protection law proportionate to the type of processing that the organisation carries out. The DPO’s minimum tasks are:
- to inform and advise the organisation and its employees about their obligations to comply with the General Data Protection Regulation (GDPR) and other data protection laws
- to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, patients, service users etc).
Individuals should be informed of how their data will be used. This applies to both patient and staff data. For more information on how data is used, please refer to the Trust's privacy notices.
Individuals have the right to access their personal data, which is referred to as a Subject Access Request (SAR).
All requests of this nature should be submited via accesstorecords@southernhealth.nhs.uk.
Find out how to request your information, within the 'how to access your personal information' tab.
Personal data can be rectified if it is inaccurate or incomplete.
Find out more about your right for data held about you to be rectified and destroyed.
This is often referred to as the 'right to be forgotten' and it only applies in certain circumstances:
- the basis for lawful processing is consent and this has been withdrawn, and there is no other legal ground for processing
- the individuals whose data is being processed objects and there are no overriding legitimate grounds
- the personal data has been collected in relation to information society services
- the personal data is no longer necessary for the purposes for which it was collected for.
Find out more about your right for data held about you to be rectified and destroyed.
Individuals have the right to require organisations to restrict processing where:
- accuracy is contested by the individual
- processing is unlawful and the subject opposes erasure
- the organisation no longer needs the data, but the subject requires it to be kept for legal claims
- the individual has objected, pending verification of legitimate grounds.
If you feel this is the case, please contact InformationGovernanceTeam@solent.nhs.uk.
Individuals have the right to receive personal data about them in a ‘commonly used and machine-readable format.’
This right is only available where the processing is based on consent and the processing is automated.
Please note, this is not the legal basis for the majority of Hampshire and Isle of Wight Healthcare NHS Foundation Trust's data processing. Therefore, with regards to most of the data held by Hampshire and Isle of Wight Healthcare NHS Foundation Trust, this right does not apply.
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics.
Profiling analysis aspects of an individual’s personality, behaviour, interests, and habits to make predictions or decisions about them.
Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.
Automated decision-making often involves profiling, but it does not have to.
Everyone has a right to access their health or personal data, this is known as a 'Subject Access Request.' Access requests are processed under the Data Protection Act 2018 or Access to the Health Records Act 1990.
Clinical records
Your clinical records are an important part of your care and treatment. In most cases, the Trust will store your medical records electronically.
Electronic records mean that information about your care can be stored safely in one place, with no need to move paper records between our sites and services.
Our staff may also access information that is included in the Care and Health Information Exchange (CHIE) and the NHS Summary Care Record.
Primary care services
Hampshire and Isle of Wight healthcare NHS Foundation Trust runs four Primary Care (GP practices) services; The Willow Group in Gosport, Shakespeare Road Medical Practice in Basingstoke, Solent GP Surgery in Southampton and Medina Healthcare on the Isle of Wight. If you are trying to access your records for these please contact the practice directly.
- The Willow Group: Online Access | The Willow Group
- Shakespeare Road Medical Practice: hiowicb-hsi.srmp@nhs.net
- Solent GP surgery: Contact us (solentgp.nhs.uk)
- Medina Healthcare: Medina Healthcare Surgery - Providing NHS Services
What am I entitled to access?
Under Data Protection Regulation, or Access to Health Records Act 1990 (in respect of deceased persons) you are entitled to access your health and personal records (staff only) and any other personal information held about you, either in electronic or paper form. You are also allowed to authorise other people to access that information with your written consent.
How to apply for a copy of your health and personal records?
All applications for access to health and personal records must be made in writing (which can be by letter or email), or you may wish to use the Trust’s Subject Access Request Form (which is linked below and also explains who to write to and what identification you will need to supply). If someone else is applying for a copy of your records (for example a solicitor), a request should be made in writing and MUST include a permission to share form from you.
You will need to provide two forms of identification, so that we can satisfy ourselves that you are the correct person to be making the request, as we need to ensure that we do not release information to someone unauthorised to access your information. Identification required is;
- Proof of address e.g. utility bill, bank statement, etc…
- Proof of identity e.g. birth certificate, passport, license, etc…
- If you are making a request on behalf of someone else you will also need to provide proof of entitlement e.g. parental responsibility, power of attorney over health, etc…
If I give my written permission, what information does that entitle someone to access?
You can be as specific or general as you wish. For example, you may wish to allow a Solicitor to either access only one particular period or illness in your health and personal records, or allow them to have a copy of all your records
What happens after I have made a request or given my written permission?
After you, or the person you have nominated to have access to your health and personal records, have returned the correct identification and where applicable consent, the Trust completes a tracking log which will ensure that:
- your request is actioned within a one month – the Trust will contact you in the event that your request may take longer to process
- the appropriate steps are completed in accordance with the Trust’s Subject Access Requests and Disclosure of Personal Data Procedure
- the correct identified information is copied and electronically held information printed
- records will then be reviewed, as there are certain exemptions to the release of information that would be redacted, such as;
- Information provided about you by someone else if they haven’t given permission for you to see it
- Information that relates to criminal offences
- Information that is being used to detect or prevent crime
- Information that could cause physical or mental harm to you or someone else. Under the Data Protection Legislation, a relevant Consultant or Healthcare Professional may make the decision to withhold information contained in your records if they feel it may be detrimental to your, or another person’s, physical or mental health. They may also invite you in to view your records
How does the Trust safeguard my health and personal records?
Hampshire and Isle of Wight Healthcare NHS Foundation Trust has a nominated Caldicott Guardian whose responsibility it is to ensure your confidentiality in accordance with your legal rights. In addition, the Trust’s Information Governance Team, work within a framework of a number of Trust policies to ensure that:
- your records are safely held
- access, other than by yourself, is strictly controlled
- your privacy and confidentiality is always upheld
Where are my records kept?
- All your records are held in Trust premises, as well as in the electronic patient record.
- When your records are no longer required, for example, after you have been discharged, your records are kept securely at the last place you had contact with the service, or at a secure off-site storage facility.
- After a specified period of years in storage, if your records have not been recalled to provide you with a service, they are securely destroyed
Who can access my health and personal records?
Hampshire and Isle of Wight Healthcare NHS Foundation Trust has arrangements in place with local hospital trusts, local authorities and neighbouring Primary Care Trusts (e.g. commissioning bodies), to share information. This will ensure that you have continuity of care throughout the Hampshire and Isle of Wight areas. Only staff directly involved with your care will have access to your clinical information.
Further information
Our Access to Records team can provide further information and advice. Please contact them on 023 8087 4189 or via accesstorecords@southernhealth.nhs.uk
You can also contact the Information Commissioner's Office (ICO).
Forms and policies
Code of Confidentiality Consent and how this differs from Data Protection (GDPR) Consent
NHS organisations are obligated to follow the requirements of the NHS Code of Confidentiality; one aspect of this is consent.
Consent under this Code of Practice refers to and requires NHS providers to inform patients who they share information with and seek confirmation that the patient is happy for this information to be shared. This is often done in the form of “consent” e.g. are you happy for us to share information with other health care providers, social care, safeguarding, education, etc?
This can be done in the form of “informed consent”, which refers to you being informed of the sharing and not objecting. Or in the form of “explicit consent” which refers to being asked to give permission.
However, this consent can be overridden if there is a legitimate reason to do so. Please see the next page for information on how this is legal.
Consent under the NHS Code of Confidentiality differs from the consent requirements of the Data Protection Regulations. Under the legislation Hampshire and Isle of Wight Foundation Healthcare NHS Trust is not required to obtain consent for the processing of your data for healthcare-related purposes or employment purposes. The legal basis in these instances are:
Article 6 – Processing Personal Data
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Staff Information
- (e) Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller: Provision of medical services
Article 9 – Process Special Category Data
- (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject: Staff Information
- (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent: Medical emergencies
As a result of this, rights that are associated with consent under GDPR do not apply in these instances.
For more detailed information on how Hampshire and IOW Healthcare NHS Foundation Trust are complying with Data Protection Legislation - please click on this document.
How is your data used?
*under construction
This section details a number of ways in which your data maybe used.
Over recent years, there has been a growing perception that Information Governance is often cited as a reason not to share information, even when this is in the best interests of the patient or service user.
But as the nature of treatment and service delivery changes and there is an increasing emphasis on community care, health and social care organisations are becoming more inter-dependent and more reliant upon the sharing of information to provide services.
Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of patients. Without assurances of confidentiality, patients may be reluctant to provide the information needed for their treatment and care. Patients have a right to expect that information about them will be held in confidence and is always protected against improper use and disclosure.
Patients have the right to know with whom information is going to be shared, and why. They also have the right to request that information is not shared – and staff must record these decisions in the clinical record.
*This section of our website is currently under construction.
Contact information
- Please telephone: 0300 123 3919
- Please email: InformationGovernanceTeam@solent.nhs.uk
Further information
In order to comply with article 30 of the UK General Data Protection Regulation (GDPR) and UK Data Protection Act 2018, the Trust is required to publish a record of its processing activities and to complete Data Protection Impact Assessments (DPIAs).
DPIA is a process which helps assess privacy risks to individuals and identifies the legal basis for the collection, use and disclosure of information, known as processing.
All new projects, initiatives and processes that involve using or sharing personal information will require a completed Data Protection Impact Assessment at the initial stages and prior to any procurement decision being made. All Data Protection Impact Assessments when completed will be submitted to the Data Protection Officer and/or the Information Governance Group for approval.
Name and contact details of the Controller: |
Hampshire and Isle of Wight NHS Foundation Trust |
Name and contact details of the Data Protection Officer: |
Sadie Bell (Interim), Head of Information Governance and Cyber Security Assurance Telephone: 0300 123 3919 |
Purposes of the Processing: |
We process personal information to enable us to provide a range of NHS health services to local people in the Hampshire area, which include:
|
Description of the categories of data subjects: |
We process personal information about:
|
Categories of personal data: |
We process information relevant to the above reasons/purposes which may include:
We also process sensitive classes of information that may include:
|
Categories of recipients to whom personal data have been or will be disclosed |
Where allowed by law, necessary or required by law we may share information with?
|
Transfers of personal data to a third country and safeguards: |
Transfers may take place when:
|
Time limits for erasure: |
The Trust works to the NHS Records Management Code of Practice. |
Technical and organisational security measures: |
The Trust takes organisational security measures such as, but not limited to:
|
All Hampshire and Isle of Wight Healthcare NHS Foundation Trust contracts will require any data processor to also keep a record, in writing, of the above when it is processing data on behalf of the Trust unless it is an enterprise or organisation that employs fewer than 250 staff; AND
- The processing it carries out is unlikely to result in a risk to the rights and freedoms of data subjects
- The processing is occasional, or
- The processing does not include special categories of data or personal data relating to criminal convictions and offences
This written Record of Processing Activities shall be made available to the relevant supervisory authority on request, and forms part of the Information Asset Management Framework.
* This section of our website is currently under construction.
Contact information
- Please telephone: 0300 123 3919
- Please email: InformationGovernanceTeam@solent.nhs.uk
Policies and procedures
Trust privacy notices
A privacy notice is a statement made to an individual (data subject) that describes how the organisation collects, uses, retains, and discloses personal information. It is also sometimes referred to as a privacy statement, a fair processing statement, or a privacy policy.
The Trust's overarching Privacy Notice explains how information about you will be collected, processed, transferred and stored securely and legally.
However, you can also find copies of our system and service specific privacy notices below, enabling you to have greater insight and knowledge into how Hampshire and Isle of Wight Healthcare NHS Foundation Trust maybe processing your data.
If you wish to obtain a verbal privacy notice, please contact the Information Governance team.
*under construction
Further information
Please see below for definitions of terminology used throughout this page:
What is Personally Identifiable Data (PID) or special category data?
PID stands for Personally Identifiable Data – anything that either on its own or with other information would enable a person’s identity to become known. Examples of PID include but are not limited to;
- Name
- Address
- Postcode
- NHS number
- Email address
- IP address
- Date of birth
- Driving license
Special category data – previously known as sensitive data. This data is classified as data that an individual would only expect to be processed under certain circumstances and not as routine. Examples of special categories include but are not limited to;
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Sex life
- Sexual orientation
- Genetics
- Health
- Biometrics (where used for ID purposes)
Who is a data subject?
A 'data subject' is an individual who is the subject of personal data.
For example, Hampshire and Isle of Wight Healthcare NHS Foundation Trust holds personal data about patients, making each patient a data subject under the terms of the law.
Who is a data controller?
'Data controller' means a person who (either alone, or jointly, or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In short, Hampshire and Isle of Wight Healthcare NHS Foundation Trust is a data controller as we identify the purpose of our data and control the manner in which it is used.
Who is a data processor?
A 'data processor.' in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
This includes all sub-contractors of Hampshire and Isle of Wight Healthcare NHS Foundation Trust, who we share information with, for the sole purpose of data processing and providing a service to you as the 'data subject'.
Who is a third party?
Third party, in relation to personal data, means any person other than -
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for the data controller or processor.
For example, other organisations we work with e.g. other health or social care providers, or others who we are legally required to share information with e.g. Department of Working Pensions, Police, etc.
Information Governance team
Information Governance team
Highpoint Venue
Bursledon Road
Southampton
SO19 8BR
Telephone: 0300 123 3919
Email: informationgovernanceteam@solent.nhs.uk
Records team
Access to Records team
Sterne 4 - 6,
Tatchbury Mount
Calmore
Southampton SO40 2RZ
Telephone: 023 8087 4189
Email: accesstorecords@southernhealth.nhs.uk