Your information, your rights

When you receive care from the Trust, we may need to keep certain information about you. You have the right to know what we do with it, how we store it and how you can access it. This page explains what information we store and how it is handled.

You may be unable to consent to the care that you need. If this is the case, you may be detained under the Mental Health Act, which helps us to ensure that we can provide the right level of care at the right time.


Hampshire and Isle of Wight Healthcare NHS Foundation Trust takes confidentiality and privacy issues very seriously. The Trust has to ask for personal confidential information in order to provide quality care and treatment. 

If you wish to contact any of the people listed below, please email sadie.bell@solent.nhs.uk.

Paula Anderson
Chief Finance Officer and Deputy Chief Executive
Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner (SIRO) is an executive board member with allocated lead responsibility for the organisation's information risks. They provide the focus for the management of information risk at board level.

The SIRO must provide the chief executive with assurance that information risk is being managed appropriately and effectively across the organisation and any services contracted by the organisation.

Caldicott Team

The Trust has a team of Caldicott Guardians, who can be contacted via CaldicottGuardian@Solent.nhs.uk

The Caldicott Guardian has overall responsibility for protecting the confidentiality of personally identifiable data (PID). They play a key role in ensuring that the organisation, and partner organisations, abide by the highest standards of handling PID.

The Caldicott Guardians are responsible for ensuring their organisation adheres to the Caldicott Principles. It is the responsibility of the Caldicott Guardians to feed back any information governance issues to the appropriate senior management board.


Sadie Bell
Director of Information Governance & Cyber Security Assurance and Data Protection Officer

The Data Protection Officer (DPO) should have professional experience and knowledge of data protection law proportionate to the type of processing that the organisation carries out. The DPO’s minimum tasks are:

  • to inform and advise the organisation and its employees about their obligations to comply with the General Data Protection Regulation (GDPR) and other data protection laws
  • to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits
  • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, patients, service users etc).

Individuals should be informed of how their data will be used. This applies to both patient and staff data. For more information on how data is used, please refer to the Trust's privacy notices.

Individuals have the right to access their personal data, which is referred to as a Subject Access Request (SAR).

All requests of this nature should be submitted via accesstorecords@southernhealth.nhs.uk.

Find out how to request your information in the 'how to access your personal information' tab.

Personal data can be rectified if it is inaccurate or incomplete.

Find out more about your right to have data held about you rectified or erased.

The right to erasure is often referred to as the 'right to be forgotten'. It only applies in certain circumstances:

  • the basis for lawful processing is consent and this has been withdrawn, and there is no other legal ground for processing
  • the individuals whose data is being processed objects and there are no overriding legitimate grounds
  • the personal data has been collected in relation to information society services
  • the personal data is no longer necessary for the purposes for which it was collected.


Individuals have the right to require organisations to restrict processing where:

  • accuracy is contested by the individual
  • processing is unlawful and the subject opposes erasure
  • the organisation no longer needs the data, but the subject requires it to be kept for legal claims
  • the individual has objected, pending verification of legitimate grounds.

If you feel this is the case, please contact InformationGovernanceTeam@solent.nhs.uk.

Individuals have the right to receive personal data about them in a 'commonly used and machine-readable format'.

This right is only available where the processing is based on consent or on a contract with the individual, and is carried out by automated means.

Please note that these are not the legal bases for the majority of Hampshire and Isle of Wight Healthcare NHS Foundation Trust's data processing. Therefore, with regard to most of the data held by the Trust, this right does not apply.

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • direct marketing (including profiling)
  • processing for purposes of scientific/historical research and statistics.

Profiling analyses aspects of an individual’s personality, behaviour, interests and habits to make predictions or decisions about them.

Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.

Automated decision-making often involves profiling, but it does not have to.

Everyone has a right to access their health or personal data; this is known as a 'Subject Access Request'. Access requests are processed under the Data Protection Act 2018 or the Access to Health Records Act 1990.

Clinical records

Your clinical records are an important part of your care and treatment. In most cases, the Trust will store your medical records electronically.

Electronic records mean that information about your care can be stored safely in one place, with no need to move paper records between our sites and services.

Our staff may also access information that is included in the Care and Health Information Exchange (CHIE) and the NHS Summary Care Record.

Primary care services

Hampshire and Isle of Wight Healthcare NHS Foundation Trust runs four primary care services (GP practices): The Willow Group in Gosport, Shakespeare Road Medical Practice in Basingstoke, Solent GP Surgery in Southampton and Medina Healthcare on the Isle of Wight. If you are trying to access your records from one of these practices, please contact the practice directly.

What am I entitled to access?

Under data protection legislation, or the Access to Health Records Act 1990 (in respect of deceased persons), you are entitled to access your health records, your personnel records (staff only) and any other personal information held about you, either in electronic or paper form. You may also authorise other people to access that information by giving your written consent.

How to apply for a copy of your health and personal records?

All applications for access to health and personal records must be made in writing (which can be by letter or email), or you may wish to use the Trust’s Subject Access Request Form (which is linked below and also explains who to write to and what identification you will need to supply). If someone else is applying for a copy of your records (for example a solicitor), a request should be made in writing and MUST include a permission to share form from you.

You will need to provide two forms of identification, so that we can satisfy ourselves that you are the correct person to be making the request and do not release information to someone who is not authorised to access it. The identification required is:

  • Proof of address e.g. utility bill, bank statement, etc.
  • Proof of identity e.g. birth certificate, passport, driving licence, etc.
  • If you are making a request on behalf of someone else, you will also need to provide proof of entitlement e.g. parental responsibility, lasting power of attorney for health and welfare, etc.

If I give my written permission, what information does that entitle someone to access?

You can be as specific or general as you wish. For example, you may wish to allow a solicitor to access only one particular period or illness in your health and personal records, or allow them to have a copy of all your records.

What happens after I have made a request or given my written permission?

After you, or the person you have nominated to have access to your health and personal records, have returned the correct identification and, where applicable, consent, the Trust completes a tracking log which will ensure that:

  • your request is actioned within one month – the Trust will contact you if your request may take longer to process
  • the appropriate steps are completed in accordance with the Trust’s Subject Access Requests and Disclosure of Personal Data Procedure
  • the correct identified information is copied and electronically held information printed
  • records will then be reviewed, as there are certain exemptions to the release of information, which would be redacted, such as:
    • information provided about you by someone else, if they haven’t given permission for you to see it
    • information that relates to criminal offences
    • information that is being used to detect or prevent crime
    • information that could cause physical or mental harm to you or someone else. Under data protection legislation, a relevant consultant or healthcare professional may decide to withhold information contained in your records if they feel it may be detrimental to your, or another person’s, physical or mental health. They may also invite you in to view your records

How does the Trust safeguard my health and personal records?

Hampshire and Isle of Wight Healthcare NHS Foundation Trust has a nominated Caldicott Guardian whose responsibility it is to ensure your confidentiality in accordance with your legal rights. In addition, the Trust’s Information Governance Team works within a framework of Trust policies to ensure that:

  • your records are safely held
  • access, other than by yourself, is strictly controlled
  • your privacy and confidentiality is always upheld

Where are my records kept?

  • All your records are held in Trust premises, as well as in the electronic patient record.
  • When your records are no longer required, for example, after you have been discharged, your records are kept securely at the last place you had contact with the service, or at a secure off-site storage facility.
  • After a specified period of years in storage, if your records have not been recalled to provide you with a service, they are securely destroyed.

Who can access my health and personal records?

Hampshire and Isle of Wight Healthcare NHS Foundation Trust has arrangements in place with local hospital trusts, local authorities and neighbouring Primary Care Trusts (e.g. commissioning bodies), to share information. This will ensure that you have continuity of care throughout the Hampshire and Isle of Wight areas. Only staff directly involved with your care will have access to your clinical information.

Further information

Our Access to Records team can provide further information and advice. Please contact them on 023 8087 4189 or via accesstorecords@southernhealth.nhs.uk.

You can also contact the Information Commissioner's Office (ICO).

Forms and policies 

Code of Confidentiality Consent and how this differs from Data Protection (GDPR) Consent

NHS organisations are obligated to follow the requirements of the NHS Code of Confidentiality; one aspect of this is consent.

Consent under this Code of Practice requires NHS providers to tell patients who their information is shared with and to seek confirmation that the patient is happy for it to be shared. This is often framed as a consent question, e.g. are you happy for us to share information with other healthcare providers, social care, safeguarding, education, etc.?

This can take the form of 'implied consent', where you have been informed of the sharing and have not objected, or 'explicit consent', where you are asked to give permission.

However, this consent can be overridden where there is a legitimate reason to do so. The legal basis for this is explained below.

Consent under the NHS Code of Confidentiality differs from consent under data protection legislation. Under the legislation, Hampshire and Isle of Wight Healthcare NHS Foundation Trust is not required to obtain consent to process your data for healthcare-related or employment purposes. The legal bases in these instances are:

Article 6 – Processing personal data

  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract: staff information
  • (e) processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller: provision of medical services

Article 9 – Processing special category data

  • (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject: staff information
  • (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent: medical emergencies

As a result of this, rights that are associated with consent under GDPR do not apply in these instances.

For more detailed information on how Hampshire and Isle of Wight Healthcare NHS Foundation Trust complies with data protection legislation, please see the Trust's data protection compliance document.


How is your data used?

*under construction

This section details a number of ways in which your data may be used.

Over recent years, there has been a growing perception that Information Governance is often cited as a reason not to share information, even when this is in the best interests of the patient or service user.

But as the nature of treatment and service delivery changes and there is an increasing emphasis on community care, health and social care organisations are becoming more inter-dependent and more reliant upon the sharing of information to provide services.

Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of patients. Without assurances of confidentiality, patients may be reluctant to provide the information needed for their treatment and care. Patients have a right to expect that information about them will be held in confidence and is always protected against improper use and disclosure.

Patients have the right to know with whom information is going to be shared, and why. They also have the right to request that information is not shared, and staff must record these decisions in the clinical record.

*This section of our website is currently under construction.

In order to comply with Article 30 of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the Trust is required to maintain a record of its processing activities, which is published below. Under Article 35 it must also complete Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals.

DPIA is a process which helps assess privacy risks to individuals and identifies the legal basis for the collection, use and disclosure of information, known as processing. 

All new projects, initiatives and processes that involve using or sharing personal information require a completed Data Protection Impact Assessment at the initial stages and prior to any procurement decision being made. All completed Data Protection Impact Assessments are submitted to the Data Protection Officer and/or the Information Governance Group for approval.

Name and contact details of the Controller: 

Hampshire and Isle of Wight Healthcare NHS Foundation Trust
Trust HQ, Sterne 7, Tatchbury Mount, Calmore, Southampton SO40 2RZ 

Name and contact details of the Data Protection Officer: 

Sadie Bell (Interim), Head of Information Governance and Cyber Security Assurance
Hampshire and Isle of Wight Healthcare NHS Foundation Trust, Highpoint Venue, Bursledon Road, Southampton SO19 8BR

Telephone: 0300 123 3919
Email: sadie.bell@solent.nhs.uk

Purposes of the Processing: 

We process personal information to enable us to provide a range of NHS health services to local people in the Hampshire area, which include: 

  • Maintaining clinical records for the patients we provide NHS services to
  • Maintaining our own accounts and records 
  • Supporting and managing our employees 
  • Promoting the services we provide 
  • Carrying out health and public awareness campaigns 
  • Managing our property 
  • Carrying out surveys 
  • Use of CCTV systems for public safety, protection of life and property management 
  • Corporate administration and all activities we are required to carry out as a data controller and public authority 
  • Undertaking health research 
  • Internal financial support and corporate functions 
  • Managing archived records for historical and research reasons 
  • Protection of life and property 
  • Management of information technology systems 
  • Prevention and control of disease within the community 
  • Management of public relations, journalism, advertising and media 
  • Any duty or responsibility of the Trust arising from common or statute law 

Description of the categories of data subjects: 

We process personal information about: 

  • Patients/service users/clients 
  • Staff, persons contracted to provide a service 
  • Suppliers 
  • Claimants 
  • Complainants, enquirers or their representatives 
  • Professional advisers and consultants 
  • Students 
  • Carers or representatives 
  • People captured by CCTV images 
  • Representatives of other organisations 

Categories of personal data:

We process information relevant to the above reasons/purposes which may include: 

  • Personal details 
  • Family details 
  • Clinical information relating to the delivery of patient care 
  • Goods and services 
  • Financial details 
  • Employment details 
  • Visual images, personal appearance and behaviour 
  • Licences or permits 
  • Business activities 

We also process sensitive classes of information that may include: 

  • Physical or mental health details 
  • Childrens’ clinical data 
  • Racial or ethnic origin 
  • Trade union membership 
  • Offences 
  • Religious or other beliefs of a similar nature 
  • Criminal proceedings, outcomes and sentences 

Categories of recipients to whom personal data have been or will be disclosed:

Where allowed or required by law, or where necessary, we may share information with:

  • Customers/patients/service users 
  • Family, associates or representatives of the person whose personal data we are processing 
  • Current, past and prospective employers 
  • Healthcare, social and welfare organisations 
  • Providers of goods and services 
  • Financial organisations 
  • Service providers 
  • Local and central government 
  • Ombudsman and regulatory authorities 
  • Press and the media 
  • Professional advisers and consultants 
  • Courts and tribunals 
  • Trade unions 
  • Professional bodies 
  • Survey and research organisations 
  • Police forces 
  • Housing associations and landlords 
  • Voluntary and charitable organisations 
  • Religious organisations 
  • Data processors 
  • Other police forces, non-home office police forces 
  • Courts, prisons 
  • Other healthcare providers – including private and commissioning bodies 
  • Legal representatives, defence solicitors 
  • Police complaints authority 
  • The disclosure and barring service 
  • Charities and not for profit partners 

Transfers of personal data to a third country and safeguards:

Transfers may take place when: 

  • Technical and organisational security measures have been put in place via contract, or 
  • With the consent of the data subject; or 
  • Where required by law 

Time limits for erasure:

The Trust works to the NHS Records Management Code of Practice.

Technical and organisational security measures: 

The Trust takes technical and organisational security measures such as, but not limited to:

  • Compliance with the NHS Digital Data Security and Protection Toolkit
  • Encryption
  • Pseudonymisation
  • Anonymisation 
  • Business Continuity Plans and resilience planning including backups 
  • Robust security updates including timely patching and anti-virus software 
  • User access controls 
  • Physical security e.g. security fobs; clear desk policy 
  • Penetration testing 
  • Data Protection Impact Assessments 
  • Staff training 
  • Contractual requirements 
  • Maintaining an Information Asset Management Framework – including data flow risk assessments 
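Pseudonymisation and anonymisation appear side by side in the list above but give very different guarantees: a pseudonymised record can still be linked back to the patient by whoever holds the key, so it remains personal data, while an anonymised record cannot. The following example is added here to illustrate that difference; it is not the Trust's own code, and the record layout, field names and key handling are assumptions made for the example. The sample records are constructed and do not refer to real people.

```python
"""Keyed pseudonymisation versus anonymisation of patient records.

Illustrative example, not the Trust's own code. The record layout, field
names and key handling are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: the NHS numbers, names, dates of birth and
# postcodes are made up and do not refer to real people.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"nhs_number": "943 476 5919", "name": "A. Example", "dob": "1984-03-09",
     "postcode": "SO40 2RZ", "diagnosis": "asthma"},
    {"nhs_number": "9434765919", "name": "A. Example", "dob": "1984-03-09",
     "postcode": "SO40 2RZ", "diagnosis": "hypertension"},
    {"nhs_number": "123 456 7881", "name": "B. Sample", "dob": "1990-11-21",
     "postcode": "SO19 8BR", "diagnosis": "asthma"},
]

# Fields that directly identify a person and must not appear in a
# pseudonymised or anonymised extract.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "dob", "postcode")


def normalise_nhs_number(nhs_number: str) -> str:
    """Strip spacing so '943 476 5919' and '9434765919' pseudonymise identically."""
    digits = "".join(ch for ch in nhs_number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("an NHS number has exactly 10 digits")
    return digits


def pseudonym_for(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    An unkeyed hash of an NHS number is reversible by brute force, because
    there are only about 10^9 possible inputs; keying the hash means only
    the key holder can recompute or link the token.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace the direct identifiers with one keyed pseudonym (reversible by the key holder)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_pseudonym"] = pseudonym_for(normalise_nhs_number(record["nhs_number"]), key)
    return out


def anonymise_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct identifiers and coarsen quasi-identifiers; nothing links back to the person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = record["dob"][:4]                  # full date of birth is a quasi-identifier
    out["postcode_area"] = record["postcode"].split()[0]   # outward code only, e.g. SO40
    return out


def reidentify(pseudonym: str, known_nhs_numbers: List[str], key: bytes) -> Optional[str]:
    """Re-identification needs both the key and the controller's own list of identifiers."""
    for nhs_number in known_nhs_numbers:
        candidate = pseudonym_for(normalise_nhs_number(nhs_number), key)
        if hmac.compare_digest(candidate, pseudonym):      # constant-time comparison
            return nhs_number
    return None


if __name__ == "__main__":
    # The key must be generated and stored separately from the pseudonymised
    # data (for example in a secrets store). Losing it makes re-identification
    # impossible; leaking it turns the extract back into identifiable data.
    key = secrets.token_bytes(32)
    for rec in SAMPLE_RECORDS:
        print("pseudonymised:", pseudonymise_record(rec, key))
        print("anonymised:   ", anonymise_record(rec))
```

The two records for the same patient receive the same pseudonym, so a research extract can still count episodes per patient, while a different key (or a recipient without the key) produces unlinkable tokens. The anonymised form keeps only birth year and outward postcode; whether that is sufficient in practice depends on how many people share those values in the extract, which is the kind of question a DPIA is meant to answer.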


All Hampshire and Isle of Wight Healthcare NHS Foundation Trust contracts will require any data processor to also keep a written record of the above when it is processing data on behalf of the Trust. The only exemption is for an enterprise or organisation that employs fewer than 250 staff AND whose processing:

  • is unlikely to result in a risk to the rights and freedoms of data subjects, and
  • is only occasional, and
  • does not include special categories of data or personal data relating to criminal convictions and offences.

This written Record of Processing Activities shall be made available to the relevant supervisory authority on request, and forms part of the Information Asset Management Framework. 

* This section of our website is currently under construction.


Trust privacy notices

A privacy notice is a statement made to an individual (data subject) that describes how the organisation collects, uses, retains, and discloses personal information. It is also sometimes referred to as a privacy statement, a fair processing statement, or a privacy policy.

The Trust's overarching Privacy Notice explains how information about you will be collected, processed, transferred and stored securely and legally. 

However, you can also find copies of our system and service specific privacy notices below, enabling you to have greater insight and knowledge into how Hampshire and Isle of Wight Healthcare NHS Foundation Trust maybe processing your data.

If you wish to obtain a verbal privacy notice, please contact the Information Governance team.

*under construction



Further information

Please see below for definitions of terminology used throughout this page:

What is Personally Identifiable Data (PID) or special category data?

PID stands for Personally Identifiable Data – anything that either on its own or with other information would enable a person’s identity to become known. Examples of PID include but are not limited to;

  • Name
  • Address
  • Postcode
  • NHS number
  • Email address
  • IP address
  • Date of birth
  • Driving licence

Special category data – previously known as sensitive data. This data is classified as data that an individual would only expect to be processed under certain circumstances and not as routine. Examples of special categories include but are not limited to;

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Sex life
  • Sexual orientation
  • Genetics
  • Health
  • Biometrics (where used for ID purposes)

Who is a data subject?

A 'data subject' is an individual who is the subject of personal data.

For example, Hampshire and Isle of Wight Healthcare NHS Foundation Trust holds personal data about patients, making each patient a data subject under the terms of the law.

Who is a data controller?

'Data controller' means a person who (either alone, or jointly, or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

In short, Hampshire and Isle of Wight Healthcare NHS Foundation Trust is a data controller as we identify the purpose of our data and control the manner in which it is used.

Who is a data processor?

A 'data processor', in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

This includes all sub-contractors of Hampshire and Isle of Wight Healthcare NHS Foundation Trust, who we share information with, for the sole purpose of data processing and providing a service to you as the 'data subject'.

Who is a third party?

Third party, in relation to personal data, means any person other than -
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for the data controller or processor.

For example, other organisations we work with, e.g. other health or social care providers, or others with whom we are legally required to share information, e.g. the Department for Work and Pensions, the police, etc.

Information Governance team 

Information Governance team
Highpoint Venue
Bursledon Road
Southampton
SO19 8BR

Telephone: 0300 123 3919
Email: informationgovernanceteam@solent.nhs.uk

Records team

Access to Records team
Sterne 4 - 6,
Tatchbury Mount 
Calmore
Southampton SO40 2RZ

Telephone: 023 8087 4189 
Email: accesstorecords@southernhealth.nhs.uk
