Your rights

You have a right to privacy and to expect the NHS to keep your information confidential and secure.

Under the Data Protection Act 2018 it becomes a legal right to ensure that your data is processed on a fair and lawful basis and in a transparent manner.

The right to be informed

You have the right to be informed about the collection and use of your personal information

We must provide you with information including: our purposes for processing your personal information, our retention periods for that personal information, and who it will be shared with. We call this ‘privacy information’.

Our privacy notices can be viewed here.

The right to request access

Subject access requests

You can find out if we hold any personal information by making a subject access request under the Data Protection Act 2018. If we do hold information about you we will:

give you a description of it
tell you why we are holding it
tell you who it could be disclosed to; and
let you have a copy of the information in an intelligible format.

Fees

We will not charge a fee for providing your information, however, we may charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

The trust will try to deal with your request within a 21 day time limit (NHS best practice). However, by law we have 30 days to respond If this is likely to take longer the applicant will be warned and an explanation of the delay provided.

You can request access to your information by following this link.

The right to request rectification

When should personal data be rectified?

You are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.

How long do we have to comply with a request for rectification?

We must respond within one month.

This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.

For further information please contact the Information Governance team.

Right to erasure (to be forgotten)

The right to erasure does not provide an absolute right to be forgotten. You have a right to have personal data erased and to prevent processing in specific circumstances:

where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
when you withdraws consent
when you object to the processing and there is no overriding legitimate interest for continuing the processing
the personal data was unlawfully processed (i.e. otherwise in breach of the DPA 2018 and GDPR)
the personal data has to be erased in order to comply with a legal obligation
the personal data is processed in relation to the offer of information society services to a child.

This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

to exercise the right of freedom of expression and information
to comply with a legal obligation for the performance of a public interest task or exercise of official authority or public health purposes in the public interest; archiving purposes in the public interest, scientific research historical research or statistical purposes; or the exercise or defence of legal claims.

Please note that the right to be forgotten does not apply to special category data. i.e. your medical record.

For further information please contact the Information Governance team.

The right to restrict processing

When does the right to restrict processing apply?

We will be required to restrict the processing of personal data in the following circumstances:

where you contest the accuracy of the personal data, we should restrict the processing until verifying the accuracy of the personal data
where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have legitimate grounds to override your rights
when processing is unlawful and you oppose erasure and request restriction instead
if we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.

For further information or to apply for a restriction please contact the Information Governance team.

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

When does the right to data portability apply?

The right to data portability only applies:

to personal data you have provided to the trust
where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means

For further information please contact the Information Governance team

The right to object

You have the right to object to the following:

processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and
processing for purposes of scientific/historical research and statistics.

You must have an objection on grounds relating to your particular situation.

We will stop processing the personal data unless:

We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims
Your right to object to the processing of personal data for direct marketing purposes.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
Your right to object to processing personal data for research purposes

You must have grounds relating to your particular situation in order to exercise your right to object to processing for research purposes.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

For further information please contact the Information Governance team

Right to know if we carry out automated decision making and profiling

We do not carry out profiling and/or automated decision-making and document this in our data protection policy.

For further information please contact the Information Governance team

Further information

About us

Access to healthcare records

Every living person or their authorised representative, has the right to apply for access to their healthcare record.

About us

Purposes for using your information

We want to be clear about the purpose or purposes for which we hold personal data.

About us

Privacy notices

Here you can read our privacy notices

About us

Personal data and what we hold about you

Personal data means, any information relating to an identified or identifiable natural person (a living individual).