UK GDPR Individual Rights
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification of your personal data. If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.
Personal information held for patients consists of your name, date of birth, marital status, National Health Service number, address, contact telephone numbers, medical condition, your next of kin and a contact number for them.
For more information on GDPR, check the ICO's guidance and resources.
Your Individual Rights
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR/DPA18.
- Individuals must be provided with information including: our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
- Individuals must be provided with privacy information at the time their personal data is collected from them.
- If personal data is obtained from other sources, individuals must be provided with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when people do not need to be provided with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- Information provided to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
For more information, visit our privacy notices page.
- Individuals have the right to access their personal data and supplementary information.
- The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- Under the UK GDPR/DPA18, individuals have the right to obtain:
- confirmation that your data is being processed;
- access to your personal data and other supplementary information – this should correspond to the information that should be provided in a privacy notice.
- A copy of the information must be provided free of charge. However, a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- Information must be provided without delay and at the latest within one month of receipt.
- The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case, we must inform you within one month of the receipt of the request and explain why the extension is necessary.
- Where requests are manifestly unfounded or excessive, in particular because they are repetitive:
- a reasonable fee can be charged considering the administrative costs of providing the information, or
- we can refuse to respond.
- The identity of the person making the request must be verified, using ‘reasonable means’. If there are any doubts about the identity of the person making the request, more information will be requested to confirm their identity by the submission of proof of identification and/or signatures.
- If the request is made electronically, the information should be provided in a commonly used electronic format.
- The UK GDPR/DPA18 permits us to ask you to specify the information the request relates to, where a large quantity of information is processed about you.
- The UK GDPR/DPA18 does not include an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive.
If you wish to make a request for a copy of the personal data held about you, learn more about accessing healthcare records.
- The UK GDPR/DPA18 includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. This may involve providing a supplementary statement to the incomplete data known as an annotation.
- You can make a request for rectification verbally or in writing.
- We have one calendar month to respond to a request; in certain circumstances a request for rectification can be refused.
- This right is closely linked to the controller’s obligations under the accuracy principle of the UK GDPR/DPA18. Although there will be steps in the data processing to ensure that the personal data was accurate when it was obtained, this right imposes a specific obligation to reconsider the accuracy upon request.
- If a request is received for rectification, we will take reasonable steps to satisfy ourselves that the data is accurate and to rectify the data if necessary. What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The Trust will ensure that every effort is made to check its accuracy and, if necessary, to take steps to rectify it. Arguments and evidence provided by you, the data subject, will be considered.
- The UK GDPR/DPA18 does not give a definition of the term accuracy. However, the Data Protection Bill states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
- If there are any doubts about the identity of the person making the request, more information will be requested to confirm their identity by the submission of proof of identification and/or signatures.
- If we have disclosed the personal data to others, we will contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort.
- The UK GDPR/DPA18 defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
If you wish to make a request under your right to rectification or have further questions please contact the Information Access Team directly on 01795 514525 or via kmpt.infoaccess@nhs.net
- The UK GDPR/DPA18 introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- The Trust has one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
- The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
- The UK GDPR/DPA18 also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
- If there are any doubts about the identity of the person making the request, more information will be requested to confirm their identity by the submission of proof of identification and/or signatures.
- In certain circumstances we can refuse to comply with a request for erasure, but must inform the individual without undue delay and within one month of receipt of the request. You should inform the individual about:
- the reasons we are not taking action – justify the decision;
- their right to make a complaint to the ICO or another supervisory authority;
- and their ability to seek to enforce this right through a judicial remedy.
If you wish to make a request under your right to erasure or have further questions please contact the Information Access Team directly on 01795 514525 or via kmpt.infoaccess@nhs.net
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances. This means that you can limit the way that the Trust uses your data. This is an alternative to requesting the erasure of your data.
- When processing is restricted, we are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing. We have one calendar month to respond to a request.
- This right has close links to the right to rectification and the right to object.
- Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.
- Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
- Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
- if an individual has challenged the accuracy of their data and asked for you to rectify it, they also have a right to request you restrict processing while you consider their rectification request; or
- if an individual exercises their right to object, they also have a right to request you restrict processing while you consider their objection request.
- Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
- In certain circumstances we can refuse to comply with a request for erasure, and must inform the individual without undue delay and within one month of receipt of the request. We will inform you about:
- the reasons we are not taking action – justify the decision;
- your right to make a complaint to the ICO or another supervisory authority; and
- your ability to seek to enforce this right through a judicial remedy.
If you wish to make a request under your right to restrict processing or have further questions please contact the Information Access Team directly on 01795 514525 or via kmpt.infoaccess@nhs.net
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
- We must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
- The information must be provided free of charge.
- If you request it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.
- We must respond without undue delay, and within one month.
- This can be extended by two months where the request is complex or we receive a number of requests. We must inform you within one month of the receipt of the request and explain why the extension is necessary.
- Where we are not taking action in response to a request, we must explain why to you, informing you of your right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
If you wish to make a request under your right to data portability or have further questions please contact the Information Access Team directly on 01795 514525 or via kmpt.infoaccess@nhs.net
- Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
- We do not need to comply with the right to object if the processing of personal data is for the performance of a legal task or the organisation’s legitimate interests, provided we can:
- demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or
- the processing is for the establishment, exercise or defence of legal claims.
- You must have an objection on “grounds relating to your particular situation”.
- We must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
- This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
- If we are processing personal data for direct marketing purposes we must stop processing personal data as soon as we receive an objection. There are no exemptions or grounds to refuse.
- We must deal with an objection to processing for direct marketing at any time and free of charge.
- If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
- We must offer a way for individuals to object online, if any of your processing activities fall into any of the above categories and are carried out online.
If you wish to make a request under your right to object or have further questions please contact the Information Access Team directly on 01795 514525 or via kmpt.infoaccess@nhs.net