Data protection – your rights
Find out more about your rights under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The data protection legislation provides 8 main rights for individuals and builds upon and strengthens those rights previously given under the Data Protection Act 1998, meaning the Trust must be transparent about how data is processed and make it easy to exercise the individual rights under the legislation.
Individuals are entitled to make requests based on their rights, verbally and in writing and these requests must be dealt with within one month and provided free of charge. However, under certain rights listed below a reasonable fee can be charged when a request is clearly unfounded or excessive or particularly repetitive.
What are the rights?
The Right to be Informed: It is about providing individuals with clear and concise information about what we do with their personal data. This is usually given by our Privacy Notice on our website (see overleaf).
The Right of Access: Gives the individual access to their personal data regardless of the format or location of the data in the Trust and the right to obtain a copy of their personal data as well as other supplementary information. This is usually known as making a Subject Access Request.
The Right to Rectification: Individuals are entitled to have their personal information corrected where it is inaccurate or incomplete and also imposes a specific obligation to reconsider the accuracy upon request. This right cannot be used for information that is not factual (e.g. opinions) and should be referred to a Clinician for changes to the content of health records.
The Right to Erasure: The broad principle underpinning this right is to enable an individual to request the deletion where there is no good reason to continue holding personal data. This right is not absolute and only applies in certain circumstances. If the trust still requires the data for a valid legal basis these requests can be rejected, e.g. to comply with a legal obligation for the performance of a public interest task or exercise of official authority, for public health purposes in the public interest.
The Right to Restrict Processing: Individuals have the right to request that the Trust restricts the processing of their personal data when they believe their data is not accurate or have issues on how we have processed their data. Processing can restart when the accuracy has been verified. This is not an absolute right and only applies in certain circumstances.
The Right to Data Portability: The right to Data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without making it harder to use. This does not apply to paper records or electronic data created by the Trust.
The Right to Object: Individuals have the right to object to the processing of their data, but this only applies in certain circumstances and depends on the purposes for processing. The individual does not have a right to object if the lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
The Right to object to automated decision making (including profiling): This right provides protection to individuals against the risk that a potentially damaging decision is taken by computers or by humans. This does not apply if the decision is necessary for entering or performing a contract between the Trust and the individual; or where the decision does not have a legal or significant effect on the individual
What is a Privacy Notice/ Fair Processing Notice?
The UK General Data Protection Regulation and the Data Protection Act 2018 require that data controllers provide certain information to people whose personal data they hold and use, as individuals have the right to be informed. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
The privacy notice explains the purposes for which personal data are collected and used, how long the data is kept and how and with whom it may be shared. Contact details for the Trust Data Protection Officer are also included.
View the Trust’s Privacy Notice/Fair Processing Notice
More details and guidance on Individuals’ Rights can be found in the Information Commissioners Office (ICO) guide to GDPR
Visit the national website: www.gov.uk-data-protection