We need to  be able to provide you with healthcare services. In order to do this we need to be able to collect information about you. This is in accordance with the statutory obligations under the NHS Act 2006.Health and Social Care Act 2012 and Data Protection Act 2018.   

The information that we collect is used for medical purposes that include:

• preventative medicine
• medical diagnosis
• medical research
• provision of direct care and treatment 

We collect your personal and sensitive information so that your care team has access to accurate and up-to-date information to support you with your treatment.

Download privacy notice document for young people.

The General Data Protection Regulation (GDPR) is a relatively new law which allows and regulates the processing of personal data. This includes where health and social care data are processed by a public authority, such as Sussex Partnership NHS Foundation Trust.  

Mental health data is special category data, which requires special protection and is subject to additional controls. Public providers of health and care are expected to: 

1. demonstrate satisfaction of conditions set out in Article 6 of the GDPR
2. satisfy a condition under Article 9 of the GDPR when processing special categories of data, ie data concerning health 

Under Article 6, processing is permitted where it is:

Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) (e)). 

Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)). 

Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions: 

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional 

Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions: 

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional 

and 

9(2)(i) - Necessary for reasons of public interest in the area of public health, such as protecting against serious cross- border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices. 

Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j)) 

This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).

Most of the information we collect about you is from:

• your GP
• directly from you or a friend or relative
• other health and care organisations 

Information also comes from local authorities, schools and other government agencies.  

Typically, we can get information by referral. For example, if your GP decides you need an appointment with a mental health team or health and social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care. 

All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential. 

We will share your information with those health and care partners who are directly involved in your care. These may include: 

• local NHS hospitals
• your GP practice
• local voluntary and private care providers
• urgent and emergency care services, such as NHS 111 and the London Ambulance Service 

You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They should only share information with your permission. 

We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we may do so, such as if someone’s health and safety is at risk or if the law requires us to pass on information. 

This short animation explains how your personal data is used in health and care:

We have a list of organisations who we share information with in order to deliver certain services. These can be found on our Data Protection Page. 

People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.

If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.

You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.

Sharing information helps care professionals to work together across organisational boundaries. Up to date information about your health and care improves the quality of clinical decision making by care professionals. Health and care providers are increasingly using digital technology, subject to strict rules, to further improve your health. We will make every effort to inform you about new digital technology and point you to resources to help you access and use it securely. We will always respect your right to opt out if you do not wish to make use of it.

For a full list of information sharing agreements we hold with other organisations, please see our Data Protection Page.

• Commissioning. This is when organisations plan and pay for health care services. Healthcare commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care but they do not need to know who you are.
• NHS Digital, formally known as the Health and Social Care Information Centre (HSCIC), can provide coded data about your care securely to commissioners under the Health and Social Care Act (2012).
• Service evaluation. This contributes to the overall quality and effectiveness of clinical services to you and a group of people with a similar condition. This routine quality assessment of care services falls outside the scope of your direct care. It covers care services management, preventative care and medicine and health and social care research

Most of these uses of data are routinely undertaken using anonymised data unless stated otherwise by law. Where identifiable information is to be used, we will always do it lawfully and securely in a way that will always protect your privacy.   

Most care teams are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.

Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).

We work with healthcare partners, researchers and technical experts to develop computer systems, encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research. 

Research recruitment (consent for contact)

You can give your clinician an advance permission for researchers to contact you in the future if you match the criteria of a trial. Your advance permission, known as ‘consent for contact’ will be noted in your health records. You will only hear from a research nurse, who will explain what that study will entail in more detail. 

We are required by the Department of Health to keep your records for a certain amount of time after you have finished receiving care from us. This amount of time depends upon the type of care you have received from us and helps us continue your care if you need to use our services again in the future. The retention periods are set out here.

Any information that is shared should not be held for longer than necessary to fulfil the purpose for which it was collected. All organisations that Sussex Partnership NHS Foundation Trust work with have been assessed to ensure they have appropriate records management procedures in place and guidelines for records retention.

We may also use your personal data in the following areas: 

• any complaints you have made about services
• any incidents you may have been involved in while you were receiving treatment and care from us
• any paid, unpaid work with us, including your involvement in volunteering, public engagement or other projects (for example social, community, art, consultation) we run solely or with partners
• any training, education, supervision delivered to you by us
• CCTV (closed-circuit television) and use of multimedia device

As a mental health trust, we store and use large volumes of sensitive personal data every day, such as your health records. Your health records are stored electronically. 

Other personal data and computerised information are stored on various other systems across your health and care providers. These systems are managed by NHS IT departments or under contract with an approved public framework supplier.  

A list of our software can be found on our Data Protection Page. 

The information we collect is used by people in their work for the purposes stated in this notice. We take our duty to protect your personal information and confidentiality very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We:

• have a dedicated expert Information Governance and Security Team at the Trust
• encrypt all outgoing email containing personal data
• have an Information Asset Framework which reviews all our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
• provide training to all staff on how to handle all types of data
• have the Cyber Essentials Plus certificate
• have recently been audited by the ICO (Information Commissioner's Office) and were provided with a Reasonable Assurance Rating
• ensure all staff have read and understood policies and procedures relating to the management of personal information.

At the most senior level, we have a: 

• senior information risk owner who is accountable for the management of all information and any associated risks and incidents
• Caldicott guardian who is responsible for the management of patient information and patient confidentiality
• Data Protection Officer who is responsible for overseeing the information governance arrangements and framework across the Trust
• Head of Information Governance who manages and oversees all activities related to the use of data. They make sure data use is done within the law and best practice 

As an employer Sussex Partnership NHS Foundation Trust (SPFT) must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of our employees is handled in accordance with the priniciples set out in the Information Commissioner’s Guide to Data Protection.

This privacy notice tells you what to expect when SPFT collects personal information about you. It applies to all employees, ex-employees, bank staff, agency staff, contractors, secondees and non-executive directors. However, the information we will process about you will vary depending on your specific role and personal circumstances.

Staff Privacy Notice

You have several rights under the data protection law:

Right to be informed: you have a right to be informed about uses of your information, with an emphasis on transparency. This privacy notice, in support of other privacy notices makes sure that your right to be informed is upheld.

Right of access: you have a right to receive:

• confirmation of what information is recorded about you
• confirmation of how your information is used
• access to your personal health information and other information we hold

To exercise your right of access, you will be asked to complete a Subject Access Request application form, provide proof of identification and you may be asked to explain exactly what information you require.

Your request must be made to the Health Records Team on health.records@sussexpartnership.nhs.uk  

You will not be charged for this service. 

Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs if it decides you cannot manage them yourself. 

Please see the Subject Access Request section on this page for more information on how to apply. 

Right to rectification: rectification means correcting inaccuracies or incomplete data we hold about you. This often applies to factual information only such as identifiers and next of kin. We are unable to remove or alter professional opinions that you may disagree with. You do however have the right to include your personal statements alongside professional opinions. 

To rectify your information please contact your clinical team. 

Right to deletion: in some circumstances you can request that we delete the information we hold about you. This right will apply only if the processing has been based on consent which is withdrawn, the processing of data is found not to be lawful or the information is no longer required. We will tell you about activities to which this right applies .

There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention guide in the record management code of practice for health and social care 

Right to object: you do not have a general right to object to processing of your personal information for your individual care, however you can object if the information is used for a secondary purpose, such as:

• marketing
• scientific or historical research
• statistical purposes
• purposes in the public interest or under an official authority (eg NHS Act 2006)
• public patient involvement groups 

Right to restrict processing: the right to restrict processing means that, if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but not allow other uses until the dispute is settled. To request restriction to processing, please contact the data protection officer.

We will respect your rights under the data protection legislation whether you are an adult or a child. We will respect the wishes of parents’ (or legal guardians’) in respect of data rights of children who are younger than 14 years old.

You should also tell us how you would like us to contact you. Your preferences may include post, text messaging and phone. You should notify your care team about your preferences and ask it to be recorded in your health and care record. You can change your mind later as long as you give timely notifications to your care team about any changes to your preferences.

Everyone has the right to access their own information. This is called a 'Subject Access Request'.

If you require access to your records you will need to complete one of the below application forms and return to the Health Records Team with the relevant documents. Individuals are entitled to exercise their rights verbally as well as in writing but will need  to provide relevant documentation. 

Once the team have received your information they will process your request. This can take up to one month to complete.

In some circumstances we may request an extension if you have a large amount of information.

All our information is reviewed and redacted by our in house specialist Health Records Team and sent out either password protected in an email or sent recorded delivery in the post.

Form A - Service user aged 13+ and employees

Form B - Patient's representative

Form C - Young person's representative (age 0-12)

Form D - For a patient who lacks capacity (age 13+)

Form E - Request about a deceased patient

We collect information on all staff we employ, as well as volunteers, people with honorary contracts and agency staff for the purposes of running our services. We use the information for administrative, academic and statutory purposes and to support health and safety. 

The information we collect includes: 

What is Patient Knows Best? 

Each organisation (primary care, hospitals, mental health services, social care etc.) needs different IT systems to manage its patients and business. These systems don’t interconnect and, what’s more, they can’t. This is because:

(1) the many different IT vendors are competing against each other and
(2) connecting everyone to everyone else doesn’t work – there are far too many connections to make. 

Patients Know Best (PKB) was created to solve this problem and deliver unified data, stored in a single integrated digital patient record for each citizen that can be shared across the entire care system.

PKB works by receiving a copy of the health information held about an individual and creating one integrated patient-controlled record. The patient or a professional (with appropriate consent) can invite whomever they want to view the record, from clinicians to carers, as well as charities and support groups. 

Service users are in full control of who has access to their information. These can involve sharing with; other health, social care and community services. The individual can provide consent for organisations to review their record and can remove access rights at any time. When a new request for access is made all individuals involved are notified immediately and requested to review. 

This brings together all care providers from community care, to primary and acute care providers, as well as charities and local authorities. 

Legal basis for processing information 

The professionals who are working with you will if you are competent to understand your control over the record. You can make the decision over your interest in managing this control, i.e. you may decide to delegate this management to your carers, or back to the professional.

No new protocols are required for this informed consent, they are the same as those for when you consent as a patient for any other procedure, and have the same exclusions for patients who are children; who have temporary mental health problems; or who have dementia and thus with power of attorney to a delegate to a carer(s).

PKB forms part of the healthcare record. Our legal basis for processing information within PKB is under the following basis:

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Who else uses it?

• Western Sussex Hospitals NHS Trust
• Dartford and Gravesham NHS Trust
• Brighton and Sussex University Hospitals
• East London NHS Foundation Trust
• East Sussex Healthcare Trust
• Imperial College Healthcare Trust

Sharing information

Every authorised user is either a patient or a professional. A patient can add any information they want into their record but they are only authorised to access information from organisations after an identity verification process. 

The process is different for each organisation. A professional is a user whose employer (e.g. NHS hospital or county council social worker) has identified and authorised them to use the system. The patient may choose to invite a carer or professional who has not been formally identified, but these unverified accounts cannot be used with any other patients. There is a full audit trail of who gave who access to which accounts.

Individuals rights 

Each organisation follows its own processes around rights of individuals. Please contact the relevant organisation delivering your care to find out their internal processes and policies for rights around your personal information.  

How can you gain access?

Speak to your healthcare professional and ask them about our Patient Knows Best Patient Portal. 

The personal information provided by candidates and volunteers for their applications and registration is used for the purpose stated in each case. The Voluntary Services Department may analyse statistical trends based on the information given however, this analysis does not include identifiable personal information.

Volunteer records are stored in accordance with the Trust’s Information Governance Policy and will conform to the Data Protection Act 2018.

There are some exceptional circumstances where we must share information with official bodies or other organisation about employees without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include: 

• Disclosure and Barring Service
• Home Office
• Her Majesty’s Revenue and Customs (HMRC)
• financial institutes, for example banks and building societies for approved mortgage references
• educational, training and academic bodies
• Department for Work and Pensions (DWP)
• Care Quality Commission (CQC)

If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting the Information Governance team. You will find contact details in the 'Further information' section.

If your request to have your records amended is turned down because the information is not wrong, we will add a statement of your views to the record. 

If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. For details of how to do this: 

• visit the ICO website at www.ico.org.uk
• telephone 0303 123 1113

Information Governance Team
0300 304 2025
information.governance@sussexpartnership.nhs.uk 

Health Records Team
0300 304 2210
health.records@sussexpartnership.nhs.uk 

Information Commissioner's Office
0303 123 1114
ico.org.uk