Due to the Covid-19 (coronavirus) pandemic we have created a supplementary privacy notice, which describes how we may use your information to protect you and others during the Covid-19 outbreak.
How we use your information
Why we need your personal information
We need to be able to provide you with healthcare services. In order to do this we need to be able to collect information about you. This is in accordance with the statutory obligations under the NHS Act 2006, Health and Social Care Act 2012 and Data Protection Act 2018.
The information that we collect is used for medical purposes that include:
- preventative medicine
- medical diagnosis
- medical research
- provision of direct care and treatment
We collect your personal and sensitive information so that your care team has access to accurate and up-to-date information to support you with your treatment.
The new data protection law
The General Data Protection Regulation (GDPR) is a relatively new law which allows and regulates the processing of personal data. This includes where health and social care data are processed by a public authority, such as Sussex Partnership NHS Foundation Trust.
Mental health data is special category data, which requires special protection and is subject to additional controls. Public providers of health and care are expected to:
- demonstrate satisfaction of conditions set out in Article 6 of the GDPR
- satisfy a condition under Article 9 of the GDPR when processing special categories of data, ie data concerning health
Under Article 6, processing is permitted where it is:
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).
Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)).
Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
and
9(2)(i) – Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j))
This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).
What information we collect about you
Category | Data type |
Identifiers | Your name, date of birth, NHS number |
Contact details | Your address, telephone number, email address (if provided) |
Support contact details | Names, contact details of carers, relevant close relatives, next of kin, representatives |
Physical, social or mental health situation or condition | Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving |
Protected characteristics | Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the |
Where we get your information from
Most of the information we collect about you is from:
- your GP
- directly from you or a friend or relative
- other health and care organisations
Information also comes from local authorities, schools and other government agencies.
Typically, we can get information by referral. For example, if your GP decides you need an appointment with a mental health team or health and social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care.
All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
Who we share your information with
We will share your information with those health and care partners who are directly involved in your care. These may include:
- local NHS hospitals
- your GP practice
- local voluntary and private care providers
- urgent and emergency care services, such as NHS 111, ambulance services and Police
You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They should only share information with your permission.
We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we may do so, such as if someone’s health and safety is at risk or if the law requires us to pass on information.
This short animation explains how your personal data is used in health and care:
We have a list of organisations who we share information with in order to deliver certain services. These can be found on our Data Protection Page.
Why we share your information
People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.
If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.
You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.
Sharing information helps care professionals to work together across organisational boundaries. Up to date information about your health and care improves the quality of clinical decision making by care professionals. Health and care providers are increasingly using digital technology, subject to strict rules, to further improve your health. We will make every effort to inform you about new digital technology and point you to resources to help you access and use it securely. We will always respect your right to opt out if you do not wish to make use of it.
Information may be shared with local authorities, regulatory bodies, urgent and emergency care services such as NHS 111, ambulance services and Police for the following purposes:
- the safeguarding, and management of risk to, potentially vulnerable adults or children who are/have very recently been detained in police custody
- the delivery of health and/or social care services
- the prevention of the commission of offences (crime reduction)
For a full list of information sharing agreements we hold with other organisations, please see our Data Protection Page.
Other uses of your personal information
- Commissioning. This is when organisations plan and pay for health care services. Healthcare commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care but they do not need to know who you are.
- NHS Digital, formerly known as the Health and Social Care Information Centre (HSCIC), can provide coded data about your care securely to commissioners under the Health and Social Care Act (2012).
- Service evaluation. This contributes to the overall quality and effectiveness of clinical services to you and a group of people with a similar condition. This routine quality assessment of care services falls outside the scope of your direct care. It covers care services management, preventative care and medicine and health and social care research.
Most of these uses of data are routinely undertaken using anonymised data unless stated otherwise by law. Where identifiable information is to be used, we will always do it lawfully and securely in a way that will always protect your privacy.
Text message reminders
As an NHS Trust it is important to keep updated with the latest developments in technology and communications. Our text reminder service allows service users to be informed of their next appointment, supporting them to attend and preventing wasted appointment slots. It was found in a recent study that the use of text message reminders can reduce the rates of wasted appointments by up to 25%, allowing these appointments to be offered to others in need.
When entering into our services, you provide contact information which allows you to be informed and updated on your care or treatment. We use this consent to provide you with up to date appointment reminders by text. We also understand that text isn’t always for everyone and if you do not wish to use our text reminder service, you can withdraw your consent by contacting your clinician or sending a request to information.governance@sussexpartnership.nhs.uk.
How we use your information for research
Most care teams are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.
Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).
We work with healthcare partners, researchers and technical experts to develop computer systems and encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research.
Research recruitment (consent for contact)
You can give your clinician an advance permission for researchers to contact you in the future if you match the criteria of a trial. Your advance permission, known as ‘consent for contact’ will be noted in your health records. You will only hear from a research nurse, who will explain what that study will entail in more detail.
Research recruitment (Everyone counts)
Sussex Partnership NHS Foundation Trust has the Everyone Counts scheme in place for contact about research opportunities. This is an 'opt out' scheme whereby if you match the criteria for a research study you may be contacted by the Sussex Partnership research team, with information about what that study will entail in more detail. The lawful basis for processing personal data in relation to the Everyone Counts scheme is ‘public task’. If you would not like to be contacted about research opportunities you can let us know:
- By email: research@sussexpartnership.nhs.uk
- By telephone: 0300 304 0088
For more information on Everyone Counts go to: www.sussexpartnership.nhs.uk/getting-involved-research-research
How long do we keep your data?
We are required by the Department of Health to keep your records for a certain amount of time after you have finished receiving care from us. This amount of time depends upon the type of care you have received from us and helps us continue your care if you need to use our services again in the future. The retention periods are set out here.
Any information that is shared should not be held for longer than necessary to fulfil the purpose for which it was collected. All organisations that Sussex Partnership NHS Foundation Trust work with have been assessed to ensure they have appropriate records management procedures in place and guidelines for records retention.
Other ways your information is used
We may also use your personal data in the following areas:
- any complaints you have made about services
- any incidents you may have been involved in while you were receiving treatment and care from us
- any paid, unpaid work with us, including your involvement in volunteering, public engagement or other projects (for example social, community, art, consultation) we run solely or with partners
- any training, education, supervision delivered to you by us
- CCTV (closed-circuit television) and use of multimedia device
How we keep your information secure
As a mental health trust, we store and use large volumes of sensitive personal data every day, such as your health records. Your health records are stored electronically.
Other personal data and computerised information are stored on various other systems across your health and care providers. These systems are managed by NHS IT departments or under contract with an approved public framework supplier.
A list of our software can be found on our Data Protection Page.
The information we collect is used by people in their work for the purposes stated in this notice. We take our duty to protect your personal information and confidentiality very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We:
- have a dedicated expert Information Governance and Security Team at the Trust
- encrypt all outgoing email containing personal data
- have an Information Asset Framework which reviews all our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
- provide training to all staff on how to handle all types of data
- have the Cyber Essentials Plus certificate
- have recently been audited by the ICO (Information Commissioner's Office) and were provided with a Reasonable Assurance Rating
- ensure all staff have read and understood policies and procedures relating to the management of personal information.
At the most senior level, we have a:
- senior information risk owner who is accountable for the management of all information and any associated risks and incidents
- Caldicott guardian who is responsible for the management of patient information and patient confidentiality
- Data Protection Officer who is responsible for overseeing the information governance arrangements and framework across the Trust
- Head of Information Governance who manages and oversees all activities related to the use of data. They make sure data use is done within the law and best practice
Employment and recruitment
As an employer, Sussex Partnership NHS Foundation Trust (SPFT) must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in the Information Commissioner’s Guide to Data Protection.
This privacy notice tells you what to expect when SPFT collects personal information about you. It applies to all employees, ex-employees, bank staff, agency staff, contractors, secondees and non-executive directors. However, the information we will process about you will vary depending on your specific role and personal circumstances.
Your legal rights
You have several rights under the data protection law:
Right to be informed: you have a right to be informed about uses of your information, with an emphasis on transparency. This privacy notice, in support of other privacy notices, makes sure that your right to be informed is upheld.
Right of access: you have a right to receive:
- confirmation of what information is recorded about you
- confirmation of how your information is used
- access to your personal health information and other information we hold
To exercise your right of access, you will be asked to complete a Subject Access Request application form, provide proof of identification and you may be asked to explain exactly what information you require.
Your request must be made to the Health Records Team on health.records@sussexpartnership.nhs.uk
You will not be charged for this service.
Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs if it decides you cannot manage them yourself.
Please see the Subject Access Request section on this page for more information on how to apply.
Right to rectification: rectification means correcting inaccuracies or incomplete data we hold about you. This often applies to factual information only such as identifiers and next of kin. We are unable to remove or alter professional opinions that you may disagree with. You do however have the right to include your personal statements alongside professional opinions.
To rectify your information please contact your clinical team.
Right to deletion: in some circumstances you can request that we delete the information we hold about you. This right will apply only if the processing has been based on consent which is withdrawn, the processing of data is found not to be lawful or the information is no longer required. We will tell you about activities to which this right applies.
There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention guide in the record management code of practice for health and social care.
Right to object: you do not have a general right to object to processing of your personal information for your individual care, however you can object if the information is used for a secondary purpose, such as:
- marketing
- scientific or historical research
- statistical purposes
- purposes in the public interest or under an official authority (eg NHS Act 2006)
- public patient involvement groups
Right to restrict processing: the right to restrict processing means that, if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but not allow other uses until the dispute is settled. To request restriction to processing, please contact the data protection officer.
We will respect your rights under the data protection legislation whether you are an adult or a child. We will respect the wishes of parents (or legal guardians) in respect of data rights of children who are younger than 14 years old.
You should also tell us how you would like us to contact you. Your preferences may include post, text messaging and phone. You should notify your care team about your preferences and ask it to be recorded in your health and care record. You can change your mind later as long as you give timely notifications to your care team about any changes to your preferences.
Subject access request / access to records request
IMPORTANT: PLEASE READ
Please note, we are currently experiencing significant IT issues due to a recent clinical system update. We are working very hard to resolve this; however, this is creating a delay in responses to emails and disclosure of records, as well as a backlog of work.
Please be assured that this has been reported to the Information Commissioner's Office (ICO) and we will continue to monitor and update requestors where possible. We thank you for your ongoing support and patience whilst we work to fix this issue.
Everyone has the right to access their own information. This is called a 'Subject Access Request'.
If you require access to your records you will need to complete one of the below application forms and return to the Health Records Team with the relevant documents. Individuals are entitled to exercise their rights verbally as well as in writing but will need to provide relevant documentation.
Once the team have received your information they will process your request. This can take up to one month to complete.
In some circumstances we may request an extension if you have a large amount of information.
All our information is reviewed and redacted by our in house specialist Health Records Team and sent out either password protected in an email or sent recorded delivery in the post.
Please ignore the first page: this application form is also used should individuals wish to receive a copy by post. You do not need to complete the letter template.
Form A - Service user aged 13+, representative or lacking capacity
Form B - Parent request for child aged 0-12
What other information we collect
We collect information on all staff we employ, as well as volunteers, people with honorary contracts and agency staff for the purposes of running our services. We use the information for administrative, academic and statutory purposes and to support health and safety.
The information we collect includes:
Data type | Purpose of collecting |
Names, addresses and telephone numbers | Employment contracting |
Spouse, partner, emergency contact, close relative, next of kin names, address, telephone and email details | Emergency contact |
Employment records (including professional memberships, references, appraisals, professional development plans, education and training records) | Statutory requirement of employment, performance management, professional development |
Bank, National Insurance number and pension details | Payment of salaries and other expenditure claims |
Nationality / domicile | Proof of eligibility to work in the UK |
Ethnicity | Equality monitoring, equal opportunities |
Medical information including physical health or mental condition | Appropriate adjustments to work arrangements, management of disability rights and other occupational health services |
Religious beliefs | Spiritual support, equal opportunities, equality monitoring |
My Health and Care Record
What is My Health and Care Record?
Each organisation (primary care, hospitals, mental health services, social care etc.) needs different IT systems to manage its patients and business. These systems don’t interconnect and, what’s more, they can’t. This is because:
- the many different IT vendors are competing against each other and
- connecting everyone to everyone else doesn’t work – there are far too many connections to make.
My Health and Care Record (MHCR) was created to solve this problem and deliver unified data, stored in a single integrated digital patient record for each citizen that can be shared across the entire care system.
My Health and Care Record (MHCR) works by receiving a copy of the health information held about an individual and creating one integrated patient-controlled record. The patient or a professional (with appropriate consent) can invite whomever they want to view the record, from clinicians to carers, as well as charities and support groups.
Service users are in full control of who has access to their information. This can involve sharing with other health, social care and community services. The individual can provide consent for organisations to review their record and can remove access rights at any time. When a new request for access is made, all individuals involved are notified immediately and requested to review.
This brings together all care providers from community care, to primary and acute care providers, as well as charities and local authorities.
Legal basis for processing information
Every user has full control over their record and they are responsible for who they wish to share information with. Initially, users provide consent to share their email address for clinicians to invite them to use MHCR.
The information held within MHCR is not a complete set of the user's medical records but as such they are treated as part of their medical record.
No new protocols are required for this informed consent; they are the same as those for when you consent as a patient for any other procedure, and have the same exclusions for patients who are children; who have temporary mental health problems; or who have dementia and thus with power of attorney to a delegate to a carer(s). My Health and Care Record (MHCR) forms part of the healthcare record. Our legal basis for processing information within My Health and Care Record (MHCR) is as follows:
• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Who else uses it?
- Western Sussex Hospitals NHS Trust
- Dartford and Gravesham NHS Trust
- Brighton and Sussex University Hospitals
- East London NHS Foundation Trust
- East Sussex Healthcare Trust
- Imperial College Healthcare Trust
Sharing information
Every authorised user is either a patient or a professional. A patient can add any information they want into their record but they are only authorised to access information from organisations after an identity verification process.
The process is different for each organisation. A professional is a user whose employer (e.g. NHS hospital or county council social worker) has identified and authorised them to use the system. The patient may choose to invite a carer or professional who has not been formally identified, but these unverified accounts cannot be used with any other patients. There is a full audit trail of who gave who access to which accounts.
Individuals' rights
Each organisation follows its own processes around rights of individuals. Please contact the relevant organisation delivering your care to find out their internal processes and policies for rights around your personal information.
How can you gain access?
All applications for access to your ‘My Health and Care Record’ must be sent to MHCRAccess@sussexpartnership.nhs.uk.
Plexus Care Record
How your vital health and care information is shared through Plexus
Sharing your health and care information is critical in supporting your care and treatment. In Sussex we are introducing a Shared Care Record called Plexus Care Record (also referred to as Plexus). This is part of a national programme to transform information sharing across health and social care known as the Shared Care Record (ShCR) programme. Plexus will be used by health and social care services within Sussex, which includes your GP practice, community, mental health, hospital services and social care. It shares important information about your health and care and allows health and social care practitioners easy access to information, which is critical to support decision-making about your care and treatment. It means that you won’t have to keep repeating your medical history to each practitioner in different organisations, care plans can be followed more consistently and practitioners will be better equipped to plan care more effectively to meet patients’ needs. This initiative is funded in partnership with the Sussex Health and Care Partnership and NHS England's Shared Care Record programme.
More information about Plexus
Each health and social care organisation collects information about you and keeps records about the care and services they provide. Plexus allows health and social care staff to find key information about your health and care in one place, which helps them to make the most informed decisions and provide the best care to you as a patient or service user. It is also essential that health and social care staff have access to the most up to date information.
The types of personal information shared through Plexus
Personal information (or Personal Data) means any information about an individual from which that person can be identified. The Personal Data that is shared includes:
- Identifying Data: Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number and NHS Number.
Other categories of Personal Data include:
- A list of diagnosed conditions – to make sure your clinical and care staff have an accurate record of your care
- Medication – so everyone treating you can see what medicines you have been prescribed
- Allergies – to make sure you’re not prescribed or given any medicines you can have an adverse reaction to
- Test results – to speed up treatment and care and to ensure tests are not repeated
- Referrals, clinical letters and discharge information – to make sure the people caring for you have all the information they need about other care and treatment you are having elsewhere
- Care plans (where available) – for health and care workers involved in your care to view a joined-up plan of care and the wishes you’ve asked for in relation to your care
- Relevant information about people that care for you and know you well
- Basic details about associated people e.g. children, partners, carers, relatives etc.
What is the lawful basis for the sharing of information?
Health and social care organisations have a duty to share personal data under the Health and Social Care Act 2012 and as amended by the Health and Care (Safety and Quality) Act 2015 where it is:
a) likely to facilitate the provision to the individual of health services or social care in England, and
b) in the individual’s best interests.
NHS and Social Care Services are official authorities with a public duty to care for their patients and service users, and data protection laws, such as the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Common Law Duty of Confidentiality, provide a legal basis for sharing information for health and care purposes.
UK General Data Protection Regulation 2016 and Data Protection Act 2018
GDPR Article 6 - Lawfulness of processing: Article 6(1)(e) Performance of a public task and
GDPR Article 9 - Processing of special categories of personal data: Article 9(2)(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
Organisations who can access your personal information through Plexus
Personal Data will only be shared between relevant health and social care organisations in Sussex involved in your care. These include:
- Primary care (e.g. your GP practice, out of hours)
- Secondary care (e.g. hospitals)
- Community services
- Mental health services
- Social care departments
- Specialist services (e.g. ambulances)
Plexus makes your patient information easily accessible for the purposes of your care and treatment.
How is information in Plexus?
A record of care is held on each organisation’s secure electronic system (local record) e.g. a GP practice will have its own system for recording patient information, as will the hospital, or community or social care service. Sussex Health and Care Partnership has designed a secure system that can read and combine data from those multiple electronic health and care systems to provide an up-to-date summary of that data to relevant health and care practitioners when required for the purposes of direct care.
How will the information be made available in Plexus?
Health and care information is presented either as a read-only view, or added into the receiving organisation’s record system. The originating information remains within each organisation’s record system and cannot be changed.
Strict access controls and policies ensure that practitioners can only see information regarding patients or service users that they are treating or who have been referred to them for treatment.
How long will the data be held in Plexus?
As Plexus is an integrated health and care record that pulls together vital patient data from several health and social care providers, only data currently visible in each of the local systems will be visible in Plexus.
Each partner organisation sharing through Plexus has local retention rules set by the NHS Records Management Code of Practice for Health and Social Care.
Within the governance framework for Plexus, any system supplier is also contractually obliged to comply with any requests by the partners to remove/delete data when instructed to do so.
How is your personal information kept safe and secure in Plexus?
We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information. Appropriate technical and security measures in place to protect Plexus include:
- Complying with Data Protection Legislation
- Implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- A requirement for organisations to complete the Data Security and Protection (DSP) Toolkit or equivalent, introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements
- Use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under Plexus are auditable against an individual accessing Plexus
- Ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of data and are under contractual or statutory obligations of confidentiality concerning the Personal Data. The Common Law Duty of Confidentiality and Data Protection Laws apply to all health and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
All staff with access to Personal Data are trained to ensure information is kept confidential.
What are your rights regarding information held in Plexus?
Under the Data Protection Legislation, you have the right to:
- Be informed of our uses of your data (the purpose of this privacy notice)
- Request copies of your personal information, commonly referred to as a Subject Access Request (SAR)
- Have any factual inaccuracies corrected
- Request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
- Not be subject to automated decision making or profiling. There is no automated decision making or profiling in the summary care plan
- Complain about the handling of your data to an organisation’s data protection officer or to the regulator
- Object to processing of your personal data in certain circumstances.
Details of how to exercise your rights are shown below.
How can I access the information you keep about me?
To access your Personal Data, you should contact the organisations holding the data you wish to see, typically your GP Practice, Hospital, Local Authority (Social Care) or NHS Service.
How can I object to my data being shared via Plexus?
You have a legal right to object to your data being shared. Please contact your health and/or social care provider(s) to discuss this further. This could be your GP practice or the health or care staff that provided, or are currently providing, your treatment and care. Your objection will be considered on a case-by-case basis. You will be asked to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it. When considering your objection, your practitioner will discuss this with you and consider whether you can still be provided with safe individual care. Your objections may be overruled where required in law (eg safeguarding purposes).
Your right to complain
Please contact your local appropriate health or social care organisation and their Data Protection Officer to raise a complaint. You can get further advice or report a concern directly to:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
Email: ico.org.uk/concerns/handling/
Further information about the way in which the NHS uses personal information and your rights
- NHS Constitution - The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.
- NHS Digital - NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
- National Data Opt-Out - A service that allows patients to opt out of their confidential patient information being used for research and planning.
Volunteers
The personal information provided by candidates and volunteers for their applications and registration is used for the purpose stated in each case. The Voluntary Services Department may analyse statistical trends based on the information given; however, this analysis does not include identifiable personal information.
Volunteer records are stored in accordance with the Trust’s Information Governance Policy and will conform to the Data Protection Act 2018.
Other bodies
There are some exceptional circumstances where we must share information about employees with official bodies or other organisations without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include:
- Disclosure and Barring Service
- Home Office
- Her Majesty’s Revenue and Customs (HMRC)
- financial institutes, for example banks and building societies for approved mortgage references
- educational, training and academic bodies
- Department for Work and Pensions (DWP)
- Care Quality Commission (CQC)
If you want to complain
If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting the Information Governance team. You will find contact details in the 'Further information' section.
If your request to have your records amended is turned down because the information is not wrong, we will add a statement of your views to the record.
If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. For details of how to do this:
- visit the ICO website at www.ico.org.uk
- telephone 0303 123 1113
Further information
Information Governance Team
0300 304 2025
information.governance@sussexpartnership.nhs.uk
Health Records Team
0300 304 2210
health.records@sussexpartnership.nhs.uk
Information Commissioner's Office
0303 123 1114
ico.org.uk