Patient information and how we use it

Requesting to see a Health Record

Under data protection laws, patients have the right to request access to the information contained in their health record.

Current patients can ask a member of staff and they can make an appointment to view their health record.

Where patients are no longer in contact with us, they can still request access to their health record, but we will need some additional details in order to locate them.

Patients will not be able to take away the original health record, but a copy can be made. This request will need to be put in writing. A member of staff can help with this if necessary.

We will try to make sure any requests are dealt with within 21 days, but by law we should provide these within one month of the request unless it is a complex request.

Legally we are able to withhold any parts of health records that, in our professional medical opinion, are likely to cause serious harm to the physical or mental health to the patient or any other person.

To make a formal application, please complete this application form in PDF or MS Word format and send to:

Information Governance Team – Access to Records
Bramber Building
Brighton General Hospital
Elm Grove

or email

Why we collect patient information

Healthcare professionals keep health records about the care and treatment of a patient in order to provide the best possible care. Health records may be stored in paper format or electronically; and may include information such as:

  • Name; address; and date of birth
  • Next of kin or named emergency contacts
  • Appointments
  • Information about a patient’s health; care plan; treatment and/or procedures and other relevant information to support the provision of health care
  • Test results – e.g. laboratory and X-ray results

Health records are used to ensure:

  • There is a documented record of care.
  • Healthcare professionals have accurate and up-to date information to help assess and decide on the care and treatments required.
  • We are able to assess how well our patients have been looked after, including assessing health conditions against a set of factors to ensure patients are receiving the best possible care
  • Any concerns can be properly investigated in the case of a complaint or incident.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care.

A number of services provided by Sussex Community NHS Foundation Trust are now using an electronic health record system called SystmOne.

Patient confidentiality and information security

 By law everyone working for or on behalf of the NHS, must respect patient confidentiality and keep patient information secure.

  • We can provide assurance that the computer systems we use are subject to strict controls and only staff who are involved in a patient’s care have access to those records.
  • When we do share patient information we will only share the information that is relevant and always use the most secure method available.

Where patients are being cared for by one of our services using SystmOne, any other Sussex Community NHS Foundation Trust service directly involved in the patient’s care (accessing SystmOne) will also be able to access the health record on a need-to-know basis. 

Sharing this information between services means that our staff will be able to get up-to-date information about a patient’s care and are able to treat them safely and efficiently. It will also mean that healthcare professionals do not have to keep asking patients the same questions.

Patient care may be provided through a multi-disciplinary care team. This might include people from other organisations such as general practice; social care; education; or other care organisations. We will inform patients if this is the case.

Where we have the ability to share a patient’s full health record with other healthcare professionals involved in a patient’s care (such as another NHS services or the GP), we will ask permission to do so.

The GP, or other health professionals, may also ask whether a patient would like services at Sussex Community NHS Foundation Trust to be able to view their health records when treating them. 

Patients can change these sharing preferences at any time by discussing this with the Health Professional involved in their care.

How patient information is used to help the NHS 

Patient information is also used to assist with:

  • Reviewing our care provision to ensure it is of the best quality.
  • Teaching and training healthcare professionals.
  • Conducting clinical audits as part of the quality improvement process, review and service development.
  • Reporting and investigating complaints, claims and untoward incidents.
  • Creating statistical information to look after the health and wellbeing of the general public.
  • Planning services to meet the needs of the population including sharing information with local health and care providers to review and improve patient routes through health and social care services.
  • Conducting health research and development.
  • Reporting on our performance to the Department of Health and NHS England.
  • Supporting the funding of a patient’s care.

We have a legal requirement to provide information to NHS Digital to collate and analyse in order to produce anonymised reports to allow the effective monitoring of national and local service standards, including efficiency, equity and effectiveness of services and improve data quality. Patients have the right to opt-out of their data being used in this way. 

Legal Responsibilities

The legal basis for the processing of data for health care purposes under data protection laws (such as the General Data Protection Regulations (GDPR) and the Common Law Duty of Confidentiality) is that the NHS is an official authority with a public duty to care for its patients. The Department of Health and data protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.

If we need to use a patient’s personal information for any reason beyond those stated above, we will discuss this with them.

At times we have a legal duty to share information which identifies patients without obtaining permission.

Examples of these are:

  • To protect children or vulnerable adults who are not able to decide for themselves whether their information should be shared.
  • Reporting serious crime to the police.
  • A court orders us to do so.
  • Reporting events to the appropriate authorities, such as serious incidents, notification of infectious diseases or birth notifications.

Where patients have queries on the uses of their information in the provision of direct care, they should speak to their health professional.

For queries on other uses of their information contact our Data Protection Officer / Information Governance Team on 01273 666473 or email

Data Protection – Individuals Rights

Data Protection Laws give individuals certain rights in respect of the personal information that is held about them.  These are:

  • To be informed why, where and how we use their information.
  • To ask for access to their information.
  • To ask for their information to be corrected if it is inaccurate or incomplete.
  • To ask for their information to be deleted or removed where there is no need to continue processing it.
  • To ask to restrict the use of their information.
  • To ask to copy or transfer their information from one IT system to another in a safe and secure way, without impacting the quality of the information.
  • To object to how their information is used.
  • To challenge any decisions made without human intervention (automated decision making)

Some of these rights are absolute and we must follow them. Others will need to be carefully reviewed as we have other legal duties so they do not apply in all circumstances.

Requesting information in a health record to be corrected or deleted.

In the first instance a patient should discuss this with the Health Professional involved in their care with details of the information and the reason for the correction, deletion or restriction.

Where it is agreed that corrections are necessary these will be made.  If, however, after professionally reviewing the information, the health professional considers this to be correct, we will discuss this with the patient and note the concerns in the record. 

We have a legal duty to record information gathered although information can be corrected, we will need to keep an audit trail of the correction.  Where it is requested that information is fully deleted from a record, we would in most case, request a court order to do so. 

Objections to processing or asking for processing to be restricted. 

In most cases we have a legal duty to collect and use information to ensure that the patient receives the best, most efficient and effective healthcare provision.

If a patient wishes to objects or restricts the use of their information this should initially be discussed with the health professional. 

Where the use of information is for the patient’s direct healthcare, the health professionals will discuss the reasons for this.  Where the restriction on use or sharing would not impact the patient’s direct care, this would be respected and documented in the record. 

It will be explained to the patient that there may be cases where their objection or restriction may be overridden if there is a legal reason to do so.  Examples of these are safeguarding children and vulnerable adults, the prevention and detection of crime or if a court orders us to do so.

If a patient wants to object or restrict their data being processed for other reasons other than direct patient care (secondary uses) they should contact the Information Governance Team to discuss. 

Data Protection Impact Assessments (DPIA)

As part of SCFT’s Privacy by Design and Default requirements under Data Protection Legislation, a Data Protection Impact Assessment (DPIA) is completed to evaluate and manage any risks to personal data. To view a list of our current DPIAs, please click here.

Contact us

For further information or for queries relating to any of the above, please initially speak to your service.

To contact the Data Protection Officer / The Information Governance Team:

Telephone 01273 666473 or email

For advice, or to make a comment about our services, facilities or staff, please contact our Patient Advice Liaison Service (PALS) on 01273 242292 or email

Here is a handy leaflet explaining more about our use of patient data.