Patient information and how we use it
Requesting to see a Health Record
Under data protection laws, patients have the right to request access to the information contained in their health record.
Current patients can ask a member of staff and they can make an appointment to view their health record.
Where patients are no longer in contact with us, they can still request access to their health record, but we will need some additional details in order to locate them.
Patients will not be able to take away the original health record, but a copy can be made. This request will need to be put in writing. A member of staff can help with this if necessary.
We will try to make sure any requests are dealt with within 21 days, but by law we should provide these within one month of the request unless it is a complex request.
Legally we are able to withhold any parts of health records that, in our professional medical opinion, are likely to cause serious harm to the physical or mental health to the patient or any other person.
To make a formal application, please complete this application form in PDF or MS Word format and send to:
Information Governance Team – Access to Records
Bramber Building
Brighton General Hospital
Elm Grove
Brighton
BN2 3EW
or email sc-tr.accesstorecords@nhs.net
Why we collect patient information
Healthcare professionals keep health records about the care and treatment of a patient in order to provide the best possible care. Health records may be stored in paper format or electronically; and may include information such as:
- Name; address; and date of birth
- Next of kin or named emergency contacts
- Appointments
- Information about a patient’s health; care plan; treatment and/or procedures and other relevant information to support the provision of health care
- Test results – e.g. laboratory and X-ray results
- Your eligibility to receive free NHS care
Health records are used to ensure:
- There is a documented record of care.
- Healthcare professionals have accurate and up-to date information to help assess and decide on the care and treatments required.
- We are able to assess how well our patients have been looked after, including assessing health conditions against a set of factors to ensure patients are receiving the best possible care
- Any concerns can be properly investigated in the case of a complaint or incident.
Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care.
A number of services provided by Sussex Community NHS Foundation Trust are now using an electronic health record system called SystmOne.
Patient confidentiality and information security
- By law everyone working for or on behalf of the NHS, must respect patient confidentiality and keep patient information secure.
- We can provide assurance that the computer systems we use are subject to strict controls and only staff who are involved in a patient’s care have access to those records.
- When we do share patient information we will only share the information that is relevant and always use the most secure method available.
Where patients are being cared for by one of our services using SystmOne, any other Sussex Community NHS Foundation Trust service directly involved in the patient’s care (accessing SystmOne) will also be able to access the health record on a need-to-know basis. Sharing this information between services means that our staff will be able to get up-to-date information about a patient’s care and are able to treat them safely and efficiently. It will also mean that healthcare professionals do not have to keep asking patients the same questions.
Patient care may be provided through a multi-disciplinary care team. This might include people from other organisations such as general practice; social care; education; or other care organisations. We will inform patients if this is the case.
Where we have the ability to share a patient’s full health record with other healthcare professionals involved in a patient’s care (such as another NHS services or the GP), we will ask permission to do so.
The GP, or other health professionals, may also ask whether a patient would like services at Sussex Community NHS Foundation Trust to be able to view their health records when treating them.
Patients can change these sharing preferences at any time by discussing this with the Health Professional involved in their care.
How health records are used to help the NHS
In most cases where information is required to help the NHS other than for direct care, any information which may identify a patient will be removed. Where there is a requirement for us to be able to identify a patient (such as investigating complaints or an incident), we will ask the patient’s permission (unless we are required to disclose information by law).
Health records are also used to assist with:
- Reviewing our care provision to ensure it is of the best quality.
- Teaching and training healthcare professionals.
- Conducting clinical audits as part of efforts to improve, review and develop our services.
- Reporting and investigating complaints, claims and untoward incidents.
- Creating statistical information to look after the health and wellbeing of the general public.
- Planning services to meet the needs of the population including sharing information with local health and care providers to review and improve patient routes through health and social care services.
- Conducting health research and development.
- Reporting on our performance to the Department of Health and NHS England.
- Supporting the funding of a patient’s care.
- Collecting payments from overseas visitors that use NHS services.
We have a legal requirement to provide information to NHS Digital to collate and analyse in order to produce anonymised reports to allow the effective monitoring of national and local service standards, including efficiency, equity and effectiveness of services and improve data quality. Patients have the right to opt-out of their data being used in this way.
Working with Sussex Health and Care Partnership
Sussex Community NHS Foundation Trust is a key part of the Sussex Health and Care Partnership. Across Sussex, the NHS and local councils, who look after social care and public health, are working together to improve health and care.
Sussex Health and Care Partnership brings together 13 organisations into what is known as an integrated care system (ICS), and Sussex Community NHS Foundation Trust is a key part of this partnership to take collective action to improve the health of local people, ensure that health and care services are high-quality and to make the most efficient use of our resources.
In doing so, there are a number of key initiatives involving the use and sharing of information. Details of these initiatives, can be found on Sussex Health and Care Partnership’s Digital Priorities webpage. Further information about how your data is used is also available within each initiative’s page – ‘My Health and Care Record’; Plexus Care Record; and Sussex Integrated Data Set, which are all listed on the Digital Priorities webpage.
Legal Responsibilities
The legal basis for the processing of data for health care purposes under data protection laws (such as the General Data Protection Regulation (GDPR) and the Common Law Duty of Confidentiality) is that the NHS is an official authority with a public duty to care for its patients. The Department of Health and data protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.
If we need to use a patient’s personal information for any reason beyond those stated above, we will discuss this with them.
At times we have a legal duty to share information which identifies patients without obtaining permission.
Examples of these are:
- To protect children or vulnerable adults who are not able to decide for themselves whether their information should be shared.
- Reporting serious crime to the police.
- A court orders us to do so.
- Reporting events to the appropriate authorities, such as serious incidents, notification of infectious diseases or birth notifications.
Where patients have queries on the uses of their information in the provision of direct care, they should speak to their health professional.
Sussex Community NHS Foundation Trust (SCFT) holds and retains health information in paper and electronic formats for specified periods of time to provide high quality patient care and to keep a public record in accordance with the Public Records Act 1958. SCFT adheres to the current national guidance on retention periods set out in the Information Governance Alliance Record Management Code of Practice for Health and Social Care 2016.
The Record Management Code of Practice for Health and Social Care 2021 can be accessed in full using the link provided: https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
All personal information held and retained by Sussex Community NHS Foundation Trust is processed in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
For queries on other uses of their information contact our Data Protection Officer / Information Governance Team on 01273 666473 or email sc-tr.infogov@nhs.net
Data Protection - Individuals Rights
Data Protection Laws give individuals certain rights in respect of the personal information that is held about them. These are:
- To be informed why, where and how we use their information
- To ask for access to their information
- To ask for their information to be corrected if it is inaccurate or incomplete
- To ask for their information to be deleted or removed where there is no need to continue processing it
- To ask to restrict the use of their information
- To ask to copy or transfer their information from one IT system to another in a safe and secure way, without impacting the quality of the information
- To object to how their information is used
- To challenge any decisions made without human intervention (automated decision making)
Some of these rights are absolute and we must follow them. Others will need to be carefully reviewed as we have other legal duties so they do not apply in all circumstances.
Requesting information in a health record to be corrected or deleted
In the first instance a patient should discuss this with the Health Professional involved in their care with details of the information and the reason for the correction, deletion or restriction.
Where it is agreed that corrections are necessary these will be made. If, however, after professionally reviewing the information, the health professional considers this to be correct, we will discuss this with the patient and note the concerns in the record.
We have a legal duty to record information gathered although information can be corrected, we will need to keep an audit trail of the correction. Where it is requested that information is fully deleted from a record, we would in most case, request a court order to do so.
Objections to processing or asking for processing to be restricted
In most cases we have a legal duty to collect and use information to ensure that the patient receives the best, most efficient and effective healthcare provision.
If a patient wishes to objects or restricts the use of their information this should initially be discussed with the health professional.
Where the use of information is for the patient’s direct healthcare, the health professionals will discuss the reasons for this. Where the restriction on use or sharing would not impact the patient’s direct care, this would be respected and documented in the record.
It will be explained to the patient that there may be cases where their objection or restriction may be overridden if there is a legal reason to do so. Examples of these are safeguarding children and vulnerable adults, the prevention and detection of crime or if a court orders us to do so.
If a patient wants to object or restrict their data being processed for other reasons other than direct patient care (secondary uses) they should contact the Information Governance Team to discuss.
Data Protection Impact Assessments (DPA)
As part of SCFT’s Privacy by Design and Default requirements under Data Protection Legislation, a Data Protection Impact Assessment (DPIA) is completed to evaluate and manage any risks to personal data. To view a list of our current DPIAs, please click here.
How the NHS and care services use your information
Sussex Community NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public. We are part of the Sussex Health and Care Partnership, which is a group of NHS and local councils that look after social care and public health and work together to improve health and care. The Sussex Health and Care Partnership (SHCP) brings together 13 organisations into what is known as an integrated care system (ICS). One of the priorities of the ICS is the “Our Care Connected” programme which seeks to deliver a single health and care record for each person living in Sussex. The “Our Care Connected” programme will introduce the “Plexus Care Record”, a shared care record for care across Sussex and the Sussex Integrated Data Set. Further information about this is available on the Sussex Health and Care Partnership website.
Whenever you use a health or care service provided by Sussex Community NHS Foundation Trust, such as attending a Minor Injury Unit or using one of our community services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters or contact NHS Digital Contact Centre 0300 303 5678.
You can also find out more about how patient information is used for health research at:
https://www.hra.nhs.uk/information-about-patients (which covers health and research)
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
Contact us
For further information or for queries relating to any of the above, please initially speak to your service.
To contact the Data Protection Officer / The Information Governance Team:
Telephone 01273 666473 or email sc-tr.infogov@nhs.net
For advice, or to make a comment about our services, facilities or staff, please contact our Patient Advice Liaison Service (PALS) on 01273 242292 or email sc-tr.PALS@nhs.net
Here is a handy leaflet explaining more about our use of patient data.
