Data Protection Legislation

Click here to read our Shared PCN Clinical Services Policy


Data Protection Legislation: Your Rights

  1. Right to be informed:

You have the right to be provided with information on the identity of the controller, the reasons for processing your personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

  2. Right of Access:

You have the right to obtain the following:

  • confirmation of whether, and where, the controller is processing your personal data;
  • information about the purposes of the processing;
  • information about the categories of data being processed;
  • information about the categories of recipients with whom the data may be shared;
  • information about the period for which the data will be stored (or the criteria used to determine that period);
  • information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
  • information about the existence of the right to complain to the DPA;
  • where the data were not collected from the data subject, information as to the source of the data; and
  • information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.

Additionally, you may request a copy of the personal data being processed. This information will be provided to you within 30 days of your request, unless we inform you that more time is required, and will be provided free of charge. However, if you make repetitive requests or require further copies of the information, you may be charged for this.

  3. Right to Rectification

We must ensure that inaccurate or incomplete data are erased or rectified. You have the right to have inaccurate information corrected or in certain circumstances erased from your records.

  4. Right to Erasure (Right to be Forgotten)

You have the right to erasure of personal data (the “right to be forgotten”) if:

  • the data are no longer needed for their original purpose (and no new lawful purpose exists);
  • the lawful basis for the processing is your consent, and you withdraw that consent, and no other lawful ground exists;
  • you exercise the right to object, and the controller has no overriding grounds for continuing the processing;
  • the data have been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law.

The Trust can refuse to erase your data in the following circumstances:

  • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
  • When the Trust is legally obliged to keep hold of your data.
  • When keeping hold of your data is necessary for reasons of public health.
  • When keeping your data is necessary for establishing, exercising or defending legal claims.
  • When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

The majority of processing of healthcare related personal information is undertaken under our statutory duty to provide such care. This means that we are required by law to hold your personal data and you do not have the ability to have that data erased in most circumstances.

  5. Right to Restrict Processing

You have the right to restrict the processing of personal data (meaning that the data may only be held by the controller, and may only be used for limited purposes) if:

  • the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • the processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
  • the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or
  • if verification of overriding grounds is pending, in the context of an erasure request.

Where we have disclosed personal data to any third parties, and you have subsequently exercised any of the rights of rectification, erasure or blocking, we must notify those third parties that you have exercised those rights.

We are exempt from this obligation if it is impossible or would require disproportionate effort. You are also entitled to request information about the identities of those third parties. Where we have made the data public, and you exercise these rights, we must take reasonable steps (taking costs into account) to inform third parties that you have exercised those rights.

  6. Right of Data Portability

You have a right to transfer your personal data between controllers.

The right to data portability only applies when:

  • we are processing your data with consent or for the performance of a contract; and
  • the processing is automated.

The legal basis for processing your information is based on our statutory obligations and not your consent. Data is also not processed by automated means so this right does not apply to the data we hold about you.

  7. Right to Object to Processing

You have the right to object, on grounds relating to your particular situation, to the processing of personal data, where the basis for that processing is either:

  • public interest; or
  • legitimate interests of the controller.

We must cease such processing unless we can:

  • demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
  • require the data in order to establish, exercise or defend our legal rights.

  8. Right to Object to Processing for Direct Marketing

You have the right to object to the processing of personal data for the purpose of direct marketing, including profiling. We do not use your personal data for Direct Marketing purposes unless you have provided us with explicit consent to do so.

  9. Right to object to processing for scientific, historical or statistical purposes

Where your personal data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

  10. Right to not be evaluated on the basis of automated processing

You have the right not to be subject to a decision based solely on automated processing which significantly affects you. The Trust does not undertake any automated processing of this nature.

Should you require any further information on GDPR, this can be found on the Information Commissioner’s Office (ICO) website.

Data Protection Officer is: Mr James Carroll

Email address: [email protected]

Please note that if you wish to make a subject access request, please contact the practice directly and do not use the DPO email address.