Requests to Access Personal Data

How BCHC processes personal data in relation to Subject Access Requests, Access to Health Records, requests for deceased persons and other similar requests...

Birmingham Community Healthcare NHS Foundation Trust Privacy Notice: Access to Personal Data Procedure

1. Introduction

This Privacy Notice outlines how Birmingham Community Healthcare NHS Foundation Trust (BCHC) processes personal data in relation to Subject Access Requests (SARs), Access to Health Records requests for deceased persons and other similar requests for personal data in compliance with the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 and Access to Health Records Act 1990.


2. Data Controller Contact Details

Birmingham Community Healthcare NHS Foundation Trust
Trust Headquarters
3 Priestley Wharf
Holt Street
Birmingham
B7 4BN

Information Commissioner's registration number: Z243363X


3. Data Protection Officer

Michael Morgan-Bullock

  • Email: bchc.dpo@nhs.net
  • Post: Data Protection Officer, Information Governance Department, Birmingham Community Healthcare NHS Foundation Trust, 3 Priestley Wharf, Holt Street, Birmingham, B7 4BN


4. Purpose of Processing

The primary purpose of processing personal data in the context of a SAR or similar request is to administer and fulfil your request as applicable.


The Trust uses a secure portal called OneTrust, which helps BCHC automate data requests. Requestors submit their request through a web form on the Trust’s public website. Requests are then allocated to an appropriate team and processed as required. Requestors can use the OneTrust portal to communicate with the Trust and get updates on their request.


When the request is complete, the personal information requested is provided to requestors via Egress. Egress is a secure email platform designed to safeguard sensitive information during transmission. Egress sends emails securely by employing end-to-end encryption throughout their entire journey. Egress allows the Trust to confidently exchange sensitive data via email while maintaining compliance with data protection regulations and mitigating the risk of unauthorised access or data breaches.

 

5. Categories of Personal Data Processed

The personal data processed during a request may include, but is not limited to:

  • Contact information of data subject and requestor (if applicable) (name, address, email, phone number)
  • Identification information (Date of Birth, NHS number, Photo ID and proof in the community, for example passport and utility bill)
  • Data Concerning Health (medical records)
  • Staff employment history (personal files, training records)
  • Any other information relevant to the request

 

6. Legal Basis for Processing

The legal basis for processing personal data in response to a SAR is to fulfil our legal obligations under the UK GDPR, specifically under Article 15, which grants data subjects the right of access to their personal data. For other requests for access to personal data, we will fulfil the request in accordance with the relevant data protection legislation as appropriate.

 

7. Recipients of Personal Data

Personal data provided in response to a request may be shared with:

  • The Data Subject or their representative
  • Internal Trust personnel responsible for processing the request
  • Legal advisors for compliance and advice
  • Regulatory authorities, if required by law


8. Data Retention Period

We will retain personal data obtained through a request for the period necessary to fulfil the purpose for which it was collected, including any legal, accounting, or reporting requirements. This will be in accordance with the latest version of the NHS Records Management Code of Practice.


9. Data Subject Rights

Data subjects have the right to:

  • Confirm whether their personal data is being processed (available through this process)
  • Access their personal data (available through this process)
  • Rectify inaccurate personal data
  • Erase personal data
  • Restrict processing of personal data
  • Object to processing of personal data
  • Data portability

 

If you would like to exercise any of the Data Subject Rights (other than access to your personal data), please contact the Information Governance Team via bchc.informationgovernance@nhs.net.

 
Please note: we will review each request made on a case-by-case basis. Some rights may not apply. If this is the case, the Trust’s Information Governance Team will provide you with the necessary information to clarify the reason(s) for this.

More information about Data Subject Rights can be found on the ICO website: A guide to individual rights | ICO


10. Security Measures

The Trust has implemented appropriate technical and organisational measures to ensure the security and confidentiality of personal data during the request process.

As highlighted, the Trust uses the OneTrust solution, together with a secure storage location on its internal file server, to handle the administration and management of requests. The Trust uses Egress to securely supply requestors with the information requested in response to a SAR or other request for personal data.

 


11. Complaints

If a data subject believes that their rights under the UK GDPR have been violated, they have the right to lodge a complaint with the Information Commissioner's Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
Website: https://ico.org.uk

 
12. Changes to this Privacy Notice

This Privacy Notice may be updated from time to time to reflect changes in our request procedures or legal obligations.
