NHS Legal Basis for Processing Personal Data

The ICO has indicated that consent should generally not be relied on as the legal basis for collecting and processing data under the GDPR by authorities such as health and care providers. Such organisations are unlikely to be able to meet the strict requirements for valid consent; in particular, consent cannot be considered freely given if access to health and care services depends on it. The ICO therefore recommends using a different legal basis. Where personal data is passed from one organisation to another for purposes beyond the direct care of an individual, a data-sharing agreement should be put in place. The agreement records who has responsibility for and control over the data (the data controller) and must comply with the relevant data protection law and the ICO's guidance on data-sharing agreements; for more information, see the ICO Data Sharing Code of Practice. In the UK, the legal framework for holding and processing patient data is the Data Protection Act (DPA) 2018, which supplements the General Data Protection Regulation (GDPR), together with the Common Law Duty of Confidentiality (CLDC). Under the GDPR, the collection and processing of health and care data must meet two conditions: there must be a lawful basis for the processing (Article 6), and, because health data is a special category of personal data, a further condition must be satisfied (Article 9, with the associated conditions in Schedule 1 of the DPA 2018). See above for how we meet our obligations under Schedule 1 for special categories of data. Our processes remove identifiers and reduce the identifiability of the data supplied to the central system (the analytical data set); the retention period for this data is set out in our DPIA. We ensure that we comply with our obligations to process personal data lawfully, fairly and transparently.

Transparency is a key element of data protection. You need to make sure your patients know how their data is used and for what purposes it is shared: there should be "no surprises" for a patient about the use of their data. Data protection law requires that the collection and processing of personal data be fair, lawful and transparent. We regularly monitor, review and update our assessment of security issues and risks so that our security arrangements remain robust and improve as new information becomes available, for example when changes to the phone's operating system could affect the app. We ensure that only anonymised data is processed within DHSC's secure IT infrastructure from the moment it enters that infrastructure, with the exception of the test code and test result, which are destroyed within 24 to 48 hours of the test result being received. Consent to take part in research is not the same as consent as a legal basis for processing under data protection law. For example, an individual may be asked to consent to participate in a study while being told that the data about them will be processed on the basis of a task carried out in the public interest if they agree to take part; here the legal basis for the data processing is public task, not consent.

NHS England and NHS Improvement have a comprehensive set of policies and procedures covering all aspects of information governance and privacy. These govern how we ensure that the personal data we are responsible for is processed and shared lawfully and that individuals' privacy rights are respected. Our Data Protection Officer is Kevin Willis, who oversees internal compliance monitoring and advises the organisation on its data protection obligations; he can be contacted via enquiries@nhsdigital.nhs.uk. Where consent is used as the legal basis for processing, the individual must also be granted certain additional rights, including the rights to erasure and to data portability, as defined in the DPA. Our systems cannot access or process this data; we note it here in the interests of transparency. Data subjects receive clear and transparent privacy information. NHS England may also process personal data for the purposes of, or in connection with, legal proceedings (including future legal proceedings), for obtaining legal advice, or for establishing, exercising or defending legal claims. Where we process personal data for these purposes, the legal basis for doing so is as follows: the availability of some of the rights described here depends on the legal basis that applies to the processing of your personal data, and there are other circumstances in which we are unable to act on a request to exercise a right. Your rights and how they apply are described below.

This transparency notice describes our data processing activities. It is published at www.gov.uk/government/publications/nhs-covid-19-app-privacy-information/nhs-covid-19-app-our-processing-of-special-categories-of-personal-data. Records relating to the monitoring of communicable diseases, for example in the COVID-19 public health emergency, are retained for 5 years if they contain personal data (which is not the case here) and for 20 years for anonymised data, before review. We have developed the app in line with the principles of data protection by design and by default. For more details, see our published Data Protection Impact Assessment (DPIA). Carol has extensive knowledge of data protection law and practice, as well as a detailed understanding of how NHS England and NHS Improvement handle personal data. As Head of Corporate Information Governance, she leads a dedicated DPO team and information governance staff who support NHS England and NHS Improvement centrally and in our regions. In How We Use Your Data, we describe the main ways in which we may process your personal data for the purposes of, or in connection with, our lawful tasks. If you would like to know more about how we process your data, please contact our Customer Contact Centre. You have the right to ask us to restrict the processing of the personal data we hold about you, for example if you dispute the accuracy of the data. The Information Commissioner regulates and enforces data protection law. If the ICO finds that an organisation has failed to comply with data protection law, it can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious breaches.

All organisations must not only have a fair and lawful basis for collecting and processing data, but must also be transparent about it. We ensure that our Data Protection Officer is involved in any review of our DPIA and in any proposed change to our processing of personal data. We will only process personal data for specified, explicit and legitimate purposes, and we will not process it for purposes incompatible with the purpose for which it was originally collected. Although the national data opt-out is a policy requirement rather than a specific legal one, an organisation that does not comply with the national data opt-out policy could be regarded as in breach of the fairness and transparency requirements; see section 10.5, Compliance with the National Data Opt-out: Position of the ICO, in the Operational Policy Guidance. We make every effort to ensure that all personal data is accurate and kept up to date. Because personal data is stored only on app users' own phones, we ensure that systems are in place to keep that data accurate and up to date. As an NHS hospital, we are authorised by the government to provide healthcare and are required to keep accurate records. Under the GDPR, our legal basis for processing patient data is: we want you to be confident that we process everyone's personal data in accordance with the law.

If you have any questions about your rights, you can contact us at enquiries@nhsdigital.nhs.uk.
