Subject: Bolton Care Record
I would like to make a request under the FOI Act.
For the purposes of the Act, please take the date of your receipt of this request as Tuesday 6th February 2018.
I note with interest that your organisation extracts and uploads personal and sensitive (special category) data to the Bolton Care Record.
Your organisation is, of course, the data controller for the records that it holds and so is responsible for lawful processing of that data, such as extracting it and uploading to the BCR – a separate database and a data processor.
You are a data controller (in common or joint) for the uploaded information, and I am led to believe that Bolton CCG is acting as a data processor.
I am interested in how your organisation has assessed likely compliance with the GDPR requirements come May 25th, with respect to this processing.
Please could you provide me with the following information:
1) Any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to BCR database) after 25th May?
2) If you currently secure consent (as defined by the GDPR) from patients/clients as a prerequisite for allowing extraction and uploading to the BCR, then please provide me with your consent form
3) Do you currently instruct the data processor to process your patients/clients’ uploaded data for secondary purposes (research, commissioning, “population health analytics”)?
4) If so, do you seek the explicit consent of patients/clients as a prerequisite to processing their information in this way? If so, then please provide me with your consent form (if different from 2) above)
5) If so, are you intending to continue to allow secondary processing beyond the 25th May?
6) If you are to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May
7) If you are to persist with secondary processing, and you do NOT record the consent of patients/clients as a prerequisite for such processing, then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as how you will set aside the common law of confidentiality in order to process (i.e. extract and upload to the data processor) such data for secondary purposes
The Bolton Care record along with all our other systems and processes within the Trust are being reviewed as part of our GDPR programme. Specifically the BCR Information Governance group will be reviewing the system in light of the GDPR requirements in March 2018. I have attached our Information sharing and privacy impact assessment report but these will refer to the legislation as it was enacted last year.
Please find information sharing protocol and privacy impact assessment attached.
PIA Report – Bolton Care Record v1.0_20170628 [ 1 MB] PDF