Reference 2018-79

REF:           2018-79

Subject:       Bolton Care Record

    

 

Request:

I would like to make a request under the FOI Act.

 

For the purposes of the Act, please take the date of your receipt of this request as Tuesday 6th February 2018.

 

I note with interest that your organisation extracts and uploads personal and sensitive (special category) data to the Bolton Care Record.

http://www.boltoncarerecord.org/about /

 

Your organisation is, of course, the data controller for the records that it holds and so is responsible for lawful processing of that data, such as extracting it and uploading to the BCR – a separate database and a data processor.

You are a data controller (in common or joint) for the uploaded information, and I am lead to believe that Bolton CCG is acting as a data processor.

 

I am interested in how your organisation has assessed likely compliance with the GDPR requirements come May 25th, with respect to this processing.

 

Please could you provide me with the following information:

DIRECT CARE

1) Any information/assessments (e.g. privacy or data protection impact)/position or discussion papers, or similar, that you hold to date as to what legal basis from Article 6(1) of the GDPR are you planning to rely on to process personal data in this way (i.e. extract and upload it to BCR database) after 25th May?

2) If you currently secure consent (as defined by the GDPR) from patients/clients as a prerequisite for allowing extraction and uploading to the BCR, then please provide me with your consent form

 

SECONDARY PURPOSES

3) Do you currently instruct the data processor to process your patients/clients’ uploaded data for secondary purposes (research, commissioning, “population health analytics”)?

4) If so, do you seek the explicit consent of patients/clients as a prerequisite to processing their information in this way? If so, then please provide me with your consent form (if different from 2) above)

5) If so, are you intending to continue to allow secondary processing beyond the 25th May?

6) If you are to persist with secondary processing, please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as to what legal bases from Article 6(1) and Article 9(2) of the GDPR are you planning to rely on to process personal data, for secondary purposes, in this way after 25th May

7) If you are to persist with secondary processing, and you do NOT record the consent of patients/clients as a prequisite for such processing, then please provide me with any information/assessments (including privacy or data protection impact)/position or discussion paper, or similar, that you hold to date as how you will set aside the common law of confidentiality in order to process (i.e. extract and upload to the data processor) such data for secondary purposes

 

 

 

Response:

The Bolton Care record along with all our other systems and processes within the Trust are being reviewed as part of our GDPR programme. Specifically the BCR Information Governance group will be reviewing the system in light of the GDPR requirements in March 2018.  I have attached our Information sharing and privacy impact assessment report but these will refer to the legislation as it was enacted last year.

 

Plese find information sharing protocol and privacy impact assessment attached.

Bolton Care Record – Information Sharing Agreement v1.0 (Final) 20170112… [805 kb] PDF

PIA Report – Bolton Care Record v1.0_20170628 [ 1 MB] PDF

 

Visitor restrictions

To protect you and our staff during the current outbreak of Covid-19 we’ve put in place significant restrictions on hospital visitors.

Full details of these can be found on our website.

We would like to thank you for your understanding and helping us stop the spread of Covid-19.

Read More

Stay Home. Protect the NHS. Save Lives.

Close