The General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and protects the fundamental rights and freedoms of individuals, in particular their ‘Right to the protection of Personal Data’.

Introduction

The GDPR implements the following principles relating to the processing of personal data (Article 5 GDPR) which HEE uses as a framework for its data processing activities.



 

GDPR also introduces a new set of rights that are applicable to data subjects. Some of these rights are similar to the rights that were provided under the Data Protection Act 1998 (DPA) which HEE has been operating and is already familiar with. However, a number of other rights are new, or include important changes from their predecessors in the DPA.

 

The right to be informed

One of the most important rights of data subjects is the right to information. In order to ensure that personal data are processed fairly, HEE must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. This is explained further in our Privacy Notice.

 

The right of access

Data subjects have the right to file a subject access request (SAR) and obtain from the data controller a copy of their personal data, together with:

 

  • an explanation of the categories of data being processed;
  • the purposes of such processing;
  • the categories of third parties to whom the data may be disclosed;
  • details of the period for which the data will be stored (or the criteria used to determine that period); and
  • information about other rights of data subjects.

 

Subject Access Requests (SAR)

SARs will be provided free of charge by HEE although we may charge a reasonable fee for any further copies requested.

Where HEE deems a SAR 'manifestly unfounded or excessive', a fee may be charged.

HEE will respond to your request as quickly as possible but within a maximum period of one month. However, HEE may extend this by a further two months depending on the breadth of your request and the amount of work involved in responding. Where this is the case, we will notify you within the one-month timeframe, explaining why we need to delay.

 

The right to rectification

Data subjects whose personal information HEE processes have the right to require that HEE corrects errors in personal data that we process.

 

The right to erasure

The right to erasure allows data subjects to require data controllers to delete their personal data where those data are no longer needed for their original purpose, or where the processing is based on consent and the data subject withdraws that consent (and no other lawful basis for the processing exists).

Where an individual wishes to exercise this right, HEE will consider the request and its likely impact, and assess whether the data is needed. If it is not needed, we will erase it without undue delay. However, HEE will take a pragmatic approach to these requests, taking into account that some requests might be unreasonably time-consuming and cost-prohibitive.

 

The right to restrict processing

In certain circumstances in which HEE is unable to delete the relevant personal data because the data are required for the purposes of exercising or defending legal claims, or where the data subject does not wish to have the data deleted, HEE may continue to store the data, but the purposes for which the data can be processed are strictly limited (e.g. the exercise or defence of legal claims; protecting the rights of another person or entity; purposes that serve a substantial public interest; or such other purposes as the data subject may consent to).

In order to comply with this right, HEE will notify you of the steps it is taking to restrict its processing of your data and seek your consent where HEE wishes to undertake any subsequent processing of that data.

 

The right to data portability

This permits the data subject to receive from HEE a copy of his or her personal data in a commonly used machine-readable format, and to transfer their personal data from one data controller to another or have the data transmitted directly between data controllers.

 

The right to object

Data subjects continue to have a right to object to processing of their personal data on certain grounds, in addition to the right to object to processing carried out for the purposes of profiling or direct marketing.

GDPR allows the data subject to raise objections and then requires HEE to demonstrate that we either have compelling grounds for continuing the processing, or that the processing is necessary in connection with our legal rights.

 

Rights in relation to automated decision making and profiling

Subject to certain exemptions, data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them.

As a data subject, you have the right to request human intervention in that decision-making process. In order to be GDPR compliant in this area, HEE will work towards improving its business processes so that we can facilitate human intervention.

Should you wish to:

  • exercise any of these rights in terms of personal data that is processed by HEE; or
  • receive any GDPR related advice or assistance,

please refer these immediately to HEE’s Data Protection Officers via HEE’s GDPR mailbox at:

GDPR@hee.nhs.uk

If you wish to submit a subject access request under the subject access provisions of the GDPR, please follow the link to our SAR page.

We will endeavour to respond to you as quickly as possible.

Requesting your personal information - General Data Protection Regulation 2016

If you want to ask us for information which we may hold about you personally, your request will be dealt with under the Subject Access Provisions of the General Data Protection Regulation 2016 (GDPR).

As an individual whose personal data HEE processes, you have the right to file a subject access request (SAR) and obtain from HEE a copy of your personal data, together with:

  • an explanation of the categories of data being processed;
  • the purposes of such processing;
  • the categories of third parties to whom the data may be disclosed;
  • details of the period for which the data will be stored (or the criteria used to determine that period); and
  • information about other rights of data subjects.

 

If you wish to make a subject access request relating to your employment or training records, or anything relating to you as an individual, you can write to us at:

The Public and Parliamentary Accountability Team

Health Education England

Blenheim House

Duncombe Street

Leeds

LS1 4PL

Or you can email your request through to: dpa@hee.nhs.uk



Cost

SARs will be provided free of charge by HEE, although we may charge a reasonable fee for any further copies that you request. Please see a copy of our fee schedule at the following link.

Please note that where HEE deems a SAR ‘manifestly unfounded or excessive’, a fee may be charged. However, we will liaise with you on ways in which you can restrict the request.

 

Excessive requests

If HEE deems your request ‘manifestly unfounded or excessive’, we might refuse to respond. However, if this is the case, we will provide evidence of how we reached this conclusion.

 

Right to withhold

HEE might withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. The recitals to the GDPR note that this could extend to intellectual property rights and trade secrets.

 

Deadlines

HEE will respond to your request as quickly as possible but within a maximum period of one month upon receipt of appropriate proof of ID (see below).

However, HEE may extend this by a further two months depending on the breadth of your request and the amount of work involved in responding. Where this is the case, we will notify you within the one-month timeframe, explaining why we need to delay.

 

What we will need from you

Please specify the kind of information you wish to be made available to you and any pertinent time frames involved.

Please also ensure that you include within your request proof of identity, consisting of a copy of a formal document or bill with your name and address on it, or your driving licence or passport.

HEE has a duty to ensure that the information it processes is secure, and we will only provide the information relating to you if we are satisfied regarding your identity.

 

What to expect from HEE

Certain exemptions from the SAR provisions of the GDPR might mean that we are unable to provide you with full disclosure of certain documents. For example, other third-party information might be contained within personal data relating to you.

Where this is the case, HEE will remove that data or seek consent to release from the third party.

Please be aware that a reference to your name in a document does not automatically mean that the document is personal data relating to you. HEE will, however, consider the nature of the documentation and the extent to which it is sufficiently ‘personal’ to you before reaching a decision, guided by Court decisions and the guidance from the Information Commissioner, as to whether the information is personal data relating to you.

If you are unhappy with any aspect of the way in which we deal with your Subject Access Request, you may complain in writing to the Information Commissioner at:

 

The Office of the Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

https://ico.org.uk/global/contact-us/

HEE is in compliance with the national data opt-out. For more information, please see: https://www.nhs.uk/your-nhs-data-matters/