The Trust is required by law to look after all personal information in compliance with the Data Protection Act 2018 / General Data Protection Regulations and is registered as a "Controller" of personal information with the Office of the Information Commissioner. The Information Commissioner's Office is the UK's independent authority set up to promote access to official information and to protect personal information.
Our registration number is Z6995243. You can look this up on the Data Protection Public Register using the link on the right.
All staff in the Trust, and in the NHS as a whole, are required to keep confidential any personal information that is provided to them in the course of doing their work. This will include any service user or carer information (sometimes called "medical records" in acute hospitals, but we call it your "health and social care record" in mental health trusts). There is a formal Code of Conduct for NHS Staff which tells them how to uphold the rights to privacy and confidentiality of our service users and carers. The full-text document is available by following the link on the right.
The Trust also has a senior person who is appointed to champion privacy and confidentiality, and to make sure that staff understand how to look after personal information. This person is called the Caldicott Guardian. Service users and carers are welcome to contact the Caldicott Guardian in person at the Trust headquarters in Bath to discuss any concerns they might have about privacy or confidentiality.
Staff are personally educated by a member of the information governance team on their responsibility for upholding privacy and confidentiality during their mandatory core induction that is led by the Trust's chair and Chief Executive each month.
Although some confusion has arisen around the Freedom of Information Act of 2000, service users and carers should be assured that nobody can successfully obtain access to health and social care records using an FOI Request.
Health and social care records consist of information relating to your physical or mental health. They are made by, or on behalf of, a health professional in connection with your care.
Under the Data Protection Act 2018 you have the right to see or obtain a copy of health and social care records in manual or computer form, this is known as a subject access request. However, access can be refused under particular special circumstances, for example when:
- The healthcare professional believes that the information would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person
- Access would make known information, which relates to a third person without their permission.
Any of the following people may make an application for access to health records, or to any part of a health record:
- A person authorised in writing by you on your behalf
- A parent or guardian of a child under 16 if this is in the child's best interests and not contrary to a competent child's wishes
- Any person appointed by a court to manage the affairs of those incapable of managing their own affairs
A person needs to apply in writing and prove their identity. They are entitled by law to receive a response no later than 30 days after their application is received. There is no charge for this service.. The copy must be accompanied by an explanation of any terms, which are unintelligible. If you do not understand any part of the record the relevant health profession should arrange to explain it to you.
To make a Subject Access Request, please write to the Health & Social Care Records Department. Their contact details can be found on the right.
The Information Commissioner's website has very clear guidance on Data Protection and Freedom of Information and is worth a visit if you want to know more about the laws governing information in the United Kingdom.