Subject access requests and Freedom of Information requests during the current Coronavirus (COVID-19) pandemic
Guy's and St Thomas' Trust (GSTT) are committed to complying with 'Right of Access' requests made under the Data Protection Act 2018 and the Freedom of Information Act 2000.
However, the NHS is facing unprecedented challenges relating to the coronavirus (COVID-19) pandemic at the current time, and our resources have been prioritised to support our front-line colleagues who are working tremendously hard to provide care for our patients.
The Information Commissioner's Office has recognised the current situation in the NHS as being out of the ordinary.
While it is always our aim to be transparent and to work with a culture of openness, at this time, the care of our patients and the safety of our staff takes precedence. As a result of our prioritisation on supporting front-line colleagues, it is likely that responses to requests for information or records will be delayed, and it may sometimes take up to three months to respond to a subject access request. Therefore, please can we ask that you consider if your request is still required or can be delayed until after the this pandemic is over.
It should also be noted that we will not be able to provide copies of paper health records or have the ability to print or copy health records to complete access requests. For the period of the COVID-19 lockdown, we can only process requests if they, in part or wholly, involve electronic health records systems which staff can access and extract data from. We will therefore suspend all requests that wholly require paper health records to complete. We will also partially suspend any part of a request which requires health records or any other content to be printed and scanned.
We apologise for this in advance, and will endeavour to provide you with as much information as we can, as soon as we are able.
For Freedom of Information requests, the Trust will continue to process these as normal, but again this will be dependent on the availability of staff, which could impact on timely delivery of FOI responses during this challenging period.
If you have a complaint linked to how we are dealing with requests, please contact the Trust Data Protection Officer at firstname.lastname@example.org.
What are health records?
Your health records contain information about your healthcare. They are made by doctors, nurses or other health professionals and can include:
- details about you, for example your date of birth, address, next of kin, gender, language, ethnicity, any disabilities you have
- hand-written clinical notes
- electronic clinical notes
- letters to and from other health professionals
- laboratory reports and results
- imaging scans such as x-rays
- printouts from monitoring equipment
- photographs and other recordings.
For more information, see our leaflet How we use and protect your health information (PDF 35Kb).
Privacy notice on coronavirus (COVID-19)
This notice describes how we may use your information to protect you and others during the (coronavirus) COVID-19 outbreak. It supplements our main privacy notice (PDF 160Kb).
The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital, NHS England and Improvement, arm's length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on the gov.uk website and some frequently asked questions on this law are available on the NHSX website.
During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National data opt-outs. Find out about National data opt-outs on the NHS website. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to subject access requests, freedom of information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, private healthcare providers and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or video-conferencing when this is clinically appropriate. By accepting the invitation and entering the consultation you are consenting to this. Your personal and confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal and confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Visit the NHSX website for further information about the variety of ways that health and care data is being used and shared by other NHS and social care organisations to support the COVID-19 response.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and emergency department (A&E) capacity data as well as data provided by patients themselves on the NHS coronavirus status checker. All the data held in the platform is subject to strict controls that meet requirements of data protection legislation.
For purposes beyond individual care, your information relating to COVID-19 may be shared with other health care providers, with private health care organisations, universities conducting research into COVID-19 and private sector organisations.
If you tell us you're experiencing COVID-19 symptoms, we may need to collect specific health data about you. If we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
How is my information used?
Health and social care services need to share some of your information so that you can receive the best possible care. This happens in a number of ways – letters, phone calls, fax and through secure email and computer systems. Information in your care record includes things like details of your medication and treatments, current and previous care, test results and any other relevant care information.
Health and care staff working in south east London (Bexley, Bromley, Greenwich, Lambeth, Lewisham and Southwark) now have better access to more accurate information, so they can provide safer, faster and more effective care and support.
The Local Care Record (Bromley, Lambeth and Southwark) and Connect Care (Bexley, Greenwich and Lewisham) systems have been linked, connecting 15,000 care professionals across six boroughs. This means relevant information about you can be safely shared between the staff who need it across the whole of south east London. No matter where you receive care in south east London, the staff looking after you will have the most up-to-date information when they need it.
For example, if you live in Lewisham but are receiving treatment from Guy’s and St Thomas’ NHS Foundation Trust, your records are immediately available to the staff looking after you or making the referral.
How does this help with my care?
- You won’t have to tell your story to lots of different professionals.
- You will have fewer unnecessary appointments and tests.
- Transfer of care between services will be smoother.
- Care records are available immediately online.
- Delays in care and treatment will be reduced.
Can I access my health records?
Yes, with very rare exceptions (such as where the member(s) of staff caring for you believe this would cause serious physical or mental harm to you or anyone else).
If you would like to see your health records you can ask the clinician who is treating you, or another member of staff.
If you would like a copy of your health records, please complete the access to records request form (Word 81Kb) and send it to the below address or email it to email@example.com.
St Thomas' Hospital
Westminster Bridge Road
London SE1 7EH
Tel: 020 7188 7525
Is there a charge?
Where we process data about you, you can request to receive a copy of the data free of charge. In some circumstances a fee may be charged, for example if repeated requests are made.
Under the Data Protection Act 2018 we are required to keep your health records secure.
Every member of staff working for, or with the NHS, has an individual duty to keep your information confidential. We will only share it with other organisations in strict accordance with the law and where this will help us in providing high quality care.
See our leaflet How we use and protect your health information (PDF 35Kb) for more information.
The national data opt-out
The national data opt-out was introduced for the health and social care system on 25 May 2018. It gives people more control over how their confidential patient information is used for research and planning purposes. Find out more about confidential patient information on the NHS website.
NHS Trusts are required to be compliant with the national data opt-out policy by March 2020.
What is the national data opt-out?
It is a service that enables the public to register to opt-out of their confidential patient information being used for research and planning. The public can change their national data opt-out choice at any time.
What is confidential patient information?
Confidential patient information is when two types of information from your health records are joined together.
The two types of information are:
- something that can identify you
- something about your health care or treatment.
For example, your name and what medicine you take.
Information that only identifies you, like your name and address, is not considered to be confidential patient information and may still be used. For example, to contact you about your care or change in appointments or to ask you if you want to opt back in for an individual research study you may consider worth opting back in for.
Information about your health or care that is anonymised so that you can no longer be identified is not considered to be confidential patient information.
The choice you make does not apply when your information is used to help with your own treatment and care. For more information on when your choice does not apply visit
Visit the NHS website for more information on when your choice does not apply.
Who needs to comply with national data opt-out policy?
The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation, or the care has been arranged by a public body such as the NHS or a local authority. It does not apply to data related to private patients at private providers.
In summary, the national data opt-out applies to:
- all NHS organisations (including private patients treated within such organisations)
- all local authorities providing publicly funded care
- adult social care providers where the care provided is funded or arranged by a public body
- private or charitable healthcare providers providing NHS funded treatment or arranged care.
Which data disclosures do national data opt-outs apply to?
National data opt-outs apply to a disclosure when an organisation, such as a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation such as an NHS Trust (the data controller). Find out more about the Confidential Advisory Group on the NHS health research authority website.
The CAG approval is also known as a section 251 approval, and refers to section 251 of the National Health Service Act 2006 and its current regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted, so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.