Learn more about Data Sharing

CHIE enables personal data to be shared between health and social care professionals according to the principles set out in Article 5 of the GDPR. This means that it will be:

1. Used lawfully, fairly and transparently
2. Used for specific, explicit and legitimate reasons
3. Only collected for the purposes needed and will not be excessive
4. Accurate and kept up to date
5. Used only for as long as it is needed in a way that identifies you
6. Kept secure with only those requiring access allowed to use it or look at it

The GDPR and other Data Protection Legislation makes it very clear that systems like CHIE must identify a ‘lawful’ basis for processing data. As CHIE is a shared care record, its main purpose is to process personal data in order to share it.

The lawful bases relied upon by the Data Controllers for processing your personal data to support your care are as follows.

1. Under Article 6 (1e) of the GDPR, the ‘[P]rocessing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller’

This means that in order to provide you with safe and appropriate care, health and care professionals are under a duty to share your information where you have not objected to this. CHIE enables this processing and sharing to take place.

2. As the data in CHIE is a special category of personal data (i.e. health data), under Article 9 (2h), the ‘[P]rocessing is necessary for the purposes of preventative medicine, medical diagnosis, the provision of health or social care or treatment and the management of health and social care systems and services’.

This means that the health and care professionals involved in your care can use CHIE to access your information for all of the purposes detailed above.

In addition to the Data Protection Legislation (including the GDPR and the Data Protection Act 2018), those working in health and social care also need to comply with other legislation that also requires the sharing of data for specific purposes. These include (but are not limited to):

• Health and Social Care (Quality & Safety) Act 2015
• Health & Social Care Act 2012
• Care Act 2014
• The Children Act 1989
• The Children Act 2004
• Childcare Act 2006
• Children (Leaving Care) Act 2000
• Children and Families Act 2014
• National Health Service Act 1977
• National Health Service Act 2006
• Education Act 2002
• Special Education Needs and Disability Regulations 2014
• Localism Act 2011
• Immigration and Asylum Act 1999
• Crime and Disorder Act 1998

The common law duty of confidentiality also applies to the records held on CHIE. You can find out more information about this in relation to your health and care record using this link: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice

Your Rights

The information held within your record in CHIE is about your medical and social care history.   Being the primary ‘subject’ of the information (or data) held on CHIE, means that you have certain rights provided to you under the EU General Data Protection Regulations (GDPR). The 8 rights are:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

You can find out more about GDPR and your rights as a ‘subject’ of data, by following the links below. If you have any concerns about the above, please contact your GP Surgery or the CHIE Systems Team (via the Contact us page).

What is ‘Personal Data’?

Article 4 of the EU General Data Protection Regulation (GDPR) defines personal data as ‘’any information relating to an identified or identifiable natural person (‘data subject’)”.

It adds that:

‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Certain types of personal data are grouped into a Special Category and include: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. The CHIE will process special categories of personal data relating to your health.

You can find out more about GDPR and data sharing here. If you have any concerns about the above, please contact your GP Surgery or the CHIE Systems Team (via the Contact us page).

How my record is kept safe and secure

We take the security of your record very seriously.

The information shared with CHIE is stored in a secure IT database which is managed by the NHS and stored in an NHS location in the UK.

Your CHIE record is only accessed by approved health and social care staff in accordance with our Acceptable Usage Agreement.

If you have any concerns about the above, please contact the CHIE Systems Team via the Contact us page.

For how long do you keep my information?

Your CHIE record is an Electronic Patient Record which contains health and social care data about you. In England this type of information has to be managed following the rules and regulations contained in a document called the Records Management Code of Practice for Health and Social Care 2016. As the Data Controllers are the organisations responsible for the deleting and archiving of your records on their own computer systems, the CHIE system will only hold data about you for as long as the Data Controller does. In most cases this means that once a GP is no longer responsible for your care or you cease being a patient for a practice who uses CHIE, your data will no longer be available in CHIE. NHS England become responsible for GP health records if a patient is unregistered or is deceased. Shortly after CHIE is informed that a patient is deceased or is no longer registered; their data will be withdrawn from use for care purposes.

Appendix 3 of the code of practice specifies the length of time for which different types of information should be kept. More information can be found by following the above link.

Who is the Data Controller?

Any health and care information shared with CHIE has to be owned by what is known as a Data Controller.  Control of this data remains the responsibility of the data controllers of the organisations supplying that data.

As CHIE is supplied with data from many different organisations, these organisations carry out this role together, and are classed as a joint data controller.

Please visit The Information Commissioner’s website to find out more about Data Controllers and their role.

two proofs of ID

Current UK Driving Licence

Or

Current Signed passport
ID card
Birth Certificate

Plus one of the following

Recent utility bill (within last 3 months)
Local Authority Council Tax Bill
Bank/Building Society Statement of personal account

Who is the Data Protection Officer?

Every organisation that processes data has to appoint a Data Protection Officer.

NHS South Central and West Commissioning Support Unit (SCW) acts as the representative.

To opt out of sharing

To opt out of sharing your information to CHIE, complete THIS form and send it with two *proofs of ID, to the CHIE Systems Team at the following address:

CHIE

NHS South, Central and West Commissioning Support Unit

Building 003 Fort Southwick

James Callaghan Drive

Fareham, PO17 6AR

*Acceptable proofs of ID

One each from the following groups:

1. Current UK Driving Licence, Current Signed passport, ID card, Birth Certificate

2. Recent utility bill (within last 3 months), Local Authority Council Tax Bill, Bank/Building Society Statement of personal account

To opt back in

If you would like to re-start sharing your information with CHIE, please complete THIS form and return it, with two *proofs of ID, to the CHIE Systems Team at the following address:

CHIE

NHS South, Central and West Commissioning Support Unit

Building 003 Fort Southwick

James Callaghan Drive

Fareham, PO17 6AR

*Acceptable proofs of ID

One each from the following groups:

3. Current UK Driving Licence, Current Signed passport, ID card, Birth Certificate

4. Recent utility bill (within last 3 months), Local Authority Council Tax Bill, Bank/Building Society Statement of personal account

Who has looked at my record?

To request a copy of the Audit Trail, please complete THIS form and send it with two *proofs of ID, to the CHIE Systems Team at the following address:

CHIE

NHS South, Central and West Commissioning Support Unit

Building 003 Fort Southwick

James Callaghan Drive

Fareham, PO17 6AR

*Acceptable proofs of ID

One each from the following groups:

1. Current UK Driving Licence, Current Signed passport, ID card, Birth Certificate

2. Recent utility bill (within last 3 months), Local Authority Council Tax Bill, Bank/Building Society Statement of personal account

Acceptable Usage Agreement

The following information is provided to all new users of CHIE and is also made available to all users of the system via a dedicated staff website and training guide:

I will ensure that where practical, as a care professional, I will inform the patient before accessing CHIE for patient care. If the patient is unconscious or not present but would benefit from my care, I may use my professional judgement about accessing the information. I accept that a CHIE record may be incomplete and will make my clinical decisions accordingly.

I understand that I am only authorised to access a record in CHIE for a patient with whom I have a legitimate care relationship and that my continued employment and any professional qualifications/registrations may be at risk if I access records inappropriately.  This may also be illegal and subject to criminal proceedings.

I agree to keep my account credentials secure and will not share with anyone else. I will make sure that no one else can access the CHIE in my name.

I am aware that an audit trail will detail my name and date of all records that I have accessed/viewed and that a patient can request a copy of the audit trail of all staff who have accessed their record. I accept that my personal details will be recorded for the purposes of the audit trail.

I accept that disciplinary action may be taken against me if I do not abide by the security & confidentiality policy.

I accept that CHIE is not a complete patient record and is intended as a supplementary resource to my main operating systems. I will confirm information with alternative sources and use clinical judgement prior to any health or care decision making.

If my account is not used for 90 days, my next login will display “Error 500 an Unexpected Error has Occurred” I will then need to contact info.chie@nhs.net to have my account re-activated.