All Clinical users of CHIE should at all time follow the rules laid down in the Acceptable Usage Agreement. All users are expected to abide by the following:
I will ensure that where practical, as a care professional, I will ask the patient before accessing CHIE for patient care. If the patient is unconscious or not present but would benefit from my care, I may use my judgement about accessing the information.
I accept that CHIE may have information missing and will make my clinical decisions accordingly.
I agree to keep my user name and password secure. I will make sure that no one else can access CHIE in my name.
I am aware that an audit trail will detail my name and date of all records that I have accessed/viewed and that a patient can request a copy of the audit trail of all staff who have accessed their record.
I accept that disciplinary action may be taken against me if I do not abide by the security & confidentiality policy.
I accept that my personal details will be recorded to enable the audit trail to work.
As a the ‘subject’ of the data held in your record on CHIE, the General Data Protection Regulations(GDPR) gives you certain rights which protect your privacy and confidentiality.:
The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how we use your data. We provide this information via patient leaflets, posters and advertisments in GP practices and local publications.
You have the right to obtain confirmation that your data is being processed, access to your personal data and other supplementary information.
You are entitled to have personal data rectified if it is inaccurate or incomplete and to be informed about any rectification of data supplied to third parties
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it. We can retain just enough information about the individual to ensure that the restriction is respected in future. Visit the ICO website to see the circumstances which require us to restrict the processing of data.
Allows individuals to obtain and reuse their personal data for their own purposes across different services and to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
To request a copy of the Audit Trail, please complete THIS form and send it with two *proofs of ID, to the CHIE Systems Team at the following address:
NHS South, Central and West Commissioning Support Unit
Building 003 Fort Southwick
James Callaghan Drive
Fareham, PO17 6AR
*Acceptable proofs of ID
One each from the following groups:
1. Current UK Driving Licence, Current Signed passport, ID card, Birth Certificate
2. Recent utility bill (within last 3 months), Local Authority Council Tax Bill, Bank/Building Society Statement of personal account
If you would like to re-start sharing your information with CHIE, please complete THIS form and return it, with two *proofs of ID, to the CHIE Systems Team at the following address:
3. Current UK Driving Licence, Current Signed passport, ID card, Birth Certificate
4. Recent utility bill (within last 3 months), Local Authority Council Tax Bill, Bank/Building Society Statement of personal account
To opt out of sharing your information to CHIE, complete THIS form and send it with two *proofs of ID, to the CHIE Systems Team at the following address:
Every organisation that processes data has to appoint a Data Protection Officer.
NHS South Central and West Commissioning Support Unit (SCW) acts as the representative.
Current UK Driving Licence
Current Signed passport
Plus one of the following
Recent utility bill (within last 3 months)
Local Authority Council Tax Bill
Bank/Building Society Statement of personal account
Any health and care information shared with CHIE has to be owned by what is known as a Data Controller. Control of this data remains the responsibility of the data controllers of the organisations supplying that data.
As CHIE is supplied with data from many different organisations, these organisations carry out this role together, and are classed as a joint data controller.
Please visit The Information Commissioner’s website to find out more about Data Controllers and their role.
Your CHIE record is an Electronic Patient Record which contains health and social care data about you. In England this type of information has to be managed following the rules and regulations contained in a document called the Records Management Code of Practice for Health and Social Care 2016. As the Data Controllers are the organisations responsible for the deleting and archiving of your records on their own computer systems, the CHIE system will only hold data about you for as long as the Data Controller does. In most cases this means that once a GP is no longer responsible for your care or you cease being a patient for a practice who uses CHIE, your data will no longer be available in CHIE. NHS England become responsible for GP health records if a patient is unregistered or is deceased. Shortly after CHIE is informed that a patient is deceased or is no longer registered; their data will be withdrawn from use for care purposes.
Appendix 3 of the code of practice specifies the length of time for which different types of information should be kept. More information can be found by following the above link.
We take the security of your record very seriously.
The information shared with CHIE is stored in a secure IT database which is managed by the NHS and stored in an NHS location in the UK.
Your CHIE record is only accessed by approved health and social care staff in accordance with our Acceptable Usage Agreement.
If you have any concerns about the above, please contact the CHIE Systems Team via the Contact us page.
Article 4 of the EU General Data Protection Regulation (GDPR) defines personal data as ‘’any information relating to an identified or identifiable natural person (‘data subject’)”.
It adds that:
‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Certain types of personal data are grouped into a Special Category and include: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. The CHIE will process special categories of personal data relating to your health.
You can find out more about GDPR and data sharing here. If you have any concerns about the above, please contact your GP Surgery or the CHIE Systems Team (via the Contact us page).
The information held within your record in CHIE is about your medical and social care history. Being the primary ‘subject’ of the information (or data) held on CHIE, means that you have certain rights provided to you under the EU General Data Protection Regulations (GDPR). The 8 rights are:
You can find out more about GDPR and your rights as a ‘subject’ of data, by following the links below. If you have any concerns about the above, please contact your GP Surgery or the CHIE Systems Team (via the Contact us page).
CHIE enables personal data to be shared between health and social care professionals according to the principles set out in Article 5 of the GDPR. This means that it will be:
The GDPR and other Data Protection Legislation makes it very clear that systems like CHIE must identify a ‘lawful’ basis for processing data. As CHIE is a shared care record, its main purpose is to process personal data in order to share it.
The lawful bases relied upon by the Data Controllers for processing your personal data to support your care are as follows.
This means that in order to provide you with safe and appropriate care, health and care professionals are under a duty to share your information where you have not objected to this. CHIE enables this processing and sharing to take place.
This means that the health and care professionals involved in your care can use CHIE to access your information for all of the purposes detailed above.
In addition to the Data Protection Legislation (including the GDPR and the Data Protection Act 2018), those working in health and social care also need to comply with other legislation that also requires the sharing of data for specific purposes. These include (but are not limited to):
The common law duty of confidentiality also applies to the records held on CHIE. You can find out more information about this in relation to your health and care record using this link: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
All Clinical users of CHIE should at all times follow the rules laid down in the Acceptable Usage Agreement. All users are expected to abide by the following: