George Eliot Hospital - NHS Trust

General Data Protection Responsibilities - Individual Rights

GDPR Individual Rights

The GDPR provides the following rights for individuals:

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification of your personal data. If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time; this will not affect the lawfulness of the processing before your consent was withdrawn.

Personal information held for patients consists of your name, date of birth, marital status, National Health Service number, address, contact telephone numbers, medical condition, your next of kin and a contact number for them.

We have included further details about some of the rights listed in the new legislation relevant to our patients.

Further information

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr


  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • Individuals must be provided with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • Individuals must be provided with privacy information at the time you collect their personal data from them.
  • If personal data is obtained from other sources, individuals must be provided with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when people do not need to be provided with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • Information provided to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • Privacy information must be regularly reviewed and, where necessary, updated. Any new uses of an individual’s personal data must be brought to their attention before you start the processing.
  • Getting the right to be informed correct can help the organisation to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave the organisation open to fines and lead to reputational damage. 

 


  • Individuals have the right to access their personal data and supplementary information.
  • The right of access allows individuals to be aware of and verify the lawfulness of the processing.
  • Under the GDPR, individuals will have the right to obtain:

    - confirmation that their data is being processed;
    - access to their personal data; and
    - other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

  • A copy of the information must be provided free of charge. However, a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  • A reasonable fee may also be charged to comply with requests for further copies of the same information. This does not mean that a charge can be made for all subsequent access requests.
  • The fee must be based on the administrative cost of providing the information.
  • Information must be provided without delay and at the latest within one month of receipt.
  • The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case, the individual must be informed within one month of the receipt of the request and told why the extension is necessary.
  • Where requests are manifestly unfounded or excessive, in particular because they are repetitive:

    - a reasonable fee can be charged, taking into account the administrative costs of providing the information; or
    - the organisation can refuse to respond.

  • The identity of the person making the request must be verified, using ‘reasonable means’.
  • If the request is made electronically, the information should be provided in a commonly used electronic format.
  • The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well.
  • The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
  • The GDPR permits you to ask the individual to specify the information the request relates to, where a large quantity of information is processed about an individual.
  • The GDPR does not include an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive.

 


  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. This may involve providing a supplementary statement to the incomplete data.
  • An individual can make a request for rectification verbally or in writing.
  • We have one calendar month to respond to a request; in certain circumstances a request for rectification can be refused.
  • This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR. Although there will be steps in the data processing to ensure that the personal data was accurate when it was obtained, this right imposes a specific obligation to reconsider the accuracy upon request.
  • If a request is received for rectification, reasonable steps should be taken to satisfy that the data is accurate and to rectify the data if necessary. What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. Arguments and evidence provided by the data subject should be taken into account.
  • The GDPR does not give a definition of the term accuracy. However, the Data Protection Bill states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
  • If there are any doubts about the identity of the person making the request, more information can be requested. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
  • If you have disclosed the personal data to others, you must contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
  • The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 


  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
  • Individuals have the right to have their personal data erased if:
    - the personal data is no longer necessary for the purpose which you originally collected or processed it for;
    - you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
    - you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
    - you are processing the personal data for direct marketing purposes and the individual objects to that processing;
    - you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
    - you have to do it to comply with a legal obligation; or
    - you have processed the personal data to offer information society services to a child.

  • The GDPR specifies two circumstances where you should tell other organisations about the erasure of personal data:
    - the personal data has been disclosed to others; or
    - the personal data has been made public in an online environment (for example on social networks, forums or websites).

  • If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
  • The right to erasure does not apply if processing is necessary for one of the following reasons:
    - to exercise the right of freedom of expression and information;
    - to comply with a legal obligation;
    - for the performance of a task carried out in the public interest or in the exercise of official authority;
    - for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
    - for the establishment, exercise or defence of legal claims.

 

  • The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
    - if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
    - if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).

  • If there are any doubts about the identity of the person making the request, more information can be requested. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
  • In certain circumstances we can refuse to comply with a request for erasure, but must inform the individual without undue delay and within one month of receipt of the request. You should inform the individual about:
    - the reasons you are not taking action – justify the decision;
    - their right to make a complaint to the ICO or another supervisory authority; and
    - their ability to seek to enforce this right through a judicial remedy.

 


  • Individuals have the right to request the restriction or suppression of their personal data.
  • This is not an absolute right and only applies in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
  • When processing is restricted, you are permitted to store the personal data, but not use it.
  • An individual can make a request for restriction verbally or in writing. You have one calendar month to respond to a request.
  • This right has close links to the right to rectification and the right to object.
  • Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.
  • Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
    - the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
    - the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
    - you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
    - the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
  • Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
    - if an individual has challenged the accuracy of their data and asked for you to rectify it, they also have a right to request you restrict processing while you consider their rectification request; or
    - if an individual exercises their right to object, they also have a right to request you restrict processing while you consider their objection request.
  • Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.
  • In certain circumstances we can refuse to comply with a request for erasure, but must inform the individual without undue delay and within one month of receipt of the request. You should inform the individual about:
    - the reasons you are not taking action – justify the decision;
    - their right to make a complaint to the ICO or another supervisory authority; and
    - their ability to seek to enforce this right through a judicial remedy.

 


  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • Some organisations in the UK already offer data portability through the 'midata' and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
  • It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
  • The right to data portability only applies:
    - to personal data an individual has provided to a controller;
    - where the processing is based on the individual’s consent or for the performance of a contract; and
    - when processing is carried out by automated means.

  • You must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
  • The information must be provided free of charge.
  • If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.
  • You must respond without undue delay, and within one month.
  • This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
  • Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

 


  • Individuals have the right to object to:
    - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
    - direct marketing (including profiling); and
    - processing for purposes of scientific/historical research and statistics.

  • We do not need to comply with the right to object if the processing of personal data is for the performance of a legal task or the organisation’s legitimate interests, provided that:
    - we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
    - the processing is for the establishment, exercise or defence of legal claims.

  • Individuals must have an objection on “grounds relating to his or her particular situation”.
  • You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
  • This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
  • If you are processing personal data for direct marketing purposes you must stop processing personal data as soon as you receive an objection. There are no exemptions or grounds to refuse.
  • You must deal with an objection to processing for direct marketing at any time and free of charge.
  • If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.
  • You must offer a way for individuals to object online, if any of your processing activities fall into any of the above categories and are carried out online.