Your rights under GDPR

What are my rights under the general data protection regulation (GDPR)? 

You have a right to:

  • Confidentiality
  • Access your records. This needs to be in writing and will require photo identification
  • Rectification (to correct inaccuracies)
  • Erasure (deletion of your records). However, if this erasure is seen as harmful to the process of providing health care, or fraudulent in erasing information important to insurance companies etc, it can be refused
  • Restrict processing (limit how your information is shared)
  • Object
  • Data portability


How do you withdraw your consent for us to share information with other organisations? 

Please contact the information governance team on 020 8333 3000 x48650.

If you’re on the hospital site and receiving care, you can also speak to the outpatients or emergency department reception, talk to your clinicians, or ask to speak to someone from the patient advice and liaison service (PALS).


How do I obtain a copy of my medical records?

Under GDPR, all subject access requests will now have to be completed within 30 calendar days, as opposed to 40 calendar days. Also, the Trust cannot charge for any requests (except for postage and packaging).

Individuals can also request how they would like to receive their information, whether it is via email, disc or paper. For further information, please contact the relevant medical records department:

University Hospital Lewisham: 020 3192 6114

Queen Elizabeth Hospital: 020 8836 5539/5540


Your right to withdraw consent for us to share your personal information

You have the right to refuse/withdraw consent to information sharing at any time.  You need to be specific as to what information you do not wish to share with, for example, your GP or third party organisations etc.  The possible consequences will be fully explained to you and could include delays in receiving care.


Can you get access to your information?

Under GDPR, a person may request access to information (with some exemptions) that is held about them by an organisation. For more information on how to get access to the information we hold about you, please refer to our Access to Information pages.


Consent for adults

A key part of the regulation requires consent to be given by the individual whose data is held.

Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the individual, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”.

The Trust will need to be able to show how and when consent was obtained. Consent does not need to be explicitly given; it can be implied by the person’s relationship with the Trust. However, the data must be for specific and legitimate purposes. If the Trust wishes to use the data for other purposes, it must gain the consent of the individual (whether patient or staff).


Consent for children

Every department that processes children’s data should have a clear privacy notice for children so that they are able to understand what will happen to their personal data and what rights they have.

Children over the age of 13 who understand what is happening to them should be able to have consent over their personal data. These include the rights to access their personal data; request rectification; object to processing; and have their personal data amended or erased. It is important that the child understands the treatment they have, to enable them to consent.

Children under the age of 13 will need to get consent from their parent or guardian.


Information sharing

The Trust shares data with a range of organisations. Wherever possible the information is anonymised. However, data may be shared with other organisations for the purposes of caring for a patient. In that case the data has to be identifiable to ensure that all parties are always clear exactly whose data is being used.

We may share your information for health purposes with other NHS organisations, e.g. health authorities, NHS trusts, general practitioners (GPs), ambulance services and other NHS agencies such as clinical commissioners.


Information sharing with non-NHS organisations

For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires the disclosure of information.

There may be occasions where we share basic information about you, such as your name and address, to help with statutory duties (such as checking that patients are eligible for free NHS services, or for public health or national audits). In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice (formerly known as Fair Processing Notice), under the General Data Protection Regulations.

Where patient information is shared with other non-NHS organisations, an information sharing agreement is drawn up to ensure information is shared in a way that complies with relevant legislation.

Non-NHS organisations may include, but are not restricted to:

  • Social services
  • Education services
  • Local authorities
  • The police
  • Voluntary sector providers
  • Private sector providers