You have rights under data protection laws in relation to your personal information on the Breast and Cosmetic Implant Registry.
The right to access your personal information
Information held by territorial Scottish health boards, National Services Scotland (NSS), Public Health Scotland (PHS) and NHS Digital can be accessed by patients via a subject access request (SAR) to the relevant party directly.
A SAR should be made to the appropriate data controller’s Data Protection Officer.
Individuals may contact NHS Digital via the contact centre
The right to have personal information rectified if it is inaccurate or incomplete
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
What does data subject mean?
The data subject is you, the patient whose personal information is held in the Breast and Cosmetic Implants Registry.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If the data subject wishes to correct their information, it is important that they are aware of which organisations hold their personal data in order that they can contact each organisation separately.
The right to have personal information erased and to prevent processing
The right to erasure (right to be forgotten) will be considered in line with existing processes in the NHS Scotland Board of residence or NHS Digital through liaison with the Board’s Data Protection Officer or NHS Digital’s Data Protection Officer as applicable.
The right is partial and only applies to erasure of pieces of information no longer required by NHS Scotland during its provision of treatment or by NHS Digital in supporting this provision of treatment. Data remaining in digital backups will be erased according to the backup cycle overwrites.
This right will not apply where the processing is necessary “for the establishment, exercise or defence of legal claims” (GDPR article 17(3)(e)) in order to protect future medico-legal disputes. When a decision is taken to erase data, any data remaining in digital backups will be erased according to the backup cycle overwrites.
The right to 'block' or suppress processing of personal information
Where processing has been restricted, such personal data shall only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The exception is storage. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
The data subject shall have the right to obtain restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject
- the processing is unlawful, and the data subject opposes the erasure of the personal data
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
- the data subject has objected to processing pursuant to Article 21(1) subject to confirmation of whether the legitimate grounds of the controller override those of the data subject
The information held is processed as part of the patient’s clinical record and is required by NHS Scotland or NHS Digital to allow clinical audit, ensure safe treatment and ensure recall in the event of safety concerns of an implant/device. It is unlikely that treatment can be undertaken without the processing of key information. For this DPIA, request to restrict the processing of clinical data should be addressed, in the first instance, to the subject’s health board of residence . Requests to restrict processing within the Pilot Registry should be addressed, in the first instance, to the relevant health board.
The subject’s health board of residence may need to work with NSS and/or NHS Digital to investigate a request to restrict processing of data.
Each case will be considered on its own merits.
The right to portability
This is met through the lawful basis for processing being 6(1)(e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
The right to object to the processing
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
However, clinicians involved in giving treatment to data subjects will not have the ability to restrict or stop processing as their personal details are included within the patient record in connection with their professional capacity.
It should be noted that there are circumstances in which the NHS Boards (including PHS, NSS and NHS Digital) would be unable to agree to such a request. The right to object is not absolute. The information held forms part of the patient’s clinical record and is required by NHS Scotland and NHS Digital to allow clinical audit, ensure safe treatment and ensure recall in the event of safety concerns of an implant/device. It is therefore unlikely that treatment can be undertaken without the recording of information. However, patients wishing to object can raise their objection, in the first instance, with the relevant health board. The subject’s health board of residence may need to work with NSS and/or NHS Digital to investigate an objection to processing of data. Each case will be considered on its own merits.
In the context of this Pilot Programme, there is no room for legitimate discontinuation of processing of data unless it is as a result of withdrawal from the clinical service offered by the NHS Scotland territorial health board.
Rights in relation to automated decision making and profiling
There is no automated decision making or profiling during the processing of the data therefore this right does not apply.
Your rights to complain
If you are unhappy with any aspect of the privacy information notice, or how your personal information is being processed in connection with the Breast and Cosmetic Implant Registry, please contact the Scottish Government using the details set out in controllers’ contact details.
If you are unhappy with anything that your territorial health board has done, please contact the relevant territorial health board Data Protection Officer.
If you are unhappy with anything that Public Health Scotland or NHS National Services Scotland have done, please contact the Data Protection Officer of that organisation.
If you are unhappy with anything that NHS Digital has done, please follow the details on the NHS Digital GDPR Register website.
Information Commissioner's Office (ICO)
If you feel any of us have been unable, or unwilling, to resolve your information rights concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.
For further information, including independent data protection advice and information in relation to your rights, you can contact the Information Commissioner at:
The Information Commissioner
Phone: 0303 123 1113
You can also report any concerns to the Information Commissioner's Office online
28 July 2022
Help us improve NHS inform
Feedback Alert Title