Privacy policy

Sussex Partnership is committed to protecting your privacy, in accordance with the Data Protection Act 2018, and will not use any information we may hold about you for any purpose other than that for which it was collected.

We do not automatically capture or store personal information through our websites except in the cases outlined below.

This privacy notice only covers Other sites will have their own privacy notices and we cannot be held responsible or liable for how they may use your data.

At certain times you may be asked to fill in information about yourself on the site, e.g., when filling in a form. This information will only be used for the purpose stated in each case. Sussex Partnership will not distribute personal information collected in this way to any third party, other than in limited cases where it is bound by law to do so.

Sussex Partnership may analyse statistical trends based on responses to forms etc. to help to improve services; however, this analysis will not include identifiable personal information.

Although Sussex Partnership will always treat the information you provide with the strictest confidence, we cannot guarantee the security of the internet. It is possible, though very unlikely, that someone other than Sussex Partnership could access and read information sent to us in this way. If you feel concerned about this, please use another form of contact, e.g., telephone or post.

Sussex Partnership uses cookies to help understand how people use this website and to enhance their experience of it by, for example, capturing which pages are most popular, how long people spend on each page and what links they use to access the information they are seeking.

On occasion Sussex Partnership may embed content from another website, for example a YouTube video. You may be presented with cookies from the third-party website when using a page with this content. Sussex Partnership does not control the dissemination of these cookies. You should check the third-party websites for more information about these.

You can set your browser to warn you before accepting cookies, or you can set it to automatically reject them. Rejecting cookies may inconvenience you in browsing our website.

How we use cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, and sometimes provide useful information to the owners of the site.

There are some cookies necessary to this site functioning, such as interacting with our accessibility toolbar. These cookies will usually remove themselves when you close your browsing session. More information can be found in the ‘Necessary cookies’ section.

We use some additional cookies, such as Google Analytics, to help us gather information and improve the website. You have the option to deny use of these cookies; more information can be found in the ‘Additional cookies’ section.

You can find more information on managing and deleting cookies on the Information Commissioners Office.

Necessary cookies

The following cookies are necessary to our site functioning.

Cookie Purpose Expiry
cookieconsent_status Persistently records your option regarding additional cookies. 1 year

Necessary accessibility cookies

The following necessary cookies allow the functions among our accessibility tools to work optimally.

Cookie Purpose Expiry
accessibility-controls  Records option regarding additional cookies.  End of browsing session
saveFontSize Allows the website (CMS) to record if the user’s font size selection.  End of browsing session
contrast-mode Allows the website (CMS) to record the user’s contrast mode selection. End of browsing session
googtrans Allows the language of page content to be changed and records the language selected. End of browsing session

Additional cookies

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the using Google Analytics.

You can read Google’s extensive information on data practices in Google Analytics.

You can opt-out of Google Analytics on our website by denying additional cookies or by using the Google Analytics Opt-out Browser Add-on.

Cookie Purpose Expiry
_ga Distinguishes user for Google Analytics. 2 years
_gid  Distinguishes user for Google Analytics. 1 day
_gat Throttles request rate for Google Analytics. 1 minute
_ga_{ID} Persists session state for newer versions of Google Analytics. 2 years
_gat_gtag_UA_{ID} Persists session state for older versions of Google Analytics. 1 minute
__utma Distinguishes user and session for Google Analytics. 2 years
__utmb Determines new session or visit for Google Analytics. 30 minutes
__utmc Determines new session or visit for Google Analytics. End of browsing session
__utmz Stores traffic source for Google Analytics. 6 months

Captcha cookies

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms. 

Cookie Source Path Purpose Expiry
Google ( /recaptcha Provides risk analysis to Google spam protection.  6 months


While the information contained in our patient information leaflets has been written and checked by our clinical teams, they are intended to complement the advice of professional healthcare staff only. They should not be used without appropriate medical advice.

Procedures should only be undertaken by healthcare professionals and Sussex Partnership will not be liable for injury, loss or financial impairment as a result of actions taken by individuals after reading the materials.

Care has been taken to describe the treatments in a sensitive manner. Due to their nature, you may find some of the content distressing.

If you have any questions, please contact your GP or consultant. NHS 111 also provides a wealth of health information.

Most information available is in Adobe PDF format and you will need Adobe Acrobat to view it.

All material on this website, including text, graphics and photographs, is copyright of Sussex Partnership unless otherwise stated.

Text and graphics may be freely reproduced for the purpose of personal, educational or private research use. However, all text and graphics contained in the website, including photographs and the Sussex Partnership logo, are not authorised for any purposes unless permission is first obtained from Sussex Partnership.

Sussex Partnership maintains this website and is committed to the highest standards of information quality. While every attempt has been made to provide up-to-date and accurate information, Sussex Partnership gives no warranty, either expressed or implied, as to the accuracy of the information on this website.

Neither does Sussex Partnership confirm that the site will be uninterrupted or error free, or that defects will be corrected. Similarly, confirmation cannot be given that the site is free of computer viruses. As a result, Sussex Partnership accepts no liability for any loss, damage or inconvenience caused as a result of patients, staff and/or members of the public using the site.

Sussex Partnership provides links from this website to other sites to provide you with additional information but cannot guarantee that such links will always work, and makes no representations as to the quality or accuracy of these sites. Sussex Partnership does not endorse any external sites and is not responsible for their content.

Sussex Partnership may name or link to apps which have been developed by a third party. The app's developer is solely responsible for their app's advertisement, compliance and fitness for purpose. Unless stated otherwise, apps are not supplied by the NHS and the NHS is not liable for their use. 

This website is maintained by the Communications team at Sussex Partnership.

We need to be able to provide you with healthcare services. In order to do this we need to be able to collect information about you. This is in accordance with the statutory obligations under the NHS Act 2006.Health and Social Care Act 2012 and Data Protection Act 2018.   

The information that we collect is used for medical purposes that include:

  • preventative medicine
  • medical diagnosis
  • medical research
  • provision of direct care and treatment 

We collect your personal and sensitive information so that your care team has access to accurate and up-to-date information to support you with your treatment.

The General Data Protection Regulation (GDPR) is a relatively new law which allows and regulates the processing of personal data. This includes where health and social care data are processed by a public authority, such as Sussex Partnership NHS Foundation Trust.  

Mental health data is special category data, which requires special protection and is subject to additional controls. Public providers of health and care are expected to: 

  1. demonstrate satisfaction of conditions set out in Article 6 of the GDPR
  2. satisfy a condition under Article 9 of the GDPR when processing special categories of data, ie data concerning health 

Under Article 6, processing is permitted where it is:

Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) (e)). 

Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)). 

Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions: 

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional 

Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions: 

9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional 


9(2)(i) - Necessary for reasons of public interest in the area of public health, such as protecting against serious cross- border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices. 

Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j)) 

This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).

Category Data type
Identifiers Your name, date of birth, NHS number
Contact details Your address, telephone number, email address (if provided)
Support contact details Names, contact details of carers, relevant close relatives, next of kin, representatives
Physical, social or mental health situation or condition Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving
Protected characteristics Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way



Most of the information we collect about you is from:

  • your GP
  • directly from you or a friend or relative
  • other health and care organisations 

Information also comes from local authorities, schools and other government agencies.  

Typically, we can get information by referral. For example, if your GP decides you need an appointment with a mental health team or health and social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care. 

All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential. 

We will share your information with those health and care partners who are directly involved in your care. These may include: 

  • local NHS hospitals
  • your GP practice
  • local voluntary and private care providers
  • urgent and emergency care services, such as NHS 111, ambulance services and Police

You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They should only share information with your permission. 

We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we may do so, such as if someone’s health and safety is at risk or if the law requires us to pass on information. 

This short animation explains how your personal data is used in health and care:


There are some exceptional circumstances where we must share information with official bodies or other organisation about employees without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include: 

  • Disclosure and Barring Service
  • Home Office
  • Her Majesty’s Revenue and Customs (HMRC)
  • financial institutes, for example banks and building societies for approved mortgage references
  • educational, training and academic bodies
  • Department for Work and Pensions (DWP)
  • Care Quality Commission (CQC)

People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.

If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.

You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.

Sharing information helps care professionals to work together across organisational boundaries. Up to date information about your health and care improves the quality of clinical decision making by care professionals. Health and care providers are increasingly using digital technology, subject to strict rules, to further improve your health. We will make every effort to inform you about new digital technology and point you to resources to help you access and use it securely. We will always respect your right to opt out if you do not wish to make use of it.

Information may be shared with local authorities, regulatory bodies, urgent and emergency care services such as NHS 11, ambulance services and Police for the following purposes: 

  1. the safeguarding, and management of risk to, potentially vulnerable adults or children who are/have very recently been detained in police custody 
  2. the delivery of health and/or social care services
  3. the prevention of the commission of offences (crime reduction) 

For a full list of information sharing agreements we hold with other organisations, please see our confidentiality page.

  • Commissioning. This is when organisations plan and pay for health care services. Healthcare commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care but they do not need to know who you are.
  • NHS Digital, formally known as the Health and Social Care Information Centre (HSCIC), can provide coded data about your care securely to commissioners under the Health and Social Care Act (2012).
  • Service evaluation. This contributes to the overall quality and effectiveness of clinical services to you and a group of people with a similar condition. This routine quality assessment of care services falls outside the scope of your direct care. It covers care services management, preventative care and medicine and health and social care research.
  • Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. This data is retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice.

Most of these uses of data are routinely undertaken using anonymised data unless stated otherwise by law. Where identifiable information is to be used, we will always do it lawfully and securely in a way that will always protect your privacy.   

As an NHS Trust it is important to keep updated with the latest developments in technology and communications. Our text reminder service allows service users to be informed of their next appointment, supporting them to attend and preventing wasted appointments slots. It was found in a recent study that the use of text message reminders can reduce the rates of wasted appointments by up to 25%, allowing these appointments to be offered to others in need.

When entering into our services, you provide contact information which allows you to be informed and updated on your care or treatment. We use this consent to provide you with up to date appointment reminders by text. We also understand that text isn’t always for everyone and if you do not wish to use our text reminder service, you can withdraw your consent by contacting your clinician sending a request to

Most care teams are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.

Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).

We work with healthcare partners, researchers and technical experts to develop computer systems, encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research. 

Research recruitment (consent for contact)

You can give your clinician an advance permission for researchers to contact you in the future if you match the criteria of a trial. Your advance permission, known as ‘consent for contact’ will be noted in your health records. You will only hear from a research nurse, who will explain what that study will entail in more detail. 

Research recruitment (Everyone counts)

Sussex Partnership NHS Foundation Trust has the Everyone Counts scheme in place for contact about research opportunities. This is an 'opt out' scheme whereby if you match the criteria for a research study you may be contacted by the Sussex Partnership research team, with information about what that study will entail in more detail. The lawful basis for processing personal data in relation to the Everyone Counts scheme is ‘public task’. If you would not like to be contacted about research opportunities you can let us know:

For more information see our get involved in research page

We are required by the Department of Health to keep your records for a certain amount of time after you have finished receiving care from us. This amount of time depends upon the type of care you have received from us and helps us continue your care if you need to use our services again in the future.

Any information that is shared should not be held for longer than necessary to fulfil the purpose for which it was collected. All organisations that Sussex Partnership NHS Foundation Trust work with have been assessed to ensure they have appropriate records management procedures in place and guidelines for records retention.

We may also use your personal data in the following areas: 

  • any complaints you have made about services
  • any incidents you may have been involved in while you were receiving treatment and care from us
  • any paid, unpaid work with us, including your involvement in volunteering, public engagement or other projects (for example social, community, art, consultation) we run solely or with partners
  • any training, education, supervision delivered to you by us
  • CCTV (closed-circuit television) and use of multimedia device.

As a mental health trust, we store and use large volumes of sensitive personal data every day, such as your health records. Your health records are stored electronically. 

Other personal data and computerised information are stored on various other systems across your health and care providers. These systems are managed by NHS IT departments or under contract with an approved public framework supplier.  

A list of our software can be found on our Data Protection Page

The information we collect is used by people in their work for the purposes stated in this notice. We take our duty to protect your personal information and confidentiality very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We:

  • have a dedicated expert Information Governance and Security Team at the Trust
  • encrypt all outgoing email containing personal data
  • have an Information Asset Framework which reviews all our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
  • provide training to all staff on how to handle all types of data
  • have the Cyber Essentials Plus certificate
  • have recently been audited by the ICO (Information Commissioner's Office) and were provided with a Reasonable Assurance Rating
  • ensure all staff have read and understood policies and procedures relating to the management of personal information.

At the most senior level, we have a: 

  • senior information risk owner who is accountable for the management of all information and any associated risks and incidents
  • Caldicott guardian who is responsible for the management of patient information and patient confidentiality
  • Data Protection Officer who is responsible for overseeing the information governance arrangements and framework across the Trust
  • Head of Information Governance who manages and oversees all activities related to the use of data. They make sure data use is done within the law and best practice 

As an employer Sussex Partnership NHS Foundation Trust (SPFT) must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of our employees is handled in accordance with the priniciples set out in the Information Commissioner’s Guide to Data Protection.

This privacy notice tells you what to expect when SPFT collects personal information about you. It applies to all employees, ex-employees, bank staff, agency staff, contractors, secondees and non-executive directors. However, the information we will process about you will vary depending on your specific role and personal circumstances.

You have several rights under the data protection law:

Right to be informed: you have a right to be informed about uses of your information, with an emphasis on transparency. This privacy notice, in support of other privacy notices makes sure that your right to be informed is upheld.

Right of access: you have a right to receive:

  • confirmation of what information is recorded about you
  • confirmation of how your information is used
  • access to your personal health information and other information we hold

To exercise your right of access, you will be asked to complete a Subject Access Request application form, provide proof of identification and you may be asked to explain exactly what information you require.

Your request must be made to the Health Records Team on  

You will not be charged for this service. 

Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs if it decides you cannot manage them yourself. 

Please see the Subject Access Request section on this page for more information on how to apply. 

Right to rectification: rectification means correcting inaccuracies or incomplete data we hold about you. This often applies to factual information only such as identifiers and next of kin. We are unable to remove or alter professional opinions that you may disagree with. You do however have the right to include your personal statements alongside professional opinions. 

To rectify your information please contact your clinical team. 

Right to deletion: in some circumstances you can request that we delete the information we hold about you. This right will apply only if the processing has been based on consent which is withdrawn, the processing of data is found not to be lawful or the information is no longer required. We will tell you about activities to which this right applies .

There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention guide in the record management code of practice for health and social care 

Right to object: you do not have a general right to object to processing of your personal information for your individual care, however you can object if the information is used for a secondary purpose, such as:

  • marketing
  • scientific or historical research
  • statistical purposes
  • purposes in the public interest or under an official authority (eg NHS Act 2006)
  • public patient involvement groups 

Right to restrict processing: the right to restrict processing means that, if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but not allow other uses until the dispute is settled. To request restriction to processing, please contact the data protection officer.

We will respect your rights under the data protection legislation whether you are an adult or a child. We will respect the wishes of parents’ (or legal guardians’) in respect of data rights of children who are younger than 14 years old.

You should also tell us how you would like us to contact you. Your preferences may include post, text messaging and phone. You should notify your care team about your preferences and ask it to be recorded in your health and care record. You can change your mind later as long as you give timely notifications to your care team about any changes to your preferences.


Please note, we are currently experiencing significant IT issues due to a recent clinical system update. We are working very hard to resolve this however, this is creating a delay in responses to emails, disclosure of records as well as a backlog of work . 

Please be assured that this has been reported to the Information Commissioner's Office (ICO) and we will continue to monitor and update requestors where possible. We thank you for your ongoing support and patience whilst we work to fix this issue. 

Everyone has the right to access their own information. This is called a 'Subject Access Request'.

If you require access to your records you will need to complete one of the below application forms and return to the Health Records Team with the relevant documents. Individuals are entitled to exercise their rights verbally as well as in writing but will need  to provide relevant documentation. 

Once the team have received your information they will process your request. This can take up to one month to complete.

In some circumstances we may request an extension if you have a large amount of information.

All our information is reviewed and redacted by our in house specialist Health Records Team and sent out either password protected in an email or sent recorded delivery in the post.

Please ignore the first page, this application form is also used should individuals wish to receive a copy by post, you do not need to complete the letter template.

We collect information on all staff we employ, as well as volunteers, people with honorary contracts and agency staff for the purposes of running our services. We use the information for administrative, academic and statutory purposes and to support health and safety. 

The information we collect includes: 

Data type  Purpose of collecting
Names, addresses and telephone numbers Employment contracting
Spouse, partner, emergency contact, close relative, next of kin names, address, telephone and email details Emergency contact
Employment records (including professional memberships, references, appraisals, professional development plans, education and training records) Statutory requirement of employment, performance management, professional development
Bank, National Insurance number and pension details Payment of salaries and other expenditure claims
Nationality / domicile Proof of eligibility to work in the UK
Ethnicity Equality monitoring, equal opportunities
Medical information including physical health or mental condition Appropriate adjustments to work arrangements, management of disability rights and other occupational health services
Religious beliefs Spiritual support, equal opportunities, equality monitoring


My Health and Care Record is a secure online system used to store your medical and care information in one place. 

The system meets the same high security standards as for all NHS information and allows you to access your mental and physical health records at any time.

Find out more on our My Health and Care Record page

Read the My Health and Care Record privacy policy here.

How your vital health and care information is shared through Plexus

Sharing your health and care information is critical in supporting your care and treatment. In Sussex we are introducing a Shared Care Record called Plexus Care Record (also referred to as Plexus). This is part of a national programme to transform information sharing across health and social care known as the Shared Care Record (ShCR) programme. Plexus will be used by health and social care services within Sussex, which includes your GP practice, community, mental health, hospital services and social care. It shares important information about your health and care and allows health and social care practitioners, easy access to information, which is critical to support decision-making about your care and treatment. It means that you won’t have to keep repeating your medical history to each practitioner in different organisations, care plans can be followed more consistently and practitioners will be better equipped to plan care more effectively to meet patients’ needs. This initiative is funded in partnership with the Sussex Health and Care Partnership and NHS England's Shared Care Record programme.

More information about Plexus

Each health and social care organisation collects information about you and keeps records about the care and services they provide. Plexus allows health and social care staff to find key information about your health and care in one place, which helps them to make the most informed decisions and provide the best care to you as a patient or service user. It is also essential that health and social care staff have access to the most up to date information.

The types of personal information shared through Plexus

Personal information (or Personal Data) means any information about an individual from which that person can be identified. The Personal Data that is shared includes:

  • Identifying Data: Forename, Surname, Address, Date of Birth, Gender, Age,Postal Address, Postcode, Telephone Number and NHSNumber.

Other categories of Personal Data include:

  • A list of diagnosed conditions – to make sure your clinical and care staff have an accurate record of yourcare
  • Medication – so everyone treating you can see what medicines you have been prescribed
  • Allergies – to make sure you’re not prescribed or given any medicines you can have an adverse reaction to
  • Test results – to speed up treatment and care and to ensure tests are not repeated
  • Referrals, clinical letters and discharge information – to make sure the people caring for you have all the information they need about other care and treatment you are having elsewhere
  • Care plans (where available) – for health and care workers involved in your care to view a joined-up plan of care and the wishes you’ve asked for in relation to your care
  • Relevant information about people that care for you and know you well
  • Basic details about associated people e.g. children, partners, carers, relatives etc.

What is the lawful basis for the sharing of information?

Health and social care organisations have a duty to share personal data under the Health and Social Care Act 2012 and as amended by the Health and Care (Safety and Quality) Act 2015 where it is:

a) likely to facilitate the provision to the individual of health services or social care in England,and

b) in the individual’s bestinterests.

NHS and Social Care Services are official authorities with a public duty to care for its patients and service users and data Protection Laws, such as the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Common Law Duty of Confidentiality, provide a legal basis for sharing information for health and care purposes.

UK General Data Protection Regulation 2016 and Data Protection Act 2018

GDPR Article 6 - Lawfulness of processing: Article 6(1)(e) Performance of a public task and

GDPR Article 9 - Processing of special categories of personal data: Article 9(2)(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.  

Organisations who can access your personal information through Plexus

Personal Data will only be shared between relevant health and social care organisations in Sussex involved in your care. These include:

  • Primary care (e.g. your GP practice, out of hours)
  • Secondary care (e.g. hospitals)
  • Community services
  • Mental health services
  • Social care departments
  • Specialist services (e.g. ambulances)

Plexus makes your patient information easily accessible for the purposes of your care and treatment. 

How is information in Plexus?

A record of care is held on each organisation’s secure electronic system (local record) e.g. a GP practice will have their own system for recording patient information as will the hospital, or community or social care service. Sussex Health and Care Partnership has designed a secure system that can read and combines data from those multiple electronic health and care systems to provide an up to date summary of that data to relevant health and care practitioners when required for the purposes of direct care. 

How will the information be made available in Plexus?

Health and care information is presented either as a read-only view, or added into the receiving organisation’s record system. The originating information remains within each organisation’s record system and cannot be changed.

Strict access controls and policies ensures that practitioners can only see information regarding patients or service users that they are treating or have been referred to them for treatment.

How long with the data be held in Plexus?

As Plexus is an integrated health and care record that pulls together vital patient data from several health and social care providers, only data currently visible in each of the local systems will be visible in Plexus.

Each partner organisation sharing through Plexus has local retention rules set by the NHS Records Management Code of Practice for Health and Social Care.

Within the governance framework for Plexus, any system supplier is also contractually obliged to comply with any requests by the partners to remove/delete data when instructed to do so.

How is your personal information kept safe and secure in Plexus?

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information. Appropriate technical and security measures in place to protect Plexus include:

  • Complying with Data Protection Legislation
  • Implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • A requirement for organisations to complete the Data Security and Protection (DSP) Toolkit or equivalent, introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements
  • Use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under Plexus are auditable against an individual accessing Plexus
  • Ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of data and are under contractual or statutory obligations of confidentiality concerning the Personal Data. The Common Law Duty of Confidentiality and Data Protection Laws apply to all health and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

All staff with access to Personal Data are trained to ensure information is kept confidential.

What are your rights regarding information held in Plexus?

Under the Data Protection Legislation, you have the right to:

  • Be informed of our uses of your data (the purpose of this privacy notice)
  • Request copies of your personal information, commonly referred to as a Subject Access Request (SAR)
  • Have any factual inaccuracies corrected
  • Request the restriction or suppression of your personal data. This is not an absolute right and only applies in certaincircumstances·not be subject to automated decision making or profiling. There is no automated decision making or profiling in the summary careplan·complain about the handling of your data to an organisation’s data protection officer or to theregulator·also have the right to object to processing of your personal data in certain circumstances.

Details of how to exercise your rights are shown below.

How can I access the information you keep about me?

To access your Personal Data, you should contact the organisations holding the data you wish to see, typically your GP Practice, Hospital, Local Authority (social Care) or NHS Service.

How can I object to my data being shared via Plexus?

You have a legal right to object to your data being shared. Please contact your health and/or social care provider(s) to discuss this further. This could be your GP practice or the health or care staff that provided, or are currently providing, your treatment and care. Your objection will be considered on a case-by-case basis. You will be asked to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it. When considering your objection, your practitioner will discuss this with you and consider whether you can still be provided with safe individual care. Your objections may be overruled where required in law (eg safeguarding purposes).

Your right to complain

Please contact your local appropriate health or social care organisation and their Data Protection Officer to raise a complaint. You can get further advice or report a concern directly to: 

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK95AF

Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)


Further information about the way in which the NHS uses personal information and your rights

  • NHS Constitution - The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.
  • NHS Digital - NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England. 
  • National Data Opt-Out - A service that allows patients to opt out of their confidential patient information being used for research and planning.

The personal information provided by candidates and volunteers for their applications and registration is used for the purpose stated in each case. The Voluntary Services Department may analyse statistical trends based on the information given however, this analysis does not include identifiable personal information.

Volunteer records are stored in accordance with the Trust’s Information Governance Policy and will conform to the Data Protection Act 2018.

If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting 

If your request to have your records amended is turned down because the information is not wrong, we will add a statement of your views to the record. 

If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. For details of how to do this: 

Information Governance Team

Call: 0300 304 2025


Health Records Team

Call: 0300 304 2210


Trust Caldicott Guardian

Dr Peter Aitken, Chief Medical Officer


Information Commissioner's Office

Call: 0303 123 1114