Subject Access Request Policy and Procedure - the Royal Cornwall ...
Peninsula Community Health
Subject Access Request Policy and Procedure
Title: Subject Access Request Policy and Procedure
Procedural Document Type: Policy
Reference: CO-IG-P08
CQC Outcome: Outcome 21
Version: VERSION 1
Approved by: Information Governance Sub Committee
Ratified by: Clinical Quality and Safety Committee
Date ratified: 7th August 2012
Freedom of Information: This document can be released
Name of originator/author: Alan Gerrish
Name of responsible team: Records Management Team
Review Frequency: 3 Years
Review Date: 7th August 2015
Target Audience: All staff
Executive Signature (Hard Copy Only):
Registered in England and Wales No: 7564579
Registered office: Peninsula Community Health CIC, Sedgemoor Centre, Priory Road, St Austell PL25 5AS
www.peninsulacommunityhealth.co.uk
Quality care, closer to you
Peninsula Community Health is a not for profit Community Interest Company responsible for providing NHS adult community health services in Cornwall and the Isles of Scilly
Contents
1 Introduction
2 Definitions
2.1 The Access to Health Records Act 1990
2.2 The Access to Medical Reports Act 1988
2.3 The Data Protection Act (DPA) 1998
2.4 The Freedom of Information Act 2000
2.5 The Human Rights Act 1998
3 Duties & Responsibilities
3.1 Caldicott Guardian
3.2 Data Protection Officer
3.3 All Managers
3.4 All staff
4 Subject Access Request Procedure
4.1 Power to disclose
4.2 Police Power
4.3 Request to view CCTV images
4.4 Request for access to records
4.5 On receipt of a telephone call requesting access to health records
4.6 On receipt of a written subject access request
4.7 When received by a Locality/Service administrator or the member of staff nominated to deal with such requests:
4.7.1 For information on living individuals
4.7.2 For information on deceased patients
4.7.3 Requests by Police
4.7.4 Requests relating to a pending litigation claim
4.7.5 All other requests
5 Confidentiality
6 Legal Advice
7 Risk Management Strategy Implementation
7.1 Implementation & Dissemination
7.2 Training and Support
7.3 Document Control & Archiving Arrangements
7.4 Equality Impact Assessment & Human Rights Act
8 Process for Monitoring Effective Implementation
9 Associated Documentation
Appendix 1: Subject Access Request Application form (Health Records)
Appendix 2: Access to Health Records Act 1990 Advice Form (Request for advice)
Appendix 3: DPA 1998 Advice Form (Request for advice)
Application for Access to CCTV Image
Appendix 5
Please Note the Intention of this Document
This Policy and Procedure sets out how Peninsula Community Health (PCH) staff will manage Subject Access Requests (SARs) effectively and ensure procedures are in place to deal with subject access requests under The Access to Health Records Act 1990 (AHR), The Access to Medical Reports Act 1988 (AMR) and The Data Protection Act (DPA) 1998.
This policy aims to improve the uniformity of procedures used in complying with relevant legislation in respect of Subject Access Requests.
Review and Amendment Log
Version No: 1
Type of Change: Creation
Date: 18/05/2012
Description of change: First issue
Consultation:
Company Secretary
Information Governance Sub Committee
1 Introduction
A Subject Access Request (SAR) is a request from a person asking an organisation to provide them with the information relating to that person which is held or processed by the organisation.
These are normally requests for medical or staff records held by us on a patient or staff member by the individual or by their personal representative or solicitor. Other requests for information relating to individuals will also be Subject Access Requests although it may not be immediately apparent. Examples of such requests are:
• To view CCTV images (see 4.3 below);
• For copies of CCTV images, photographs, video or audio recordings;
• For a report in support of an employment, benefit or insurance claim;
• For copies of x-rays or moulds;
• For records relevant to crime and taxation e.g. for the prevention and detection of crime from the Police, HM Revenue and Customs, Local Counter Fraud Specialist, NHS Protect, Nursing and Midwifery Council etc;
• For evidential statements;
• For copies of employment references; and
• For the personal details of an individual or individuals residing at a specific location.
This is not an exhaustive list, but demonstrates that the definition of personal data goes beyond paper records and includes any media from which an individual can be identified.
Any disclosure of personal data must have regard to both common and statute law, for example defamation, the common law duty of confidence, and the data protection principles – unless and to the extent that any Data Protection Act exemptions apply.
The principles require that personal information is obtained and processed fairly and lawfully; is only disclosed in appropriate circumstances; is accurate, relevant, and not held longer than necessary; and is kept securely.
Individuals have the right under the Data Protection Act 1998 to make a request in writing for a copy of the information we hold about them on a computer and in writing. This is called a subject access request. Requests are often received by a community staff member at a hospital or health office where the adult/child/patient is receiving or has received care.
The request to disclose personal data may be direct as in the request for a copy of a health record or may form part of an investigation as in the request for a statement made by the Police. They may also be vague or imprecise and may be relevant to a claim against the organisation. A complaint may have other implications that are not immediately apparent.
It is important that action is taken promptly as legislation dictates that the organisation has only 40 calendar days to make the disclosure.
Requests for disclosure are normally made to the organisation under legislation covered in the main by three Acts of Parliament, the subject access provisions of The Data Protection Act 1998, The Access to Health Records Act 1990 and The Access to Medical Reports Act 1988.
Applications cannot be made under the Freedom of Information Act for access to medical records because the information requested is personal information and therefore exempt under the Act. See 2.4 below.
2 Definitions
2.1 The Access to Health Records Act 1990
This Act has been repealed to the extent that it now only affects the health records of deceased patients. It applies only to records created since 1st November 1991.
Applications for disclosure of the records of deceased patients should only be granted to the personal representatives of the estate or to someone having a claim arising out of the death.
There are additional provisions for withholding disclosure e.g. the deceased person may have specifically prohibited disclosure or when information was provided in the expectation that it would not be disclosed to the applicant.
2.2 The Access to Medical Reports Act 1988
The aim of the Act is to allow individuals to see medical reports written about them, for employment or insurance purposes, by a doctor or clinician who they usually see in a ‘normal’ doctor/patient capacity. This right can be exercised either before or after the report is sent.
2.3 The Data Protection Act (DPA) 1998
The Data Protection Act gives an individual several rights in relation to the information held about them.
Access covers the right to obtain a copy of the record in permanent form, unless the supply of a copy would involve disproportionate effort or the individual agrees that his/her access rights can be met some other way, for example by viewing the record.
Access must be given promptly and in any event within 40 days of receipt of the fee and request. If the application does not include sufficient details to identify the person making the request or to locate the information, those details should be sought promptly and the 40-day period begins when the details have been supplied.
This right of access is only exercisable by the individual; making a written application to the organisation holding the records, providing such further information as the organisation may require to sufficiently identify the individual and paying the relevant fee.
2.4 The Freedom of Information Act 2000
Personal data of the applicant is exempt under section 40(1) of the Freedom of Information Act 2000 and these requests will instead be dealt with as Data Protection Act Subject Access Requests. Personal data of another person is exempt under section 40(2) of the Freedom of Information Act 2000 if disclosure would breach one of the data protection principles. In the case of the deceased there are limited alternative rights under the Access to Health Records Act 2000.
2.5 The Human Rights Act 1998
Article 8.1 of the Human Rights Act 1998 provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. This is, however, a qualified right, i.e. there are specified grounds upon which it may be legitimate for authorities to infringe or limit those rights, and Article 8.2 provides “there shall be no interference by a public authority with the exercise of this right as it is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedom of others”.
This is only a précis of the relevant parts of the Acts - for further information or advice contact the Data Protection Officer.
3 Duties & Responsibilities
This section includes an overview of individual roles, departmental and committee duties including levels of responsibility.
The Peninsula Community Health Services Chief Executive has delegated overall responsibility for Subject Access Requests to the Caldicott Guardian and the Data Protection Officer.
The Data Protection Officer will ensure that links between the Caldicott Guardian, records management and information governance are maintained.
3.1 Caldicott Guardian
Will oversee all aspects of disclosures in relation to Subject Access Requests within the organisation with specific attention to disclosures in accordance with the Confidentiality: NHS Code of Practice 2003.
3.2 Data Protection Officer
Will ensure that systems and procedures are in place to support access to records across the organisation.
Act as a co-ordinator for all Subject Access Requests arising within Peninsula Community Health.
Review this policy every three years or more frequently if appropriate taking into account changes to legislation that may occur and/or guidance from the Department of Health, the NHS Executive and/or the Information Commissioner.
3.3 All Managers
Will ensure that all staff:
• Are aware of this Policy and Procedure
• Know how to deal with requests for personal / patient identifiable information
• Know how to access and store personal/patient identifiable information, manual and electronic
3.4 All staff
Will be expected to:
• Comply with this policy and all related systems and procedures
• Attend training
• Ensure that all patient / personal identifiable information is accurate, relevant, up to date, used correctly whether in electronic or manual databases
• Ensure that all patient / personal identifiable information is kept secure at all times
4 Subject Access Request Procedure
4.1 Power to disclose
Before a disclosure of information relating to an individual can be made it has to be established whether there is a power to do so. Such powers exist in law, both common law and in legislated law such as the Data Protection Act 1998 and the Access to Health Records Act 1990.
The power also exists through the consent of the person to whom the information relates.
4.2 Police Power
The police have an important and general power at common law to prevent and detect crime and the Crime and Disorder Act 1998 introduces a number of measures to control crime and disorder.
4.3 Request to view CCTV images
If the disclosure of personal information is required for the prevention or detection of crime and the request is urgent, as in a request by the police to view CCTV images, the officer’s identity should be confirmed and the viewing allowed. The viewing must be in the presence of the senior staff member on duty, recorded on the Application for Access to CCTV image form (Appendix 4) and the viewing restricted to only those people that need to see it.
Such a disclosure should not generally be allowed to anyone other than a member of a law enforcement agency and no image, digital or otherwise or copy or recording or equipment is to be removed from the premises.
If a copy is required then this must be indicated on the application form and the applicant referred to the Data Protection Officer.
4.4 Request for access to records
In all cases the following procedure is to be followed for any request for access to records.
All requests for access to records should be made in writing (using Appendix 1 where necessary) to the relevant manager of the place where the patient received the services, for example, the hospital, clinic, health office or to:
The Data Protection Officer
Records Management Service
Britannia Lanes Business Centre,
Greenbottom
Chacewater
Truro
Cornwall
TR4 8QW
On receiving a request for information, the following steps should be taken:
Determine if it is a subject access request
Determine whether the person's request will be treated as a routine enquiry or as a subject access request. Any written enquiry that asks for information we hold about the person making the request can be construed as a subject access request, but in many cases there will be no need to treat it as such.
If you would usually deal with the request in the normal course of business, do so. An example of such a request might be:
• “I’ve lost the date of my next appointment. Can you tell me it please?”
This does not need to be dealt with as a SAR as the request relates to the person asking for the information; however the identity of the requester would need to be confirmed before providing the date.
The following must be treated as a formal subject access request:
• “Please send me a copy of my personal file.”; and
• “I am a solicitor acting on behalf of my client and request a copy of their medical records. An appropriate authority is enclosed.”
If you are in any doubt, seek the advice of the Data Protection Officer.
4.5 On receipt of a telephone call requesting access to health records
The requester must be informed that the request must be in writing and sent the form entitled “Application for Access to Health Records” (Appendix 1). This form acts to guide the applicant through the request and advises them as to the legal requirements for making such a request.
4.6 On receipt of a written subject access request
The request is to be passed to the Locality/Service administrator, or the member of staff nominated to deal with such requests immediately. If there is a likelihood of delay in response or the nominated member of staff is unavailable the request is to be acknowledged in writing, within two days of its receipt, by the member of staff receiving the correspondence and the applicant informed that the request will be forwarded to the Data Protection Officer.
The original request must be forwarded to the Data Protection Officer by internal mail as soon as it is received.
See Appendix 5 for a flow chart of the procedure to be followed when a subject access request is received by a Locality/Service administrator, or the member of staff nominated to deal with such requests.
4.7 When received by a Locality/Service administrator or the member of staff nominated to deal with such requests:
4.7.1 For information on living individuals
If the request applies only to the location where it is received:
1) Retrieve the record.
2) Copy the record and have it checked by the appropriate health professional¹.
The appropriate health professional checks the record for exempted material i.e.
• data that is likely to cause serious harm to the physical or mental health of any other individual or
• relating to, or provided by an individual, other than the patient, who could be identified from that information (unless the individual concerned has consented or where that individual is a health professional who has been involved in the care of the patient) or
• that was provided in the expectation that it would not be disclosed to the applicant; or information obtained as a result of any examination or investigation to which the patient consented in the expectation that the information would not be so disclosed or
• where the data subject has expressly indicated that the information should not be disclosed.
3) Send:
a. The original request;
b. The proof of consent;
c. A copy of the record; and
d. The signed Release Advice Note;
to the Data Protection Officer who will record the Subject Access Request and send off all the relevant documents to the appropriate locations.
There is no requirement for the hospital/service to keep copies of the Subject Access Request as it will be stored, archived and appraised by the Records Management Service.
¹ a) The health professional who is currently or was the most recently responsible for the clinical care of the data subject in connection with the matters to which the information which is the subject of the request relates; or b) where there is more than one such health professional who is the most suitable to advise on the matters to which the information which is the subject of the request relates; or c) where there is no health professional available falling within paragraph a) or b) a health professional who has the necessary experience and qualifications to advise on the matters to which the information which is the subject of the request relates
4.7.2 For information on deceased patients<br />
The request is to be acknowledged in writing, within two days of receipt, by <strong>the</strong> member<br />
of staff receiving <strong>the</strong> correspondence <strong>and</strong> <strong>the</strong> applicant informed that <strong>the</strong> request will be<br />
forwarded to <strong>the</strong> Data Protection Officer.<br />
The original request must be forwarded to <strong>the</strong> Data Protection Officer by internal mail as<br />
soon as it is received.<br />
4.7.3 All other requests, including those from the Police.
Although not immediately apparent, these requests are made under the Data Protection
Act 1998.
When made on behalf of a victim of crime they must meet the same requirements listed
above i.e. the request must contain the original written request and/or authority, signed
by the applicant, for the release of their records to the police and the applicant’s
authority for them to act on their behalf.
Section 29 of the Act provides exemptions from the first principle for:
• the prevention or detection of crime,
• the apprehension or prosecution of offenders, or
• the assessment or collection of any tax or duty or of any imposition of a similar
  nature,
and section 35 provides exemptions from the non-disclosure provisions of the Act:
• where the disclosure is required by or under any enactment, by any rule of law or
  by the order of a court; or
• where the disclosure is necessary
  o for the purpose of, or in connection with, any legal proceedings (including
    prospective legal proceedings), or
  o for the purpose of obtaining legal advice,
  o or is otherwise necessary for the purposes of establishing, exercising or
    defending legal rights.
In the event of any such request, the requester e.g. Police, HM Revenue and Customs,
Local Counter Fraud Specialist, NHS Protect, Nursing and Midwifery Council etc, must
be referred direct to The Data Protection Officer.
4.7.4 Requests relating to a pending litigation claim
Where it is considered that a claim against an organisation may arise or one has been
notified (pre-action disclosure), it may be the first indication that an incident has
occurred. The incident reporting system should already have alerted the organisation to
a potential claim but where any claim has not been previously reported as an incident, it
should immediately be reported so, in order that the investigation of the claim and the
incident can proceed as a single process to ensure compliance with time limits. Note
however that if any investigation has such a dual purpose, the documents arising from it
are likely to be open to disclosure in subsequent litigation.
On receiving a pre-action disclosure the Data Protection Officer will inform the Company
Secretary of the notification immediately. Copies of the disclosure will be forwarded to
the Company Secretary for litigation purposes.
The Company Secretary will nominate a manager to deal with the litigation who will first
request the local Clinical Manager to ensure that all relevant originals of medical
records, supplementary documents, recordings, charts etc are collated and retained
until the conclusion of the claim. A copy must then be made of the entire medical
records so that the retained original can be kept for clinical purposes. If the patient is
still receiving treatment/care, the local Clinical Manager must send a copy of any new
medical record as it occurs, to be added to the copy held by the organisation’s Litigation
Manager. Time taken at this stage to produce and maintain a good copy will reduce the
scope for claimant solicitors to generate further queries for requests and clarification.
The local Clinical Manager may also be asked to request further information from the
relevant clinicians e.g. opinion on the allegations, analysis of the treatment provided,
any adverse outcome or other irregular feature of the case.
All of this information will be used by the Litigation Manager to generate the Preliminary
Analysis required by the NHS Litigation Authority.
These requests are to be acknowledged and the applicant informed that the request will
be forwarded to the Litigation Manager.
The Data Protection Officer will respond to any requests by the Litigation Manager in
the provision of any relevant records.
4.7.5 All other requests
These may include requests from or relating to -
• Department of Social Security
• Criminal Injuries Compensation Authority (CICA)
• War Pensions Department – Veterans Agency
• Insurance companies
• Consultants from outside the Organisation
• Patients on Clinical Trials (often want to know what happened to the patient
  years later)
These should be sent direct to the Data Protection Officer.
The Data Protection Officer will:
• Check to ensure that all the details have been completed fully and correctly by
  the applicant or by the applicant’s representative.
• The records should be disclosed within 40 calendar days of receipt of a
  completed application form and/or fee. However if the patient has been treated or
  their medical records have been updated during the 40 days immediately
  preceding the application, no search fee is applicable.
• A record of the request will be kept and updated accordingly.
• Co-ordinate copies of all the relevant records and consult where necessary, an
  appropriate health professional asking for advice on the disclosure or reasons for
  exemptions. There are 5 statements of approval/rejection of access on the form
  (please see the Appendices), which the health professional must consider to
  either accept or reject the request.
• The health professional’s advice must be provided by the appropriate health
  professional on the advice form, Appendix 1.
• Subject to any applicable exemption, the applicant must be given a copy of the
  information and, where the data is not readily intelligible, an explanation (e.g. of
  abbreviations or medical terminology).
• If access is approved, all requested health records must be collected and
  collated by the Data Protection Officer or the member of staff who has the
  delegated authority to carry out this procedure who will forward copies to the
  requester; or arrange a meeting for the patient to come in and examine his/her
  records. No original records are to be forwarded to the requester.
• An invoice will be raised when the copies are sent out, if applicable. Please refer
  to Appendix 1 regarding charges.
• All the information regarding the request and a record of the activity in relation to
  the request must be logged on a central database held by the Data Protection
  Officer in order to ensure adherence to the 40 working day time limit.
Note: If a hard copy or electronic recording of the health record cannot be provided,
then every effort should be made to provide an explanation. Applicants may be invited
to attend the department and view the record or recording in person.
Debtor's invoice requests will be forwarded to:
Shared Financial Services
Cornwall Partnership Trust
Porthpean Road
St Austell
Cornwall
PL26 6AD
The Data Protection Act 1998 requires the relevant fee to be paid before the disclosure.
We do not, except in special circumstances, insist on the fee being received before the
records are released. If you have any concerns about this or the request in general,
please contact the Data Protection Officer.
If no permanent record is requested, no fee for access may be made to records that are
accessible and contain at least some entries made in the 40-day time period preceding
the request, and not, nor intended to be, automatically processed. A fee of £10 may be
charged for viewing records that have not been added to in the 40 days prior to the
access request.
5 Confidentiality
Each member of staff has a duty to observe the policy of maintaining confidentiality at
all times.
Staff should not discuss individual patients among themselves and must be particularly
discreet in patient areas.
Individual patients should not be identified during training or other health service
activities.
6 Legal Advice
If staff have any queries regarding a request for access to health records or the
operation of this Policy and Procedure document, advice should immediately be sought
from the Data Protection Officer.
7 Risk Management Strategy Implementation
7.1 Implementation & Dissemination
This policy and procedure will be rolled out through the organisation by the
Data Protection Officer through the Information Governance Sub Committee.
Relevant individuals who will be expected to receive or deal with subject
access requests will be sent the policy and procedure by their line manager.
7.2 Training and Support
No formal training has been identified. However, further training and support
can be obtained from the Records Management Team who plan to arrange
regular training sessions.
7.3 Document Control & Archiving Arrangements
Once ratified, this policy will be loaded to the documents library. Any
previous versions will be electronically archived by the Policy Administrator in
the electronic Policy Drive Archive Folder.
A signed hard copy of the policy will be forwarded to the Policy Administrator
and an electronic copy will be saved by the Policy Administrator in the
electronic Policy Drive. Further copies of current and archived policies can be
obtained from the Policy Administrator including versions in large print, Braille
and other languages.
7.4 Equality Impact Assessment & Human Rights Act
Peninsula Community Health aims to design and implement services, policies
and measures that meet the diverse needs of our service, population and
workforce, ensuring that none are placed at a disadvantage over others.
This policy has taken into account the rights and responsibilities placed under the
Human Rights Act (1998) and in particular Article 8: “The right to respect for
private and family life, home and correspondence.”
As part of its development, this strategy and its impact on equality have been
assessed. The assessment is to minimise and if possible remove any
disproportionate impact on employees on the grounds of race, sex, disability, age,
sexual orientation or religious belief. No detriment was identified.
8 Process for Monitoring Effective Implementation
The organisation will regularly monitor its subject access request practices for
compliance with this framework.
The Data Protection Officer will audit subject access request databases and systems
and:
• identify areas of operation that are covered by organisational policies and identify
  which procedures and/or guidance should adhere to the policy;
• follow a mechanism for adapting the policy to cover missing areas if these are
  critical to the creation and use of records, and use a subsidiary development plan
  if there are major changes to be made;
• set requirements by implementing new procedures, including obtaining feedback
  where the procedures do not match the desired activity; and
• highlight where non-conformance to the procedures is occurring and suggest a
  tightening of controls and adjustment to related procedures.
Local areas and services will audit their own practices from time to time, at least
annually to measure compliance with this policy or in light of future requirements.
9 Associated Documentation
This document references the following supporting documents which should be referred
to in conjunction with the document being developed -
• CCTV Policy
• Data Protection Policy
• Recordings Policy
• Freedom of Information Policy
• Records Management Policy
• Overarching Information Governance Policy
• Anti-Fraud and Bribery Policy
Appendix 1
Subject Access Request Application form (Health Records)
You are entitled to apply for access to your health records or to those of a deceased
patient. Such requests for disclosure are normally made under legislation covered in the
main by two Acts of Parliament:
1. The Data Protection Act 1998, which gives you the right to see or have a copy of
what records we hold on you. The application is made by:
• making a written application to the holder of the record(s). Peninsula Community
  Health hold records relating to adult health care within the Cornwall and Isles of
  Scilly community, not those from GPs or the Royal Cornwall Hospital, Cornwall
  Partnership Foundation or Plymouth Hospital Trusts;
• providing such further information as required to sufficiently identify you; and
• paying the relevant fee.
This is not a general right of access however, it is a restricted right and the following
circumstances could limit your access:
• If the record contains third-party information (i.e. not about you or the treating
  clinician) where that third party is not a healthcare professional and has not
  consented to their information being disclosed. If possible, you will be provided with
  access to the part of the record that does not contain the third-party identifier;
• If access to all or part of the record will seriously harm the physical or mental
  wellbeing of you or any other person. If possible, the individual should be provided with
  access to that part of the record that does not pose the risk of serious harm.
2. The Access to Health Records Act 1990, if you are the personal representative of
the estate or someone having a claim arising out of the death. Again this is not a
general right of access however, it is a restricted right and the following
circumstances could limit your access:
• If there is evidence that the deceased did not wish for any or part of their information
  to be disclosed; or
• If disclosure of the information would cause serious harm to the physical or mental
  health of any person;
• If disclosure would identify a third party (i.e. not the patient nor a healthcare
  professional) who has not consented to that disclosure; and
• If disclosure would release information which is not relevant to the claim.
Applications cannot be made under the Freedom of Information Act 2000, for access to
medical records because the information requested is personal information and
therefore exempt under the Act under section 40(1) & (2).
The organisation will keep your personal details on a database. This information will be
kept confidential and is subject to the Data Protection Principles. We will only hold this
information to enable us to deal with your request and any follow-up issues or
complaints. We will not use the information for any other purposes without your
permission. It will be used for the purpose of carrying out the search for your information
in accordance with Section 7 of the Data Protection Act 1998.
There is no minimum age for applications. Children can apply for their own records
provided they are capable of understanding the nature of the request.
Parties with parental responsibility can apply for and obtain access, within the existing
rules, independently of any other party with parental responsibility.
Peninsula Community Health is only responsible for providing information which is
created and held by us. If you feel you would like to discuss your information request
further please telephone the Data Protection Officer on 01872 562790.
Application for Access to Health Records
If you are the patient applying to see your own records, please complete sections 1,
4 and 6.
If you are applying on behalf of the patient, please complete sections 1, 2, 4, and 6.
Please ensure that the patient has completed and signed section 3 in order for you
to act on their behalf.
1. Details of Patient
Surname ............................................ Date of Birth (DD/MM/YY) .............
Previous Surname (if applicable) .................... Address ...............................
Fore Name(s) ........................................ .......................................
Contact Tel. No. .................................... Post Code .............................
2. Details of Applicant
(Please complete this section if you are NOT the patient detailed in Section 1 but
authorised to act on their behalf according to Section 3 below)
Surname ............................................ Address ...............................
Fore Name(s) ........................................ .......................................
Company (If applicable) ............................. .......................................
Contact Tel. No. .................................... Post Code .............................
□ I am acting on behalf of the patient (see 3 below)
□ I have parental authority and the subject:
   □ Has consented to this request; or
   □ Is incapable of understanding the nature of the request.
□ I am the deceased patient’s representative and attach confirmation of my
   appointment (i.e. letters of administration or grant of probate)
□ I have a claim arising from the patient’s death and wish to access information
   relevant to my claim. (Please state the grounds of the claim on a separate sheet)
2. Signature giving consent to the applicant to access your records
(Please complete this section to authorise the person identified in Section 2 to act on
your behalf)
I hereby authorise Peninsula Community Health to release personal data detailed in
Section 4 below to the person detailed in Section 2 above.
Name ............................................... Signed ................................
(Block capitals) .................................... Date ..................................
4. Access Request
Important Note: Under the Data Protection Act 1998 you do not have to give a reason
for applying for access to your personal information. However, to help us save time and
resources, it would be helpful if you could provide details below, informing us of where
and when treatment / services were received along with details which you may feel
relevant, such as previous names, addresses etc.
Please provide as much information as possible and specify if you only require a
particular part of your personal information. Please use another blank sheet if
necessary.
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
5. Identification
If the subject of the disclosure request is an adult, the applicant may be required to
provide proof of identity and address. Suitable evidence would be a passport, driving
licence or utility bill.
If the subject is a child, we may require a photocopy of their birth certificate or proof of
parental responsibility.
If you are requesting on behalf of someone else, but are not the patient’s legal
representative, we may require identification from both parties.
If you are the deceased patient’s representative we will require confirmation of your
appointment (i.e. letters of administration or grant of probate)
Authorisation
I have read this form and authorise a subject access request to be carried out. I
understand that a fee may be required prior to release of any information. I declare that
the information given by me is correct to the best of my knowledge and that I am entitled
to apply for access to the personal data detailed above.
Applicant’s Signature: ....................................... Date: ..................................
Please send this completed form to:
The Data Protection Officer
Peninsula Community Health
Britannia Lanes Business Centre
Greenbottom
Chacewater
Truro
Cornwall TR4 8QW
Scale of Charges:
Please do not send payment with this application. You will be sent an invoice if
appropriate.
Applications under the Data Protection Act 1998:
There will be no charge for viewing records if they have been updated in the previous
40 days.
For providing a copy of a computerised record: £10.00
For providing copies of healthcare records held partially or entirely on paper: £50.00
Plus per copy sheet (whether single or double sided): 20p
Postage and packing as appropriate
Please note that there is a maximum limit on charges for providing copies of health
records under the Data Protection Act 1998 of £50.00
Applications under the Access to Health Records Act 1990:
There will be no charge for viewing records if they have been updated in the previous
40 days.
If the records have not been updated in the last 40 days, the maximum charge for
viewing, whether the records are stored on computer or in another form, such as
paper-based records, is £10.00
For providing copies of healthcare records held partially or entirely on paper: £50.00
Plus per copy sheet (whether single or double sided): 20p
Postage and packing as appropriate
Please note that there is no maximum limit on charges for providing copies of health
records under the Access to Health Records Act 1990, the fee including copies may
exceed £50.00 for large or multiple volume case notes.
Appendix 2
9.1 Access to Health Records Act 1990 Advice Form (Request for advice)
Our Ref:
Date
Appropriate Health Professional
Location
Data Protection Officer
Britannia Lanes Business Centre
Chacewater
Truro
TR4 8QW
An application has been made for a copy of all the health records in our possession
relating to Deceased Person, DOB the claim relates to his/her Reason for making
claim.
I believe that one of the records PCH holds was created by your Locality/Service Under
the Access to Health Records Act 1990 and I am required to take advice from the
appropriate health professional before I decide whether or not to provide access to a
deceased patient’s record. Could you please arrange for the record to be reviewed by
the appropriate health professional and a copy sent to me as soon as possible via the
NHS Courier Service with this request appropriately signed at the foot of the page.
If the record includes any note, made at the patient’s request, that they did not wish
access to be given on such an application please send the full record to me.
If in the opinion of the appropriate health professional, release of the record or any part
of the record would disclose;
a) Information likely to cause serious harm to the physical or mental health of any
   other individual; or
b) Information relating to, or provided by an individual, other than the patient, who
   could be identified from that information (unless the individual concerned has
   consented or where that individual is a health professional who has been
   involved in the care of the patient).
Please copy the relevant record so as to exclude the information to which there is no
right of access and send the prepared copy to me.
If, in the opinion of the appropriate health professional there is information in the record,
that was provided by the patient in the expectation that it would not be disclosed to any
applicant; or information obtained as a result of any examination or investigation to
which the patient consented in the expectation that the information would not be so
disclosed; or which is not relevant to any claim which has arisen out of the patient’s
death then this information should also be excluded.
I have reviewed the following record(s) (Type of record e.g. District Nurse, Health
Visitor)
…………………………………………………………………………………………………
• I can advise that the record contains no information that would prohibit its release.
• I can advise that the record contains no information relevant to the above stated
  claim.
• I can advise that the record contains information that should be excluded. Please
  provide your advice below or on an attached note.
Delete as appropriate.
Signed…………………………………… Name………………………………… (Print)
Designation…………………………………
Date…………………………………
Appendix 3<br />
9.2 DPA 1998 Advice Form (Request for advice)<br />
Our Ref:<br />
Date<br />
Appropriate Health Professional<br />
Locality<br />
Data Protection Officer<br />
Britannia Lanes Business Centre<br />
Chacewater<br />
Truro<br />
TR4 8QW<br />
An application has been made under the Data Protection Act 1998 for a copy of health<br />
records relating to Name of Person - DOB dd/mm/yyyy<br />
I believe that one of the records PCH holds (Name of locality/date etc) was created by<br />
your Locality/Service. It is my duty, where the disclosure relates to the physical or<br />
mental health or condition of the data subject, to consult with the appropriate health<br />
professional before I decide whether or not to provide access to the record. Could you<br />
please arrange for the record to be reviewed by an appropriate health professional and<br />
a copy sent to me as soon as possible via the NHS Courier Service with this request<br />
certificated at the foot of the page.<br />
If, in the opinion of the appropriate health professional, release of the record or any part<br />
of the record would disclose information:<br />
a) Likely to cause serious harm to the physical or mental health of any other<br />
individual; or<br />
b) Relating to, or provided by an individual, other than the patient, who could be<br />
identified from that information (unless the individual concerned has consented or<br />
where that individual is a health professional who has been involved in the care<br />
of the patient); or<br />
c) That was provided in the expectation that it would not be disclosed to the<br />
applicant; or information obtained as a result of any examination or investigation<br />
to which the patient consented in the expectation that the information would not<br />
be so disclosed; or<br />
d) Where the data subject has expressly indicated that the information should not<br />
be disclosed.<br />
Please copy the relevant record so as to exclude the information to which there is no<br />
right of access and send the prepared copy to me along with this advice. If in doubt,<br />
contact the Data Protection Officer.<br />
If any of the information in the copy is not intelligible without explanation, an explanation<br />
of that information must be provided, e.g. where the information is in coded form which<br />
cannot be understood without a key, a key to the code must be provided.<br />
I have reviewed the following record(s) (Type of record e.g. District Nurse, Health<br />
Visitor)<br />
…………………………………………………………………………………………………<br />
I can advise that the record contains no information that would prohibit its release.<br />
I can advise that the record contains information that should be excluded. Please<br />
provide your advice below or on an attached note.<br />
Delete as appropriate.<br />
Signed………………………………………………...Name…………………………(Print)<br />
Designation………………………………………………Date………………………………<br />
Appendix 4<br />
SUBJECT ACCESS REQUEST<br />
9.3 Application for Access to CCTV Image<br />
PLEASE USE BLOCK CAPITALS TO COMPLETE THIS FORM<br />
The Data Protection Act 1998 provides Data Subjects (individuals to whom “personal<br />
data” relates) with a right to access data held about themselves, including data held on<br />
Closed Circuit Television (CCTV) systems.<br />
To enable us to deal promptly with your request for access, please complete the form,<br />
giving as much information as possible to help us identify your personal data.<br />
1 Why CCTV images are requested 2<br />
Please tick <strong>the</strong> applicable box:<br />
You represent the police or other law enforcement agency, and the images<br />
are required to prevent/detect a crime and/or identify, apprehend or<br />
prosecute offenders.<br />
You represent a prosecution agency and require the images to prosecute an<br />
offender.<br />
You have legal power to act on behalf of the data subject.<br />
You are the person whose image is held on the CCTV<br />
2 Title, name and address of the applicant<br />
......................................................................................................................................<br />
......................................................................................................................................<br />
......................................................................................................................................<br />
......................................................................................................................................<br />
Please give your daytime telephone number.................................................................<br />
If you are the Data Subject (The person whose information is held by us) please<br />
complete the following.<br />
Date of birth……………………………..…..................<br />
Male/Female (Please delete)<br />
2 In compliance with the Data Protection Act 1998 ss 29, 35 and 7<br />
Are you the data subject?<br />
(The person to whom the personal data relates)<br />
Yes / No<br />
IF “YES” PLEASE GO DIRECT TO QUESTION 5<br />
IF NO please answer the following<br />
3 Do you have the data subject’s written authority or confirmation of your<br />
entitlement to act on the data subject’s behalf? YES/NO (please delete).<br />
If “YES” please attach a copy of the authority and enter the details required for the data<br />
subject in Question 5.<br />
If “NO” please state the purpose of the request:<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
4 Details of Data Subject<br />
Enter the data subject’s title, name, address, date of birth and gender in the space<br />
provided:<br />
Male/Female (Please delete)<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
5 TO BE COMPLETED BY ALL APPLICANTS<br />
In order for us to identify what data you require access to, please provide the following<br />
information:<br />
1. The exact date, time and location of the CCTV system containing the footage<br />
required:<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
2. Information sufficient to enable identification of the Data Subject (a full description<br />
including clothing and/or a photograph. Use a separate sheet of paper if necessary).<br />
..........................................................................................................................................<br />
..........................................................................................................................................<br />
3. Will you need a copy of the images? YES / NO<br />
6 Declaration<br />
I understand that it may be necessary for Peninsula Community Health to obtain more<br />
detailed information in order to be satisfied as to my / the data subject’s identity or<br />
locate my / the data subject’s personal data.<br />
I certify that I am the data subject or authorised to represent the company / organisation<br />
/ person listed above and the images are requested in connection with the prevention /<br />
detection of a crime, the apprehension or prosecution of offenders, criminal proceedings<br />
or public safety.<br />
Signed: .............................................................................. Dated: .....................................<br />
Position/Rank ....................................................................................................................<br />
Under the terms of the Data Protection Act 1998, we have 40 days to comply with your<br />
request. The processing commences when we receive your completed form and advise<br />
you that a fee of up to £10 may be charged.<br />
Please note that in the event that information supplied would seriously prejudice the<br />
prevention or detection of crime, Peninsula Community Health have the right under the<br />
Data Protection Act to refuse requests for access.<br />
Return this form to The Data Protection Officer, Peninsula Community Health, Britannia<br />
Lanes Business Centre, Greenbottom, Chacewater, Truro TR4 8QW<br />
Peninsula Community Health Staff use only<br />
Member of Staff authorising<br />
Name…………………………………………………………….........……… (Print name)<br />
Designation ………………………………………………….........……………………........<br />
Location of viewing ………………………………….........…………………………………<br />
Persons present ..........................................................................................................<br />
......................................................................................................................................<br />
Viewing started …………….……AM/PM and ended………………………...... AM/PM<br />
Copy made YES / NO<br />
by………………………………………..……... (Print name)<br />
Signed…………………………………Date……........………Time………………AM/PM<br />
Sent to The Data Protection Officer, Peninsula Community Health, Britannia Lanes<br />
Business Centre, Greenbottom, Chacewater, Truro TR4 8QW on ………………Date<br />
Appendix 5<br />
1.1 Subject Access Request received by Hospital / Service<br />
If a living individual<br />
If a deceased patient<br />
If the request applies only to your location / Service<br />
Retrieve the record and obtain the advice of an appropriate health professional as to whether the record contains exempted material.<br />
If the request applies to multiple locations/Services e.g. requests for all records relating to an individual<br />
Requests from Police<br />
Forward to Data Protection Officer, Britannia Lanes Business Centre, Chacewater, Truro TR4 8QW, 01872 562790<br />
The appropriate health professional checks the record for exempted material i.e. data:<br />
likely to cause serious harm to the physical or mental health of any other individual; or<br />
relating to, or provided by an individual, other than the patient, who could be identified from that information (unless the individual concerned has consented or where that individual is a health professional who has been involved in the care of the patient); or<br />
that was provided in the expectation that it would not be disclosed to the applicant; or information obtained as a result of any examination or investigation to which the patient consented in the expectation that the information would not be so disclosed; or<br />
where the data subject has expressly indicated that the information should not be disclosed.<br />
Prepare a copy of the record removing or indicating exempted data and<br />
Sign the Subject Access Requests Advice form.<br />
Send:<br />
the original request;<br />
proof of consent;<br />
a copy of the record; and<br />
the signed Advice form;<br />
to the Records Management office.<br />
There is no need for you to keep copies as the original record will remain with you.<br />
In the event that the request cannot be forwarded within 10 working days – could you please inform the Records Management office as to the nature and subject of the request, the requester’s details and the reason for the delay in responding.<br />
Initial Equality Impact Assessment Screening Form<br />
Initial Equality Impact Assessment<br />
Pro Forma
Section Governance Officer responsible for the<br />
assessment<br />
Alan Gerrish, Records Manager<br />
Data Protection Officer<br />
Name of Policy to<br />
be assessed<br />
Subject Access Request Policy and<br />
procedure<br />
Date of<br />
Assessment 19/05/2009<br />
Is this a new or existing<br />
policy?<br />
New<br />
1. Briefly describe the aims, objectives and<br />
purpose of the policy.<br />
This Policy and Procedure sets out how NHS Cornwall and Isles of Scilly and NHS<br />
Cornwall and Isles of Scilly Community Health Services staff will manage Subject<br />
Access Requests effectively and ensure procedures are in place to deal with subject<br />
access requests under The Access to Health Records Act 1990 (AHR), The Access<br />
to Medical Reports Act 1988 (AMR) and The Data Protection Act (DPA) 1998.<br />
This policy aims to improve the uniformity of procedures used in complying with<br />
relevant legislation in respect of Subject Access Requests.<br />
2. Are there any associated objectives of<br />
the policy? Please explain.<br />
An associated objective is that both organisations achieve compliance with<br />
Standards for Better Health, the Information Governance Toolkit and national<br />
standards.<br />
3. Who is intended to benefit from this<br />
policy, and in what way?<br />
Members of the public, patients and staff by improving the uniformity of procedures<br />
used in complying with relevant legislation in respect of Subject Access Requests.<br />
4. What outcomes are wanted from this<br />
policy?<br />
Adoption of consistent policy and procedures across the community will improve the<br />
service to the public, patients and staff.<br />
5. What factors/forces could<br />
contribute/detract from the outcomes?<br />
Failure of staff to follow policy and procedure resulting in litigation and loss.<br />
6. Who are the main<br />
stakeholders in relation to<br />
the policy?<br />
Community Services Staff<br />
7. Who implements the policy,<br />
and who is responsible for the<br />
policy?<br />
Records Manager<br />
Data Protection Officer<br />
8. Are there concerns that the policy could<br />
have a differential impact on RACIAL<br />
groups?<br />
No<br />
The policy reflects the current legislation, which is designed to protect the<br />
rights of all, irrespective of racial groups.<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
There are no sections within the Policy and Guidelines that distinguish between any<br />
racial groups. The responses in relation to request for information are dealt with<br />
under The Data Protection Act 1998, The Access to Health Records Act, The<br />
Human Rights Act 1998, Freedom of Information Act 2000 and other related<br />
legislation.<br />
9. Are there concerns that the policy could<br />
have a differential impact due to GENDER<br />
(including TRANSGENDER)?<br />
No<br />
The policy reflects the current legislation, which is designed to protect the<br />
rights of all, irrespective of gender.<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
There are no sections within the Policy and Guidelines that distinguish between<br />
gender or transgender. The responses in relation to request for information are dealt<br />
with under The Data Protection Act 1998, The Access to Health Records Act, The<br />
Human Rights Act 1998, Freedom of Information Act 2000 and other related<br />
legislation.<br />
10. Are there concerns that the policy could<br />
have a differential impact due to<br />
DISABILITY?<br />
No<br />
There is no specific concern in relation to disability. Legislation dictates<br />
that requests must be made in writing. However they may be made in<br />
many formats, accounting for disabilities.<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
No request has been refused on the grounds of the applicant being disabled.<br />
11. Are there concerns that the policy could<br />
have a differential impact due to SEXUAL<br />
ORIENTATION?<br />
No<br />
Sexual orientation is not relevant to the subject of this policy.<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
No references to sexual orientation are made within the legislation governing this<br />
policy.<br />
12. Are there concerns that the policy could<br />
have a differential impact due to their AGE?<br />
No<br />
Age is dealt with considerably within legislation and children receive<br />
special focus in legislation. Confidentiality is a main factor in dealing with<br />
all requests, especially when dealing with children and the elderly as they<br />
may/may not have the capacity to understand the nature of the request.<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
The Data Protection Officer receives advice from Children Services on all requests<br />
for access to children records.<br />
13. Are there concerns that the policy could<br />
have a differential impact due to their<br />
RELIGIOUS BELIEF?<br />
No<br />
Religious beliefs are not relevant to the subject of this policy<br />
What existing evidence (either presumed or<br />
otherwise) do you have for this?<br />
No references to Religious beliefs are made within the legislation governing this<br />
policy.<br />
14. Could the differential<br />
impact identified in 8 – 13<br />
amount to there being the<br />
potential for adverse impact<br />
in this policy?<br />
15. Can this adverse impact<br />
be justified on the grounds of<br />
promoting equality of<br />
opportunity for one group?<br />
Or any other reason?<br />
16. Should the policy<br />
proceed to a full equality<br />
impact assessment?<br />
No<br />
No<br />
No<br />
There is no differential impact identified.<br />
Not applicable.<br />
Signed (completing officer) ……………………………………………………….. Date<br />
Signed (Head of Section) ……………………………………………………….. Date<br />
Please ensure that a signed copy of this form is sent to both the Policies Lead and the Equality and Diversity lead to be<br />
placed on the Community Health Services website.