Subject Access Request Policy and Procedure - the Royal Cornwall ...

Peninsula Community Health
Subject Access Request
Policy and Procedure
Title:
Subject Access Request Policy and
Procedure
Procedural Document Type:
Policy
Reference:
CO-IG-P08
CQC Outcome: Outcome 21
Version: VERSION 1
Approved by:
Information Governance Sub
Committee
Ratified by:
Clinical Quality and Safety Committee
Date ratified:
7 th August 2012
Freedom of Information:
This document can be released
Name of originator/author:
Alan Gerrish
Name of responsible team:
Records Management Team
Review Frequency:
3 Years
Review Date:
7 th August 2015
Target Audience:
All staff
Executive Signature (Hard Copy Only):
Registered in England and Wales No: 7564579
Registered office: Peninsula Community Health CIC,
Sedgemoor Centre, Priory Road, St Austell PL25 5AS
www.peninsulacommunityhealth.co.uk
Quality care, closer to you
Peninsula Community Health is a not for profit
Community Interest Company responsible for
providing NHS adult community health
services
in Cornwall and the Isles of Scilly

Contents
1 Introduction ..................................................................................................4
2 Definitions ....................................................................................................5
2.1 The Access to Health Records Act 1990......................................................5
2.2 The Access to Medical Reports Act 1988.....................................................5
2.3 The Data Protection Act (DPA) 1998............................................................5
2.4 The Freedom of Information Act 2000..........................................................5
2.5 The Human Rights Act 1998 ........................................................................6
3 Duties & Responsibilities..............................................................................6
3.1 Caldicott Guardian........................................................................................6
3.2 Data Protection Officer .................................................................................6
3.3 All Managers ................................................................................................6
3.4 All staff .........................................................................................................7
4 Subject Access Request Procedure.............................................................7
4.1 Power to disclose .........................................................................................7
4.2 Police Power ................................................................................................7
4.3 Request to view CCTV images ....................................................................7
4.4 Request for access to records......................................................................7
4.5 On receipt of a telephone call requesting access to health records .............8
4.6 On receipt of a written subject access request.............................................8
4.7 When received by a Locality/Service administrator or the member of staff
nominated to deal with such requests: ...............................................................9
4.7.1 For information on living individuals ......................................................9
4.7.2 For information on deceased patients .................................................10
4.7.3 Requests by Police .............................................................................10
4.7.4 Requests relating to a pending litigation claim ....................................10
4.7.5 All other requests ................................................................................11
5 Confidentiality.............................................................................................12
6 Legal Advice...............................................................................................13
7 Risk Management Strategy Implementation...............................................13
7.1 Implementation & Dissemination................................................................13
7.2 Training and Support..................................................................................13
7.3 Document Control & Archiving Arrangements............................................13
7.4 Equality Impact Assessment & Human Rights Act .....................................13
8 Process for Monitoring Effective Implementation .......................................13
9 Associated Documentation.........................................................................14
Appendix 1 .......................................................................................................15
Subject Access Request Application form (Health Records) ............................15
Appendix 2 .......................................................................................................20
Access to Health Records Act 1990 Advice Form (Request for advice) ...........20
Appendix 3 .......................................................................................................22
DPA 1998 Advice Form (Request for advice)...................................................22
Application for Access to CCTV Image.............................................................24
Appendix 5 .......................................................................................................27
2 of 27

Please Note the Intention of this Document
This Policy and Procedure sets out how Peninsula Community Health (PCH) staff will
manage Subject Access Requests (SAR’s) effectively and ensure procedures are in
place to deal with subject access requests under The Access to Health Records Act
1990 (AHR), The Access to Medical Reports Act 1988 (AMR) and The Data Protection
Act (DPA) 1998.
This policy aims to improve the uniformity of procedures used in complying with relevant
legislation in respect of Subject Access Requests.
Review and Amendment Log
Version No
Type of
Change
Date
1 Creation 18/05/2012 First issue
Description of change
Consultation:
Company Secretary
Information Governance Sub Committee
3 of 27

1 Introduction
A Subject Access Request (SAR) is a request from a person asking an organisation to
provide them with the information relating to that person which is held or processed by
the organisation.
These are normally requests for medical or staff records held by us on a patient or staff
member by the individual or by their personal representative or solicitor. Other requests
for information relating to individuals will also be Subject Access Requests although it
may not be immediately apparent. Examples of such requests are:
To view CCTV images (see 4.3 below);
For copies of CCTV images, photographs, video or audio recordings;
For a report in support of an employment, benefit or insurance claim;
For copies of x-rays or moulds;
For records relevant to crime and taxation e.g. for the prevention and detection of
crime from the Police, HM Revenue and Customs, Local Counter Fraud
Specialist, NHS Protect, Nursing and Midwifery Council etc;
For evidential statements;
For copies of employment references; and
For the personal details of an individual or individual’s residing at a specific
location;
This is not an exhaustive list, but demonstrates that the definition of personal data goes
beyond paper records and includes any media from which an individual can be
identified.
Any disclosure of personal data must have regard to both common and statute law, for
example defamation, the common law duty of confidence, and the data protection
principles – unless and to the extent that any Data Protection Act exemptions apply.
The principles require that personal information is obtained and processed fairly and
lawfully; is only disclosed in appropriate circumstances; is accurate, relevant, and not
held longer than necessary; and is kept securely.
Individuals have the right under the Data Protection Act 1998 to make a request in
writing for a copy of the information we hold about them on a computer and in writing.
This is called a subject access request. Requests are often received by a community
staff member at a hospital or health office where the adult/child/patient is receiving or
has received care.
The request to disclose personal data may be direct as in the request for a copy of a
health record or may form part of an investigation as in the request for a statement
made by the Police. They may also be vague or imprecise and may be relevant to a
claim against the organisation. A complaint may have other implications that are not
immediately apparent.
It is important that action is taken promptly as legislation dictates that the organisation
has only 40 calendar days to make the disclosure.
4 of 27

Requests for disclosure are normally made to the organisation under legislation covered
in the main by three Acts of Parliament, the subject access provisions of The Data
Protection Act 1998, The Access to Health Records Act 1990 and The Access to
Medical Reports Act 1988.
Applications cannot be made under the Freedom of Information Act for access to
medical records because the information requested is personal information and
therefore exempt under the Act. See 2.4 below.
2 Definitions
2.1 The Access to Health Records Act 1990
This Act has been repealed to the extent that it now only affects the health records of
deceased patients. It applies only to records created since 1st November 1991.
Applications for disclosure of the records of deceased patients should only be granted
to the personal representatives of the estate or to someone having a claim arising out of
the death.
There are additional provisions for withholding disclosure e.g. the deceased person may
have specifically prohibited disclosure or when information was provided in the
expectation that it would not be disclosed to the applicant.
2.2 The Access to Medical Reports Act 1988
The aim of the Act is to allow individuals to see medical reports written about them, for
employment or insurance purposes, by a doctor or clinician who they usually see in a
‘normal’ doctor/patient capacity. This right can be exercised either before or after the
report is sent.
2.3 The Data Protection Act (DPA) 1998
The Data Protection Act gives an individual several rights in relation to the information
held about them.
Access covers the right to obtain a copy of the record in permanent form, unless the
supply of a copy would involve disproportionate effort or the individual agrees that
his/her access rights can be met some other way, for example by viewing the record.
Access must be given promptly and in any event within 40 days of receipt of the fee and
request. If the application does not include sufficient details to identify the person
making the request or to locate the information, those details should be sought promptly
and the 40-day period begins when the details have been supplied.
This right of access is only exercisable by the individual; making a written application to
the organisation holding the records, providing such further information as the
organisation may require to sufficiently identify the individual and paying the relevant
fee.
2.4 The Freedom of Information Act 2000
Personal data of the applicant is exempt under section 40(1) of the Freedom of
Information Act 2000 and these requests will instead be dealt with as Data Protection
Act Subject Access Requests. Personal data of another person is exempt under section
40(2) of the Freedom of Information Act 2000 if disclosure would breach one of the data
protection principles. In the case of the deceased there are limited alternative rights
under the Access to Health Records Act 2000.
5 of 27

2.5 The Human Rights Act 1998
Article 8.1 of the Human Rights Act 1998 provides that “everyone has the right to
respect for his private and family life, his home and his correspondence”. This is
however, a qualified right i.e., there are specified grounds upon which it may be
legitimate for authorities to infringe or limit those rights and Article 8.2 provides “there
shall be no interference by a public authority with the exercise of this right as it is in
accordance with the law and is necessary in a democratic society in the interests of
national security, public safety, or the economic well-being of the country, for the
prevention of disorder or crime, for the protection of health or morals or for the
protection of the rights and freedom of others”.
This is only a précis of the relevant parts of the Acts - for further information or advice
contact the Data Protection Officer.
3 Duties & Responsibilities
This section includes an overview of individual roles, departmental and committee
duties including levels of responsibility.
The Peninsula Community Health Services Chief Executive has delegated overall
responsibility for Subject Access Requests to the Caldicott Guardian and the Data
Protection Officer.
The Data Protection Officer will ensure that links between the Caldicott Guardian,
records management and information governance are maintained.
3.1 Caldicott Guardian
Will oversee all aspects of disclosures in relation to Subject Access Requests
within the organisation with specific attention to disclosures in accordance with
the Confidentiality: NHS Code of Practice 2003.
3.2 Data Protection Officer
Will ensure that systems and procedures are in place to support access to
records across the organisation.
Act as a co-ordinator for all Subject Access Requests arising within Peninsula
Community Health.
Review this policy every three years or more frequently if appropriate taking into
account changes to legislation that may occur and/or guidance from the
Department of Health, the NHS Executive and/or the Information Commissioner
3.3 All Managers
Will ensure that all staff:
Are aware of this Policy and Procedure
Know how to deal with requests for personal / patient identifiable information
Know how to access and store personal/patient identifiable information, manual
and electronic
6 of 27

3.4 All staff
Will be expected to:
Comply with this policy and all related systems and procedures
Attend training
Ensure that all patient / personal identifiable information is accurate, relevant, up
to date, used correctly whether in electronic or manual databases
Ensure that all patient / personal identifiable information is kept secure at all
times
4 Subject Access Request Procedure
4.1 Power to disclose
Before a disclosure of information relating to an individual can made it has to be
established whether there is a power to do so. Such powers exist in law, both common
law and in legislated law such as the Data Protection Act 1998 and the Access to Health
Records Act 1990.
The power also exists through the consent of the person to whom the information
relates.
4.2 Police Power
The police have an important and general power at common law to prevent and detect
crime and the Crime and Disorder Act 1998 introduces a number of measures to control
crime and disorder.
4.3 Request to view CCTV images
If the disclosure of personal information is required for the prevention or detection of
crime and the request is urgent, as in a request by the police to view CCTV images, the
officer’s identity should be confirmed and the viewing allowed. The viewing must be in
the presence of the senior staff member on duty, recorded on the Application for Access
to CCTV image form (Appendix 4) and the viewing restricted to only those people that
need to see it.
Such a disclosure should not generally be allowed to anyone other than a member of a
law enforcement agency and no image, digital or otherwise or copy or recording or
equipment is to be removed from the premises.
If a copy is required then this must be indicated on the application form and the
applicant referred to the Data Protection Officer.
4.4 Request for access to records
In all cases the following procedure is to be followed for any request for access to
records.
All requests for access to records should be made in writing (using Appendix 1 where
necessary) to the relevant manager of the place where the patient received the
services, for example, the hospital, clinic, health office or to:
7 of 27

The Data Protection Officer
Records Management Service
Britannia Lanes Business Centre,
Greenbottom
Chacewater
Truro
Cornwall
TR4 8QW
On receiving a request for information, the following steps should be taken:
Determine if it is a subject access request
Determine whether the persons request will be treated as a routine enquiry or as a
subject access request. Any written enquiry that asks for information we hold about the
person making the request can be construed as a subject access request, but in many
cases there will be no need to treat it as such.
If you would usually deal with the request in the normal course of business, do so. An
example of such a request might be:
“I’ve lost the date of my next appointment. Can you tell me it please?”
This does not need to be dealt with as a SAR as the request relates to the person
asking for the information; however the identity of the requester would need to be
confirmed before providing the date.
The following must be treated as a formal subject access request:
“Please send me a copy of my personal file.”; and
“I am a solicitor acting on behalf of my client and request a copy of their medical
records. An appropriate authority is enclosed.”
If you are in any doubt, seek the advice of the Data Protection Officer.
4.5 On receipt of a telephone call requesting access to health records
The requester must be informed that the request must be in writing and sent the form
entitled “Application for Access to Health Records” (Appendix 1). This form acts to guide
the applicant through the request and advises them as to the legal requirements for
making such a request.
4.6 On receipt of a written subject access request
The request is to be passed to the Locality/Service administrator, or the member of staff
nominated to deal with such requests immediately. If there is a likelihood of delay in
response or the nominated member of staff is unavailable the request is to be
acknowledged in writing, within two days of its receipt, by the member of staff receiving
the correspondence and the applicant informed that the request will be forwarded to the
Data Protection Officer.
The original request must be forwarded to the Data Protection Officer by internal mail as
soon as it is received.
8 of 27

See Appendix 5 for a flow chart of the procedure to be followed when a subject access
request is received by a Locality/Service administrator, or the member of staff
nominated to deal with such requests.
4.7 When received by a Locality/Service administrator or the member of staff
nominated to deal with such requests:
4.7.1 For information on living individuals
If the request applies only to the location where it is received:
1) Retrieve the record.
2) Copy the record and have it checked by the appropriate health professional 1 .
3) Send:
The appropriate health professional checks the record for exempted
material i.e.
data that is likely to cause serious harm to the physical or mental
health of any other individual or
relating to, or provided by an individual, other than the patient, who
could be identified from that information (unless the individual
concerned has consented or where that individual is a health
professional who has been involved in the care of the patient) or
that was provided in the expectation that it would not be disclosed to
the applicant; or information obtained as a result of any examination or
investigation to which the patient consented in the expectation that the
information would not be so disclosed or
where the data subject has expressly indicated that the information
should not be disclosed.
a. The original request;
b. The proof of consent;
c. A copy of the record; and
d. The signed Release Advice Note;
to the Data Protection Officer who will record the Subject Access Request and
send off all the relevant documents to the appropriate locations.
There is no requirement for the hospital/service to keep copies of the Subject
Access Request as it will be stored, archived and appraised by the Records
Management Service.
1 The health professional who is currently or was the most recently responsible for the clinical care of the
data subject in connection with the matters to which the information which is the subject of the request
relates; or b) where there is more than one such health professional who is the most suitable to advise on
the matters to which the information which is the subject of the request relates; or where there is no
health professional available falling within paragraph a) or b) a health professional who has the necessary
experience and qualifications to advise on the matters to which the information which is the subject of the
request relates
9 of 27

4.7.2 For information on deceased patients
The request is to be acknowledged in writing, within two days of receipt, by the member
of staff receiving the correspondence and the applicant informed that the request will be
forwarded to the Data Protection Officer.
The original request must be forwarded to the Data Protection Officer by internal mail as
soon as it is received.
4.7.3 All other requests, including those from the Police.
Although not immediately apparent, these requests are made under the Data Protection
Act 1998.
When made on behalf of a victim of crime they must meet the same requirements listed
above i.e. the request must contain the original written request and/or authority, signed
by the applicant, for the release of their records to the police and the applicant’s
authority for them to act on their behalf.
Section 29 of the Act provides exemptions from the first principle for;
the prevention or detection of crime,
the apprehension or prosecution of offenders, or
the assessment or collection of any tax or duty or of any imposition of a similar
nature,
and section 35 provides exemptions from the non-disclosure provisions of the Act;
where the disclosure is required by or under any enactment, by any rule of law or
by the order of a court; or
where the disclosure is necessaryo
for the purpose of, or in connection with, any legal proceedings (including
prospective legal proceedings), or
o for the purpose of obtaining legal advice,
o or is otherwise necessary for the purposes of establishing, exercising or
defending legal rights.
In the event of any such request, the requester e.g. Police, HM Revenue and Customs,
Local Counter Fraud Specialist, NHS Protect, Nursing and Midwifery Council etc, must
be referred direct to The Data Protection Officer.
4.7.4 Requests relating to a pending litigation claim
Where it is considered that a claim against an organisation may arise or one has been
notified (pre-action disclosure), it may be the first indication that an incident has
occurred. The incident reporting system should already have alerted the organisation to
a potential claim but where any claim has not been previously reported as an incident, it
should immediately be reported so, in order that the investigation of the claim and the
incident can proceed as a single process to ensure compliance with time limits. Note
however that if any investigation has such a dual purpose, the documents arising from it
are likely to be open to disclosure in subsequent litigation.
On receiving a pre-action disclosure the Data Protection Officer will inform the Company
Secretary of the notification immediately. Copies of the disclosure will be forwarded to
the Company Secretary for litigation purposes.
10 of 27

The Company Secretary will nominate a manager to deal with the litigation who will first
request the local Clinical Manager to ensure that all relevant originals of medical
records, supplementary documents, recordings, charts etc are collated and retained
until the conclusion of the claim. A copy must then be made of the entire medical
records so that the retained original can be kept for clinical purposes. If the patient is
still receiving treatment/care, the local Clinical Manager must send a copy of any new
medical record as it occurs, to be added to the copy held by the organisation’s Litigation
Manager. Time taken at this stage to produce and maintain a good copy will reduce the
scope for claimant solicitors to generate further queries for requests and clarification.
The local Clinical Manager may also be asked to request further information from the
relevant clinicians e.g. opinion on the allegations, analysis of the treatment provided,
any adverse outcome or other irregular feature of the case.
All of this information will be used by the Litigation Manager to generate the Preliminary
Analysis required by the NHS Litigation Authority.
These requests are to be acknowledged and the applicant informed that the request will
be forwarded to the Litigation Manager.
The Data Protection Officer will respond to any requests by the Litigation Manager in
the provision of any relevant records.
4.7.5 All other requests
These may include requests from or relating to -
Department of Social Security
Criminal Injuries Compensation Authority (CICA)
War Pensions Department – Veterans Agency
Insurance companies
Consultants from outside the Organisation
Patients on Clinical Trials (often want to know what happened to the patient
years later)
These should be sent direct to the Data Protection Officer.
The Data Protection Officer will:
Check to ensure that all the details have been completed fully and correctly by
the applicant or by the applicant’s representative.
The records should be disclosed within calendar 40 days of receipt of a
completed application form and/or fee. However if the patient has been treated or
their medical records have been updated during the 40 days immediately
preceding the application, no search fee is applicable.
A record of the request will be kept and updated accordingly.
Co-ordinate copies of all the relevant records and consult where necessary, an
appropriate health professional asking for advice on the disclosure or reasons for
exemptions. There are 5 statements of approval/rejection of access on the form
(please see the Appendices), which the health professional must consider to
either accept or reject the request.
11 of 27

The health professional’s advice must be provided by the appropriate health
professional on the advice form, Appendix 1.
Subject to any applicable exemption, the applicant must be given a copy of the
information and, where the data is not readily intelligible, an explanation (e.g. of
abbreviations or medical terminology).
If access is approved, all requested health records must be collected and
collated by the Data Protection Officer or the member of staff who has the
delegated authority to carry out this procedure who will forward copies to the
requester; or arrange a meeting for the patient to come in and examine his/her
records. No original records are to be forwarded to the requester.
An invoice will be raised when the copies are sent out, if applicable. Please refer
to Appendix 1 regarding charges.
All the information regarding the request and a record of the activity in relation to
the request must be logged on a central database held by the Data Protection
Officer in order to ensure adherence to the 40 working day time limit.
Note: If a hard copy or electronic recording of the health record cannot be provided,
then every effort should be made to provide an explanation. Applicants may be invited
to attend the department and view the record or recording in person.
Debtor's invoice requests will be forwarded to:
Shared Financial Services
Cornwall Partnership Trust
Porthpean Road
St Austell
Cornwall
PL26 6AD
The Data Protection Act 1998 requires the relevant fee to be paid before the disclosure.
We do not, except in special circumstances, insist on the fee being received before the
records are released. If you have any concerns about this or the request in general,
please contact the Data Protection Officer.
If no permanent record is requested, no fee for access may be made to records that are
accessible and contain at least some entries made in the 40-day time period preceding
the request, and not, nor intended to be, automatically processed. A fee of £10 may be
charged for viewing records that have not been added to in the 40 days prior to the
access request.
5 Confidentiality
Each member of staff has a duty to observe the policy of maintaining confidentiality at
all times.
Staff should not discuss individual patients among themselves and must be particularly
discreet in patient areas.
Individual patients should not be identified during training or other health service
activities.
12 of 27

6 Legal Advice
If staff have any queries regarding a request for access to health records or the
operation of this Policy and Procedure document, advice should immediately be sought
from the Data Protection Officer.
7 Risk Management Strategy Implementation
7.1 Implementation & Dissemination
This policy and procedure will be rolled out through the organisation by the
Data Protection Officer through the Information Governance Sub Committee.
Relevant individuals who will be expected to receive or deal with subject
access requests will be sent the policy and procedure by their line manager.
7.2 Training and Support
No formal training has been identified. However, further training and support
can be obtained from the Records Management Team who plan to arrange
regular training sessions.
7.3 Document Control & Archiving Arrangements
Once ratified, this policy will be loaded to the documents library. Any
previous versions will be electronically archived by the Policy Administrator in
the electronic Policy Drive Archive Folder.
A signed hard copy of the policy will be forwarded to the Policy Administrator
and an electronic copy will be saved by the Policy Administrator in the
electronic Policy Drive. Further copies of current and archived policies can be
obtained from the Policy Administrator including versions in large print, Braille
and other languages.
7.4 Equality Impact Assessment & Human Rights Act
Peninsula Community Health aims to design and implement services, policies
and measures that meet the diverse needs of our service, population and
workforce, ensuring that none are placed at a disadvantage over others.
This policy has taken into account the rights and responsibilities placed under the
Human Rights Act (1998) and in particular Article 8: “The right to respect for
private and family life, home and correspondence.”
As part of its development, this strategy and its impact on equality have been
assessed. The assessment is to minimise and if possible remove any
disproportionate impact on employees on the grounds of race sex, disability, age,
sexual orientation or religious belief. No detriment was identified.
8 Process for Monitoring Effective Implementation
The organisation will regularly monitor its subject access request practices for
compliance with this framework.
The Data Protection Officer will Audit subject access request databases and systems
and:
identify areas of operation that are covered by organisational policies and identify
which procedures and/or guidance should adhere to the policy;
13 of 27

follow a mechanism for adapting the policy to cover missing areas if these are
critical to the creation and use of records, and use a subsidiary development plan
if there are major changes to be made;
set requirements by implementing new procedures, including obtaining feedback
where the procedures do not match the desired activity; and
highlight where non-conformance to the procedures is occurring and suggest a
tightening of controls and adjustment to related procedures.
Local areas and services will audit their own practices from time to time, at least
annually to measure compliance with this policy or in light of future requirements.
9 Associated Documentation
This document references the following supporting documents which should be referred
to in conjunction with the document being developed -
CCTV Policy
Data Protection Policy
Recordings Policy
Freedom of Information Policy
Records Management Policy
Overarching Information Governance Policy
Anti-Fraud and Bribery Policy
14 of 27

Appendix 1
Subject Access Request Application form (Health Records)
You are entitled to apply for access to your health records or to those of a deceased
patient. Such requests for disclosure are normally made under legislation covered in the
main by two Acts of Parliament:
1. The Data Protection Act 1998, which gives you the right to see or have a copy of
what records we hold on you. The application is made by:
making a written application to the holder the record(s), Peninsula Community
Health hold records relating to adult health care within the Cornwall and Isles of
Scilly community, not those from GP’s or the Royal Cornwall Hospital, Cornwall
Partnership Foundation or Plymouth Hospital Trusts;
providing such further information as required to sufficiently identify you; and
paying the relevant fee.
This is not a general right of access however, it is a restricted right and the following
circumstances could limit your access:
If the record contains third-party information (ie not about the you or the treating
clinician) where that third party is not a healthcare professional and has not
consented to their information being disclosed. If possible, you will be provided with
access to the part of the record that does not contain the third-party identifier;
If access to all or part of the record will seriously harm the physical or mental wellbeing
of you or any other person. If possible, the individual should be provided with
access to that part of the record that does not pose the risk of serious harm.
2. The Access to Health Records Act 1990, if you are the personal representative of
the estate or someone having a claim arising out of the death. Again this is not a
general right of access however, it is a restricted right and the following
circumstances could limit your access:
If there is evidence that the deceased did not wish for any or part of their information
to be disclosed; or
If disclosure of the information would cause serious harm to the physical or mental
health of any person;
If disclosure would identify a third party (i.e. not the patient nor a healthcare
professional) who has not consented to that disclosure; and
If disclosure would release information which is not relevant to the claim.
Applications cannot be made under the Freedom of Information Act 2000, for access to
medical records because the information requested is personal information and
therefore exempt under the Act under section 40(1) & (2).
The organisation will keep your personal details on a database. This information will be
kept confidential and is subject to the Data Protection Principles. We will only hold this
information to enable us to deal with your request and any follow-up issues or
complaints. We will not use the information for any other purposes without your
permission. It will be used for the purpose of carrying out the search for your information
in accordance with Section 7 of the Data Protection Act 1998.
15 of 27

There is no minimum age for applications. Children can apply for their own records
provided they are capable of understanding the nature of the request.
Parties with parental responsibility can apply for and obtain access, within the existing
rules, independently of any other party with parental responsibility.
Peninsula Community Health is only responsible for providing information which is
created and held by us. If you feel you would like to discuss your information request
further please telephone the Data Protection Officer on 01872 562790.
16 of 27

Application for Access to Health Records
If you are the patient applying to see your own records, please complete sections 1,
4 and 6.
If you are applying on behalf of the patient, please complete sections 1, 2, 4, and 6.
Please ensure that the patient has completed and signed section 3 in order for you
to act on their behalf.
1. Details of Patient
Surname............................................................................. Date of Birth (DD/MM/YY).............
Previous Surname (if applicable)........................................ Address ........................................
Fore Name(s) ..................................................................... ......................................................
Contact Tel. No................................................................... Post Code.....................................
2. Details of Applicant
(Please complete this section if you are NOT the patient detailed in Section1 but
authorised to act on their behalf according to Section 3 below)
Surname............................................................................. Address ......................................
Fore Name(s) ..................................................................... ....................................................
Company (If applicable)...................................................... ....................................................
Contact Tel. No................................................................... Post Code...................................
□ I am acting on behalf of the patient (see 3 below)
□ I have parental authority and the subject:
□ Has consented to this request; or
□ Is incapable of understanding the nature of the request.
□ I am the deceased patient’s representative and attach confirmation of my
appointment (i.e. letters of administration or grant of probate)
□ I have a claim arising from the patient’s death and wish to access information
relevant to my claim. (Please state the grounds of the claim on a separate sheet)
2. Signature giving consent to the applicant to access your records
(Please complete this section to authorise the person identified in Section 2 to act of
your behalf)
I hereby authorise Peninsula Community Health to release personal data detailed in
Section 4 below to the person detailed in Section 2 above.
Name.................................................................................. Signed ......................................
(Block capitals) ................................................................... Date ..........................................
17 of 27

4. Access Request
Important Note: Under the Data Protection Act 1998 you do not have to give a reason
for applying for access to your personal information. However, to help us save time and
resources, it would be helpful if you could provide details below, informing us of where
and when treatment / services was received along with details which you may feel
relevant, such as previous names, addresses etc.
Please provide as much information as possible and specify if you only require a
particular part of your personal information. Please use another blank sheet if
necessary.
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
5. Identification
If the subject of the disclosure request is an adult, the applicant may be required to
provide proof of identity and address. Suitable evidence would be a passport, driving
licence or utility bill.
If the subject is a child, we may require a photocopy of their birth certificate or proof of
parental responsibility.
If you are requesting on behalf of someone else, but are not the patient’s legal
representative, we may require identification from both parties.
If you are the deceased patient’s representative we will require confirmation of your
appointment (i.e. letters of administration or grant of probate)
Authorisation
I have read this form and authorise a subject access request to be carried out. I
understand that a fee may be required prior to release of any information. I declare that
the information given by me is correct to the best of my knowledge and that I am entitled
to apply for access to the personal data detailed above.
Applicant’s Signature:....................................................... Date: ..................................
Please send this completed form to:
The Data Protection Officer
Peninsula Community Health
Britannia Lanes Business Centre
Greenbottom
Chacewater
Truro
Cornwall TR4 8QW
18 of 27

Scale of Charges:
Please do not send payment with this application. You will be sent an invoice if
appropriate.
Applications under the Data Protection Act 1998:
There will be no charge for viewing records if they have been updated in the previous
40 days.
For providing a copy of a computerised record £ 10.00
For providing copies of healthcare records
held partially or entirely on paper £ 50.00
Plus per copy sheet (whether single or double sided) 20 p
Postage and packing as appropriate
Please note that there is a maximum limit on charges for providing copies of health
records under the Data Protection Act 1998 of £ 50.00
Applications under the Access to Health Records Act 1990:
There will be no charge for viewing records if they have been updated in the previous
40 days.
If the records have not been updated in the last 40 days, the maximum charge for
viewing, whether the records are stored on computer or in another form, such as paperbased
records is £ 10.00
For providing copies of healthcare records
held partially or entirely on paper £ 50.00
Plus per copy sheet (whether single or double sided) 20 p
Postage and packing as appropriate
Please note that there is no maximum limit on charges for providing copies of health
records under the Access to Health Records Act 1990, the fee including copies may
exceed £50.00 for large or multiple volume case notes.
19 of 27

Appendix 2
9.1 Access to Health Records Act 1990 Advice Form (Request for advice)
Our Ref:
Date
Appropriate Health Professional
Location
Data Protection Officer
Britannia Lanes Business Centre
Chacewater
Truro
TR4 8QW
An application has been made for a copy of all the health records in our possession
relating to Deceased Person, DOB the claim relates to his/her Reason for making
claim.
I believe that one of the records PCH holds was created by your Locality/Service Under
the Access to Health Records Act 1990 and I am required to take advice from the
appropriate health professional before I decide whether or not to provide access to a
deceased patients record. Could you please arrange for the record to be reviewed by
the appropriate health professional and a copy sent to me as soon as possible via the
NHS Courier Service with this request appropriately signed at the foot of the page.
If the record includes any note, made at the patient’s request, that they did not wish
access to be given on such an application please send the full record to me.
If in the opinion of the appropriate health professional, release of the record or any part
of the record would disclose;
a) Information likely to cause serious harm to the physical or mental health of any
other individual; or
b) Information relating to, or provided by an individual, other than the patient, who
could be identified from that information (unless the individual concerned has
consented or where that individual is a health professional who has been
involved in the care of the patient).
Please copy the relevant record so as to exclude the information to which there is no
right of access and send the prepared copy to me.
If, in the opinion of the appropriate health professional there is information in the record,
that was provided by the patient in the expectation that it would not be disclosed to any
applicant; or information obtained as a result of any examination or investigation to
which the patient consented in the expectation that the information would not be so
disclosed; or which is not relevant to any claim which has arisen out of the patient’s
death then this information should also be excluded.
20 of 27

I have reviewed the following record(s) (Type of record e.g. District Nurse, Health
Visitor)
…………………………………………………………………………………………………
I can advise that the record contains no information that would prohibit its release.
I can advise that the record contains no information relevant to the above stated
claim.
I can advise that the record contains information that should be excluded. Please
provide your advice below or on an attached note.
Delete as appropriate.
Signed…………………………………… Name………………………………… (Print)
Designation…………………………………
Date…………………………………
21 of 27

Appendix 3
9.2 DPA 1998 Advice Form (Request for advice)
Our Ref:
Date
Appropriate Health Professional
Locality
Data Protection Officer
Britannia Lanes Business Centre
Chacewater
Truro
TR4 8QW
An application has been made under the Data Protection Act 1998 for a copy of health
records relating to Name of Person - DOB dd/mm/yyyy
I believe that one of the records PCH holds (Name of locality/date etc) was created by
your Locality/Service. It is my duty, where the disclosure relates to the physical or
mental health or condition of the data subject to consult with the appropriate health
professional before I decide whether or not to provide access to the record. Could you
please arrange for the record to be reviewed by an appropriate health professional and
a copy sent to me as soon as possible via the NHS Courier Service with this request
certificated at the foot of the page.
If in the opinion of the appropriate health professional, release of the record or any part
of the record would disclose Information;
a) Likely to cause serious harm to the physical or mental health of any other
individual; or
b) Relating to, or provided by an individual, other than the patient, who could be
identified from that information (unless the individual concerned has consented or
where that individual is a health professional who has been involved in the care
of the patient); or
c) That was provided in the expectation that it would not be disclosed to the
applicant; or information obtained as a result of any examination or investigation
to which the patient consented in the expectation that the information would not
be so disclosed; or
d) Where the data subject has expressly indicated that the information should not
be disclosed.
Please copy the relevant record so as to exclude the information to which there is no
right of access and send the prepared copy to me along with this advice. If in doubt,
contact the Data Protection Officer.
If any of the information in the copy is not intelligible without explanation, an explanation
of that information must be provided, e.g. where the information is in coded form which
cannot be understood without a key, a key to the code must be provided.
22 of 27

I have reviewed the following record(s) (Type of record e.g. District Nurse, Health
Visitor)
…………………………………………………………………………………………………
I can advise that the record contains no information that would prohibit its release.
I can advise that the record contains information that should be excluded. Please
provide your advice below or on an attached note.
Delete as appropriate.
Signed………………………………………………...Name…………………………(Print)
Designation………………………………………………Date………………………………
23 of 27

Appendix 4
SUBJECT ACCESS REQUEST
9.3 Application for Access to CCTV Image
PLEASE USE BLOCK CAPITALS TO COMPLETE THIS FORM
The Data Protection Act 1998 provides Data Subjects (individuals to whom “personal
data” relates) with a right to access data held about themselves, including data held on
Closed Circuit Television (CCTV) systems.
To enable us to deal promptly with your request for access, please complete the form,
giving as much information as possible to help us identify your personal data.
1 Why CCTV images are requested 2
Please tick the applicable box:
You represent the police or other law enforcement agency, and the images
are required to prevent/detect a crime and/or identify, apprehend or
prosecute offenders.
You represent a prosecution agency and require the images to prosecute an
offender.
You have legal power to act on behalf of the data subject.
You are the person who’s image is held on the CCTV
2 Title, name and address of the applicant
......................................................................................................................................
......................................................................................................................................
......................................................................................................................................
......................................................................................................................................
Please give your daytime telephone number.................................................................
If you are the Data Subject (The person whose information is held by us) please
complete the following.
Date of birth……………………………..…..................
Male/Female (Please delete)
2 In compliance with the Data Protection Act 1998 ss 29, 35 and 7
24 of 27

Are you the data subject?
(The person to whom the personal data relates)
Yes / No
IF “YES” PLEASE GO DIRECT TO QUESTION 5
IF NO please answer the following
3 Do you have the data subject’s written authority or confirmation of your
entitlement to act on the data subject’s behalf? YES/NO (please delete).
If “YES” please attach a copy of the authority and enter the details required for the data
subject in Question 5.
If “NO” please state the purpose of the request?
..........................................................................................................................................
..........................................................................................................................................
..........................................................................................................................................
..........................................................................................................................................
4 Details of Data Subject
Enter the data subject’s title, name, address, date of birth and gender in the space
provided:
Male/Female (Please delete)
..........................................................................................................................................
..........................................................................................................................................
..........................................................................................................................................
5 TO BE COMPLETED BY ALL APPLICANTS
In order for us to identify what data you require access to, please provide the following
information:
1. The exact date, time and location of the CCTV system containing the footage
required:
..........................................................................................................................................
..........................................................................................................................................
2. Information sufficient to enable identification of the Data Subject (a full description
including clothing and/or a photograph. Use a separate sheet of paper if necessary).
..........................................................................................................................................
..........................................................................................................................................
3. Will you need a copy of the images? YES / NO
25 of 27

6 Declaration
I understand that it may be necessary for Peninsula Community Health to obtain more
detailed information in order to be satisfied as to my / the data subject’s identity or
locate my / the data subject’s personal data.
I certify that I am the data subject or authorised to represent the company / organisation
/ person listed above and the images are requested in connection with the prevention /
detection of a crime, the apprehension or prosecution of offenders, criminal proceedings
or public safety.
Signed: .............................................................................. Dated: .....................................
Position/Rank ....................................................................................................................
Under the terms of the Data Protection Act 1998, we have 40 days to comply with your
request. The processing commences when we receive your completed form and advise
you that a fee of up to £10 may be charged.
Please note that in the event that information supplied would seriously prejudice the
prevention or detection of crime, Peninsula Community Health have the right under the
Data Protection Act to refuse requests for access.
Return this form to The Data Protection Officer, Peninsula Community Health, Britannia
Lanes business Centre, Greenbottom, Chacewater, Truro TR4 8QW
Peninsula Community Health Staff use only
Member of Staff authorising
Name…………………………………………………………….........……… (Print name)
Designation ………………………………………………….........……………………........
Location of viewing ………………………………….........…………………………………
Persons present ..........................................................................................................
......................................................................................................................................
Viewing started …………….……AM/PM and ended………………………...... AM/PM
Copy made YES / NO
by………………………………………..……... (Print name)
Signed…………………………………Date……........………Time………………AM/PM
Sent to The Data Protection Officer, Peninsula Community Health, Britannia Lanes
Business Centre, Greenbottom, Chacewater, Truro TR4 8QW on ………………Date
26 of 27

Appendix 5
1.1 Subject Access Request received by Hospital / Service
If a living individual
If a deceased patient
If the request
applies only to
your
location / Service
Retrieve the record and
obtain the advice of an
appropriate health professional
as to whether the record
contains exempted material.
If the request applies
to multiple
locations/Services e.g.
requests for all
records relating to an
individual
Requests from
Police
Forward to
Data Protection Officer
Britannia Lanes Business
Centre,
Chacewater, Truro
TR4 8QW
01872 562790
The appropriate health professional checks the
record for exempted material i.e. data:
likely to cause serious harm to the physical or
mental health of any other individual; or
relating to, or provided by an individual, other
than the patient, who could be identified from
that information (unless the individual
concerned has consented or where that
individual is a health professional who has
been involved in the care of the patient); or
that was provided in the expectation that it
would not be disclosed to the applicant; or
information obtained as a result of any
examination or investigation to which the
patient consented in the expectation that the
information would not be so disclosed; or
where the data subject has expressly indicated
that the information should not be disclosed.
Prepare a copy of the record removing or
indicating exempted data and
Sign the Subject Access Requests Advice
form.
Send:
the original request;
proof of consent;
a copy of the record; and
the signed Advice form;
to the Records Management
office.
There is no need for you to
keep copies as the
original record will remain with
you.
In the event that the request
cannot be forwarded within 10
working days – could you
please inform the Records
Management office as to the
nature and subject of the
request, the requester’s
details and the reason for the
delay in responding.
27 of 27

Initial Equality Impact Assessment Screening Form
Initial Equality Impact Assessment
Pro Forma

Section Governance Officer responsible for the
assessment
Alan Gerrish, Records Manager
Data Protection Officer
Name of Policy to
be assessed
Subject Access Request Policy and
procedure
Date of
Assessment 19/05/2009
Is this a new or existing
policy?
New
1. Briefly describe the aims, objectives and
purpose of the policy.
This Policy and Procedure sets out how NHS Cornwall and Isles of Scilly and NHS
Cornwall and Isles of Scilly Community Health Services staff will manage Subject
Access Requests effectively and ensure procedures are in place to deal with subject
access requests under The Access to Health Records Act 1990 (AHR), The Access
to Medical Reports Act 1988 (AMR) and The Data Protection Act (DPA) 1998.
This policy aims to improve the uniformity of procedures used in complying with
relevant legislation in respect of Subject Access Requests.
2. Are there any associated objectives of
the policy? Please explain.
3. Who is intended to benefit from this
policy, and in what way?
4. What outcomes are wanted from this
policy?
An associated objective is that both organisations achieve compliance with
Standards for Better Health, the Information Governance Toolkit and national
standards.
Members of the public, patients and staff by improving the uniformity of procedures
used in complying with relevant legislation in respect of Subject Access Requests.
Adoption of consistent policy and procedures across the community will improve the
service to the public, patients and staff.
5. What factors/forces could
Failure of staff to follow policy and procedure resulting in litigation and loss.
contribute/detract from the outcomes?
6. Who are the main
stakeholders in relation to
the policy?
Community Services Staff
7. Who implements the policy,
and who is responsible for the
policy?
Records Manager
Data Protection Officer
8. Are there concerns that the policy could
have a differential impact on RACIAL
groups?
No The policy reflects the current legislation, which is designed to protect the
rights of all, irrespective of racial groups.
What existing evidence (either presumed or
otherwise) do you have for this?
There are no sections within the Policy and Guidelines that distinguish between any
racial groups. The responses in relation to request for information are dealt with
under The Data Protection Act 1998, The Access to Health Records Act, The
Human Rights Act 1998, Freedom of Information Act 2000 and other related

legislation.
9. Are there concerns that the policy could
have a differential impact due to GENDER
(including TRANSGENDER)?
No
The policy reflects the current legislation, which is designed to protect the
rights of all, irrespective of gender.
What existing evidence (either presumed or
otherwise) do you have for this?
There are no sections within the Policy and Guidelines that distinguish between
gender or transgender. The responses in relation to request for information are dealt
with under The Data Protection Act 1998, The Access to Health Records Act, The
Human Rights Act 1998, Freedom of Information Act 2000 and other related
legislation.
10. Are there concerns that the policy could
have a differential impact due to
DISABILITY?
No
There is no specific concern in relation to disability. Legislation dictates
that requests must be made in writing. However they may be made in
many formats, accounting for disabilities.
What existing evidence (either presumed or
otherwise) do you have for this?
11. Are there concerns that the policy could
have a differential impact due to SEXUAL
ORIENTATION?
What existing evidence (either presumed or
otherwise) do you have for this?
No request has been refused on the grounds of the applicant being disabled.
No
Sexual orientation is not relevant to the subject of this policy.
No references to sexual orientation are made within the legislation governing this
policy.
12. Are there concerns that the policy could
have a differential impact due to their AGE?
No
Age is dealt with considerably within legislation and children receive
special focus in legislation. Confidentiality is a main factor in dealing with
all requests, especially when dealing with children and the elderly as they
may/may not have the capacity to understand the nature of the request.
What existing evidence (either presumed or
otherwise) do you have for this?
The Data Protection Officer receives advice from Children Services on all requests
for access to children records.

13. Are there concerns that the policy could
have a differential impact due to their
RELIGIOUS BELIEF?
No
Religious beliefs are not relevant to the subject of this policy
What existing evidence (either presumed or
otherwise) do you have for this?
No references to Religious beliefs are made within the legislation governing this
policy.
14. Could the differential
impact identified in 8 – 13
amount to there being the
potential for adverse impact
in this policy?
15. Can this adverse impact
be justified on the grounds of
promoting equality of
opportunity for one group?
Or any other reason?
16. Should the policy
proceed to a full equality
impact assessment?
No
No
No
There is no differential impact identified.
Not applicable.
Signed (completing officer) ……………………………………………………….. Date
Signed (Head of Section) ……………………………………………………….. Date
Please ensure that a signed copy of this form is sent to both the Policies Lead and the Equality and Diversity lead to be
placed on the Community Health Services website.