Subject Access Request Policy

(1)

Trust Policy

Subject Access Request Policy

WAHT-CG-764 Page 1 of 23 Version 2

Subject Access Request

Policy

Department / Service:

Corporate

Originator:

Company Secretary

Accountable Director:

Director of Nursing

Approved by:

Information Governance Steering Group Trust Management Committee

Date of approval:

26th August 2015

First Revision Due:

26th August 2017

Target Organisation(s)

Worcestershire Acute Hospitals NHS Trust

Target Departments

All

Target staff categories

All

Policy Overview:

This policy sets out the Subject Access Requests (SAR) processes that are in place to deal with Subject Access Requests under the Data Protection Act (1998) and the Access to Health Records Act (1990)

Latest Amendments to this policy:

Updated into the most recent Trust Policy format

Updated SAR Health Records Guidance and Application included Reporting structure and other minor amendments included

(2)

Trust Policy

Contents page:

1. Introduction

2. Scope of this document 3. Definitions

4. Responsibility and Duties 5. Policy detail

6. Implementation of key document 6.1 Plan for implementation 6.2 Dissemination

6.3 Training and awareness 7. Monitoring and compliance 8. Policy review

9. References 10. Background

10.1 Equality requirements 10.2 Financial Risk Assessment 10.3 Consultation Process 10.4 Approval Process 10.5 Version Control

Appendices

Appendix 1: Flowchart for SAR

Appendix 2: Guidance notes for Subject Access Requests, Health Records applicants Appendix 3: Guidance on charges and payments

Appendix 4: Employment Records SAR Form Appendix 5: Template SAR Form

Appendix 6: Template Letter (A) Appendix 7: Template Letter (B)

Supporting Documents

Supporting Document 1 Equality Impact Assessment Supporting Document 2 Financial Risk Assessment

(3)

Trust Policy

1. Introduction

A Subject Access Request (SAR) is a request from a person asking an organisation to provide them with information relating to that person which is held or processed by the organisation.

Individuals have a right under the Data Protection Act 1998 to make a request in writing for a copy of the information we hold about them, both in electronic format and in paper. In respect of

deceased patients, the application can be made by their personal representative under the Access to Health Records Act 1990.

The disclosure request may be direct (for a copy of health records for example) or may form part of an investigation (a request for a statement by the Police). They may be vague or imprecise and may be relevant to a claim against the organisation.

It is important that action is taken promptly as legislation dictates that the organisation has only 40 calendar days to make the disclosure.

Applications for information of a personal nature cannot be made under the Freedom of Information Act 2000.

2. Scope of this document

This policy deals with the rights of data subjects provided under Section 7 of the Act whereby individuals can request access to their personal data.

This policy applies to all requests for access to personal data held by the Trust. This applies to anyone about whom the Trust holds information – including staff, ex-staff, patients and other service users.

This policy will provide a framework for the Trust to ensure compliance with the Data Protection Act 1998 and the Access to Health records Act 1990. This policy is supported by operational

procedures and activities connected with the implementation of Subject Access Requests, as detailed in appendix 1- 8

3. Definitions

Health Record A ‘health record’ is defined in the act as being any record which consists of information relating to the physical or mental or condition of an

individual, and has been made by or on behalf of a health professional in connection with the care of that individual. The definition can also apply to material held on an x-ray or an MRI scan. This means that when a subject access request is made, the information contained in such material must be supplied to the applicant within the fee structure. Data Recorded information, whether stored electronically on computer or in

paper-based filing systems

Personal Data The information is about an identifiable individual. This can be factual, such as name and address, or it can be an opinion about the individual Data Subjects The person the information is about and who can be identified from that

information. All data subjects have certain legal rights in relation to their personal information.

4. Responsibility and Duties

(4)

Trust Policy

The Head of Legal Services has responsibility for ensuring all Subject Access Requests regarding health records are actioned.

The Patient Services Manager has responsibility for ensuring all Subject Access Requests regarding complaints are actioned.

The Head of Clinical Governance & Risk Management has responsibility for ensuring all Subject Access Requests regarding patient safety incidents and alerts are actioned.

The Head of Human Resources (Resourcing) is responsible for requests by employees or ex-employees for copies of their personal employment files (this includes both medical and non-medical staff)

All managers must ensure their staff are aware of this policy and procedure and know how to deal with requests for personal/patient identifiable information.

Appendix 3 provides information on charges and payments.

5.

Subject Access Request Process

See appendix 1 for a flowchart for all SAR requests

See appendix 2 guidance for guidance from the Legal Services Dept for Health Records See appendix 3 for guidance on charges and payments

See appendices 4-6 for template forms See appendices 7-8 for template letters

The Access to Health Records Act 1990

This act has been repealed to the extent that it now only affects the health records of deceased patients. It applies only to records created since 1st November 1991.

Applications for disclosure of records for deceased patients should only be granted to the personal representative of the estate or to someone having a claim arising out of the death

The Data Protection Act 1998

The Data Protection Act gives an individual several rights in relation to the information held about them. Access gives them the right to obtain a record in permanent form.

Requests will be monitored through reporting to the Information Governance Steering Group (IGSG)

6. Implementation

6.1 Plan for implementation

The Company Secretary will ensure that this policy is sent to all directorate managers within the Trust. It is their responsibility to ensure that all staff groups within their area are directed to this policy.

The Head of Legal Services will ensure that all requests for health records are logged and processed to meet the required timescales for completion.

For all other areas where these types of requests are processed, (such as Patient Services, Patient Safety, Human Resources) details must be recorded in a central log held with the Company Secretary and include timescales and when the request has been completed.

(5)

Trust Policy

Staff involved with requests must be trained and be aware of the process to ensure they respond to meet the requirements and timescales detailed in the policy.

6.2 Dissemination

This policy will be published on the Trust’s Intranet. It is the responsibility of line managers to ensure that members of staff are made aware of this policy. New members of staff are advised during their induction process to look at the Trusts Internet and Intranet to ensure that they read and have a good working knowledge of all relevant policies, strategies, procedures and guidelines. The Company Secretary will ensure that the policy is placed on the Trust’s Weekly Brief once approved.

6.3 Training and awareness

Annual Information Governance training is mandatory for all staff. Any staff responsible for handling Subject Access requests must be aware of their responsibilities.

Departmental training is given to Legal Services staff responsible for actioning subject access requests for Health Records

7. Monitoring and compliance

This policy will be monitored through summary updates to the Information Governance Steering Group (IGSG) from the xxx and the Head of Legal Services. Where requests are not managed within the agreed timescales and standard, the steering group will request actions and monitor the improvement.

(6)

Trust Policy

Page/ Section of Key Document

Key control: Checks to be carried out to confirm compliance with the Policy: How often the check will be carried out: Responsible for carrying out the check: Results of check reported to:

(Responsible for also ensuring actions are developed to address any areas of non-compliance)

Frequency of

reporting:

WHAT? HOW? WHEN? WHO? WHERE? WHEN?

Section 5 Requests will be monitored through reporting to the Information Governance Steering Group (IGSG)

Reports to the IGSG Twice Yearly

IG Manager IGSG Twice

(7)

Trust Policy

8. Policy Review

The Information Governance Steering Group will review this strategy on a bi-annual basis. Where national policy or legislation dictates change, review will be carried out at an earlier point if appropriate.

9.

References:

Code:

Data Protection Act 1998

Access to Health Records Act 1990 Freedom of Information Act 2000 Trust Information Governance Policy

10. Background

10.1 Equality requirements

None - equality assessment Supporting Document 1

10.2 Financial risk assessment

None - financial risk assessment Supporting Document

10.3 Consultation

The policy has been updated by the Information Governance Manager with input from the Information Governance Steering Group members.

Contribution List

This key document has been circulated to the following individuals for consultation;

Designation

Director of Resources/SIRO (Chair) Director of Asset Management and ICT Information Governance Manager Information Governance Officer

Head of Human Resources - Workforce Deputy Director of Nursing

Head of Legal Services

IT Operations Manager (on behalf of WHITS Director of IT) Head of Risk Management and Clinical Governance Chief Medical Officer – Caldicott Guardian

Company Secretary

This key document has been circulated to the chair(s) of the following committee’s / groups for comments;

Committee

Information Governance Steering Group Trust Management Committee

(8)

Trust Policy

10.4 Approval Process

This strategy will be approved by the Trust Management Committee bi-annually. 10.5 Version Control

This section should contain a list of key amendments made to this document each time it is reviewed.

Date Amendment By:

Feb 2013

Policy Created IG Manager

May 2015

Updated into the most recent Trust Policy format

Updated SAR Health Records Guidance and Application included

Reporting structure and other minor amendments included

(9)

Appendix 1 SAR Flowchart

Guidance 2015 Dealing with Subject Access Requests – if not sent directly to correct department

Telephone calls received from a PATIENT requesting access to their Health Records should be directed to the Access to

Health dept, ext 43850

Telephone calls received from a EX/MEMBER OF STAFF requesting access to their employment/occupational health records should be

directed to Human Resources on 01905 760409 Telephone Requests Telephone calls received from a PATIENT/EX/MEMBER OF

STAFF requesting access to their complaints records should be directed to the

Patient Services dept, 0300 123 1732 Telephone calls

received from a PATIENT requesting access to their Patient Safety records should be directed to the

patient safety dept, ext 33089

All other telephone calls regarding Subject Access

Requests that do not fit within any of the four criteria shown here, should be directed to the Company

Secretary on via switchboard

A request is received from a PATIENT requesting access to their

Health Records Letter are placed in an envelope and addressed to

Legal Services Dept, Alexandra Hospital,

A request is received from a EX/MEMBER OF STAFF requesting access to their employment/occupational therapy records should be directed to Human Resources,

Aconbury East WRH Written Requests A request is received from a PATIENT/EX/MEMBER OF

STAFF requesting access to their complaints records should be directed to the

Patient Services dept, Kidderminster Hospital A request is

received from a PATIENT requesting access to their Patient Safety records should be directed to the

Patient Safety dept, Aconbury East

WRH

All other requests regarding Subject Access Requests that do not fit within any of the four criteria shown here, should be directed to

the Company Secretary, WRH

(10)

Appendix 2 Health Records SAR Guidance

APPLICATION FOR COPIES OF HEALTH RECORDS

NOTES FOR APPLICANTS

Ensure you read these guidance notes before completing the Application Form

An incomplete form or a failure to provide the required identify / legal documents will result

in the application not being processed or being delayed

Charges for processing your application

The Data Protection Act 1998 allows for a charge to be applied for this service up to a maximum of

£50.00.

Requests relating to

deceased patient’s records are governed by the Access to Health Records

Act 1990 there is no maximum limit to the charge in these cases.

All charges include postage by recorded delivery and where applicable:



A £10.00 administration fee unless you have been seen within the last forty days of the

application in which case this fee does not apply.



Paper records at a charge of 30p per page (single sided, A4).



Most records are available in an electronic format and will be provided on an encrypted CD.

The charge for records in this format is £10.00.



If copy radiology (x-rays) is required this information will be provided on an encrypted CD. The

charge for x-rays is £10.00.

Once the copy information is available you will be notified of the charge. Payment is required

before the information is disclosed.

Cheques/Postal Orders should be made payable to:

WORCESTERSHIRE ACUTE HOSPITALS NHS TRUST

Please note we do not have the facilities to accept payment by credit or debit card.

Note 1 (Part A) – Identity of the person about whom the information is requested

This part must be completed for all applicants.

Complete all details relating to the patient whose records you wish to access. This should include

former names (e.g. maiden name) and previous address, if applicable, for the period relating to the

record requested.

If known please provide the Hospital Registration Number and NHS Number.

Note 2 (Part B) – Details of the information required

This part must be completed for all applicants.

You must specify the records you wish to access and provide as many details as possible. If there

is insufficient space, please attach a continuation sheet.

(11)

Appendix 2 Health Records SAR Guidance

Example

Consultant or Department Condition/Illness Approximate Date Mr Smith Physiotherapy ECG Broken Leg Back pain Chest Pain March 2007 June 2008 November 2009

Note 3 (Part C) – Declaration

This part must be completed by the person seeking access.

A photocopy of a document (e.g. passport, birth certificate) that will support the identification of the Applicant must be attached to the completed Application Form.

Tick one box only which best describes you.

Sign and date in the space provided, and if you are not the patient, provide your address, telephone number and relationship to the patient.

Note 4 (Part D) – Authorisation for Application made on behalf of patient

This part should only be completed when the applicant is not the patient but has been authorised by the patient to make the application.

Once the details in sections A to C have been completed the patient should sign and date in the space provided to officially authorise the applicant’s request for access.

GENERAL NOTES

1. WARNING – It is a criminal offence to make false or misleading statements in order to obtain information.

2. Patients, including those who are deceased, have a right to confidentiality of their personal health information and the hospital must be satisfied that an applicant is the patient or the patient’s authorised representative. This may involve checking the identity of any of the named persons on the completed application form and their validity to request access.

3. Information may be withheld where it is considered that access might cause harm to the physical or mental health of the patient or any other individual, or where a third party might be identified. It is not a requirement for the Trust to disclose the fact that information has been withheld.

(12)

Appendix 2 Health Records SAR Guidance

PLEASE COMPLETE IN BLOCK CAPITALS

APPLICATION FOR COPIES OF HEALTH RECORDS

Part A – Identity of the Person about whom the information is requested

(see note 1)

SURNAME:

FORMERLY:

FORENAME(S):

DATE OF BIRTH:

CURRENT ADDRESS:

PREVIOUS ADDRESS:

TEL NO:

**E-mail*:**

HOSPITAL NUMBER:

NHS NUMBER:

*Please supply an e-mail address to receive an acknowledgement of receipt of your request and to

enable us to keep you informed about progress with your application.

Part B – Details of the information required

(see note 2)

Consultant or Department

Condition/Illness

Approximate Date

X-Ray Images Required (CD)

YES / NO

X-Ray Reports only

YES / NO

Please tick the box if you require the records in relation to a complaint you have registered with

the Trust relating to your care.

(13)

Appendix 2 Health Records SAR Guidance

Part C – Declaration

(see note 3)

I declare that the information given is correct to the best of my knowledge and that I am

entitled to apply for access to the information detailed above.

(Tick as appropriate)

I am the patient named in Part A.

I have been authorised to act by the patient. (

Part D must be completed

)

The patient is under 18 years of age. I am the patient’s parent/legal guardian and

have parental responsibility.

The patient is over 16 years of age. I am their next-of-kin/legal representative. I am making

this application as they lack the capacity of understanding to make the request. Please

provide proof of evidence to support your application (e.g. Lasting Power of Attorney

relating to health care)

I am the deceased patient’s personal representative and attach conformation of this. If you

are applying for the records of a deceased patient please provide proof

of evidence to support

your application (e.g. Grant of Probate or Letters of Administration)

SIGNED:

ADDRESS

(if different from that in Part A)

PRINT NAME:

DATE:

TEL NO:

RELATIONSHIP TO PATIENT:

Part D – Authorisation for application made on behalf of patient

(see note 4)

I hereby authorise release of my health records, as specified above, to the person named in

Part C and declare that I am the patient named in Part A of this form.

SIGNED:

PRINT NAME:

DATE:

WARNING: It is a criminal offence to make false or misleading statements in order to obtain

information.

(14)

Appendix 2 Health Records SAR Guidance

PLEASE ENSURE YOU HAVE ATTACHED THE REQUIRED

IDENTITY / LEGAL DOCUMENTS

WITHOUT THIS INFORMATION WE WILL BE UNABLE TO

PROCESS YOUR REQUEST

Please return the completed form to:

Access to Records

Legal Services Department

Alexandra Hospital

Woodrow Drive

Redditch

Worcestershire

B98 7UB

(15)

Appendix 3 Guidance on charges and

payments

Process 2015

Subject Access Requests - Charges

A request for a Subject Access Request is received

within a department

Each department then sends out the relevant form

(with payment information included), asking for

payment prior to the information being released

Cheques should be made payable to

Worcestershire Acute Hospitals NHS Trust

When the cheque is received the information can be

released to the requestor

Cheques should then be taken to the cashiers office

along with the relevant cost centre and subjective

codes (for where the money should be allocated)

(16)

Appendix 4 Template Employment SAR Form

PLEASE COMPLETE IN BLOCK CAPITALS

APPLICATION FOR ACCESS TO HEATH RECORDS

Part A – Identity of the Person about whom the information is requested (see note 1)

SURNAME: FORMERLY:

FORENAME(S): DATE OF BIRTH:

CURRENT ADDRESS: PREVIOUS ADDRESS:

TEL NO:

HOSPITAL NO: NHS NO:

Part B – Details of the information required (see note 2)

Consultant or Department Condition/Illness Approximate Date

Part C – Declaration (see note 3)

I declare that the information given is correct to the best of my knowledge and that I am entitled to apply for access to the information detailed above under the terms of the Data Protection Act 1998. (Tick as appropriate)

 I am the patient named in Part A

 I have been authorised to act by the patient

 I am the patient’s parent/legal guardian and have parental responsibility

 The patient is over 16 years of age. I am their next-of-kin/legal representative. I am making this application as they lack the capacity of understanding to make the request.

 I am the deceased patient’s personal representative and attach conformation of this.

SIGNED: ADDRESS (if different from that in Part A)

PRINT NAME: DATE:

TEL NO:

RELATIONSHIP TO PATIENT:

(17)

Appendix 4 Template Employment SAR Form

I hereby authorise release of my health records, as specified above, to the person named in Part C and declare that I am the patient named in Part A of this form.

SIGNED: PRINT NAME: DATE:

WARNING: It is a criminal offence to make false or misleading statements in order to obtain information.

Please return the completed form to: Access to Records

Legal Services Department Alexandra Hospital

Woodrow Drive Redditch Worcestershire B98 7UB

(18)

Appendix 5 Template For SAR Form

Under the Data Protection Act 1998, Add the type of request such as employee/patient etc, about who the Trust may be holding personal data have a right to access the data that is being held about them. Any person may exercise this right, known as a Subject Access Request, by submitting a written or email request to their line manager. It should be noted that it is not Trust policy to make a charge for any Subject Access Requests made by a current employee. A maximum charge of up to £50.00, including a £10.00 administration fee, can be made for all other non-employee requests.

The Trust aims to comply with requests for access to employment records as quickly as possible, and will ensure that information is provided within 40 days.

You will need to supply a form of identification. This may be (photocopies are acceptable):

 A current driver’s licence

 A Current passport

 A birth certificate

We require proof of identity before we can process your request. This is to protect the identity of the data subject and ensure that the Data Protection principles are not breached.

Please complete using BLOCK CAPITALS as appropriate:

A: Details of Data Subject (person to whom the information relates) Full Name:

Former Names:

Address: Please also include former addresses:

Telephone Number:

Email:

B: If the Data Subject is, or has been, employed by the Worcestershire Acute Hospitals Trust, please provide the following information:

Relevant Identifier such as ID number : Relevant 2nd Identifier :

Relevant dates to which the request refers: Department or Ward or Area:

Reason for request – employment/complaint, patient safety etc

C: Which records are being requested? If you wish to see only certain specific document(s), for example, a specific departmental file etc, please describe these below:

(19)

Appendix 5 Template For SAR Form

D: Declaration:

I declare that the information given is correct to the best of my knowledge and that I am entitled to apply for access to the information detailed above under the terms of the Data Protection Act 1998.

I agree to pay a £10.00 administration fee plus photocopying and postage costs up to a maximum of £50.00 (delete if current employee)

Signed: Print Name Date:

Data Subject ☐ On behalf of Data

Subject

☐

Relationship to Data Subject:

E: Authorisation for application made on behalf of the data subject:

I hereby authorise release of my records, as specified above, to the person named in Part D and declare that I am the person named in PartAof this form.

Signed: Print Name Date:

(20)

Appendix 6 Template Letter (A)

All correspondence relating to this matter to: **Department*

**Address Line1** **Address Line2** **Address Line3** **Address Line4**

Telephone Number: ** Number**

Our Ref: ****

**Date**

**Requestor Details/name/address** Dear **

Further to your request regarding access to your xxx records under the Data Protection Act 1998.

Please find enclosed the application form for you to complete and return to the above address.

In the meantime if I can be of any further assistance please do not hesitate to contact me.

Yours sincerely

(21)

Appendix 7 Template Letter (B)

All correspondence relating to this matter to: **Department*

**Address Line1** **Address Line2** **Address Line3** **Address Line4**

Telephone Number: ** Number**

Our Ref: ****

**Date**

**Requestor Details/name/address**

Dear ***

The copy information that you require is ready for dispatch.

The charge for providing you with the information is £xxx

I will be pleased to release this information to you as soon as I have received a cheque for this sum made payable to Worcestershire Acute Hospitals NHS Trust, forwarded to **Department* at the above address.

Yours sincerely

**Name of person or department**

[Please note we do not have the facilities to accept payment by credit or debit card]

(22)

Trust Policy

Supporting Document 1

-

Equality Impact Assessment Tool

To be completed by the key document author and attached to key document when submitted to the appropriate committee for consideration and approval.

If you have identified a potential discriminatory impact of this key document, please refer it to Assistant Manager of Human Resources, together with any suggestions as to the action

required to avoid/reduce this impact.

For advice in respect of answering the above questions, please contact Assistant Manager of Human Resource

Yes/No Comments

1. Does the Policy/guidance affect one group less or more favourably than another on the basis of:

 Race No

 Ethnic origins (including gypsies and travellers) No  Nationality No  Gender No  Culture No  Religion or belief No

 Sexual orientation including lesbian, gay and bisexual people

No

 Age No

2. Is there any evidence that some groups are affected differently?

No

3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?

N/A

4. Is the impact of the Policy/guidance likely to be negative?

No

5. If so can the impact be avoided? N/A 6. What alternatives are there to achieving

the Policy/guidance without the impact?

N/A

7. Can we reduce the impact by taking different action?

(23)

Trust Policy

Supporting Document 2 – Financial Impact Assessment

To be completed by the key document author and attached to key document when submitted to the appropriate committee for consideration and approval.

Title of document: Yes/No

1. Does the implementation of this document require any additional Capital resources

No

2. Does the implementation of this document require

additional revenue No

3. Does the implementation of this document require

additional manpower No

4. Does the implementation of this document release any manpower costs through a change in practice

No

5. Are there additional staff training costs associated with implementing this document which cannot be delivered through current training programmes or allocated training times for staff

No

Other comments: _None

If the response to any of the above is yes, please complete a business case and which is signed by your Finance Manager and Directorate Manager for consideration by the Accountable Director before progressing to the relevant committee for approval