Subject Access Request (SAR) Procedure

Subject Access Request (SAR) Procedure (v2.0)

East and North Hertfordshire Clinical Commissioning Group Page 1 of 16

DOCUMENT CONTROL SHEET

Document Owner: Chief Finance Officer
Document Author(s): Anne Ephgrave – HR Business Manager
Version: 2.0 Final
Directorate: Finance
Approved By: Information Governance Forum
Date of Approval: March 2015
Date of Review: March 2017

Change History:

Version | Date | Reviewer(s) | Revision Description
0.1 | 19/08/2013 | Anne Ephgrave | Initial Draft
1.0 | 19/09/2013 | Caroline Law | Final
2.0 | 15/02/2015 | Charlotte Travill | Reformat
2.0 | March 2015 | Sarah Feal | Review of subject matter, roles and responsibilities
2.0 | March 2015 | Alan Pond | Procedure Approved

Implementation Plan:

Development and Consultation: Information Governance Forum

Dissemination: Staff can access this policy via the Intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in the CCG's Publication Scheme in compliance with the Freedom of Information Act (FOI) 2000.

Training: Subject Access Training will be provided to relevant staff.

Monitoring: The procedure implementation will be monitored for effectiveness.

Review: This Subject Access Request Procedure will be reviewed bi-annually or in response to relevant organisational, regulatory or legislative changes.

Equality and Diversity: March 2015 - Equality Impact Assessment; March 2015 - Privacy Impact Assessment

Associated Documents:

References

Access to Health Records Act 1990

Caldicott Guardian Manual 2010

Care Record Guarantee 2009

Data Protection Act 1998

Human Rights Act 1998

NHS Code of Confidentiality

Contents

Section No. | Section Name | Page No.
1.0 | Introduction | 5
2.0 | Scope | 5
3.0 | Purpose | 5
4.0 | Definitions | 6
5.0 | Roles & Responsibilities | 7
6.0 | Procedure for who can make a request | 8
6.1 | Who can make a request? | 8
6.2 | Time limits for access provision | 9
6.3 | Processing a subject access request | 9
Appendix 1 | Subject Access Request (SAR) flow chart. Chart 1: Requests from data subjects and third party | 11
Appendix 2 | Subject Access Request (SAR) flow chart. Chart 2: Requests from the police under Section 29 (3) | 12

1.0 Introduction

1.1 NHS East and North Hertfordshire Clinical Commissioning Group (CCG) is committed to being an organisation within which diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio-economic status and pregnancy or maternity.

1.2 The CCG works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

1.3 The CCG, via the Information Governance Toolkit, provides the means by which NHS England can assess compliance with current legislation, Government and National guidance.

1.4 Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance.

2.0 Scope

2.1 This policy applies to all CCG staff members, including Governing Body Members and Practice Representatives whether permanent, temporary or contracted-in (either as an individual or through a third party supplier).

2.2 This procedure applies to all requests for access to personal data held by the CCG.

2.3 The rights to access under the Act extend only to living individuals. Requests for deceased patients’ records are made under the Access to Health Records Act 1990 (AHRA).

3.0 Purpose

3.1 An individual has the right to request:

• access to their records, subject to certain safeguards;
• copies of their records;
• that these records be explained if they are illegible or unintelligible;
• to be informed of the purpose(s) their information is used for; and
• the source(s) of that data.

3.3 This procedure will provide a framework for the CCG to ensure compliance with the Data Protection Act 1998. The procedure is supported by operational processes connected with the implementation of Subject Access Requests, as detailed in this document.

4.0 Definitions

CCG: Clinical Commissioning Group
DPA: Data Protection Act 1998 (the Act)
ICO: Information Commissioner's Office
PID: Patient Identifiable Data
SAR: Subject Access Request
SIRO: Senior Information Risk Owner
Data: Information processed electronically or manually as part of a relevant filing system.
Data subject: An individual who is the subject of personal data.
Personal data: Data which relates to a living individual who can be identified from the data, or from that data and other information which is in the possession of the data controller (in this instance, the CCG).
Redact: The separation of disclosable from non-disclosable information by blocking out individual words, sentences or paragraphs, or the removal of whole pages or sections, prior to the release of the document (The National Archives); to edit or revise documents by removing text or images from a document.
Third party/Representative:

5.0 Roles and Responsibilities

5.1 Chief Executive

The Chief Executive is the Accountable Officer and has ultimate responsibility for compliance with the Data Protection Act 1998.

5.2 The Director of Nursing and Quality is the Caldicott Guardian

The Caldicott Guardian is the conscience of the organisation and is responsible for ensuring that patient information is used and shared in an appropriate, justifiable and secure manner.

5.3 The Chief Finance Officer is the Senior Information Risk Owner (SIRO)

The SIRO is responsible for managing information risks and information incidents and is also the Information Governance Lead to the Governing Body.

5.4 Head of Information

The Head of Information is the CCG's "Information Governance Lead" and is responsible for advising on IG strategic direction, leading on data protection, the development of policy and guidance for the CCG and the day-to-day management of the IG agenda, including:

• the successful implementation of the Data Protection Act 1998 work programme;
• ensuring that the working practices carried out in the departments are in line with the organisation's IG policy;
• ensuring that staff are adequately trained and aware of their personal responsibilities for IG issues;
• timely submission of the IG Toolkit;
• identifying any additional resources required to implement the IG Strategy.

5.5 The Governance Support Officer

The Governance Support Officer provides clerical support to the IG function and the IG Forum and is responsible for the administration of the Freedom of Information Act 2000 responses and the IG Toolkit. They may also receive subject access requests from patients, which are logged and forwarded to the relevant department.

5.6 All CCG staff are responsible for:

• ensuring compliance with the requirements of this procedure;
• respecting the data subjects' rights to confidentiality and actively responding to any concerns raised about confidentiality; and

6.0 The procedure for making a request

6.1 Who can make a request?

6.1.1 Requests from data subjects and/or their representatives (third party)

• The data subject.
• A person or third party acting on behalf of the data subject and authorised in writing by the data subject can apply on their behalf. Such a person or third party can be a relative or a solicitor.
• Individuals requesting access on behalf of a child for whom they have parental responsibility.
• In certain situations, a person appointed as attorney or agent by the Court of Protection on behalf of an adult who is incapable of providing consent.
• Where the data subject has died, their personal representative or any person having a claim arising from the death. Where the data subject has died, disclosure would be subject to the recorded wishes of the deceased data subject under the Access to Health Records Act. Guidance can be found in the Records Management Policy or by contacting the Information Governance Lead.
• Where the applicant is not the data subject, the applicant should have access only to the information which would otherwise have been available to the data subject, unless access to further information is deemed justifiable in exceptional circumstances. Where the applicant is not the data subject, access is not permitted where the holder of the records is of the opinion that the data subject gave the information or underwent the examination/investigation in the expectation that the information would be kept confidential.

6.1.2 Requests from the Police

• Under Section 29(3) of the DPA 1998 the police may obtain information without seeking the consent of the individual(s). The police may access personal data for the prevention or detection of crime, the apprehension or prosecution of offenders, or taxation purposes.
• The police have a form specifically for this, referred to as a 'Section 29(3) form', which allows them to approach any data controller (the CCG in this case) for information regarding an individual in relation to the apprehension of an offender, the prevention of a crime, or the prosecution of a crime.
• The Section 29(3) form must state the reason(s) for requesting specific information about a data subject and must be countersigned by a higher-ranking officer.

6.2 Time limits for access provision

6.2.1 The CCG is required to respond to SARs within 40 calendar days from the date of receipt of the request for access. Failure to do so is a breach of the Act.

6.3 Processing a subject access request

6.3.1 Step 1: Check that the request comes within the scope of the DPA. For a Subject Access Request, this means that:

• the request has been received in writing (including e-mail or fax);
• the request for information is about a data subject who is a living individual;
• there is sufficient information to verify the data subject's identity;
• there is sufficient information to verify the authorised representative's identity;
• there is sufficient information to enable the organisation to locate the information required.

Note 1: The application does not have to quote the Act to have the request treated as a subject access request.

Note 2: Inform the Governance Support Officer upon receipt of a SAR.

6.3.2 Step 2: Log the SAR in the register and allocate a unique reference number

• Log the request in the SAR register and allocate a unique reference number for the request.
• Acknowledge receipt of the request within 3 working days.

6.3.3 Step 3: Verify the identity of the data subject and/or their representative. Indicate the measures used to verify identity:

• A record should be kept of the measures of verification. These may include, but are not limited to, copies of a driving licence, passport and utility bills.
• Consent form: where a representative/third party submits a request on behalf of the data subject, ensure that there is a signed consent notification provided by the data subject.
• Information can be requested from an individual to judge whether they are the person making the request.
• Photographic identity documents such as a driving licence or passport are preferable.

6.3.4 Step 4: Clarify the request (if necessary)

If the request is too broad, contact the data subject or their representative to seek clarification or a narrowing of the request.

6.3.5 Step 5: Decide whether a fee will be charged

• Inform the data subject whether a fee is applicable.

Note: The Act states a maximum fee of £10 for a SAR.

6.3.6 Step 6: Calculate the deadline for response (update database)

• Provide the timescale for processing (subject to fee/ID confirmation and written consent where a representative submits the request).
• The 40 calendar day countdown stops until you are in receipt of the fee and any other required information, e.g. ID or written consent.

6.3.7 Step 7: Look for information

• Electronic and manual or any other formats.

6.3.8 Step 8: Review information considering possible exemptions

• Screen the collated personal data for duplicate records and redact.
• A copy of the disclosure bundle showing the redactions and the reasons behind them must be retained.

6.3.9 Step 9: Delivery method

• It is important that the information is delivered in a secure and confidential manner. If the requester is able to collect the information in person, a time should be agreed for them to receive copies of their records.
• Prior to handing over the information, the person's identification needs to be checked to ensure that the information is provided to the right person.
• If the data subject prefers that the information is sent by post, it must be sent via recorded delivery and a copy of the delivery note kept.

6.3.10 Step 10: Respond to the data subject

• The data subject should be provided with all the personal information relating to them which meets their request, that is not exempt and which will not disclose personal information relating to a third party (without that third party's consent).

Note: Ensure the data subject is informed of his/her right of appeal to the Information Commissioner's Office.

6.3.11 Step 11: Update the SAR request log
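As an added illustration of Steps 1, 2, 3, 5 and 6 above (example code, not part of the CCG's procedure), the following Python sketch encodes the scope checks, the 3-working-day acknowledgement and the 40-calendar-day response deadline, with the clock stopped until fee, ID and any third-party consent have all been received. The register fields are this example's own; working days are assumed to be Monday to Friday with bank holidays ignored, and the stopped clock is modelled as starting the 40 days on the day the last outstanding item arrives.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_DAYS = 40      # calendar days to respond (section 6.2.1)
ACK_WORKING_DAYS = 3    # working days to acknowledge receipt (section 6.3.2)
MAX_FEE_GBP = 10        # statutory maximum fee (note to section 6.3.5)


@dataclass
class SubjectAccessRequest:
    """Hypothetical SAR register entry; field names are this example's own."""
    reference: str
    received: date
    in_writing: bool             # letter, e-mail or fax
    subject_is_living: bool      # deceased subjects fall under the AHRA 1990
    subject_identified: bool     # enough information to verify the data subject
    data_locatable: bool         # enough information to locate the records
    from_third_party: bool = False
    id_verified_on: Optional[date] = None
    consent_received_on: Optional[date] = None  # needed only for third-party requests
    fee_required: bool = True
    fee_received_on: Optional[date] = None


def scope_failures(sar: SubjectAccessRequest) -> List[str]:
    """Step 1: reasons the request falls outside DPA subject-access scope."""
    failures = []
    if not sar.in_writing:
        failures.append("request not received in writing")
    if not sar.subject_is_living:
        failures.append("data subject not living: handle under the Access to Health Records Act 1990")
    if not sar.subject_identified:
        failures.append("insufficient information to verify the data subject's identity")
    if not sar.data_locatable:
        failures.append("insufficient information to locate the requested data")
    return failures


def add_working_days(start: date, days: int) -> date:
    """Count forward Monday-to-Friday days; bank holidays ignored (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def acknowledgement_due(sar: SubjectAccessRequest) -> date:
    """Step 2: acknowledge receipt within 3 working days."""
    return add_working_days(sar.received, ACK_WORKING_DAYS)


def outstanding_items(sar: SubjectAccessRequest) -> List[str]:
    """Steps 3 and 5: items whose absence stops the 40-day clock (section 6.3.6)."""
    items = []
    if sar.id_verified_on is None:
        items.append("identity verification")
    if sar.from_third_party and sar.consent_received_on is None:
        items.append("signed consent from the data subject")
    if sar.fee_required and sar.fee_received_on is None:
        items.append("fee (max GBP %d)" % MAX_FEE_GBP)
    return items


def response_deadline(sar: SubjectAccessRequest) -> Optional[date]:
    """Step 6: 40 calendar days from the day the last outstanding item arrived.
    Returns None while the clock is still stopped."""
    if outstanding_items(sar):
        return None
    starts = [sar.received, sar.id_verified_on]
    if sar.from_third_party:
        starts.append(sar.consent_received_on)
    if sar.fee_required:
        starts.append(sar.fee_received_on)
    return max(d for d in starts if d is not None) + timedelta(days=RESPONSE_DAYS)
```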

Appendix 1: Subject Access Request (SAR) flow chart

Chart 1: Requests from data subjects and third party

Request for information received.

Initial checks: 1. Is the request in writing? 2. Is there enough information to find the data?

Actions: 1. Log details in the SAR Log and allocate a unique reference number. 2. Inform the Governance Support Officer.

Acknowledge receipt within 3 working days. Include as relevant: 1. SAR form for completion; 2. and/or validation information request; 3. and/or request for fee.

Validation checks: 1. Does it include the data subject's validation information? 2. Does it include signed consent from the data subject if the request is from a third party? 3. Is the correct fee enclosed?

N: request the outstanding items (see the acknowledgement step above).

Y: check for and collate the requested information; review the information considering exemptions/redaction; confirm the secure delivery method:

• Collection by data subject
• Collection by a confirmed representative (check ID)
• Post via recorded delivery

1. Respond to the request. 2. Inform the user of their right of appeal to the ICO.

• Retain copies of disclosed information.
• Keep a list of reasons for redaction for reference.

Update the SAR Log. Inform the Governance Support Officer.

Appendix 2: Subject Access Request (SAR) flow chart

Chart 2: Requests from the police under Section 29 (3)

Request for information received.

Initial checks: 1. Is the request in writing? 2. Is there enough information to find the data?

Actions: 1. Log details in the SAR Log and allocate a unique reference number. 2. Inform the Governance Support Officer.

Acknowledge receipt within 3 working days. Request a complete form, which must include: 1. statement of the nature of the enquiry; 2. specific information required; 3. name of the requesting officer; 4. name and rank of the authorising officer.

Validation checks: 1. Does the request state the nature of the enquiry? 2. Does the request state the name of the enquiring officer? 3. The form must be counter-signed by a high-ranking officer: does the request state the name and rank of the authorising officer?

N: request the completed form (see the acknowledgement step above).

Y: check for and collate the requested information; review the information considering exemptions/redaction.

• Retain copies of disclosed information.
• Keep a list of reasons for redaction for reference.

Confirm the secure delivery method:

• Collection by the requesting officer (ID must be checked)
• Post via recorded delivery

3. Respond to the request. Inform the Governance Support Officer. Update the SAR Log. Process end.

Appendix 3: Subject Access Request (SAR) Form

Section 1: Your details

Surname:
First and middle names:
Previously known as (if applicable):
Date of birth (DD/MM/YYYY):
Address:

Section 2: Personal data requested

Please provide as much detail as possible of the personal data you are requesting.

Section 3: Additional document(s) required

You must provide:

Copies of two different documents as evidence of your identity and current address (original copies may be requested).

A cheque or postal order for £10 made payable to: East and North Hertfordshire Clinical Commissioning Group.

Section 4: Declaration of data subject

I confirm that I am the data subject named in Section 1 and I am requesting access to my own personal data. I understand that the information I have supplied will be used to confirm my identity and assist in locating the information I have requested.

Signed: Date:

Section 5: Consent by data subject for representative/third party acting on their behalf

I confirm that I am the data subject named in Section 1. I consent to the person or organisation named below acting on my behalf in relation to my subject access request. I have enclosed the document(s) referred to in Section 3.

I give consent for my personal data to be sent to my representative at the address provided below.

Signed: Date:

Third Party Details

Name of Person/Organisation:
Relationship to data subject:
Address:
Telephone number:
E-mail:

Section 6: Returning your completed form

Please send your completed form and the additional information requested to:

Governance Support Officer,
NHS East and North Hertfordshire Clinical Commissioning Group,
Charter House,
Parkway,

Appendix 4: Equality Impact Assessment Stage 1 Screening

1. Procedure EIA Completion Details

Title: Subject Access Request Procedure
Names & Titles of staff involved in completing the EIA: Sarah Feal, Company Secretary
Status: Proposed / Existing
Date of Completion: 27/03/2015
Review Date: 27/03/2017

2. Details of the Policy. Who is likely to be affected by this policy?

Staff / Patients / Public

3. Impact on Groups with Protected Characteristics

Probable impact on group (Positive / Adverse / None; High, Medium or Low). Please explain your answers.

Age
Being married or in a civil partnership
Disability, inc. learning difficulties, physical disability, sensory impairment etc.
Having just had a baby or being pregnant
Race, ethnicity, nationality, language etc.
Religion or belief
Sex (inc. being a transsexual person)
Sexual Orientation
Other:

No impact on any of the groups above. Please explain and provide evidence.

4. Which equality legislative Act applies to the policy?

Human Rights Act 1998 / Equality Act 2010 / Health & Safety Regulations / Mental Health Act 1983 / Mental Capacity Act 2005

5. How could the identified adverse effects be minimised or eradicated?

Appendix 5: Privacy Impact Assessment Stage 1 Screening

1. Procedure PIA Completion Details

Title: Subject Access Request Procedure
Names & Titles of staff involved in completing the PIA: Sarah Feal, Company Secretary
Status: Proposed / Existing
Date of Completion: 27/03/2015
Review Date: 27/04/2017

2. Details of the Policy. Who is likely to be affected by this policy?

Staff / Patients / Public

Answer Yes / No to each of the following and please explain your answers.

Technology: Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards)

Identity: By adhering to the policy content, does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.)

Individuals will be required to provide documents to verify their identity.

By adhering to the policy content, is there a risk of denying anonymity and de-identification, or of converting previously anonymous or de-identified data into identifiable formats?

Multiple Organisations: Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations)

Data: By adhering to the policy, is there a likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected)

If Yes to any of the above, have the risks been assessed, can they be evidenced, and have the policy content and its implications been understood and approved by the department?
