Access to personal information held about you

Transcription

1 Access to personal information held about you Policy Document This document applies to anyone requesting personal information NHS Ayrshire & Arran holds about them. Version 01.0 Author: SAR SLWG Review date: Approved by: Information Governance Operational Delivery Group Document uncontrolled when printed

2 DOCUMENT CONTROL SHEET Key Information: Title: Access to information held about you policy Document Status: Approved Document Type: Policy Version Number: V01.0 Document location: Author: Jillian Neilson, Head of Information Governance Owner: SAR Short Life Working Group Approved By: Approved Date Effective From: Review Frequency: 2 years Next Review Date: Contact: Jillian Neilson, Head of Information Governance Revision History: Version: Date: Summary of Changes: Responsible Officer: Approvals: this document was formally approved by: Name/Title/Group Date: Version: Information Governance Operational Delivery Group V01.0 Dissemination Arrangements: Intended audience: Method: Date Version: All NHS A&A staff Stop Press AthenA V01.0 Patients, Public NHS A&A Public Website Linked Documentation: Document Title: Document File Path: NB. This document is uncontrolled when printed. The contents of this document are subject to change, any paper copy is only valid on the day of printing. To ensure you have the most up to date version of this document please use the link to access the document directly from AthenA. Document uncontrolled when printed Page 2 of 11

3 Table of Contents 1 Introduction Purpose Definitions Scope Responsibilities Policy Principles Governance, Monitoring & Review Relevant Legislation, Guidance and Codes of Practice Table of Departmental Responsibilities Document uncontrolled when printed Page 3 of 11

4 1 Introduction 1.1 NHS Ayrshire & Arran (NHS A&A) aims to achieve a standard of excellence in information governance by ensuring information is dealt with legally, securely, efficiently and effectively in the course of NHS A&A s business to deliver person centred, clinically effective and safe care. 1.2 NHS A&A regards the Data Protection Act 1998 as an important mechanism for achieving an honest and safe relationship with patients, carers, families, the public and employees. 1.3 All information processing including fulfilling our obligations with respect to Subject Access Requests and other requests for access to personal information will be undertaken in accordance with the relevant legislation and best practice. 1.4 NHS A&A aims to improve transparency in its activities to enable its patients, their carer s, families, the public and employees to verify that the information NHS A&A holds on them is accurate and processed legitimately. 2 Purpose The purpose of the policy for access to personal information NHS A&A holds about you, is to: 2.1 Ensure that we meet our obligations regarding processing Subject Access Requests under the terms of the Data Protection Act 1998 and associated Information Commissioners Office best practice, 2.2 Ensure that we meet our obligations regarding processing other requests for access to personal information in compliance with the relevant legislation, 2.3 To set our responsibilities for responding to and managing Subject Access Requests and other requests for access to personal information, 2.4 Provide assurance that personal information is being managed by us in accordance with the Data Protection Act 1998 and associated Information Commissioner s best practice. Document uncontrolled when printed Page 4 of 11

5 3 Definitions 3.1 Information Governance is a framework for handling information in a confidential and secure manner, to appropriate ethical and quality standards. Ultimately it is to ensure that information is: Held securely and confidentially; Obtained fairly and lawfully; Recorded accurately and reliably; Used effectively and ethically; Shared appropriately and legally; Retained for the appropriate length of time, and Accessible and available where required. 3.2 Personal data/information as defined by the Data Protection Act 1998, is data which relates to an individual who can be identified from those data or from those data and other information which is in the possession of the data controller and includes any expression or opinion about the individual and any indication of the intentions of the data controller or any other person in respect of that individual. 3.3 Sensitive Personal Data The 1998 Act defines sensitive personal data as information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the Act the processing of this sensitive personal data is subject to more stringent conditions. 3.4 Data subject means a living individual whom personal data is about. 3.5 Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. 3.6 Subject Access it a right under the Data Protection Act which enables individuals to find out what personal data organisations hold about them, why it is held and who it is disclosed to. Individuals may exercise this right by making a written request subject access request. Document uncontrolled when printed Page 5 of 11

6 4 Scope 4.1 Subject Access Requests under the terms of Section 7 of the Data Protection Act Other requests for access to personal information, these are listed in Section 9 of this document. 4.3 This policy relates to all personal information held by NHS A&A in all formats. 4.4 This policy excludes requests for access to personal data for business as usual purposes including information sharing to support the provision of services, business planning, audit or research and development. 5 Responsibilities 5.1 Chief Executive The Chief Executive has overall responsibility for ensuring that processes are in place for responding to subject access requests under the Data Protection Act 1998 and other legitimate requests for access to personal data. 5.2 Caldicott Guardian The Caldicott Guardian has responsibility for advising staff and ensuring that adequate arrangements are in place to protect patient identifiable information. The Executive Medical Director is the designated Caldicott Guardian. 5.3 Head of Integrated Health Records Responsible for ensuring subject access requests for access health records and other legitimate requests for access to personal data contained within health records are dealt with in compliance with the Data Protection Act 1998 and other applicable legislation. 5.4 Head of Information Governance Responsible for ensuring subject access requests where the personal information is not contained in either health or employee records are dealt with in compliance with the Data Protection Act Director of Organisation & Human Resource Development Responsible for ensuring subject access requests for access to personal information contained within employee records and other associated information are dealt with in compliance with the Data Protection Act Freedom of Information Officer The Freedom of Information Officer is not responsible for processing subject access requests under the Data Protection Act Any request for personal information Document uncontrolled when printed Page 6 of 11

7 under the Freedom of Information (Scotland) Act 2002 will be processed in accordance with this Act. When appropriate, the relevant exemption under the Act will be applied and the request re-directed to the appropriate lead to process under the Data Protection Act Managers Managers must ensure that their teams are aware of this policy and that they may be required to provide information that they hold to fulfil a request for access to personal information, this may include correspondence held within their mail box. 5.8 All Staff All staff must adhere to this policy. In particular all staff must, when requested undertake the appropriate searches and submit all information requested to the team processing the subject access request or other request for access to personal information, within the defined timescale. 6 Policy Principles 6.1 Requests for access to personal information must be made in writing, correspondence is acceptable. For specific requests the following forms should be used: For requests for access to information contained with Health Records Access health records Form should be used. For requests for access to Closed Circuit Television footage the CCTV SAR Form should be used. For requests for access to personal information by the Police the Section 29 Form should be used. For requests for access to an Adverse Event Report (DATIX) the ---TO BE INCLUDED should be used. All other requests for access to personal information should be directed to the Information Governance Team who will redirect the request to the designated department or team. Information Governance, 14 Lister St, Crosshouse Hospital, KA2 0BE or InformationGovernance@aapct.scot.nhs.uk Document uncontrolled when printed Page 7 of 11

8 6.2 Responsibility for processing requests for access to personal information are listed in the table in Section 9. All requests for access to personal data will be processed by the designated department or team; Medico Legal Administrative Services; Department of Operational & Human Resource Development ;or Information Governance Team. 6.3 The designated departments or teams are responsible for developing supporting Standard Operating Procedures for processing Subject Access Requests and other legitimate requests for access to personal information. 6.4 All Subject Access Requests will be processed in compliance with the Data Protection Act 1998, Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413) and Information Commissioner s Office Guidance, listed in Section Other legitimate requests for access to personal information must be processed in line with the associated legislation. 6.6 Once a valid Subject Access request has been received it must be responded to within 40 calendar days. Other requests for access to personal data will be processed in line with the respective deadlines as defined in Section Any persons making a request for access to personal information who are dissatisfied with the way their request has been handled in the first instance should direct their concerns to the Information Governance team or alternatively raise the concerns directly with the Information Commissioner s Office (for more details see 7 Governance, Monitoring & Review 7.1 Routine reports will be submitted to the Information Governance Operational Delivery Group, which is the group responsible for ensuring that NHS A&A has a robust Information Governance Framework in place. The Information Governance Operational Delivery Group will specifically monitor compliance with the 40 calendar day for time limit for responding to subject access requests. 7.2 Non-compliance rates will be regularly reported to the Information Governance Committee, which is responsible for oversight of information governance arrangements and considering and scrutinizing NHS A&A s compliance with relevant legislation and national standards with regards to information governance. 7.3 NHS A&A will continue to develop and expand on policies and procedures to ensure that appropriate standards are defined, implemented, maintained, assured and evaluated to ensure information rights are respected. This policy will be reviewed biannually by a group convened by the Head of Information Governance. Document uncontrolled when printed Page 8 of 11

9 8 Relevant Legislation, Guidance and Codes of Practice Legislation Data Protection Act 1998 Access to Health Records Act 1990 Data Protection (Subject Access Modification) (Health) Order 2000 Information Commissioner s Office Guidance Subject Access Code of Practice Information Access to information held in Complaint Files Employment Practices Code Employment Practices Code Supplementary Guidance Data Protection Technical Guidance Determining what is Personal Data Document uncontrolled when printed Page 9 of 11

10 9 Table of Departmental Responsibilities for processing SAR s and other requests for access to personal information Information Type of Request Processed by: Health Record living person Health Record - deceased person Employee s information e.g. for access to personal data contained in employee record and/or other associated employee information Adverse event report (Datix) Other personal data not contained in Health record or employee record Subject Access Request for access to personal data contained in Health Record (40 days) Section 29 Request (Police) Court Specification (7 days) Procurator Fiscal (7 days) Central Legal Office (7 days) Criminal Injuries Compensation Authority (CICA) SCRA - Children s Reporter Access to Health Records Act 1990 request (deceased) Court Specification (7days) Procurator Fiscal (7 days) Central Legal Office (7 days) Subject Access Request (40 days) Subject Access Request (40 days) Subject Access Request (40 days) Medico-Legal Administrative Services Legislation Lead on Ailsa Hospital Ext Ayr Team on Telephone or Ext Crosshouse Team on Ext (27076) Or SubjectAccessRequest@aapct.scot.nhs.uk Medico-Legal Administrative Service See above for contact details Department of Organisation and Human Resource Development Mark Hogarth Human Resources Manager University Hospital, Crosshouse 64 Lister Street Kilmarnock KA2 0BE Tel: (ext 25954) Mob: mark.hogarth@aaaht.scot.nhs.uk Medico-Legal Administrative Services See above for contact details Information Governance 14 Lister Street, Crosshouse Hospital, KA2 0BE Tel: (26813) or 8(25897) InformationGovernance@aapct.scot.nhs.uk Document uncontrolled when printed Page 10 of 11

11 CCTV Footage Subject Access Request (40 days) Information Governance 14 Lister Street, Crosshouse Hospital, KA2 0BE Tel: (26813) or 8(25897) Document uncontrolled when printed Page 11 of 11