Subject Access Request (SAR) Procedure

Transcription

1 Subject Access Request (SAR) Procedure East and North Hertfordshire Clinical Commissioning Group Page 1 of 16

2 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave HR Business Manager Version: 2.0 Final Directorate: Finance Approved By: Information Governance Forum Date of Approval: March 2015 Date of Review: March 2017 Change History: Version Date Reviewer(s) Revision Description /08/2013 Anne Ephgrave Initial Draft /09/2013 Caroline Law Final /02/2015 Charlotte Travill Reformat 2.0 March 2015 Sarah Feal Review of subject matter, Roles and responsibilities 2.0 March 2015 Alan Pond Procedure Approved Implementation Plan: Development and Consultation Dissemination Training Monitoring Information Governance Forum Staff can access this policy via the Intranet and will be notified of new/revised versions via the staff briefing. This policy will be included in the CCG's Publication Scheme in compliance with the Freedom of Information Act (FOI) Subject Access Training will be provided to relevant staff. The procedure implementation will be monitored for effectiveness. Review Equality and Diversity Associated Documents This Subject Access Request Procedure will be reviewed bi-annually or in response to relevant organisational, regulatory or legislative changes. March Equality Impact Assessment March Privacy Impact Assessment Confidentiality Code of Conduct Information Governance Policy Records Management Policy East and North Hertfordshire Clinical Commissioning Group Page 2 of 16

3 References Access to Health Records Act 1990 Caldicott Guardian Manual 2010 Care Record Guarantee 2009 Data Protection Act 1998 Human Rights Act 1998 NHS Code of Confidentiality Records Management: NHS Code of Practice East and North Hertfordshire Clinical Commissioning Group Page 3 of 16

4 Contents Section No. Section Name Page No. 1.0 Introduction Scope Purpose Definitions Role & Responsibilities Procedure for who can make a request Who can make a request? Time limits for access provision Processing a subject access request 9 Appendix 1 Appendix 2 Subject Access Request (SAR) flow chart Chart 1: Requests from data subjects and third party Appendix 2: Subject Access Request (SAR) flow chart Chart 2: Requests from the police under Section 29 (3) Appendix 3 Appendix 3: Subject Access Request (SAR) Form 13 Appendix 4 Equality Impact Assessment Stage 1 Screening 15 Appendix 5 Privacy Impact Assessment Stage 1 Screening 16 East and North Hertfordshire Clinical Commissioning Group Page 4 of 16

5 1.0 Introduction 1.1 NHS East and North Hertfordshire Clinical Commissioning Group (CCG) is committed to being an organisation within which diversity, equality and human rights are valued. We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio - economic status and pregnancy or maternity. 1.2 The CCG works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients. 1.3 The CCG, via the Information Governance Toolkit, provides the means by which NHS England can assess compliance with current legislation, Government and National guidance. 1.4 Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance. 2.0 Scope 2.1 This policy applies to all CCG staff members, including Governing Body Members and Practice Representatives whether permanent, temporary or contracted-in (either as an individual or through a third party supplier). 2.2 This procedure applies to all requests for access to personal data held by the CCG. 2.3 The rights to access under the Act extend only to living individuals. Requests for deceased patients records are made under the Access to Health Records Act 1990 (AHRA). 3.0 Purpose 3.1 An individual has the right to request: access to their records, subject to certain safeguards; copies of their records; have these records explained if they are illegible or unintelligible; to be informed of the purpose(s) their information is used for; and the source(s) of that data. 3.2 The purpose for this procedure is to ensure that an individual s rights under the Act are followed and that each SAR is treated equally within the law. East and North Hertfordshire Clinical Commissioning Group Page 5 of 16

6 3.3 This procedure will provide a framework for the CCG to ensure compliance with the Data Protection Act The procedure is supported by operational processes connected with the implementation of Subject Access Requests, as detailed in the document. 4.0 Definitions CCG DPA ICO PID SAR SIRO Clinical Commissioning Group Data Protection Act 1998 (the Act) Information Commissioner s Office Patient Identifiable Data Subject Access Request Senior Information Risk Owner Data Data subject Personal data Redact Third party/ Representative Information processed electronically or manually as part of a relevant filing system. An individual who is the subject of personal data. Data which relates to a living individual who can be identified from the data or from that data and other information which is in possession of the data controller (in this instance, the CCG). This is the separation of disclosable from non-disclosable information by clocking out individual words, sentences or paragraphs or the removal of whole pages or sections prior to the release of the document. (The National Archive) To edit or revise documents by removing text or images from a document A Person or organisation other than the data subject East and North Hertfordshire Clinical Commissioning Group Page 6 of 16

7 5.0 Roles and Responsibilities 5.1 Chief Executive The Chief Executive is the Accountable Officer and has ultimate responsibility for compliance with the Data Protection Act The Director of Nursing and Quality is the Caldicott Guardian The Caldicott Guardian is the conscience of the organisation and is responsible for ensuring that patient information is used, and shared in an appropriate, justifiable and secure manner. 5.3 The Chief Finance Officer is the Senior Information Risk Owner (SIRO) The SIRO is responsible for managing information risks and information incidents and is also the Information Governance Lead to the Governing Body. 5.4 Head of Information The Head of Information is the CCG s Information Governance Lead and is responsible for advising on IG strategic direction, leading on data protection, the development of policy and guidance for the CCG and the day to day management of the IG agenda, including; The successful implementation of the Data Protection Act 1998 work programme, The working practices carried out in the departments are in line with the organisation s IG policy, The staff are adequately trained and aware of their personal responsibilities for IG issues, Timely submission of the IG Toolkit, Responsible for identifying any additional resources required to implement the IG Strategy. 5.5 The Governance Support Officer The Governance Support Officer provides clerical support to the IG function and the IG Forum and is responsible for the administration of the Freedom of Information Act 2000 responses and the IG Toolkit. They may also receive subject access requests from patients which are logged and forwarded to the relevant department. 5.6 All CCG staff are responsible for: Ensuring compliance with the requirement of this procedure; Respecting the data subjects rights to confidentiality and actively responding to any concerns raised about confidentiality; and Ensuring they are fully aware of the Subject Access Request Procedure and are following the correct process as set out in this procedure when a subject access request is received. East and North Hertfordshire Clinical Commissioning Group Page 7 of 16

8 6.0 The procedure for making a request 6.1 Who can make a request? Requests from data subjects and/or their representatives (third party) The data subject A person or third party acting on behalf of the data subject and authorised in writing by the data subject can apply on their behalf. Such a person or third party can be a relative or a solicitor. Individuals requesting access on behalf of a child for whom they have parental responsibility. In certain situations a person granted an attorney or agent by the Court of Protection on behalf of an adult who is incapable of providing consent. Where the data subject has died their personal representative or any person having a claim arising from the death. Where the data subject has died, disclosure would be subject to the recorded wishes of the deceased data subject under the Access to Health Records Act. Guidance can be found in the Records Management Policy or by contacting the Information Governance Lead. Where the applicant is not the data subject, the applicant should have access to only the information which would otherwise have been available to the data subject, unless access to further information is deemed justifiable in exceptional circumstances. Where the applicant is not the data subject, access is not permitted where the holder of the records are of the opinion that the data subject gave the information or underwent the examination / investigation in the expectation that the information would be kept confidential Requests from the Police Under the DPA 1998, Section 29(3) the police may get information without seeking the consent of the individual(s). The police may access personal data for prevention or detection of crime, the apprehension or prosecution of offenders or taxation purposes. The police have a form specifically for this. It is referred to as a Section 29(3) form which allows them to approach any data controller (the CCG in this case) for information regarding an individual, in relation to the apprehension of an offender or for the prevention of a crime, or for the prosecution of a crime. The Section 29(3) must state the reason(s) for requesting specific information about a data subject and must be countersigned by a higher ranking officer. A section 29(3) form is the safe guard to the CCG for releasing the information to the police. The police must provide a complete and appropriately signed form to show that the information is needed to further their case, as per the Section 29(3) requirements. East and North Hertfordshire Clinical Commissioning Group Page 8 of 16

9 6.2 Time limits for access provision The CCG is required to respond to SARs within 40 calendar days from the date of receipt of the request for access. Failure to do so is a breach of the Act. 6.3 Processing a subject access request Step 1: Check that the request comes within the scope of the DPA. For Subject Access Request, this means that: the request has been received in writing (including or fax); the request for information is about the data subject who is a living individual; there is sufficient information to verify the data subject s identity; there is sufficient information to verify the authorised representative s identity; there is sufficient information to enable the organisation to locate the information required, N ote 1 : The application does not have to quote the Act to have the request treated as a subject access request. N ote 2 : Inform the Governance Support Officer upon receipt of SAR Step 2: Logging of SAR to register and allocation of unique reference number Log request in the SAR register and allocate unique reference number for the request. Acknowledgement of receipt of the request within 3 working days Step 3: Verify the identity of the data subject and/or their representative Indicate the measures to verify identity: A record should be kept of the measure of verification. These may include but are not limited to copies of drivers licence, passport and utility bills; Consent form - where a representative/third party puts in a requests on behalf of the data subject, ensure that there is signed consent notification provided by the data subject. Information can be requested from an individual to judge whether they are the person making the request. Photographic identity documents such as drivers licence or passport are more acceptable Step 4: Clarify the request (if necessary) If the request is too broad, contact the data subject or their representative to seek clarification or a narrowing of the request Step 5: Whether a fee will be charged. Inform data subject whether a fee is applicable N ote : The Act states a maximum fee of 10 for SAR. There are special rules that apply to fees for paper based health records. The maximum fee for paper based health records is currently 50 under the AHRA. East and North Hertfordshire Clinical Commissioning Group Page 9 of 16

10 6.3.6 Step 6: Calculate deadline for response (Update database) Provide timescale of processing (subject to fee/id confirmation provision and written consent where a representative puts in request) The 40 calendar day countdown stops until you are in receipt of the fee and any other required information e.g. ID or written consent Step 7: Look for information Electronic and manual or any other formats Step 8: Review information considering possible exemption Screen the collated personal data for duplicate records and redact. A copy of the disclosure bundle showing the redactions and the reasons behind them must be retained Step 9: Delivery method It is important that the information is delivered in a secure and confidential manner. If the requestor is able to collect the information in person, a time should be agreed for them to receive copies of their records. Prior to handing over the information, the person s identification needs to be checked to ensure that the information is provided to the right person. If the data subject prefers that the information is sent through post, this would have to be sent via recorded delivery and a copy of the delivery note kept Step 10: Respond to data subject The data subject should be provided with all the personal information relating to them which meets their request, that is not exempt and which will not disclose personal information relating to a third party (without their consent). N ote : Ensure the data subject is informed of his/her right of appeal to the Information Commissioner s Office Step 11: Update SAR request log Step 12: Inform Governance Support Officer for reporting purposes. East and North Hertfordshire Clinical Commissioning Group Page 10 of 16

11 A Appendix 1: Subject Access Request (SAR) flow chart Chart 1: Requests from data subjects and third party Request for information 1. Is the request in writing? 2. Is there enough information to find data? 1. Log details in SAR Log and allocate unique reference number 2. Inform Governance Support Officer Acknowledge receipt within 3 working days. Include as relevant: 1. SAR form for completion 2. And/or validation information request. 3. And/or request fee N 1. Does it include the data subjects validation information? 2. Does it include signed consent from data subject if from third party? 3. Is the correct fee enclosed? Y Confirm secure delivery method: Collection by data subject Collection by a confirmed representative (check ID) Post via recorded delivery Review information considering exemptions/ redaction Check for and collate requested information Retain copies of disclosed information. Keep list of reasons for redaction for reference 1. Respond to request 2. Inform user of right of appeal to ICO Update SAR Log Inform Governance Support Officer Process End East and North Hertfordshire Clinical Commissioning Group Page 11 of 16

12 Appendix 2: Subject Access Request (SAR) flow chart Chart 2: Requests from the police under Section 29 (3) Request for information 1. Is the request in writing? 2. Is there enough information to find data? 1. Log details in SAR Log and allocate unique reference number 2. Inform Governance Support Officer Acknowledge receipt within 3 working days. Request for a complete form which must include: 1. Statement of nature of enquiry 2. Specific information required 3. Name of requesting officer 4. Name and rank of authorising officer N 1. Does the request state the nature of the enquiry? 2. Does the request state name of the enquiring Officer? 3. The form must be counter-signed by a high ranking officer. Does the request state the name and rank of authorising officer? Y Confirm secure delivery method: Collection by requesting officer. (ID must be checked) Post via recorded delivery Review information considering exemptions/ redaction Check for and collate requested information Retain copies of disclosed information. Keep list of reasons for redaction for reference 3. Respond to request Update SAR Log Inform Governance Support Officer Process End East and North Hertfordshire Clinical Commissioning Group Page 12 of 16

13 Surname: Appendix 3: Subject Access Request (SAR) Form Section 1: First and middle names: Previously known as (if applicable) Your details Date of birth: (DD/MM/YYYY) Address: Telephone number: Section 2: Personal data requested Please provide as much details of personal data you request. Section 3: Additional document(s) required You must provide: Copies of two different documents as evidence of your identity and current address: (Original copies may be requested) A cheque or postal order for 10 made payable to: East and North Hertfordshire Clinical Commissioning Group. Section 4: Declaration of data subject I confirm that I am the data subject named in Section 1 and I am requesting access to my own personal data. I understand that the information I have supplied will be used to confirm my identity and assist in locating the information I have requested. Signed: Date: East and North Hertfordshire Clinical Commissioning Group Page 13 of 16

14 Section 5: Consent by data subject for representative/third party acting on their behalf I confirm that I am the data subject named in Section 1. I consent to the person or organisation named below to act on my behalf in relation to my subject access request. I have enclosed document(s) referred to in Section 3. I give consent for my personal data to be sent to my representative at the address provided below. Signed: Date: Third Party Details Name of Person/Organisation : Relationship to data subject: Address: Telephone number: Section 6: Returning your completed form Please send your completed form and additional information requested to: Governance Support Officer, NHS East and North Hertfordshire Clinical Commissioning Group, Charter House, Parkway, Welwyn Garden City, Hertfordshire, AL8 6JL East and North Hertfordshire Clinical Commissioning Group Page 14 of 16

15 Appendix 4: Equality Impact Assessment Stage 1 Screening 1. Procedure EIA Completion Details Title: Subject Access Request Procedure Proposed Existing Date of Completion: 27/03/2015 Names & Titles of staff involved in completing the EIA: Sarah Feal, Company Secretary Review Date:27/03/ Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public 3. Impact on Groups with Protected Characteristics Age Being married or in a civil partnership Probable impact on group? Positive Adverse None High, Medium or Low Please explain your answers Disability, inc. learning difficulties, physical disability, sensory impairment etc. Having just had a baby or being pregnant Race, ethnicity, nationality, language etc. Religion or belief Sex (inc. being a transsexual person) Sexual Orientation Other: No impact on any of the groups above. Please explain and provide evidence 4. Which equality legislative Act applies to the policy? Human Rights Act 1998 Equality Act 2010 Health & Safety Regulations Mental Health Act 1983 Mental Capacity Act How could the identified adverse effects be minimised or eradicated? 6. How is the effect of the policy on different Impact Groups going to be monitored? East and North Hertfordshire Clinical Commissioning Group Page 15 of 16

16 Appendix 5: Privacy Impact Assessment Stage 1 Screening 1. Procedure PIA Completion Details Title: Subject Access Request Procedure Proposed Existing Date of Completion: 27/03/2015 Names & Titles of staff involved in completing the PIA: Sarah Feal, Company Secretary Review Date: 27/04/ Details of the Policy. Who is likely to be affected by this policy? Staff Patients Public Yes No Please explain your answers Technology Does the policy apply new or additional information technologies that have the potential for privacy intrusion? (Example: use of smartcards) Identity By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication? (Example: digital signatures, presentation of identity documents, biometrics etc.) By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats? Multiple Organisations Does the policy affect multiple organisations? (Example: joint working initiatives with other government departments or private sector organisations) Data By adhering to the policy is there likelihood that the data handling processes are changed? (Example: this would include a more intensive processing of data than that which was originally expected) If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department? Individuals will be required to provide documents to verify their identity. Yes, information will be exchanged securely. East and North Hertfordshire Clinical Commissioning Group Page 16 of 16