SUBJECT ACCESS REQUEST PROCEDURE

Transcription

1 SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under Section 7 of the Data Protection Act whereby individuals can request access to their data. Date Approved: 28 th March 2014 Approving Committee: Information Governance Management and Technology Committee Version Number: V1.0 Status: Approved Next Revision Due: January 2015 Developed by: Policy Sponsor: Target Audience: Associated Documents: Information Governance, Greater East Midlands Commissioning Support Unit (GEM CSU) Information Governance Management and Technology Committee This Policy applies to any person directly employed, contracted or volunteering to the CCG All Information Governance Policies and the Information Governance Toolkit Author: GEM CSU IG 1 Approved January 2014

2 Revision History Version Revision date Comments Draft August 2013 Developed in line with NHS England guidance, Caldicott Review and the Information Governance Toolkit version 11 Approved January 2014 Information Governance Management and Technology committee pending minor amendments to text and formatting. Policy Dissemination information Reference Number IG31 Title Subject Access Request Procedure Available from CCG Intranet Contents 1. Introduction Purpose & Scope Policy Statement Principles Who can make a request Roles & Responsibilities Subject Access Requests the rights of individuals Consent Issues Shared Records Deceased Patient Records Exemptions to the Release of Information Subject Access Request Process Incidents Equality Impact Assessment Due Regard Policy Review APPENDIX A - REFERENCES AND BIBLIOGRAPHY Author: GEM CSU IG 2 Approved January 2014

3 1. Introduction This procedure applies to Nottinghamshire County Clinical Commissioning Groups (CCGs) subsequently referred to in this document as the CCGs. They include: NHS Mansfield and Ashfield CCG NHS Newark and Sherwood CCG NHS Nottingham North and East CCG NHS Nottingham West CCG NHS Rushcliffe CCG Legislation provides that an individual has the right to request access to their personal information that is held by an organisation. The information can be health records, employment records, or records which hold information relating to them as the data subject. An organisation must ensure that it has a procedure in place to respond to Subject Access Requests under the Data Protection Act Purpose & Scope The Act gives data subjects the right, subject to certain exceptions, to request access and obtain copies of personal data about themselves that is held in either computerised or manual formats and any type of personal information that is recorded including photographs, x-rays, audio messages and CCTV images. Data subjects have access rights to their personal information irrespective of when the record was created. To exercise this right, an individual must make a written request for information. This is known as a subject access request. This procedure applies to all requests for access to personal data held by the CCG. This procedure applies to all staff employed by or working on behalf of the CCG including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers or locums. 3. Procedure Statement This procedure will provide a framework for the CCG to ensure compliance with the Data Protection Act This procedure matches the requirements identified by the Information Commissioner Subject Access Request Code of Practice August 2013 ( Author: GEM CSU IG 3 Approved January 2014

4 4. Principles Individuals have the right to request copies of their information that the CCG may hold and to also request certain information relating to the processing of their information including: A description of the information The purposes the information is used for The disclosures that are made or might be made The source of the data The CCG is required to respond to Subject Access requests promptly within 40 calendar days of receipt of the request. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner (ICO). If it is anticipated that a request will take longer than the 40-day period, the organisation must inform the applicant giving an explanation of the delay and agree a new deadline. Failure to comply with a request for subject access, without valid justification is treated as a serious matter and may be referred to the ICO. Such complaints are dealt with as a matter of priority and may lead to a full-scale investigation into an organisation s procedures and practices. 5. Who can make a request Subject access requests can be made by: The individual themselves Individuals requesting access on behalf of a child for whom they have parental responsibility A representative nominated by the individual to act their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority In certain situations a person granted an attorney or agent by the Court of Protection on behalf of an adult who is incapable of consent A request does not have to specifically state whether it is under the provisions of the Data Protection Act or Freedom of Information Act and individuals may sometimes confuse the two. It is the CCG s responsibility to ensure that any request is dealt with under the correct legislation 5.1 Individuals living abroad Patients or individuals who used to live in the UK who have records held by the CCG will still have the right to make a subject access request. The same procedure would apply as for an individual living in the UK. Author: GEM CSU IG 4 Approved January 2014

5 5.2 Access to Health Records A health record is defined as: consisting of information relating to the physical or mental health or condition of an individual and has been made by or on behalf of a health professional in connection with the care of that individual. 6 Roles & Responsibilities 6.1 Chief Officer The Chief Officer is the accountable officer and Data Controller for the CCG. The Chief Officer is responsible for ensuring compliance with the Data Protection Act GEM CSU IG Lead Greater East Midlands Commissioning Support Unit (GEM CSU) provide Information Governance expertise and support to all Nottinghamshire CCGs under a Service Level Agreement and will process requests received by individual CCGs. Requests received by CCG staff will be forwarded to the Information Governance Lead at GEM CSU for review and response. All request details will be entered into a log and this will be maintained to monitor compliance to ensure all requests are answered in a timely manner. The GEM CSU Lead is responsible for: Reviewing the request to determine whether it is a subject access request (or Freedom of Information request) and liaising with CCG staff where advice is required. Prior to the release of any information, the GEM CSU lead must be satisfied as to the identity of the person making the request. The CCG will not release any information until this identification has taken place. Providing advice to responsible staff in the CCG on the withholding of certain information requested under the Data Protection Act. Liaising with other organisations if relevant to process the access request in the event of shared records/data. The CCG remains responsible for their organisations compliance under the Data Protection Act and the GEM IG Lead will ensure adequate sign off from a responsible staff member or designated professional prior to release of any information under a subject access request. 6.3 All Staff All managers and staff will comply with any request for personal data forwarded by the GEM CSU Lead as quickly as possible, and will respond as soon as possible but before a deadline communicated by the IG Lead. Author: GEM CSU IG 5 Approved January 2014

6 7 Subject Access Requests the rights of individuals The Data Protection Act 1998 ensures the transparency of data processing by obliging organisations to explain to individuals how their data is used (Principle 1) and by providing the right of subject access under Section 7. Section 7 of the Act provides that individuals who request access to their data should: Be informed whether or not they are the subject of any data being processed by a data controller organisation; and Be provided with an understandable copy of the information held about them on request It should also be provided in a permanent form i.e. paper or electronic format that may be retained by the individual unless the provision of the information in a permanent form would involve disproportionate effort. Individuals also have the right to: A description of the personal data of which they are the data subject A description of the purposes for which the data are being processed or are to be processed this could be based on the information supplied to the Information Commissioners office during notification or on some information specific to the applicant; Any information available to an organisation on the source of the applicant s data; and Where the applicant specifically requests it, the logic involved in any fully automated decision-taking that has or may have a significant effect on the individual concerned, such as a decision in relation to risk stratification (except where the logic would constitute a trade secret or be regarded as commercially in confidence). 8 Consent Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual s consent as: any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent must be appropriate to the age and capacity of the individual and to the particular circumstances of the case. The Data Protection Act distinguishes between: the nature of the consent required to satisfy the first condition for processing; and the nature of the consent required to satisfy the condition for processing sensitive personal data, which must be explicit. In most cases the consent to access personal information will be provided by the individual who is requesting the information, however, there may be cases where the individual is unable to consent or the data subject is a child. Author: GEM CSU IG 6 Approved January 2014

7 When an applicant is not able to produce written consent from the data subject to access the information or is not able to evidence that he/she is entitled to access the information, the GEM CSU Lead will request further information from the applicant on the reason for the request to decide whether it would be justifiable to release the information to the applicant in any event. The GEM CSU IG Lead will liaise with the CCG staff holding the information to determine whether it is appropriate to release the information under these circumstances. In the event that the applicant is a solicitor the subject s written authority for release must be obtained. Where a person is unable to manage his/her own affairs then the application will only be accepted if evidence is presented that the representative is a person appointed by the Courts e.g. under the Court of Protection (or acting within the terms of a registered Lasting Power of Attorney - Health). Any individual over the age of 12 who is considered to be Fraser competent may exercise their right of access to his/her records under the Act. This is also in line with guidance issued by the Information Commissioner. However, care must be taken to verify that the young person has either initiated such a request or consented to such a request being made or that the young person s lack of understanding requires a parent or guardian to act on their behalf. Another important aspect may well be the nature of the personal information that will be supplied. This will be of particular significance where the information may contain reference to the parent or guardian within the young person s records: for example, where allegations of abuse have been made against the parent or guardian in a social work file. Requests from minors need to be handled carefully; consideration needs to be given to balancing the harm that might arise against the possible benefits of supplying the information and will involve the CCG s Designated Professionals in all such requests. 9 Shared Records There are situations where a subject access request involves a record that is shared between organisations. The modernisation and integration of health and social care will place a greater emphasis on shared records, both health and non-health records. The following principles will be followed where this is the case: Obligations under the Act are, in general placed on the holder of the record. If records are shared between two health or NHS bodies, they will be joint data controllers. Responsibility for ownership of the record rests with the Secretary of State for Health although essentially, where both organisations are joint data controllers for the shared record, both are controlling how they are used In order to deal with Subject Access requests effectively, the organisation receiving the Subject Access request will take responsibility for processing the request and for obtaining consent or refusal for the release of parts of the record relating to the other organisation The CCG takes responsibility for the access request and joint liability for their release where each organisation has authorised its release. Author: GEM CSU IG 7 Approved January 2014

8 If the CCG does not agree with the decision made by the other organisation to withhold data from release and subsequently releases that element of the record, it will accept full liability. The GEM CSU Lead must document the reasons for withholding certain information lawfully in the request log. The applicant may challenge the decision not to release information If there is a refusal to disclose the record from the partner organisation, the organisation dealing with the access request should, in their response to the applicant explain the reason for the refusal and refer them to the other partner organisation directly if they wish to contest the refusal. 9.1 Other Records In addition to health records, all other records held by the CCG containing individual s information are liable to subject access requests by those individuals or their representatives. This includes personnel, finance, complaints and administration records. Any third party content of the record must be referred to the originating organisation for consent to release. Where the CCG is the originator of the third party information the GEM CSU IG Lead will liaise with the designated professional in the CCG to determine whether the information should be redacted. 10 Deceased Patient Records The rights to access under the Data Protection Act 1998 extend only to living individuals. Requests for deceased patients records are made under the Access to Health Records Act Requests can only be made by: The patient s personal representative (usually the executor of the will or administrator of the estate) or Any person who may have a claim arising out of the patient s death- release of any information will only be the minimum necessary to process their claim. Only relevant information relating to any claim made should be released The same rules apply to third party information as with other health records. The CCG should afford the same level of confidentiality to deceased patient s records as for living ones. 11 Exemptions to the Release of Information The Data Protection Act 1998 makes provision for withholding information in certain circumstances which must be considered when a request is received. The GEMCSU IG Team will liaise with a designated professional holding the record to determine whether an exemption should be applied and document all decisions where this is the case. The reasons for withholding the information will be provided to the requester. Author: GEM CSU IG 8 Approved January 2014

9 12 Subject Access Request Process 12.1 Receiving an access request under the DPA Applications for access to personal data must be made in writing to the GEM CSU IG Lead and sent to: Information Governance Birch House Ransom Wood Business Park Southwell Road West Mansfield Notts NG21 0HJ or by to Applications must be signed and dated by the applicant (but the application process will be supported by GEMCSU who will undertake all relevant checks). Where an application is made on behalf of an individual, adequate authorisation documentation must accompany the written application. The application must clearly identify the person in question, and the records required, including the following details: Full name including previous names Address including previous address(es) NHS number (if available) Date of birth Dates of health/personnel records required 12.2 Provision of Information in response to a request Where requested the CCG will allow data subjects to view their data. The CCG (through the GEM CSU Lead) will provide a data subject with a copy of their information in an intelligible form i.e. the use of jargon, abbreviations or codes contained within the information must be explained. If the information is terminologically difficult or of a technical nature, the designated professional must offer to go through the information with the data subject to explain the meanings. The CCG must take into account the provisions of the Equality Act 2010 and offer information in large print or Braille format for data subjects with visual difficulties. Arrangements will be agreed with the data subject and relevant CCG Managers to facilitate this within the timescales allowed by the Act. Where an access request has previously been complied with under the Act, the CCG does not have to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous compliance (The Information Commissioner s office has Author: GEM CSU IG 9 Approved January 2014

10 defined a reasonable interval to be 12 months). Where the CCG does not hold the personal information requested, it will inform the applicant as quickly as possible Response Times for Disclosure Responses to request for access must be made within 40 days of the date of receipt of the request and/or the fee payable. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner. Failure to comply with a request for subject access, without valid justification is treated as a serious matter and is investigated by the Information Commissioner. Such complaints are dealt with as a matter of priority and may often lead to a full scale investigation into an organisation s procedures and practices. In exceptional circumstances, if it is not possible to comply with this period, the applicant should be informed. Where the CCG has decided to charge a fee for a subject access request, it will inform the applicant that a fee is payable and the amount requested. The CCG is not required to provide the information requested until such time as the fee has been paid. This process is known as stopping the clock and can only be applied where it has been decided to impose a charge e.g. if the charge is requested at day 20 of the process the clock is stopped at that point. Once the charge has been received the clock is restarted at day 20 and the CCG then has 20 days to provide the information that has been requested Charges The following charges apply: Viewing paper or Computer records Copying of only computer records Copying of paper records or a mix of computer and paper records 10 (Maximum charge) 10 (Maximum charge) 10 minimum charge up to a maximum of Data identifying a Third Party Where personal data relating to the applicant also identifies another individual, the applicant s right of access must be weighed against the other data subject s right to privacy. The GEM CSU Lead should attempt, where practicable, to seek the consent of the third party to the release of their data. Where consent is obtained then the information can be released Serious harm or adverse effect on health On inspection of the records the responsible person or CCG designated professional can advise that certain personal information is not released on the grounds that its release would be likely to cause serious harm to the physical or mental health of the person or to others. Author: GEM CSU IG 10 Approved January 2014

11 There is no definite requirement to inform the requestor or their representative that this information has not been released Other Agencies Records Letters or reports from another agency or person may be contained in records held by the CCG. Where this is the case the designated professional reviewing the records should consider the need to approach those agencies or persons to secure agreement for release of those records. If health information has been obtained from another NHS organisation and used for direct care purposes there is no obligation to contact the other organisation for permission to release (but there may be circumstances where this may need to be considered) Requests from public bodies and law enforcement agencies Section 29 of the Data Protection Act outlines the circumstances in which some public bodies have statutory powers that enable them to request access to personal information. The CCG as a data controller will be extremely careful when releasing personal data to such parties and will, following receipt of a request, check that the organisation requesting the disclosure is acting within its powers by asking the applicant to quote the authority on which its power is based. The CCG will only accept the request if it is made in writing and it is able to verify the source of the request and any necessary test of prejudice carried out prior to releasing any personal data through its legal channels if necessary. Law enforcement agencies can request personal information on behalf of and where written consent has been obtained from the individual. If members of staff come across any such requests, they must inform the GEM CSU Information Governance Lead immediately. 13. Incidents Any incident involving a potential breach of the Data Protection Act 1998 or the Access to Health Records Act 1990 should be reported as an incident using the appropriate CCG reporting system. The Caldicott Guardian and relevant line manager should also be informed of this and a decision will be taken whether it is necessary to report this as a Serious Incident under the Serious Incident Reporting and Management Policy and/or to the Information Commissioner. 14. Equality Impact Assessment The CCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act. Author: GEM CSU IG 11 Approved January 2014

12 In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation Due Regard This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 16 Policy Review This policy will be reviewed annually or where significant legal changes have occurred. Author: GEM CSU IG 12 Approved January 2014

13 APPENDIX A - REFERENCES AND BIBLIOGRAPHY Data Protection Act 1998 available from Access to Health Records Act 1990 available from Human Rights Act 1998 available from Freedom of Information available from Record Management available from Common Law of Confidentiality NHS Confidentiality- code of Practice available from PolicyAndGuidance/DH_ NHS For the Record available from dsmanagement/index.htm The Abortion Regulations Act 1991 available from The Computer Misuse Act 1990 available from The Census (Confidentiality) Act The Civil Evidence Act The Electronic Communications Act The Public Interest Disclosure Act Crime and Disorder Act NHS For the Record available from dsmanagement/index.htm NHS Retention of Records available from PolicyAndGuidance/DH_ Mental Capacity Act The National Health Service Act 2006 available from Author: GEM CSU IG 13 Approved January 2014