Trust Policy

Subject Access Request Policy

Department / Service: Corporate
Originator: Company Secretary
Accountable Director: Director of Nursing
Approved by: Information Governance Steering Group, Trust Management Committee
Date of approval: 26th August 2015
First Revision Due: 26th August 2017
Target Organisation(s): Worcestershire Acute Hospitals NHS Trust
Target Departments: All
Target staff categories: All

Policy Overview:
This policy sets out the Subject Access Requests (SAR) processes that are in place to deal with Subject Access Requests under the Data Protection Act (1998) and the Access to Health Records Act (1990).

Latest Amendments to this policy:
Updated into the most recent Trust Policy format
Updated SAR Health Records Guidance and Application included
Reporting structure and other minor amendments included

WAHT-CG-764 Page 1 of 23 Version 2
Contents page:

1. Introduction
2. Scope of this document
3. Definitions
4. Responsibility and Duties
5. Policy detail
6. Implementation of key document
6.1 Plan for implementation
6.2 Dissemination
6.3 Training and awareness
7. Monitoring and compliance
8. Policy review
9. References
10. Background
10.1 Equality requirements
10.2 Financial Risk Assessment
10.3 Consultation Process
10.4 Approval Process
10.5 Version Control

Appendices
Appendix 1: Flowchart for SAR
Appendix 2: Guidance notes for Subject Access Requests, Health Records applicants
Appendix 3: Guidance on charges and payments
Appendix 4: Employment Records SAR Form
Appendix 5: Template SAR Form
Appendix 6: Template Letter (A)
Appendix 7: Template Letter (B)

Supporting Documents
Supporting Document 1: Equality Impact Assessment
Supporting Document 2: Financial Risk Assessment
1. Introduction

A Subject Access Request (SAR) is a request from a person asking an organisation to provide them with information relating to that person which is held or processed by the organisation.

Individuals have a right under the Data Protection Act 1998 to make a request in writing for a copy of the information we hold about them, both in electronic format and in paper. In respect of deceased patients, the application can be made by their personal representative under the Access to Health Records Act 1990.

The disclosure request may be direct (for a copy of health records, for example) or may form part of an investigation (a request for a statement by the Police). Requests may be vague or imprecise and may be relevant to a claim against the organisation.

It is important that action is taken promptly, as legislation dictates that the organisation has only 40 calendar days to make the disclosure.

Applications for information of a personal nature cannot be made under the Freedom of Information Act 2000.

2. Scope of this document

This policy deals with the rights of data subjects provided under Section 7 of the Act whereby individuals can request access to their personal data.

This policy applies to all requests for access to personal data held by the Trust. This applies to anyone about whom the Trust holds information, including staff, ex-staff, patients and other service users.

This policy will provide a framework for the Trust to ensure compliance with the Data Protection Act 1998 and the Access to Health Records Act 1990.

This policy is supported by operational procedures and activities connected with the implementation of Subject Access Requests, as detailed in appendix 1-8.

3. Definitions

Health Record: A health record is defined in the act as being any record which consists of information relating to the physical or mental health or condition of an individual, and has been made by or on behalf of a health professional in connection with the care of that individual. The definition can also apply to material held on an x-ray or an MRI scan. This means that when a subject access request is made, the information contained in such material must be supplied to the applicant within the fee structure.

Data: Recorded information, whether stored electronically on computer or in paper-based filing systems.

Personal Data: The information is about an identifiable individual. This can be factual, such as name and address, or it can be an opinion about the individual.

Data Subjects: The person the information is about and who can be identified from that information. All data subjects have certain legal rights in relation to their personal information.

4. Responsibility and Duties

The Company Secretary has overall responsibility for Subject Access Requests.
The Head of Legal Services has responsibility for ensuring all Subject Access Requests regarding health records are actioned.

The Patient Services Manager has responsibility for ensuring all Subject Access Requests regarding complaints are actioned.

The Head of Clinical Governance & Risk Management has responsibility for ensuring all Subject Access Requests regarding patient safety incidents and alerts are actioned.

The Head of Human Resources (Resourcing) is responsible for requests by employees or ex-employees for copies of their personal employment files (this includes both medical and non-medical staff).

All managers must ensure their staff are aware of this policy and procedure and know how to deal with requests for personal/patient identifiable information.

Appendix 3 provides information on charges and payments.

5. Subject Access Request Process

See appendix 1 for a flowchart for all SAR requests
See appendix 2 for guidance from the Legal Services Dept for Health Records
See appendix 3 for guidance on charges and payments
See appendices 4-6 for template forms
See appendices 7-8 for template letters

The Access to Health Records Act 1990

This act has been repealed to the extent that it now only affects the health records of deceased patients. It applies only to records created since 1st November 1991. Applications for disclosure of records for deceased patients should only be granted to the personal representative of the estate or to someone having a claim arising out of the death.

The Data Protection Act 1998

The Data Protection Act gives an individual several rights in relation to the information held about them. Access gives them the right to obtain a record in permanent form.

Requests will be monitored through reporting to the Information Governance Steering Group (IGSG).

6. Implementation

6.1 Plan for implementation

The Company Secretary will ensure that this policy is sent to all directorate managers within the Trust.
It is their responsibility to ensure that all staff groups within their area are directed to this policy.

The Head of Legal Services will ensure that all requests for health records are logged and processed to meet the required timescales for completion.

For all other areas where these types of requests are processed (such as Patient Services, Patient Safety, Human Resources), details must be recorded in a central log held with the Company Secretary and include timescales and when the request has been completed.
Staff involved with requests must be trained and be aware of the process to ensure they respond to meet the requirements and timescales detailed in the policy.

6.2 Dissemination

This policy will be published on the Trust's Intranet. It is the responsibility of line managers to ensure that members of staff are made aware of this policy. New members of staff are advised during their induction process to look at the Trust's Internet and Intranet to ensure that they read and have a good working knowledge of all relevant policies, strategies, procedures and guidelines.

The Company Secretary will ensure that the policy is placed on the Trust's Weekly Brief once approved.

6.3 Training and awareness

Annual Information Governance training is mandatory for all staff. Any staff responsible for handling Subject Access requests must be aware of their responsibilities. Departmental training is given to Legal Services staff responsible for actioning subject access requests for Health Records.

7. Monitoring and compliance

This policy will be monitored through summary updates to the Information Governance Steering Group (IGSG) from the xxx and the Head of Legal Services. Where requests are not managed within the agreed timescales and standard, the steering group will request actions and monitor the improvement.
Monitoring table

Page/Section of Key Document: Section 5
Key control (WHAT?): Requests will be monitored through reporting to the Information Governance Steering Group (IGSG)
Checks to be carried out to confirm compliance with the Policy (HOW?): Reports to the IGSG
How often the check will be carried out (WHEN?): Twice Yearly
Responsible for carrying out the check (WHO?): IG Manager
Results of check reported to (responsible for also ensuring actions are developed to address any areas of non-compliance) (WHERE?): IGSG
Frequency of reporting (WHEN?): Twice Yearly
8. Policy Review

The Information Governance Steering Group will review this strategy on a bi-annual basis. Where national policy or legislation dictates change, review will be carried out at an earlier point if appropriate.

9. References

References: Code:
Data Protection Act 1998
Access to Health Records Act 1990
Freedom of Information Act 2000
Trust Information Governance Policy

10. Background

10.1 Equality requirements

None - equality assessment Supporting Document 1

10.2 Financial risk assessment

None - financial risk assessment Supporting Document

10.3 Consultation

The policy has been updated by the Information Governance Manager with input from the Information Governance Steering Group members.

Contribution List

This key document has been circulated to the following individuals for consultation:

Designation
Director of Resources/SIRO (Chair)
Director of Asset Management and ICT
Information Governance Manager
Information Governance Officer
Head of Human Resources - Workforce
Deputy Director of Nursing
Head of Legal Services
IT Operations Manager (on behalf of WHITS Director of IT)
Head of Risk Management and Clinical Governance
Chief Medical Officer
Caldicott Guardian
Company Secretary

This key document has been circulated to the chair(s) of the following committees / groups for comments:

Committee
Information Governance Steering Group
Trust Management Committee
10.4 Approval Process

This strategy will be approved by the Trust Management Committee bi-annually.

10.5 Version Control

This section should contain a list of key amendments made to this document each time it is reviewed.

Date: Feb 2013
Amendment: Policy Created
By: IG Manager

Date: May 2015
Amendment: Updated into the most recent Trust Policy format; Updated SAR Health Records Guidance and Application included; Reporting structure and other minor amendments included
By: IG Manager
Appendix 1 SAR Flowchart

Dealing with Subject Access Requests if not sent directly to correct department

Telephone Requests

Telephone calls received from a PATIENT requesting access to their Health Records should be directed to the Access to Health dept, ext 43850

Telephone calls received from a PATIENT requesting access to their Patient Safety records should be directed to the patient safety dept, ext 33089

Telephone calls received from a PATIENT/EX/MEMBER OF STAFF requesting access to their complaints records should be directed to the Patient Services dept, 0300 123 1732

Telephone calls received from an EX/MEMBER OF STAFF requesting access to their employment/occupational health records should be directed to Human Resources on 01905 760409

All other telephone calls regarding Subject Access Requests that do not fit within any of the four criteria shown here should be directed to the Company Secretary on via switchboard

Written Requests

A request is received from a PATIENT requesting access to their Health Records: letters are placed in an envelope and addressed to Legal Services Dept, Alexandra Hospital,

A request is received from a PATIENT requesting access to their Patient Safety records: should be directed to the Patient Safety dept, Aconbury East WRH

A request is received from a PATIENT/EX/MEMBER OF STAFF requesting access to their complaints records: should be directed to the Patient Services dept, Kidderminster Hospital

A request is received from an EX/MEMBER OF STAFF requesting access to their employment/occupational therapy records: should be directed to Human Resources, Aconbury East WRH

All other requests regarding Subject Access Requests that do not fit within any of the four criteria shown here should be directed to the Company Secretary, WRH

Guidance 2015
Appendix 2 Health Records SAR Guidance

APPLICATION FOR COPIES OF HEALTH RECORDS

NOTES FOR APPLICANTS

Ensure you read these guidance notes before completing the Application Form. An incomplete form or a failure to provide the required identity / legal documents will result in the application not being processed or being delayed.

Charges for processing your application

The Data Protection Act 1998 allows for a charge to be applied for this service up to a maximum of £50.00. Requests relating to deceased patients' records are governed by the Access to Health Records Act 1990; there is no maximum limit to the charge in these cases.

All charges include postage by recorded delivery and, where applicable:

A £10.00 administration fee, unless you have been seen within the last forty days of the application, in which case this fee does not apply.

Paper records at a charge of 30p per page (single sided, A4). Most records are available in an electronic format and will be provided on an encrypted CD. The charge for records in this format is £10.00.

If copy radiology (x-rays) is required, this information will be provided on an encrypted CD. The charge for x-rays is £10.00.

Once the copy information is available you will be notified of the charge. Payment is required before the information is disclosed. Cheques/Postal Orders should be made payable to:

WORCESTERSHIRE ACUTE HOSPITALS NHS TRUST

Please note we do not have the facilities to accept payment by credit or debit card.

Note 1 (Part A) Identity of the person about whom the information is requested

This part must be completed for all applicants. Complete all details relating to the patient whose records you wish to access. This should include former names (e.g. maiden name) and previous address, if applicable, for the period relating to the record requested. If known, please provide the Hospital Registration Number and NHS Number.

Note 2 (Part B) Details of the information required

This part must be completed for all applicants.
You must specify the records you wish to access and provide as many details as possible. If there is insufficient space, please attach a continuation sheet.
Example

Consultant or Department: Mr Smith; Condition/Illness: Broken Leg; Approximate Date: March 2007
Consultant or Department: Physiotherapy; Condition/Illness: Back pain; Approximate Date: June 2008
Consultant or Department: ECG; Condition/Illness: Chest Pain; Approximate Date: November 2009

Note 3 (Part C) Declaration

This part must be completed by the person seeking access. A photocopy of a document (e.g. passport, birth certificate) that will support the identification of the Applicant must be attached to the completed Application Form. Tick one box only which best describes you. Sign and date in the space provided, and if you are not the patient, provide your address, telephone number and relationship to the patient.

Note 4 (Part D) Authorisation for Application made on behalf of patient

This part should only be completed when the applicant is not the patient but has been authorised by the patient to make the application. Once the details in sections A to C have been completed, the patient should sign and date in the space provided to officially authorise the applicant's request for access.

GENERAL NOTES

1. WARNING: It is a criminal offence to make false or misleading statements in order to obtain information.

2. Patients, including those who are deceased, have a right to confidentiality of their personal health information and the hospital must be satisfied that an applicant is the patient or the patient's authorised representative. This may involve checking the identity of any of the named persons on the completed application form and their validity to request access.

3. Information may be withheld where it is considered that access might cause harm to the physical or mental health of the patient or any other individual, or where a third party might be identified. It is not a requirement for the Trust to disclose the fact that information has been withheld.
PLEASE COMPLETE IN BLOCK CAPITALS

APPLICATION FOR COPIES OF HEALTH RECORDS

Part A Identity of the Person about whom the information is requested (see note 1)

SURNAME:
FORENAME(S):
FORMERLY:
DATE OF BIRTH:
CURRENT ADDRESS:
PREVIOUS ADDRESS:
TEL NO:
E-mail*:
HOSPITAL NUMBER:
NHS NUMBER:

*Please supply an e-mail address to receive an acknowledgement of receipt of your request and to enable us to keep you informed about progress with your application.

Part B Details of the information required (see note 2)

Consultant or Department:
Condition/Illness:
Approximate Date:

X-Ray Images Required (CD): YES / NO
X-Ray Reports only: YES / NO

Please tick the box if you require the records in relation to a complaint you have registered with the Trust relating to your care.
Part C Declaration (see note 3)

I declare that the information given is correct to the best of my knowledge and that I am entitled to apply for access to the information detailed above.

(Tick as appropriate)

I am the patient named in Part A.

I have been authorised to act by the patient. (Part D must be completed)

The patient is under 18 years of age. I am the patient's parent/legal guardian and have parental responsibility.

The patient is over 16 years of age. I am their next-of-kin/legal representative. I am making this application as they lack the capacity of understanding to make the request. Please provide proof of evidence to support your application (e.g. Lasting Power of Attorney relating to health care)

I am the deceased patient's personal representative and attach confirmation of this. If you are applying for the records of a deceased patient, please provide proof of evidence to support your application (e.g. Grant of Probate or Letters of Administration)

SIGNED:
PRINT NAME:
DATE:
ADDRESS (if different from that in Part A):
TEL NO:
RELATIONSHIP TO PATIENT:

Part D Authorisation for application made on behalf of patient (see note 4)

I hereby authorise release of my health records, as specified above, to the person named in Part C and declare that I am the patient named in Part A of this form.

SIGNED:
PRINT NAME:
DATE:

WARNING: It is a criminal offence to make false or misleading statements in order to obtain information.
PLEASE ENSURE YOU HAVE ATTACHED THE REQUIRED IDENTITY / LEGAL DOCUMENTS

WITHOUT THIS INFORMATION WE WILL BE UNABLE TO PROCESS YOUR REQUEST

Please return the completed form to:

Access to Records
Legal Services Department
Alexandra Hospital
Woodrow Drive
Redditch
Worcestershire
B98 7UB

Any queries regarding completion of this form, please contact 01527 503850.
Appendix 3 Guidance on charges and payments

Subject Access Requests - Charges

A request for a Subject Access Request is received within a department

Each department then sends out the relevant form (with payment information included), asking for payment prior to the information being released

Cheques should be made payable to Worcestershire Acute Hospitals NHS Trust

When the cheque is received the information can be released to the requestor

Cheques should then be taken to the cashiers office along with the relevant cost centre and subjective codes (for where the money should be allocated)

Finance can provide these codes when needed

Process 2015
Appendix 4 Template Employment SAR Form

PLEASE COMPLETE IN BLOCK CAPITALS

APPLICATION FOR ACCESS TO HEALTH RECORDS

Part A Identity of the Person about whom the information is requested (see note 1)

SURNAME:
FORENAME(S):
FORMERLY:
DATE OF BIRTH:
CURRENT ADDRESS:
PREVIOUS ADDRESS:
TEL NO:
HOSPITAL NO:
NHS NO:

Part B Details of the information required (see note 2)

Consultant or Department:
Condition/Illness:
Approximate Date:

Part C Declaration (see note 3)

I declare that the information given is correct to the best of my knowledge and that I am entitled to apply for access to the information detailed above under the terms of the Data Protection Act 1998.

(Tick as appropriate)

I am the patient named in Part A

I have been authorised to act by the patient

I am the patient's parent/legal guardian and have parental responsibility

The patient is over 16 years of age. I am their next-of-kin/legal representative. I am making this application as they lack the capacity of understanding to make the request.

I am the deceased patient's personal representative and attach confirmation of this.

SIGNED:
PRINT NAME:
DATE:
ADDRESS (if different from that in Part A):
TEL NO:
RELATIONSHIP TO PATIENT:

Part D Authorisation for application made on behalf of patient (see note 4)
I hereby authorise release of my health records, as specified above, to the person named in Part C and declare that I am the patient named in Part A of this form.

SIGNED:
PRINT NAME:
DATE:

WARNING: It is a criminal offence to make false or misleading statements in order to obtain information.

Please return the completed form to:

Access to Records
Legal Services Department
Alexandra Hospital
Woodrow Drive
Redditch
Worcestershire
B98 7UB
Appendix 5 Template For SAR Form

Under the Data Protection Act 1998, [add the type of request such as employee/patient etc], about whom the Trust may be holding personal data, have a right to access the data that is being held about them. Any person may exercise this right, known as a Subject Access Request, by submitting a written or email request to their line manager.

It should be noted that it is not Trust policy to make a charge for any Subject Access Requests made by a current employee. A maximum charge of up to £50.00, including a £10.00 administration fee, can be made for all other non-employee requests.

The Trust aims to comply with requests for access to employment records as quickly as possible, and will ensure that information is provided within 40 days.

You will need to supply a form of identification. This may be (photocopies are acceptable):

A current driver's licence
A current passport
A birth certificate

We require proof of identity before we can process your request. This is to protect the identity of the data subject and ensure that the Data Protection principles are not breached.

Please complete using BLOCK CAPITALS as appropriate:

A: Details of Data Subject (person to whom the information relates)

Full Name:
Former Names:
Address:
Please also include former addresses:
Telephone Number:
Email:

B: If the Data Subject is, or has been, employed by the Worcestershire Acute Hospitals Trust, please provide the following information:

Relevant Identifier such as ID number:
Relevant 2nd Identifier:
Relevant dates to which the request refers:
Department or Ward or Area:
Reason for request (employment/complaint, patient safety etc):

C: Which records are being requested?

If you wish to see only certain specific document(s), for example, a specific departmental file etc, please describe these below:
D: Declaration:

I declare that the information given is correct to the best of my knowledge and that I am entitled to apply for access to the information detailed above under the terms of the Data Protection Act 1998.

I agree to pay a £10.00 administration fee plus photocopying and postage costs up to a maximum of £50.00 (delete if current employee)

Signed:
Print Name:
Date:
Data Subject / On behalf of Data Subject
Relationship to Data Subject:

E: Authorisation for application made on behalf of the data subject:

I hereby authorise release of my records, as specified above, to the person named in Part D and declare that I am the person named in Part A of this form.

Signed:
Print Name:
Date:

Please send this completed form to:
Appendix 6 Template Letter (A)

All correspondence relating to this matter to:
**Department**
**Address Line1**
**Address Line2**
**Address Line3**
**Address Line4**

Telephone Number: ** Number**
Our Ref: ****
**Date**

**Requestor Details/name/address**

Dear **

Further to your request regarding access to your xxx records under the Data Protection Act 1998, please find enclosed the application form for you to complete and return to the above address.

In the meantime, if I can be of any further assistance please do not hesitate to contact me.

Yours sincerely

**Name of person or department**
Appendix 7 Template Letter (B)

All correspondence relating to this matter to:
**Department**
**Address Line1**
**Address Line2**
**Address Line3**
**Address Line4**

Telephone Number: ** Number**
Our Ref: ****
**Date**

**Requestor Details/name/address**

Dear ***

The copy information that you require is ready for dispatch. The charge for providing you with the information is xxx

I will be pleased to release this information to you as soon as I have received a cheque for this sum made payable to Worcestershire Acute Hospitals NHS Trust, forwarded to **Department** at the above address.

Yours sincerely

**Name of person or department**

[Please note we do not have the facilities to accept payment by credit or debit card]

N.B. The maximum charge is £50.00 including postage
Supporting Document 1 - Equality Impact Assessment Tool

To be completed by the key document author and attached to key document when submitted to the appropriate committee for consideration and approval.

(Columns: Yes/No, Comments)

1. Does the Policy/guidance affect one group less or more favourably than another on the basis of:
Race
Ethnic origins (including gypsies and travellers)
Nationality
Gender
Culture
Religion or belief
Sexual orientation including lesbian, gay and bisexual people
Age

2. Is there any evidence that some groups are affected differently?

3. If you have identified potential discrimination, are any exceptions valid, legal and/or justifiable?

4. Is the impact of the Policy/guidance likely to be negative?

5. If so can the impact be avoided? N/A

6. What alternatives are there to achieving the Policy/guidance without the impact? N/A

7. Can we reduce the impact by taking different action? N/A

If you have identified a potential discriminatory impact of this key document, please refer it to Assistant Manager of Human Resources, together with any suggestions as to the action required to avoid/reduce this impact.

For advice in respect of answering the above questions, please contact Assistant Manager of Human Resource
Supporting Document 2 Financial Impact Assessment

To be completed by the key document author and attached to key document when submitted to the appropriate committee for consideration and approval.

Title of document:

(Column: Yes/No)

1. Does the implementation of this document require any additional Capital resources

2. Does the implementation of this document require additional revenue

3. Does the implementation of this document require additional manpower

4. Does the implementation of this document release any manpower costs through a change in practice

5. Are there additional staff training costs associated with implementing this document which cannot be delivered through current training programmes or allocated training times for staff

Other comments: None

If the response to any of the above is yes, please complete a business case which is signed by your Finance Manager and Directorate Manager for consideration by the Accountable Director before progressing to the relevant committee for approval