Skip to main content

Individuals’ rights policy

Contents

1 Introduction

Individuals have a right to apply for access to health information held about them and, under the correct circumstances, this can also apply to requesting information about other people, or a deceased person. NHS organisations must ensure they have adequate procedures in place to enable people to exercise this right. This also applies to employees who wish to access their trust records.

The main legislative measures that give rights of access to health records include:

  • the Data Protection Act 2018 (DPA) or The UK General Data Protection Regulations (UK GDPR), rights for living individuals to access their own records. The right can also be exercised by an authorised representative on the individual’s behalf
  • the Access to Health Records Act (AHRA) 1990, rights of access to deceased patients’ health records by specified persons
  • individuals rights, one of the aims of the general data protection regulation (GDPR) is to empower individuals and give them control over their personal data. This includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing
  • the Medical Reports Act (MRA) 1988, rights for individuals to have access to reports, relating to them, provided by medical practitioners for employment or insurance purposes

2 Purpose

A subject access request (SAR) can be received by anyone within the trust. If you receive a SAR, this must be sent to the information governance (IG) department immediately for them to action. All SARs are to be completed within one calendar month of receipt; otherwise the trust will be in breach of the Data Protection Act (DPA) 2018 and could be liable to investigation and or monetary fines.

Within this policy is further information as to how a SAR is handled, and ensured it is done correctly, securely and efficiently.

It also specifies in certain areas or situations whereby people can ask for information and this does not necessarily fall into the requirements for a SAR.

3 Scope

This policy applies to all those working for the trust in whatever capacity, including the trust’s employees, volunteers, students, temporary workers, contractors, suppliers and third parties. It applies to third party providers who may hold Information belonging to the trust, including patient information.

This document applies to and is relevant across all services, departments, or care groups.

4 Responsibilities, accountabilities and duties

Persons with lead responsibility for this policy are:

4.1 Chief executive

The chief executive has overall accountability for ensuring that all laws are implemented within the trust including the DPA 2018 or UKGDPR, the AHRA 1990 and the MRA 1988. In addition, the chief executive has overall accountability for implementing records management within the trust.

4.2 Senior information risk owner (SIRO)

The SIRO (director of health informatics) is accountable for information risk throughout the organisation.

4.3 Caldicott guardian

The Caldicott guardian is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.

4.4 Data protection officer (DPO)

The DPO will assist in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data protection impact assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

4.5 Information asset owners (IAOs)

IAOs are responsible for information assets which include health records within each service. It is the IAO’s responsibility to make sure that employees within service areas follow the outlined procedures to ensure the trust is compliant with appropriate laws.

5 Procedure or implementation

5.1 Data subjects’ rights

The rights of data subjects under which individuals may make requests include the following:

5.1.1 Right to access

The right to obtain confirmation whether personal data concerning the person is being processed, and, where that is the case, request access to the personal data.

5.1.2 Right to rectification

The right to the rectification of inaccurate or incomplete personal data.

5.1.3 Right to erasure

The right to the erasure of personal data. Sometimes known as the “right to be forgotten”.

5.1.4 Right to restriction

The right to restrict the processing of personal data

5.1.5 Right to data portability

The right to receive a copy of personal data in a structured, commonly used and machine-readable format, also to request these data are transmitted to another controller directly

5.1.6 Right to object

The right to object to processing of personal data.

5.1.7 Rights related to automated decision-making and profiling

The rights:

  • not to be subject to a decision based solely on automated processing (for example, to have a human involved)
  • to have the theory or mechanisms behind an automated decision explained
  • to give an opinion about an automated decision
  • to challenge an automated decision, rights related to automated decision-making and profiling

In addition to the above, data subjects also have the right to be informed, which the trust fulfils by providing privacy notices whenever it collects personal data about individuals

5.2 Qualified not absolute rights

All of the rights listed above are qualified rights, meaning there are some exceptions to when they must be applied. Whilst the trust must always acknowledge a request has been made, there may be legal grounds for not complying with it.

5.3 Transparency and modalities

When dealing with individual rights requests, the trust will take into account the GDPR concepts of transparency and modalities. These are responsibilities on data controllers in terms of how they ensure data subjects’ rights are facilitated.

Specifically, information in connection to data subjects’ rights should be provided to data subjects in a ‘concise’, transparent, intelligible and easily accessible form’, ‘using clear and plain’ language (transparency). In addition, information should be provided in any form as per the requirements of the data subject, this can include all written forms, hard copy or electronic and in certain cases oral provision of information (modalities).

5.4 Notification obligation

When processing individual rights requests around the right to erasure, rectification and restriction, the trust will also take into account the ‘notification obligation’ conferred by article 19 of the GDPR. This means that when the trust actions a request around one of the above rights we are obligated to communicate what we have done to any other controllers of processers whom we have shared the data with previously, except where this is impossible or involves disproportionate effort.

5.5 Recognising individual rights requests

Key points:

  • a request can be made verbally or in writing
  • a request can be made to any part of the organisation and does not have to be to a specific person or contact point
  • a request does not need to mention the phrase containing the right being exercised or the relevant GDPR Article to be a valid request. As long as the individual has clearly described their request; this is valid. We will check with the requester that we have understood their request and request any identification or authorisation (if required)
  • we will record the details of all requests we receive

The format that an individual rights request is received may differ from request to request. In essence, if an individual writes to the trust or speaks to the trust and asks for access, changes or makes any objections of any kind to the personal data the trust is processing about them (whether perceived or actually processing their data) it should be considered and handled where appropriate as an individual rights request.

5.6 Fees and refusal of requests

Individual rights requests are free of charge. However, if the trust considers that a request is ‘manifestly unfounded’ or excessive (repeated) we can either:

  • request a ‘reasonable fee’ to deal with the request
  • refuse to deal with the request

In either case the trust will need to document and justify the decision and let the requestor know about the decision as soon as possible.

A reasonable fee should be based on the administrative costs of complying with the request. The trust does not need to comply with the request until we have received the fee.

5.7 Response times

Under data protection legislation the trust has one month to respond to any request. The trust is implementing this as a 28-day period in line with ICO guidance.

The trust will calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding date 28 days from that point.

5.7.1 Extending the response time

The trust can extend the time to respond by a further two months if the request is complex or we have received a number of requests from an individual. We will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.

However, it is the ICO’s view that it is unlikely to be reasonable to extend the time limit if:

  • the request is manifestly unfounded or excessive
  • an exemption applies or we are requesting proof of identity before considering the request

5.8 Verifying identity

If the IG department has doubts about the identity of the person making the request we can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. We will take into account what data we hold, the nature of the data, and what we are using it for.

We will let the individual know without undue delay that we need more information from them to confirm their identity. We do not need to comply with the request until we have received the additional information.

5.9 Information to be provided to requesters within the first 28 days

If the trust is not able to action the request:

  • the reasons we are not taking action
  • their right to make a complaint to the ICO
  • their ability to seek to enforce a right through a judicial remedy

If the trust is able to action the request dependent on further information:

  • that we are requesting a reasonable fee
  • that we need additional information to identify the individual

If the trust is actioning the request:

  • respond to the request
  • notify the requestor that we need to extend the response time (up to a further two months)

5.10 Scope of requests

Any personal data in relation to an individual, no matter what format, where or how it is stored by the trust could fall into the scope of an individual rights request.

5.11 Third party requests

Requests received by third parties in regard to access to a data subjects’ personal data (for example, the police or home office) will be handled using the processes described in the appendices.

6 Training implications

6.1 All employees, data security and awareness training

  • How often should this be undertaken: Upon commencement of employment and annually thereafter.
  • Length of training: 1 and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: Information governance or NHS digital e-learning package.
  • Where are the records of attendance held: Electronic staff record (ESR).

As a trust policy, all colleagues need to be aware of the key points that the policy covers. Colleagues can be made aware through a variety of means such as:

  • all user emails for urgent messages
  • continuous professional development posters sessions
  • daily email (sent Monday to Friday)
  • group supervision
  • intranet
  • local Induction
  • one to one meetings or supervision
  • posters
  • practice development days
  • special meetings
  • team meetings

7 Monitoring arrangements

7.1 Policy content

  • How: Paper for debate.
  • Who: IG manager.
  • Reported to: IG group.
  • Frequency: As relevant legislation updates or changes.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all employees working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the guiding principles of the Mental Capacity Act (2005) (section 1).

9.1 Legislation

All colleagues are required to comply with data protection legislation. This includes:

In addition, consideration will also be given to all applicable law concerning privacy confidentiality, the processing and sharing of personal data including:

Consideration must also be given to the:

10 References

11 Appendices

11.1 Appendix A Process for responding to a subject access request

11.1.1 Valid requests

  • Requests can be made verbally or in writing.
  • Requests can be made to any part of the organisation (including by social media) and do not have to be to a specific person or contact point.
  • Requests do not have to include terminology relating to the right it is in reference to.
  • Requests must be relating to personal data (including special categories of data) or processing of personal data.
  • Request does not have to be made on a predefined form, however the trust does supply one for people to use to help them ensure they provide all the required information.

11.1.2 Process on receipt

When a request is received it must be immediately shared with the IG department who will log it on the requests logbook.

11.1.3 Acknowledgement

The IG team will acknowledge the request without undue delay and at least within 48 hours of receipt into the organisation.

11.1.4 Verifying identities or permissions

In order to process a request the trust must ensure that we are satisfied as to the identity of the individual making the request. The key is proportionality, and we must only request enough information to confirm who they are. This must be requested without undue delay and at least within 48 hours of receipt of the request.

The period for responding to the request begins once the ID has been received. Forms of ID which are acceptable:

Verifying identities or permissions
Type of applicant Type of evidence
An individual applying for their own records Two items of proof of identity required, for example:

  • full birth certificate
  • passport
  • driving licence
  • marriage certificate
Someone applying on behalf of another individual over the age of 12
  • One item of proof of the person’s identity
  • One item of proof of the representative’s identity (individuals only does not apply to solicitors, orgs, etc) (see examples above)
Someone applying on behalf of another individual under the age of 12
  • One item of proof of the person’s identity
  • One item of proof of the representative’s identity (individuals only, this does not apply to solicitors, orgs, etc) (see examples above)
  • Proof of parental responsibility: copy of full birth certificate or copy of court order appointing parental responsibility, adoption order, etc.
Power of attorney or court appointed deputy applying on behalf of an individual
  • Copy of relevant documentation
  • One item of proof of the person’s identity
  • One item of proof of the attorney or deputy identity (see examples above)
Deceased records,
patient’s representative, for example, executor or administrator of estate
  • Proof of requestor’s identity
  • Copy of death certificate
  • Evidence that they are either executor or administrator of the deceased patient’s estate. Evidence could be:
    • solicitor’s letter
    • copy of the will
    • letter of administration
Person with a claim arising out of the patient’s death
  • Proof of requestor’s identity
  • Copy of death certificate
  • Evidence of claim, which could be:
    • solicitor’s letter
    • copy of the will

11.1.5 Requests received from representatives or third parties

The GDPR does not prevent an individual making a valid request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act on their behalf. In these cases, we must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This may be in the form of a written consent or authority form evidencing that the third party has consent from the individual to access their personal data.

Guidance should be sought from the Caldicott guardian or data protection officer if there are any concerns over the nature of the information and whether there are concerns whether the data subject is aware of what might be shared with the representative.

Requests may also be received from those who hold power of attorney if the individual lacks mental capacity. There are no specific provisions under the GDPR or Mental Capacity Act (2005) enabling a third party to exercise individual rights on behalf of such an individual therefore it is reasonable to assume that an attorney with authority to manage the affairs of an individual (or under a deputyship order) will have the appropriate authority.

11.1.6 Fees

Under the GDPR, in most cases a fee cannot be charged. However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We can also charge a reasonable fee if an individual requests further copies of their data following a request. The fee must be based on the administrative costs of providing further copies.

11.1.7 Clarification of requests

If a request is received, but more information is required in order to clarify the request this must be requested without undue delay. However we must only ask for information that is reasonably required to find the personal data covered by the request. The period for responding to the request begins once the additional information is received. However, if an individual refuses to provide any additional information, we must still endeavour to comply with the request, for example, by making reasonable searches for the information covered by the request.

11.1.8 Refusing to comply with a request

If we consider that a request is ‘manifestly unfounded’ or excessive we can:

  • request a “reasonable fee” to deal with the request
  • refuse to deal with the request

In either case we will need to justify the decision. For further advice please contact the data protection officer or IG department (rdash.ig@nhs.net).

If we do refuse to comply with a request we must explain the reasons we are not taking action; advise the individual of their right to make a complaint to the ICO and their ability to seek to enforce a right through a judicial remedy.

11.1.9 Exemptions

Exemptions to the individual rights (as provided by the GDPR and DPA18) will be applied by the trust where required, the full detail of the relevant possible exemptions are detailed in appendix I.

11.1.10 Retention

The log and all documentation relating to a particular request should be kept and retained for a period of three years. In the event of an appeal, the subject access request is retained for six years post closure of appeal.

11.2 Appendix B The right of access by the data subject (subject access request GDPR article 15)

11.2.1 What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information.

11.2.2 What is an individual entitled to?

Individuals have the right to obtain the following from the trust:

  • confirmation that we are processing their personal data
  • a copy of their personal data and other supplementary information such as:
    • the purposes of processing
    • the categories of personal data concerned
    • the recipients or categories of recipient we disclose personal data to.
    • retention period for storing personal data or, where this is not possible, our criteria for determining how long we will store it.
    • the existence of their right to request rectification, erasure or restriction or to object to such processing.
    • the right to lodge a complaint with the ICO or another supervisory authority.
    • information about the source of the data, where it was not obtained directly from the individual.
    • the existence of automated decision-making (including profiling). and the safeguards we provide if we transfer personal data to a third country or international organisation.

Much of this supplementary information is provided in our privacy notice.

11.2.3 Scope of requests

A request under the right of access relates to the data held at the time the request is received. However, in many cases, routine use of the data may result in it being amended or even deleted while the request is being dealt with. Therefore it is reasonable to supply information that is held at the time the request is responded to, even if this is different to that held when the request was received. However, it is not acceptable to amend or delete the data if we would not otherwise have done so. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure.

11.2.4 Transparency and modalities

The trust may be required to explain particular references, acronyms or information which are provided to an individual as part of a subject access request. Data must be provided in an ‘intelligible’ form. At its most basic, this means the information should be understandable by the average person. Therefore all records must contain explanations of codes or abbreviations where appropriate.

If an individual makes a request electronically, the information should be provided in a commonly used electronic format, unless the individual requests otherwise.

11.2.5 Requests for information about children

A child has a right under the GDPR to have access to their personal data regardless of their age. However, children under a particular age will likely have their rights exercised by those who have parental responsibility for them.

Before responding to a request for information about a child we must consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should respond directly to the child, unless the child authorises their parent (or an individual with parental responsibility) to act on their behalf.

To determine whether the child understand their rights the following will be taken into account:

  • the child’s level of maturity and their ability to make decisions like this
  • the nature of the personal data
  • any court orders relating to parental access or responsibility that may apply
  • any duty of confidence owed to the child or young person
  • any consequences of allowing those with parental responsibility access to the child or young person’s information, this is particularly important if there have been allegations of abuse or ill treatment
  • any detriment to the child or young person if individuals with parental responsibility cannot access this information
  • any views the child or young person has on whether their parents should have access to information about them
  • any views the child or young person has on whether their parents should have access to information about them

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. When assessing a child’s competence, it is important to explain the issues in a way that is suitable for their age. The Gillick competency test or Fraser guidelines can also be used to determine whether a child is presumed to be of a sufficient age or maturity.

In England, Wales and Northern Ireland there is no set age at which a child is generally considered to be competent to provide their own consent to processing. In Scotland children aged 12 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown, and the trust also aligns to this.

For further information on situations where the request has been made by a child, see the ICO guidance on children and the GDPR (opens in new window).

11.2.6 Documenting redactions or exemptions applied

If information has been withheld due to an exemption, for example, information relating to another individual, legal privilege etc. this will be documented on the individuals rights log (including justification for applying the exemption) and explained to the requestor that information has been redacted or removed in accordance with the provisions set out in the GDPR or DPA.

A copy of all the unredacted information which forms part of the request will be kept on file for audit purposes.

11.2.7 Secure electronic transmission

Where a requestor has asked for the information to be disclosed to them via email the NHSmail encryption service will be used to send the data.

11.2.8 Requests for information about deceased individuals

The Access to Health Records Act 1990 (AHRA) provides a small cohort of people with a statutory right to apply for access to information contained within a deceased person’s health record.

There may be circumstances where individuals who do not have a statutory right of access under AHRA request access to a deceased patient’s record. Current legal advice is that the courts would accept that confidentiality obligations owed by health professionals continue after death. Each request should be reviewed on a case-by-case basis and advice should be sought from the Caldicott guardian if there are any concerns regarding disclosing any personal information.

Individuals who have a right of access under the AHRA are defined under section 3(1)(f) of the act as, ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’. A personal representative is the executor or administrator of the deceased person’s estate.

The personal representative is the only person who has an unqualified right of access to a deceased patient’s record and need give no reason for applying for access to a record.

There is less clarity regarding which individuals may have a claim arising out of the patient’s death. Whilst this is accepted to encompass those with a financial claim, determining who these individuals are and whether there are any other types of claim is not straightforward. The decision whether a claim actually exists lies with the record holder. In cases where it is not clear whether a claim arises the record holder should seek legal advice and speak to the data protection officer.

There are different requirements to the GDPR or DPA in terms of timescales; access to health records requests should be responded to within 40 calendar days and there can be no charge for the request. It is still a requirement to check the validity of the request (ID etc.). No prescribed form needs to be completed however we must be satisfied as to the identity of the individual making the request and we can therefore seek clarification from the requestor. If a request is received from a patient’s personal representative evidence must be provided such as a sealed grant of probate or valid will evidence that the individual making the request is a personal representative. If the individual died intestate, the individual making the request can apply for letters of administration.

Disclosures in the absence of a statutory basis should be in the public interest, be proportionate, and judged on a case-by-case basis. The public good that would be served by disclosure must outweigh both the obligation of confidentiality owed to the deceased individual, any other individuals referenced in a record, and the overall importance placed in the health service providing a confidential service. Key issues for consideration include any preference expressed by the deceased prior to death, the distress or detriment that any living individual might suffer following the disclosure, and any loss of privacy that might result and the impact upon the reputation of the deceased. The views of surviving family and the length of time after death are also important considerations. The obligation of confidentiality to the deceased is likely to be less than that owed to living patients and will diminish over time.

Another important consideration is the extent of the disclosure. Disclosing a complete health record is likely to require a stronger justification than a partial disclosure of information abstracted from the record. If the point of interest is the latest clinical episode or cause of death, then disclosure, where this is judged appropriate, should be limited to the pertinent details.

If the deceased individual expressed a wish for information to remain confidential this should be upheld regardless of who is making the request unless there is an overriding public interest in disclosing.

For further guidance, please refer to the NHS Choices deceased individuals records (opens in new window).

11.3 Appendix C The right to rectification (GDPR article 16 and 19)

The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete, although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

This right has close links to the accuracy principle of the GDPR (article 5(1) (d)).

However, although we may have already taken steps to ensure that the personal data was accurate when we obtained it; this right imposes a specific obligation to reconsider the accuracy upon request.

11.3.1 What do we need to do?

If we receive a request for rectification we should take reasonable steps to check that the data is accurate and to rectify the data if necessary. We should take into account the arguments and evidence provided by the individual.

In terms of taking reasonable steps; what steps are reasonable will depend on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort we should put into checking its accuracy and, if necessary, taking steps to rectify it. We may also take into account any steps we have already taken to verify the accuracy of the data prior to the challenge by the data subject.

The GDPR does not give a definition of the term accuracy. However, the Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.

If mistakes are recorded, it may be prudent to maintain the mistake but update the record to show the accurate information. For example, if a diagnosis for a condition is recorded on a patient’s record which later is proved not to be the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. Whilst the medical record shows a misdiagnosis, it is an accurate record of the patient’s medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be rectified.

It may also be difficult to argue that ‘opinions’ are inaccurate and therefore able to be rectified but should be recorded as opinions on the record.

Whilst the request is being considered, the data should be restricted until the data is rectified.

If we are satisfied that the information is accurate or complete then we must tell the individual that we will not be amending their data. We must ensure that a note is recorded on the individual’s record indicating that the individual challenged the accuracy of the data and their reasons for doing so.

If we have disclosed the personal data to other organisations or individuals, we must contact each recipient and inform them of the rectification or completion of the personal data, unless this proves impossible or involves disproportionate effort (article 19). If asked, we must also inform the individual about these recipients.

11.4 Appendix D The right to erasure (GDPR article 17 and 19)

11.4.1 Overview

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose which we originally collected or processed it for
  • we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
  • we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • we are processing the personal data for direct marketing purposes and the individual objects to that processing
  • we have processed the personal data unlawfully (for example, in breach of the lawfulness requirement of the first principle)
  • we have to do it to comply with a legal obligation
  • we have processed the personal data to offer information society services to a child

Therefore the right of erasure will not apply in all circumstances, and we must establish whether the above conditions apply before we can process such a request.

11.4.2 Exemptions

The right to erasure does not apply if processing is necessary for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • for the establishment, exercise or defence of legal claims

The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

  • if the processing is necessary for public health purposes in the public interest (for example, protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
  • if the processing is necessary for the purposes of preventative or occupational medicine (for example, where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (for example, a health professional)

If we have disclosed the personal data to others, we must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort (article 19). If asked, we must also inform the individuals about these recipients.

Where personal data has been made public in an online environment (such as social networks) reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable we should take into account available technology and the cost of implementation.

If we refuse to comply with the request for erasure due to the fact that it is manifestly unfounded or excessive we must adhere to the conditions set out above.

11.5 Appendix E The right to restrict processing (GDPR article 18 and 19)

Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, we are permitted to store the personal data, but not use it. This right has close links to the right to rectification (article 16) and the right to object (article 21).

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information we hold or how we have processed their data. In most cases we will not be required to restrict an individual’s personal data indefinitely, but we will need to have the restriction in place for a certain period of time.

11.5.1 Overview

Individuals have the right to request the restriction or suppression of their personal data in particular circumstances. The restriction cannot be put in place indefinitely, but we will need to have the restriction in place for a certain period of time. This right has close links to the right to rectification (article 16) and the right to object (article 21).

Individuals have the right to request that their personal data is restricted in the following circumstances:

  • the individual contests the accuracy of their personal data and we are verifying the accuracy of the data
  • the data has been unlawfully processed (for example, in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead
  • we no longer need the personal data, but the individual needs us to keep it in order to establish, exercise or defend a legal claim
  • the individual has objected to us processing their data under article 21(1), and we are considering whether our legitimate grounds override those of the individual

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

  • if an individual has challenged the accuracy of their data and asked for us to rectify it (article 16), they also have a right to request that we restrict processing while we consider their rectification request
  • if an individual exercises their right to object under article 21(1), they also have a right to request us to restrict processing while we consider their objection request

Therefore, as a matter of good practice we should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.

In order to restrict processing, we should consider the following options:

  • temporarily moving the data to another processing system
  • making the data unavailable to users
  • temporarily removing published data from a website

Once the data is restricted, we must not process the restricted data in any way except to store it unless:

  • we have the individual’s consent
  • it is for the establishment, exercise or defence of legal claims
  • it is for the protection of the rights of another person (natural or legal)
  • it is for reasons of important public interest

If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction of the personal data, unless this proves impossible or involves disproportionate effort (article 19). If asked, we must also inform the individual about these recipients.

In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:

  • the individual has disputed the accuracy of the personal data and we are investigating this
  • the individual has objected to us processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and we are considering whether our legitimate grounds override those of the individual

Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. Once we have done this we must inform the individual before we lift the restriction.

As noted above, these two conditions are linked to the right to rectification (article 16) and the right to object (article 21). This means that if we are informing the individual that we are lifting the restriction (on the grounds that we are satisfied that the data is accurate, or that our legitimate grounds override theirs) we should also inform them of the reasons for our refusal to act upon their rights under articles 16 or 21. We will also need to inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek a judicial remedy.

If we refuse to comply with the request for restriction due to the fact that it is manifestly unfounded or excessive we must adhere to the conditions set out above.

11.6 Appendix F The right to data portability (GDPR article 20)

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

11.6.1 Overview

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

The right to data portability only applies when:

  • our lawful basis for processing this information is consent or for the performance of a contract
  • we are carrying out the processing by automated means (for example, excluding paper files)

The right to data portability only applies to personal data and allows data to be transferred from us as the controller to another controller (if the above conditions apply).

The data must be provided in a structured, commonly used and machine-readable format. We may need to seek advice and assurance from the IT team to determine how the data can be transferred. Further details on how the data can be transferred can be found on the ICO’s guidance webpages under ‘right to data portability’. We are responsible for ensuring the data is transmitted securely.

We can refuse to comply with a request for data portability if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. Please refer above for details on what information must be provided to the individual if we are refusing to comply with their request.

11.7 Appendix G The right to object (GDPR article 21)

An individual has the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority
  • direct marketing (including profiling)
  • processing for the purposes of scientific or historical research and statistics

11.7.1 Performance of a legal task or organisation’s legitimate interests

Individuals must have an objection on “grounds relating to his or her particular situation”.

We must stop processing the personal data unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
  • the processing is for the establishment, exercise or defence of legal claims

We must inform individuals of their right to object “at the point of first communication” and in our privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

11.7.2 Direct marketing purposes

We must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

We must deal with an objection to processing for direct marketing at any time and free of charge. We must inform individuals of their right to object “at the point of first communication” and in our privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other
information”.

11.7.3 Research purposes

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

We can refuse to comply with a right to objection if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. Please refer above for details on what information must be provided to the individual if we are refusing to comply with their request. National data opt-out.

Patients also have the right under the National data opt-out (opens in new window) to have their personal data excluded from many research and planning projects. The trust is fully compliant with the National data opt-out, but options must be registered nationally, not with the trust itself

11.8 Appendix H The right not to be subject to automated decision-making and profiling

The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if we are carrying out solely automated decision-making that has legal or similarly significant effects on them. The processing is defined as below.

Automated individual decision-making (making a decision solely by automated means without any human involvement). Examples include an online decision to award a loan; or a recruitment aptitude test which uses pre-programmed algorithms and criteria. Automated individual decision-making does not have to involve profiling, although it will often do.

Profiling (automated processing of personal data to evaluate certain things about an individual) and includes any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The GDPR applies to all automated decision-making and profiling. This Article sets out additional rules to protect individuals if we are carrying out solely automated decision-making that has a legal or similarly significant effect on an individual. Automated individual decision-making must be made without human involvement, for example, a recruitment aptitude test which uses pre-programmed algorithms and criteria.

Solely automated individual decision-making, including profiling, with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances. We can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  • necessary for entering into or performance of a contract between an organisation and the individual
  • authorised by law (for example, for the purposes of fraud or tax evasion)
  • based on the individual’s explicit consent

If we’re using special category personal data we can only carry out processing described in article 22(1) if:

  • we have the individual’s explicit consent
  • the processing is necessary for reasons of substantial public interest

Profiling (automated processing of personal data to evaluate certain things about an individual) and includes any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Profiling can be part of an automated decision-making process. The GDPR restricts you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals. For something to be solely automated there must be no human involvement in the decision-making process.

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

We must inform individuals if we are using this form of processing and if we are, we must:

  • give individuals information about the processing
  • introduce simple ways for them to request human intervention, express their point of view or challenge a decision
  • carry out regular checks to make sure that your systems are working as intended
  • provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual
  • use appropriate mathematical or statistical procedures
  • put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors
  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects

Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects. If our processing does not match this definition then we can continue to carry out profiling and automated decision-making, but we must still comply with the GDPR principles. We must identify and record our lawful basis for the processing. We need to have processes in place, so people can exercise their rights. Individuals have a right to object to profiling in certain circumstances. We must bring details of this right specifically to their attention.

11.9 Appendix I relevant exemptions

Relevant exemptions
Exemption Legislation reference Individual rights it can be applied to Extent
Crime and taxation personal data processed for:

  • the prevention and detection of crime
  • apprehension or prosecution of offenders
  • assessment or collection of tax, duty or similar
Legislation reference DPA18, section 2, page 1, paragraph 2 Informed access, rectification, erasure restriction, data portability, object To the extent that the application of the individual rights to the data would be likely to prejudice any of the matters listed
Immigration personal data processed for either:

  • the maintenance of effective immigration control
  • the investigation or detection of activities that would undermine the maintenance of effective immigration control
Legislation reference DPA18, section 2, page 1, paragraph 4 Individual rights it can be applied to informed access, erasure restriction, object To the extent that the application of the individual rights to the data would be likely to prejudice any of the matters listed
Required by law or legal proceedings personal data which the controller is obliged by an enactment to make available to the public, or which:

  • is necessary for the purpose of, or in connection with, legal proceedings (including prospective)
  • is necessary for the purpose of obtaining legal advice

Or:

  • is otherwise necessary for the purposes of establishing, exercising or defending legal rights
Legislation reference DPA18, section 2, page 1, paragraph 5 Informed access, rectification, erasure restriction, data portability, object To the extent that the application of the individual rights to the data would prevent the controller from complying with that obligation or making the relevant disclosure
Protection of the public personal data processed for the purposes of discharging a function which is designed to protect the public. A full list of these functions is available in DPA18, but they include health and safety at work, dishonesty, malpractice, incompetence, maladministration and failures in public services Legislation reference DPA18, section, page 2, paragraph 7 Informed access, rectification, erasure restriction, data portability, object To the extent that the application of the individual rights to the data would be likely to prejudice the proper discharge of the function
Health services regulatory functions personal data processed for the function of considering a complaint about healthcare under certain legislation Legislation reference DPA18, section 2, page 2, paragraph 10 Informed access, rectification, erasure restriction, data portability, object To the extent that the application of the individual rights to the data would be likely to prejudice the proper discharge of the function
Third party data, personal data relating to another individual who can be identified (not the data subject) does not have to be disclosed unless there is consent from the third party or it is reasonable to disclose without consent. Note, this does not include third party data included in health records which relates to health professionals and either contributed to the record or were involved in the care Legislation reference DPA18, section 2, page 3, paragraph 16 Informed access Not applicable
Legal professional privilege personal data to which either:

  • a claim of legal professional privilege could be maintained in legal proceedings
  • a duty of confidentiality is owed by a professional legal adviser to a client of the adviser
Legislation reference DPA18, section 2, page 4, paragraph 19 Informed access Not applicable
Self-incrimination personal data which would reveal evidence of the commission of an offence Legislation reference DPA18, section 2, page 4, paragraph 20 Informed access To the extent that compliance would expose the person to proceedings for that offence
Negotiations, personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject Legislation reference DPA18, section 2, page 4, paragraph 23 Informed access To the extent that the application of the individual rights to the data would be likely to prejudice those negotiations
Confidential references personal data consisting of a reference given (or to be given) in confidence for the purposes of:

  • the education, training or employment (or prospective) of the data subject
  • the placement (or prospective) of the data subject as a volunteer
  • the appointment (or prospective) of the data subject to any office
  • the provision (or prospective) by the data subject of any service
Legislation reference DPA18, section 2, page 4, paragraph 24 Informed access Not applicable
Journalistic, academic, artistic, literary purposes personal data processed for the ‘special purposes’ listed above with a view to the publication of the material where the controller believes publication will be in the public interest Legislation reference DPA18, section 2, page 5, paragraph 26 Informed access, rectification, erasure restriction, data portability, object To the extent that the application of the individual rights to the data would be incompatible with the special purposes
Research and statistics personal data processed for either:

  • scientific or historical research purposes
  • statistical purposes only where the data is processed in accordance with GDPR article 89(1)
Legislation reference DPA18, section 2, page 5, paragraph 27 Informed access, rectification, restriction, object To the extent that the application of the individual rights to the data would prevent or seriously impair the achievement of the purposes in question
Archiving personal data processed for archiving purposes in the public interest, only where the data is processed in accordance with GDPR article 89(1) Legislation reference DPA18, section 2, page 5, paragraph 28 Informed access, rectification, restriction, data portability, object To the extent that the application of the individual rights to the data would prevent or seriously impair the achievement of the purposes in question
Health data, serious harm health data (this exemption must be judged by a health professional within the preceding six months) Legislation reference DPA18, section 3, page 1, paragraph 2 Informed access, rectification, restriction, data portability, object To the extent that the application of the individual rights to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual
Health data, court processed health data is processed by a court, contained in a report or other evidence under proceedings

 

Legislation reference DPA18, section 3, page 1, paragraph 3 Informed access, rectification, restriction, data portability, object Not applicable
Health data, people under 18 heath data where the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject or where the data subject is incapable of managing his or her own affairs and a court appointed representative is managing their affairs Legislation reference DPA18, section 3, page 1, paragraph 4 Informed access, rectification, restriction, data portability, object To the extent that the application of the individual rights to the data would:

  • release data given by the data subject in the expectation that it would not be shared with the person making the request on their behalf
  • release the results of an examination or investigation carried out under the data subjects consent with the understanding that the result would not be disclosed
  • release information that the data subject has expressly indicated should not be disclosed

Note, information already known by the data subject.

Under DPA18, section 3, page 1, paragraph 6 an exemption cannot be applied to a health records request under the right to access or be informed where it is apparent that the data subject has already seen or knows about the health information.

11.10 Appendix J Application for access to health records

11.11 Appendix K Guidance on requests for information

Information about your personal treatment and care is confidential and will normally be something you will discuss with the healthcare professionals you meet. However, there may be other issues about which you would like further information, or you may just want to have a copy of the information we hold about you.

11.11.1 Your right to request access to your personal records

The Data Protection Act 2018 incorporating the General Data Protection Regulation 2016 (GDPR) gives living individuals the right to request access to personal records held about them by organisations such as ours. This is known as a subject access request (SAR). The Data Protection Act 2018 requires the trust to comply with requests for information within one month of receipt.

Any individual can make a request for their own information. In addition, an individual may nominate a representative (such as a solicitor, relative or just someone they trust) to apply on their behalf. In this case, there must be a valid consent signed by the individual who authorises the release of information to the representative.

11.11.2 Request access to someone else’s personal records (including children)

Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.

Whilst there is no legal age limit in the UK that young people may apply themselves, the trust takes the guidance of the Information commissioner’s office whereby a person aged 12 years or over, is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. Therefore they should be consulted regarding any request that has been made for their records by another individual, even if another individual has parental responsibility for them.

All people have the same rights over their personal data, regardless of their age. These include the rights to access their own personal data; request rectification; object to processing and have their personal data erased.

For those who are unable to consent a person may make a request on their behalf if they have been granted a power of attorney or deputy by a court to manage their affairs.

11.11.3 Access to deceased patient records

The Access to Health Records Act 1990 provides certain individuals with a right of access to the health records of a deceased individual. These individuals are defined under section 3(1)(f) of the act as ‘the patients personal representative and any person who may have a claim arising out of the patients’ death’. A personal representative is the executor or administrator of the deceased person’s estate.

If you wish to request access to patient records, you will need to complete the enclosed application form and either:

  • post to Rotherham, Doncaster and South Humber Foundation NHS Trust, Information Governance, Health Informatics, Woodfield House, Tickhill Road Site, Tickhill Road, Balby, Doncaster, DN4 8QN
  • email to rdash.ig@nhs.net with the required copy documentation (please note that this is not a secure method to send personal or sensitive information)

You can obtain a copy of the application form on the trust’s website at access your information and submit using the above methods.

11.11.4 What documentation will I need to provide

In most cases we will require copies of two items of evidence of identity and all ID must be current, see table below:

Access to deceased patient records
Type of applicant Type of evidence
An individual applying for their own records Two items of proof of identity required, for example:

  • full birth certificate
  • passport
  • driving licence
  • marriage certificate
Someone applying on behalf of an individual over the age of 12
  • One item of proof of the person’s identity
  • One item of proof of the representative’s identity (individuals only does not apply to solicitors, orgs, etc) (see examples above)
Someone applying on behalf of an individual under the age of 12
  • One item of proof of the person’s identity
  • One item of proof of the representative’s identity (individuals only does not apply to solicitors, orgs, etc) (see examples above)
  • Proof of parental responsibility: copy of full birth certificate or copy of court order appointing parental responsibility, adoption order, etc.
Power of attorney or court appointed deputy applying on behalf of an individual
  • Copy of relevant documentation
  • One item of proof of the person’s identity
  • One item of proof of the attorney or deputy identity (see examples above)
Deceased records, patients representative, for example, executor or administrator of estate
  • Proof of requestor’s identity
  • Copy of death certificate
  • Evidence that they are either executor or administrator of the deceased patient’s estate. Evidence could be:
    • solicitors letter
    • copy of the will
    • letter of administration
Person with a claim arising out of the patients death
  • Proof of requestor’s identity
  • Copy of death certificate
  • Evidence of claim, which could be:
    • solicitors letter
    • copy of the will

Exemptions to the release of personal information:

In general, all the personal records you request will be released to you, although there may be circumstances where certain information could be restricted. These include:

  • if it is considered that information in the records, if released, may be likely to cause serious mental or physical harm to yourself or another
  • where there is personal information concerning another person contained within your records, for example, third party

Should one or both of these exemptions apply to your request, we will notify you.

11.11.4.1 How long will it take for you to complete my request?

There are time scales laid down by the acts, which state that you should be given the information within a month, although we can extend this time by a further two months if the request is ‘complex’ or you have made a number of requests

11.11.4.2 How will the information be provided?

In most cases, copies of the records will be made and sent to you (or you can collect the copies if you prefer). You may prefer to view the records, in which case the trust will arrange with you a suitable time and location for you to come in and view the records.

11.11.4.3 Will I be charged for access to the records?

In most cases we cannot charge a fee to comply with a subject access request. However, where a request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We can also charge a reasonable fee if an individual requests further copies of their data following a request. We will base the fee on the administrative costs of providing further copies.

11.11.4.4 If you are not satisfied with your response?

In the first instance you should write to information governance explaining why you are dissatisfied with the response and asking for an internal review to be carried out.

If you remain unhappy and you wish to discuss further you can do this by writing to the trust’s data protection officer, the details are:

Data Protection Officer
Rotherham Doncaster and South Humber Foundation NHS Trust
Information Governance
Health Informatics
Woodfield House
Tickhill Road Site
Tickhill Road
Balby
Doncaster
DN4 8QN

Independent advice:

If you remain dissatisfied with the trust’s response you can contact the office of the information commissioner (ICO), the body with responsibility for enforcing the Data Protection Act, and their contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF

Please note that the ICO does not support complaints or queries that have been made under the Access to Health Records Act 1990. Requests for other health records, for example, GP. If you require access to your primary care health record, the request should be made to the relevant GP, etc.

11.12 Appendix L Reviewing records for release

11.12.1 Guidance for personal data

Editing information from paper and electronic documents prior to release in response to a subject access request (SAR).

Reviewing health records to see if redaction is applicable is made only in limited circumstances whereby restricting the rights to access to, ‘protect the data subject or the rights and freedoms of others’ DPA Article 23(i).

Reviewing can only be made by an ‘appropriate health professional’, for example, one who is currently or was most recently, responsible for the care or treatment of the data subject, and where there is more than one health professional, the one who is most suitable in relation to the request.

The lawful reasons for redaction are:

  1. third party information, disclosing information about another individual who can be identified from that information GDPR schedule
  2. part 3(16), except if:
    • the identified individual has consented to the disclosure.
    • it is reasonable to comply with the request without that identified individual’s consent.

In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:

  • the type of information that you would disclose
  • any duty of confidentiality you owe to the identified individual
  • any steps you have taken to seek consent from the identified individual
  • whether the other identified individual is capable of giving consent
  • any express refusal of consent by the identified individual

Further factors to be considered:

  • is the information already known to the requestor?
  • the circumstances relating to the individual making the request, the need to preserve a third party’s confidentiality must be weighed against the requestor’s right to access the information
  • need to distinguish between a third party’s personal information and information about a third party that is also about the data subject: For example:
    • his mother suffers from depression, is personal information about a third party that cannot be released without their explicit permission
    • he was voluntarily accommodated as his mother is unable to cope as she is suffering from depression, is personal information about a third party and the data subject that must be redacted appropriately
    • he was voluntarily accommodated as his mother is unable to cope //REDACTED// is acceptable for release as it provides context without disclosing the third party’s personal
      information

For the avoidance of doubt, you cannot refuse to provide access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request, and information about someone else. Consideration should also be given to the nature of the third party and their proposed use of the information.

Contrary to subject’s expectations and wishes, GDPR schedule 3, part 2(4(2)), disclosing information when the subject has said not to, we must respect the wishes of the data subject therefore we are unable to disclose health records if they identify information that was:

  • provided by the subject in the expectation that it would not be disclosed to the person making the request
  • which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be disclosed
  • which the data subject has expressly indicated should not be so disclosed

Serious harm test GDPR schedule 2(part 5), disclosing the information ‘would be likely to cause serious harm to the physical or mental condition of the data subject, or any other person’; This exemption can apply if you receive a subject access request for health data. It exempts you from the GDPR’s provisions on the right of access regarding your processing of health data.

But the exemption only applies to the extent that compliance with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for health data. You can only rely on this exemption if:

  • you are a health professional
  • within the last six months you have obtained an opinion from an appropriate health professional that the serious harm test for health data is met. Even if you have done this, you still cannot rely on the exemption if it would be reasonable in all the circumstances to re-consult the appropriate health professional

Note, the GDPR and DPA 2018 only applies to living individuals however, duty of confidentiality continues to apply after death and records of the deceased are treated with same level of confidentiality as those for the living, so all applicable guidelines above must be followed

So, although you may sometimes be able to disclose information relating to another individual, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.

11.12.2 Employee names

These should be disclosed as they will only be contained within the health records within their professional capacity. GDPR schedule 2 (part 3(17)(1) and (2).

Names of colleagues from other agencies may be released if they are held by the trust in the context of providing a complete care package. If phone numbers are requested, switchboard numbers should be released rather than direct lines.

11.12.3 Special category data (sensitive personal data)

Consent must be obtained before releasing sensitive personal information about the data subject that is not relevant to the request. Special category data consists of information pertaining to:

  • physical or mental health conditions
  • racial or ethnic origin
  • political opinions
  • sexual life
  • trade union membership
  • criminal convictions
  • religious beliefs or other beliefs of a similar nature
  • third party opinion
  • genetic or biometric data

If a non-trust professional gives an opinion it should not be released without consent from that person or their organisation; however, we may consider releasing it without consent if it influenced the trust’s provision of treatment and care. If the data subject is already aware of the opinion it can be released.

Example; If there is written discussion or correspondence between health professionals pertaining to the data subject that is only of an opinion of the treatment being received or information obtained during consultations, this would not be for disclosure without consent from that individual or the organisation they work for.

If there is written correspondence between health professionals pertaining to actual treatment of the data subject this should be disclosed.

11.12.4 Legal privilege

Advice provided by trust solicitors or legal advisors must not be disclosed. Court documents, including statements ordered by the court, are court property and cannot be released: anyone wishing to obtain them should apply directly to the appropriate court.

11.12.5 Self-incrimination and disclosure of concerns

Information revealing evidence of an offence and exposing the trust to criminal proceedings must not be released. If information of this nature is discovered it must be reported immediately to a manager. Where this is not appropriate or escalation is required, it should be raised with a director or the chair of the trust.

Please note that this is guidance only and that each request should be dealt with on a case-by-case basis. References to DPA and GDPR are Data Protection Act 2018 and General Data Protection Regulation 2016.

11.12.6 Frequently asked questions

Do I need to redact patient information that is being requested in relation to a police request?

  • No, with regard to a request for information in relation to a police request, there is no need for redaction. This is because we cannot be certain of what information is pertinent to the case in question.

Is redaction required in relation to a request for court proceedings?

  • No. As there is likely to be a court order produced to request release of the records, and this will specify what the court case is likely to be regarding, this does not disclose full information. Therefore, we cannot be entirely sure what information is or is not relevant to the case.

I have been requested to authorise and provide information regarding a patient that is a mother, and her child or children are listed within the copy records, should I remove the names and or details of her child or children?

  • No, there is no need to redact or remove these. Although the request could be for the mother’s records, she will be well aware of her child or children’s details and consents to share these with whom she has agreed to have access to her health records.

Should I remove details regarding mention of a patients partner or incidents mentioned within the health records?

  • This would predominately depend on the requestor and what is requested from within the health records. For example, if the request is pertaining to a police investigation, then nothing should be redacted or removed, as any information disclosed could be imperative to the investigation. But if it is a solicitor requesting records, it may be advisable to ask the information governance department what the request is for, and if mentioned, they will be able to advise appropriately, as this could have some bearing on whether any redaction or removal is required.

11.13 Appendix M Release form (health records)

11.14 Appendix N Release form (employee records)

11.15 Appendix O Definitions

Definitions
Term Definition
Personal data Means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Processing Means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Third party Means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Consent Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Data concerning health Means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
Recipient Means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
Profiling Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Controller Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

11.13.1 Subject access request flowchart

  1. Request received into the trust. Date stamp hardcopy requests.
  2. Forward the request immediately to the Information Governance  (IG) team (one month to respond, it’s the law. Enforced by the ICO).
  3. Does the request contain adequate information to process the request?
    • Yes, does the trust hold the records? If so continue. If not, The Information Governance team will inform applicant trust does not hold records.
    • No, the Information Governance team will contact the applicant to request further information.
  4. The Information Governance team will acknowledge and enter SARs log. The IG team will contact relevant service to request records. The IG team will send relevant information to applicant via secure mail or recorded delivery. update SARs log.
  5. One month to respond, it’s the law. Enforced by the ICO. Requests for information must be returned as quickly as possible and certainly by no later than the date shown in the request. If you cannot provide the information, inform the Information Governance team as soon as possible.

Document control

  • Version: 6.
  • Unique reference number: 265.
  • Date approved: 8 October 2024.
  • Approved by: Digital transformation clinical leadership group.
  • Name of originator or author: Data protection officer or head of information governance.
  • Name of responsible individual: Director of health informatics or senior information risk owner.
  • Date issued: 9 October 2024.
  • Review date: 31 October 2027.
  • Target audience: All employees.

Page last reviewed: November 12, 2024
Next review due: November 12, 2025

Problem with this page?

Please tell us about any problems you have found with this web page.

Report a problem