Subject Access Request (SAR)
Policy and Procedure
Version: V1
Ratified by: Finance and Investment Committee
Date ratified: 23/02/2022
Job Title of author: Information Governance Manager
Reviewed by Committee or Expert Group: Technology Programme Board
Equality Impact Assessed by: Information Governance Manager
Related procedural documents
IGPOL31: Data Protection Policy
Review date: 23/02/2025
It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version: V1
Date: August 2021
Author: Data Protection Officer and Information Governance Manager
Status: New policy created
Comment: Creation of a new policy by merging Policies IGPOL85 Subject Access Requests from Staff for Access to their Personal Data and IGPOL29 Access to Health Records. New policy updated in line with current SAR requirements.
2. Purpose
3. Responsibilities
4. Executive Summary
5. Principles Relating to Rights of Access
6. Subject Access Request application process for health data
7. Fees to Access Records
8. Times of Disclosure
9. Exemptions for the Right of Access
1. Introduction
The General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 give individuals the right of access to their personal data which are being ‘processed’ (i.e. used in any way) by data ‘controllers’ (i.e. Provide Group, or those who decide how and why data are processed), as well as to other supplementary information.
These requests are often referred to as ‘(data) subject access requests (SAR)’, or ‘access requests’. The Act gives individuals (known as data subjects) the right, subject to certain exceptions, to request access and obtain copies of personal data about themselves that is held in either computerised or manual formats and any type of personal information that is recorded including photographs, x-rays, audio messages and CCTV images.
The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) enable an individual citizen of the UK to ask an organisation to declare what information is held about them and how the information is used.
Data subjects have access rights to their personal information irrespective of when the record was created.
2. Purpose
This policy applies to service users and all staff employed by or working on behalf of the organisation, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers or locums. This policy applies to all requests for access to personal data held by the Provide Group.
The purpose of this Policy is to advise colleagues on how to recognise a Subject Access Request, what to do with one and what actions need to be taken in order to respond.
3. Responsibilities
The Board of Provide (hereafter referred to as “the organisation”) has a duty to ensure that the requirements of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) are upheld.
The Chief Executive Officer is responsible for the implementation of this policy.
The Caldicott Guardian is responsible for ensuring that patient data is used and shared in an appropriate and justifiable manner.
The Senior Information Risk Owner (SIRO) is responsible for the oversight of information risks and incidents across the organisation and represents IG at the Board.
The Information Governance Manager is responsible for operationalising the requirements of the GDPR, including overseeing the SARs process and for advising colleagues on Information Governance principles and practices.
The Data Protection Officer (DPO) is responsible for monitoring GDPR compliance, informing and advising on data protection obligations and providing advice regarding SARs.
Relevant Heads of Service and Managers are responsible for ensuring that information is disclosable under the requirements of the UK GDPR and DPA 2018, and for ensuring that records are provided in a timely fashion.
The relevant Assistant Director with the relevant Clinician, is responsible for providing confirmation that records are disclosable, or that access should be limited or denied.
The SAR administrator is responsible for coordinating and monitoring the SARs process, acknowledging requests with the data subject and, on approval, disclosing the information requested to the data subject.
All colleagues are responsible for ensuring they are fully aware of the SARs procedure as set out in this document.
4. Executive Summary
A summary of the process is as follows: -
• Where an enquiry is made regarding a Subject Access Request, Service Users or anyone making a request will, where appropriate, be directed to the SAR portal on the Provide website page (How can you access Your Information – Home Page - SAR Portal (ams-sar.com)).
• Subject Access Requests can be submitted in other formats, not only via the SAR portal. They can also be made verbally or in writing (including by social media) to any part of the organisation and do not have to be to a specific person or contact point. Requests received into the organisation are to be submitted to the Information Governance team - provide.sar@nhs.net
• The organisation has one calendar month to comply with a request. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner (ICO) who can levy a fine on the organisation for failure to comply.
• If it is anticipated that a request will take longer than one calendar month from the receipt of a Subject access request, the organisation must inform the applicant giving an explanation of the delay and agree a new deadline. The Act allows an extension of a further 2 months in such circumstances.
• Access is free of charge except in exceptional circumstances.
• Data subjects have a right of amendment if any information is found to be incorrect. They also have the right to rectification; the right to erasure or restrict processing; and the right not to be subject to automated decision-making.
• Where a request has been made electronically the information should be supplied in an electronic format unless otherwise specified. The organisation has taken the decision to use the SAR portal as the default position for sending information requested (unless otherwise specified).
5. Principles Relating to Rights of Access
Under the Data Protection Act 2018, any living person who is the subject of personal information held and processed by the organisation, has a right of access and to receive a copy of that information and other supplementary information.
The supplementary information includes the following:
• Purpose of processing
• Categories of personal data
• Recipients or categories of recipients that the information has been or will be shared with
• Retention period
• Whether or not we use automated decision making (including profiling) and information about the logic involved
• The individual’s right to request erasure, rectification, restriction or objection
• Whether or not the information is transferred to a third country and the corresponding safeguards provided
• The individual’s right to make a complaint to the ICO
If the above information is already provided in a Privacy Notice, then a link or a copy of the Privacy Notice can be provided.
A request can be made on someone’s behalf but it must be accompanied by the consent of the individual whom the information is about.
The organisation is not required to respond to subject access requests, unless it is provided with sufficient details to satisfy itself as to the identity of the individual making the request.
The right of access applies only to “personal data”. To amount to personal data, the information must:
• Relate to a living individual; and
• Be held either in electronic format or in a “relevant filing system”. A manual record created for the purpose of being transmitted electronically (e.g. scanned or faxed) will also be disclosable.
The organisation has the right to check with the applicant if they require access to their entire health record and confirm what material the applicant requires prior to processing the request. However, the applicant does not have to provide a reason for making an access request.
Health Records Relating to the Deceased
SARs under GDPR do not apply to the deceased.
Applications for access to health records of the deceased are made under the Access to Health Records Act 1990.
Records made after 1 November 1991 can be made available to a service user representative, executor or administrator.
Claimants of compensation are entitled only to access information specifically relating to the claim.
There is a separate application form for records relating to a deceased individual. Anyone wishing to make an application under the Health Records Act 1990 should be directed to the Information Governance team.
Health Records Act 1990 – This UK legislation covers access to a service user's records after death. The duty of confidentiality remains after a service user has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the service user's death are permitted access to the records.
Who can make a request?
Subject access requests can be made by:
• The individual/service users themselves
• Individuals requesting access on behalf of a child for whom they have parental responsibility
• A representative nominated by the individual to act on their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority
• A representative appointed by the court to act to manage an individual’s affairs
• An employee or ex-employee requesting access to their employment records
• The Police, for the prevention or detection of crime
• HMRC for the assessment or collection of tax or duty
• The courts
Requests made by a Service User Representative
An individual can authorise a representative to access their personal data on their behalf. This must be done in writing, with confirmation of the representative’s identity and relationship to the service user, and a signed form of consent must accompany the written application. Where a service user is physically or mentally disabled and unable to provide written consent for a representative to seek access on their behalf, the organisation will give the service user as much assistance as possible, in order to ascertain whether consent has been granted by other means. The application must clearly identify the service user in question, and the records required, including the following details: -
• Full name – including previous names
• Address – including previous address(es)
• NHS number (if available/if applicable)
• Dates of health records required (if applicable)
• Details of general records required
Parental Responsibility
Parents, or those with parental responsibility, will generally have the right to apply for access to a child’s health record.
Parental responsibility is defined in the Children’s Act 1989 as ‘all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property’. If you are in any doubt about the level of parental responsibility (for example the parents are divorced) please contact the Information Governance Team for legal advice.
In practice, parental responsibilities would include: -
• Safeguarding a child’s health, development and welfare
• Financially supporting the child
• Maintaining direct and regular contact with the child
Where a child is considered capable of making decisions about his/her medical treatment, the consent of the child must be sought before a person with parental responsibility can be given access to the child’s health records.
According to the Information Commissioner’s Office, there are no age requirements attached to the right of subject access but in the UK we tend to consider 12 and above as the age where young people can exercise their own legal rights.
This means that if you process children’s information, they have a right to ask for copies of it. If the young person is under 12 and making their own request, you might need to satisfy yourself that they understand what they’re doing, but this should not be a barrier to supplying them with their information.
If the young person is over 12, there’s unlikely to be any reason why you should not treat the request exactly as you would if an adult made it.
Although young people can submit their own subject access requests, parents or guardians can also exercise this right on their behalf. If the young person is 12 or over, check whether they’re happy to authorise the disclosure of their personal data to their parent or guardian. Where, in the view of the health professional, the child is not capable of understanding the application for access to records, the organisation is entitled to deny access as being against the best interests of the service user.
Third Party Disclosure
Where records contain information that relates to an identifiable third party, that information may not be released unless: -
• The third party is a health professional who has compiled or contributed to the health records, or who has been involved in the care of the service user
• The third party, who is not a health professional, gives their consent to the disclosure of that information
• It is reasonable to dispense with the third party’s consent (taking into account the duty of confidentiality owed to the other individual, any steps taken to seek his/her consent, whether he/she is capable of giving consent and whether consent has been expressly refused)
6. Subject Access Request application process for health data
On receipt of a valid access request application for personal data, the organisation has a duty to consider the following issues relating to disclosure of information:
• To confirm that the applicant is of an age and capacity to understand the nature of the application
• To take a decision regarding the withholding of access to all or part of a (health) record
• To provide assistance where records may need to be explained to the applicant
For health records the relevant Assistant Director (of the service for which the records originate from) is responsible, in conjunction with the relevant Clinician, for providing confirmation that records are disclosable, or that access should be denied. The appropriate clinician must complete an access approval form (see Appendix 2).
Where safeguarding issues are identified, a member of the organisation’s Safeguarding Team must be consulted to ensure that there are no concerns with regards to disclosure. Any concerns must be documented and discussed with the Head of Quality Assurance and Safety and/or the Information Governance Manager.
Where there are confidentiality concerns with regards to release of information (e.g. third party information contained in records), these should be discussed with the Information Governance Manager with input from the Caldicott Guardian where necessary.
To avoid multiple requests for information, the service holding the requested record, will ensure that all sources of information are searched for data relating to the request, including manual and computerised records.
Where a request for access has previously been complied with, the organisation is not obliged to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous request. Upon doing so, the organisation may charge a reasonable fee.
Subject Access Request process flow
Please refer to Appendix 1
7. Fees to Access Records
Under the Data Protection Act 2018 the organisation cannot charge for complying with a request unless the request is ‘manifestly unfounded or excessive’.
If a data subject makes a request for further copies of the same information the organisation may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be advised to the applicant at the time of the request if this is relevant.
Manifestly unfounded
If it is clear that the individual has no intention of exercising their right of access, for example if they make a request but then offer to withdraw the request in return for a favour or some benefit from the organisation, or if they state in some communication that they intend to use their request to cause disruption to the organisation, then this can be considered manifestly unfounded.
It is also manifestly unfounded if the individual makes unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice.
When deciding if a request is manifestly unfounded you must consider the request in the context in which it is made.
Manifestly Excessive
To determine if a request is manifestly excessive, you should determine whether the request is proportionate when balanced against the efforts or costs involved in dealing with the request.
Disproportionate Effort
Data Protection legislation does not define “disproportionate effort” but it is clear that there is some (albeit limited) scope for assessing whether complying with a request would result in so much work or expense as to outweigh the individual’s right of access to their personal data.
The concept of disproportionate effort, however, only justifies not providing copies of the information requested, rather than not searching for the information.
Given the significance of employment records, the view of the Information Commissioner is that the defence of disproportionate effort should only be relied upon in exceptional circumstances.
Disproportionate effort is technically only a defence to providing copies of information requested, so the applicant should be given access in some other way, for example allowing them to come in to inspect it.
Cases that involve disproportionate effort will be assessed on a case by case basis and in conjunction with the Data Protection Officer. Advice may be sought from the ICO to assist with this determination.
Multiple Requests
The rules around subject access do not prevent individuals from making multiple requests for information. However, if an individual (or representative) has recently made an identical request, the organisation may be able to reject the later request on the basis that there must be a “reasonable interval” between requests. What amounts to a reasonable interval depends on the nature of the information being requested (e.g. is it sensitive), the purposes for which it is being processed (e.g. is the processing likely to cause detriment to the individual) and the frequency with which the information is altered.
8. Times of Disclosure
Once a valid request has been made the organisation has one calendar month in which to respond.
Where proof of identity/ consent is required, the one month time limit does not start to run until this has been received and accepted. Where additional information or clarification is required in order to satisfy the request the ‘clock’ stops until all the necessary information has been provided.
If the one month time limit cannot be complied with it is important that the applicant is made aware of this. An extension may then be agreed with the applicant. Please note that under the terms of Data Protection Legislation in exceptional circumstances the time limit can be extended by two months, for example for particularly complex requests. Where this is the case the applicant must be informed as soon as it is known that it will not be possible to fulfil the request within the time limit and in any event within one month. When informing the subject that more time is needed you must provide them with the details of the data protection officer and the ICO, informing them that they have the right to complain. Non-compliance can result in a complaint being made to the Information Commissioner’s Office, which can issue a monetary penalty of up to €20 million or 4% of annual global turnover, whichever is higher, for any serious contraventions of the Data Protection Act.
9. Exemptions for the Right of Access
There are certain exemptions that apply with regards to rights of access. These exemptions are not absolute and must be assessed on a case by case basis. Additional exemptions can be found on the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/what-other-exemptions-are-there/
Access to all or part of an individual’s record will be denied if: -
• In the opinion of the relevant Service lead, Caldicott guardian or health professional, the information to be disclosed would be likely to cause serious harm to the physical or mental health of the applicant or any other person
• Where the record relates to, or has been provided by, an identifiable third party, unless the third party has consented to disclosure
Confidential references
The organisation is not obliged to disclose a reference it has provided or received from another organisation. The organisation should consider disclosure in any case. The organisation should understand that the contents may need to be disclosed if the subject exercises other legal rights or seeks a legislative approach in the areas of employment and equality law.
Please note that this exemption does not apply to internal references.
Information used for management forecasting/ planning
This exemption can be applied where to disclose the information would likely prejudice the business of the organisation. This exemption might therefore apply where the information requested is concerning planned redundancies or promotions within the organisation. *
Information recording the intention of the organisation in relation to any negotiations with the employee
Personal data that consists of a record of the organisation’s negotiations with an employee is exempt from the right of subject access to the extent that complying with a request would be likely to prejudice the negotiations (for example by giving the organisation’s “fall-back” position).*
Information held for the prevention or detection of crime, the prosecution of offenders or the assessment or collection of any tax or duty.
This prevents the right applying to personal data that is passed to statutory review bodies by law-enforcement agencies, and ensures that the exemption is not lost when the information is disclosed during a review.*
Legal professional privilege
Legal professional privilege applies in two areas. Firstly, legal professional privilege attaches to any document which was created with the dominant purpose of being used in current or potential litigation. The document can be created by anybody so long as this was its dominant purpose. The second branch of legal professional privilege attaches to any document which was brought into being in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving legal advice.
* Once the risk of prejudice has passed the information should be considered disclosable. Information may need to be released if the subject seeks a legislative approach in the areas of employment or equality law.
Information in respect of informal grievances is not likely to be covered by legal professional privilege if the information is not the giving or receiving of legal advice from a barrister or solicitor.
Information about third parties
Some of the personal information requested by a data subject might also include personal information about a third party (for example their opinions). The decision on whether to disclose will involve balancing the individual’s right of access against those of the third party in respect of their own personal information.
In general the organisation should not disclose information in relation to a third party unless:
• The third party has consented to the disclosure
• It is reasonable in all the circumstances to comply with the request without the third party’s consent.
Applying an Exemption
Notification of refusal to grant access must be given as soon as possible, in writing. The organisation will record the reason for this decision, and will also fully explain the reason to the applicant and inform them of their right to make a complaint to the ICO.
Where it is decided that an exemption is to be applied and information is to be withheld it is important to:
1) Document the application of the exemption, what information has been withheld or redacted and the reasons why.
2) Be open with the individual and inform them as to why certain information has been withheld.
3) Inform the individual that if they are not happy with the way their request has been handled, they may complain to the Data Protection Officer or the ICO and provide them with information on how to do so.
Clear documentation and correspondence with an individual on these issues will assist the organisation in the event of a dispute.
Appendix 1
SAR Received (verbally, electronically –email/SAR portal or by post)
Notify SAR team
SAR Procedure
Do we commission the service from which records are requested? Are we the controller of the information?
• No: Identify the controller and advise them and/or requester accordingly
• Yes: Proceed with the SAR request
Check what type of records it is:
• records
• Employee records – see references to a separate HR process below
• recordings
• All records held on the individual including emails and videos, etc.
Acknowledge the receipt of Subject Access Request (via SAR portal or use template letters 1a, 1b)
Verify the identity (pause the time limit for responding) of the data subject if not known (You can ask questions that only they would know, about reference numbers or appointment details for example. Or you can ask for ID that you can actually verify).
Use SAR portal or email/post application forms (Template letters 2a, 2b or 2c). Clarify the request (if necessary) including narrowing down of the scope such as dates, records required, the extent of information required.
Calculate deadline for response/disclosure.
Collation of information – Consider where the information may be held and contact appropriate service or department (use template letter 3) with the request.
For health records, SAR admin collate records from SystmOne. Records from other health systems need to be provided by the appropriate service.
Collated information (pdf) is sent to respective Assistant Director to check and approve, limit or deny (Appendix 2).
Safeguarding concerns will need to be checked by the safeguarding team.
For employee records HR to collate information. IG to extend search for information via service desk if necessary.
For CCTV recordings contact estates
Check what type of request it is: Living individual
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
If request is for the deceased, end SAR and refer to the appropriate process or section
All records held on the individual. SAR/IG team need to extend search for information via service desk request if necessary. Ensure both electronic and manual filing systems are considered.
Review information considering possible exemptions with input from IG team.
Consider review and approval by Information Governance Team and/or DPO, prior to disclosure if there is a discrepancy, conflict or complex issue.
Respond to requestor with information requested using SAR portal, secure email or by recorded post stating private and confidential. Provide the information requested or if applicable include reasons for any omissions (SAR response template letter 5). If the decision is not to disclose, then explain the reason why (Template letter 4 – No disclosure). HR to respond to the employee records requests.
Template letter 1a
Acknowledgement via email
Dear [name of data subject],
Subject access request
Thank you for your request for [enter the type of request, i.e. access to personal data, correction of health records, etc.] which was received on [xx/xx/xxxx].
In order to verify your identity and process your request as quickly as possible we will need you to complete an application form.
You can complete the form using our secure SAR portal Home Page - SAR Portal (ams-sar.com) to provide the necessary information and document/s that we require in order to process your request. You may need to register if you do not already have an account on the portal. Once registered, you will be able to view your request/records securely using a download function within the portal, reducing the need for paper copies, DVD files, etc.
Alternatively, please let us know if you would prefer to complete a manual application form by email or post.
Your personal data/records can only be provided once you have completed all relevant details on the SAR portal or on a manual application form and your identity has been satisfactorily verified.
Failure to provide the details within 30 days of the date of this letter will result in closure of this request.
If you require any further information please do not hesitate to contact us at provide.sar@nhs.net.
Yours sincerely,
Subject Access Request Team
Template letter 1b
Acknowledgement to solicitors - email
Dear [name of data subject],
This is an acknowledgement of your request [enter the type of request] which was received on [xx/xx/xxxx]. We will respond with the requested information via secure email within one calendar month. Very occasionally it may not be possible to comply within this time frame but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.
Please submit any future requests via our secure SAR Portal in order for you to receive the information requested securely. You can complete the form using Home Page - SAR Portal (ams-sar.com) to provide the necessary information and document/s that we require in order to process your request. You may need to register if you do not already have an account on the portal. Once complete, you will be able to view your request/records securely using a download function within the portal, reducing the need for paper copies, DVD files, etc.
Yours Sincerely,
Subject Access Request Team
Template letter 2a – manual application form
Application for your own Records and for requests from Guardian/Parent (Child under 16)
(Data Protection Act 2018)
PLEASE COMPLETE IN BLOCK CAPITALS AND BLACK INK
Section 1: Details of the Person whose Information is requested
Forename(s)
Surname
Date of Birth
NHS Number
Current Address
Sex
If the name or address was different from the above, during the period to which the application relates, please give additional details below:
Forename(s)
Previous Surname
Previous Address
Section 2: Information Required
In the table below, please provide a brief summary of the type of information you require the records to cover and the timescale involved:
• Type of Information/Treatment/Attendance (e.g. email, health records, staff records, CCTV)
• Location/Service/Department (e.g. Physiotherapy, District Nursing, human resources, CCTV)
• Date(s)
• Name of Health Professional (if known or applicable)
Unless requested otherwise, the information will be sent to you electronically by encrypted, secure NHSmail email together with instructions for opening the email from us safely, securely and free of charge. Therefore please ensure that you complete the email address box under Section 3 of this Access to Record Application Form clearly and in full.
If you require a hard copy of the records to be sent to you, please specify this below. These will be sent to you by recorded delivery and will require your signature on receipt. You also have the option to collect the records personally or you can choose to come in to view the records with an appropriate health professional.
I require a hard copy of the records sent via recorded delivery
I would like to come in to view the records with the appropriate health professional
I would like to collect the records from Provide Headquarters Colchester
Section 3: Person whose Information is requested (location where records should be sent)
Forename(s) Surname
Current Address
Tel No
Relationship to the person named in Section 1.
Email Address
Where the person named in Section 1 is under the age of 16, a responsible adult should clarify where appropriate that the child understands the nature of application. Please note that you may be required to provide proof of parental responsibility.
Section 4: Details of the Person whose Information is requested - Consent
To be completed by the person named in Section 1 if you are acting on their behalf.
I hereby request Provide to release any Personal Data held relating to me.
I authorise the release of my information to………………………………………………… whom I have given consent to act (enter the name of the person acting on your behalf)
Signature
Date
Section 5: Identification
Two forms of identification must be provided for the Person whose Information is requested (section 1) and also for the applicant (section 3) if applicable.
Two copies must be provided. One copy of photographic ID and one form of non-photographic ID from the following list of identification will be accepted. Please indicate which forms of ID you are providing below:
Person whose Information is requested Applicant
PHOTOGRAPHIC
Birth Certificate or child benefit entitlement – must be provided if requesting information for a child
If you are unable to provide two of the above or have any questions about completing this form, please phone 0300 303 2642.
Section 6: Declaration
I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Data Protection Act 2018
• I am the person named in Section 1 ☐
• I am acting on behalf of the person named in Section 1
Applicant’s
Please return this completed Form and 2 copies of Identification to: -
Provide Subject Access Request (SAR) Team 900 The Crescent, Colchester Business Park, Colchester, Essex, CO4 9YQ
Important Notes
• The Data Protection Act 2018 allows an individual to access their own health records. This right can also be exercised by an authorised representative on an individual’s behalf e.g. a solicitor. Third parties must provide evidence to show they are authorised to act on the person’s behalf.
• Once we have received your request and completed Application Form, we will respond within one calendar month to provide the information you have requested. Very occasionally it may not be possible to comply within this time frame but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.
• Information you request under a Subject Access Request is supplied free of charge. If you make a request for further copies of the same information we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be advised to you at the time of your request if this is relevant.
• It is the responsibility of the applicant to provide enough information to enable Provide to identify his/her records. Please ensure that you complete the Access to Record Application Form as fully as possible so as not to delay your request and within 30 days of the date of our initial letter.
• Our Privacy Notice describes how Provide collects, uses, retains and discloses personal information.
Your Information Your Rights by Provide CIC - Issuu ERUK-Final-GDPR.pages (provide.org.uk) (easy read version)
Template letter 2b – SAR portal application form
Access to Records Application on behalf of living individuals –Third Party (e.g. Requests from Police, Solicitors, CHC, on behalf of a Child under 16)
(Data Protection Act 2018)
Important Notes
• The Data Protection Act 2018 allows an individual to access their own health records. This right can also be exercised by an authorised representative on an individual’s behalf e.g. a solicitor. Third parties must provide evidence to show they are authorised to act on the person’s behalf.
• Once we have received your request and completed Application Form, we will respond within one calendar month to provide the information you have requested. Very occasionally it may not be possible to comply within this time frame but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.
• Information you request under a Subject Access Request is supplied free of charge. If you make a request for further copies of the same information we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be advised to you at the time of your request if this is relevant.
• It is the responsibility of the applicant to provide enough information to enable Provide to identify his/her records. Please ensure that you complete the Access to Record Application Form as fully as possible so as not to delay your request and within 30 days of the date of our initial letter.
• Our Privacy Notice describes how Provide collects, uses, retains and discloses personal information. Your Information Your Rights by Provide CIC - Issuu ERUK-Final-GDPR.pages (provide.org.uk) (easy read version)
PLEASE COMPLETE IN BLOCK CAPITALS AND BLACK INK
PLEASE COMPLETE ALL SECTIONS
Section 1: Details of the Person whose Information you are requesting
Forename(s)
Surname
Date of Birth
Sex
Current Address
Postcode
NHS Number if Known
If the name or address was different from the above, during the period to which the application relates, please give additional details below:
Forename(s)
Previous Address
Post Code
Previous Surname
Requestor’s details (i.e. the authorised party who is requesting the records)
Requestor’s Name
Requestor’s Address
Requestor’s Postcode
Requestor’s Telephone number
Requestor’s relation to the patient
Please complete the following or upload the relevant information via the initial request letter.
Section 2: Information Required
In the table below, please provide a brief summary of the type of information you require the health records to cover and the timescale involved:
Type of Information/Treatment/ Attendance (e.g., email, health records, staff records, CCTV)
Location/Service/Department (e.g. Physiotherapy, District Nursing, human resources, CCTV).
Date(s)
Name of Health Professional (if known or applicable)
Date of Incident/Accident If Applicable
Section 3: Identification
Please submit the relevant documents relating to your application
Two forms of identification must be provided for the Person whose Information is requested (section 1) and also for the applicant (section 3) if applicable.
Two copies must be provided. One copy of photographic ID and one form of non-photographic ID from the following list of identification will be accepted. Please indicate which forms of ID you are providing below:
Person whose Information is requested Applicant
PHOTOGRAPHIC
Current Passport
Photo Driving Licence
National Identity Card
NON-PHOTOGRAPHIC ID
Paper Driving Licence
Utility Bill (received in the past 3 months)
Birth Certificate or child benefit entitlement – must be provided if requesting information for a child
Requests for individuals who lack capacity
If you are requesting health records for an individual who lacks mental capacity and you have authority to act on their behalf please upload a copy of the Power of attorney (for personal welfare) here:
Solicitor Request
If you are a solicitor making a request on behalf of a client please upload the following:
Initial Request Letter
Form of authority showing Client consent
Continuing Healthcare Request
If you are from the Continuing Healthcare team please upload the following:
Initial Request Letter
Form of authority or power of attorney for personal welfare
Police Request
For requests from Police please upload the following:
Medical Form
A101 (Put name of form)
Court Request
For requests for records from courts please upload a copy of the Court order requesting the records
Other request
If you are requesting records for any other reason please specify and upload relevant documentation:
Section 4: Declaration
I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Data Protection Act 2018 and that I am entitled to act on the behalf of the person named in section 1 ☐
Date
Template letter 2c – manual application form
Access to Record Application – Deceased patient records (Access to Health Records Act 1990)
PLEASE COMPLETE IN BLOCK CAPITALS AND BLACK INK
Section 1: Details of the Person whose Information is requested
Forename(s)
Surname
Date of Birth
Sex
NHS Number
Current Address
If the name or address was different from the above, during the period to which the application relates, please give additional details below:
Forename(s)
Previous Surname
Previous Address
Section 2: Information Required
In the table below, please provide a brief summary of the type of information you require the health records to cover and the timescale involved:
Type of Information/Treatment/ Attendance (e.g., email, health records, staff records, CCTV)
Location/Service/Department (e.g. Physiotherapy, District Nursing, human resources, CCTV).
Date(s)
Name of Health Professional (if known or applicable)
Unless requested otherwise, the information will be sent to you electronically by encrypted, secure NHSmail email together with instructions for opening the email from us safely, securely and free of charge. Therefore please ensure that you complete the email address box under Section 3 of this Access to Record Application Form clearly and in full.
If you require a hard copy of the records to be sent to you, please specify this below. These will be sent to you by recorded delivery and will require your signature on receipt. You also have the option to collect the records personally or you can choose to come in to view the records with an appropriate health professional.
I require a hard copy of the records sent via recorded delivery
I would like to come in to view the records with the appropriate health professional
I would like to collect the records from Provide Headquarters Colchester
Section 3: Applicant (location where records should be sent)
Forename(s)
Surname
Current Address
Tel No
Relationship to Patient
Email Address
Have you previously held a Lasting Power of Attorney for Health and Welfare?
Yes ☐ No ☐
Are you a personal representative (the executor or administrator of the deceased estate)?
Yes ☐ No ☐
Do you have a claim resulting from the death?
Yes ☐ No ☐
Please detail below in brief the reason for requesting the information:
Section 4: Identification
Two forms of identification must be provided for the applicant (section 3).
Two copies must be provided. One copy of photographic ID and one form of non-photographic ID from the following list of identification will be accepted. Please indicate which forms of ID you are providing below:
Applicant
Current Passport
Photo Driving Licence
National Identity Card
Paper Driving Licence
Utility Bill (received in the past 3 months)
If you are unable to provide two of the above or have any questions about completing this form, please phone 0300 303 2642.
Section 5: Declaration
I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Health Records Act 1990.
I am acting on behalf of the person named in Section 1
Applicant’s Name
Applicant’s Signature Date
Please return this completed Form and 2 copies of Identification to: -
Provide Subject Access Request Team (SAR)
900 The Crescent, Colchester Business Park, Colchester, Essex, CO4 9YQ
Important Notes
• The Data Protection Act 2018 allows an individual to access their own health records. This right can also be exercised by an authorised representative on an individual’s behalf e.g. a solicitor. Third parties must provide evidence to show they are authorised to act on the person’s behalf.
• Once we have received your request and completed Application Form, we will respond within one calendar month to provide the information you have requested. Very occasionally it may not be possible to comply within this time frame but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.
• Information you request under a Subject Access Request is supplied free of charge. If you make a request for further copies of the same information we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be advised to you at the time of your request if this is relevant.
• It is the responsibility of the applicant to provide enough information to enable Provide to identify his/her records. Please ensure that you complete the Access to Record Application Form as fully as possible so as not to delay your request and within 30 days of the date of our initial letter.
• Our Privacy Notice describes how Provide collects, uses, retains and discloses personal information.
Your Information Your Rights by Provide CIC - Issuu ERUK-Final-GDPR.pages (provide.org.uk) (easy read version)
Template letter 3
Collation of information – Email to services to request records
Dear [service/department],
We have received the following data subject request on [xx/xx/xxxx].
Please would you be able to collate the information required and ask the (service lead) to approve the information.
Once approved, please can you send back to Provide.sar@nhs.net for us to respond to the requestor.
NAME: DOB:
ADDRESS:
SITE SEEN IF APPLICABLE: SERVICE AREA:
The requester specifies the request below [copy and paste the request]:
The above specified request is for [tick as many as appropriate]:
☐ Health records
☐ Employee records
☐ CCTV recordings
☐ All records held on the individual including emails and videos, etc. - Services or departments need to extend the search for the information requested, via the service desk, in addition to the clinical systems if necessary. Ensure that both electronic and manual filing systems are considered.
Please note you should respond within a reasonable time frame, whether or not you hold the records, as we have a legal duty to respond to the SAR requests within 30 days.
If you have any questions please contact us by return email at provide.sar@nhs.net
Yours Sincerely,
Subject Access Request Team
Template letter 4
Response to data subject - No disclosure
Dear [name of data subject],
Subject access request dated [xx/xx/xxxx].
Thank you for your request.
We regret that we are unable to provide the personal data you requested. The reason being:
[give the reason for non-disclosure, for example:
• the personal data is under legal privilege as it is relevant to an ongoing legal case or it is part of legal advice given to Provide;
• providing the data would likely prejudice the conduct of Provide business;
• providing the data would likely prejudice negotiations with the data subject or future negotiations;
• the personal data is included in a confidential reference, either given or received in confidence;
• disclosure may cause serious harm to the data subject or other individuals;
• the data subject has expressly indicated that their data must not be disclosed even to those with parental responsibility or power of attorney].
If you have any questions please contact us by return email at provide.sar@nhs.net
Yours Sincerely,
Subject Access Request Team
Template letter 5
Response to data subject – information provided – email/post
Dear [name of data subject],
Subject access request dated [xx/xx/xxxx].
Please find enclosed/attached the information you requested: [attach information]
Please contact us in the first instance by return email at provide.sar@nhs.net, if you have any questions about the information received or about the way your request has been handled.
If you are unhappy with the way we have handled your request you may report your concern to the ICO through their website at the following link: https://ico.org.uk/make-a-complaint/
For further information about the type of information we hold about you, how we use this and how you can access it, please view our 'Your Information, Your Rights' leaflet on our Provide CIC website or by clicking on the link below. This leaflet describes how Provide collects, uses, retains and discloses personal information.
Your Information Your Rights by Provide CIC - Issuu ERUK-Final-GDPR.pages (provide.org.uk) (easy read version)
Yours Sincerely,
Subject Access Request Team
Appendix 2
Access approval form - email
Dear [AD/Clinician],
ACCESS TO HEALTH RECORDS
The below detailed patient/patient representative has made an application to access their health records under the 2018 Data Protection Act.
Data Subject/patient details:
NHS Number: Patient Name:
Service Records Requested:
Patient Representative:
We are obliged to disclose personal data of the service user, including data that we collected from (or that was shared with us by) third parties. The data must be considered carefully to check if we have grounds to withhold some records/data.
We must check that disclosing the records will not cause serious harm to the physical or mental health or condition of the data subject or any other person and that there is no disclosure of data relating to other individuals.
Please ensure that every document is checked against the correct patient and reviewed for disclosure. Once this has been done, can you please vote:
Approve: I have no objections to the named patient/patient representative seeing the entire records requested.
Note: If there are any limitations to the data in the record that can be disclosed, please state.
Reject: I do not wish the named patient /patient representative to see the records requested.
Note: Please provide the reason for rejection.
We only have a one calendar month turnaround, so your quick action would be much appreciated.
Kind regards
Subject Access Team
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
Subject Access Request policy and procedure
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
The policy is to ensure that there is a systematic approach to the management and process of subject access request
Project/Policy Manager: Petra Lastivkova
Date: 3/3/2022
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
neutral
Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
Positive impact – ensures that all Subject access requests are handled appropriately and that personal information is not disclosed to someone who does not have a right to that information. Policy and procedure to be monitored through the organisation’s Incident Reporting and Complaints processes and reviewed every 2 years.
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening’ phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
NA
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
NA
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
NA
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative. The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action. If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.
Further information:
Useful Websites
www.equalityhumanrights.com – Website for new Equality agency
www.employers-forum.co.uk – Employers forum on disability
www.disabilitynow.org.uk – online disability related newspaper
www.womenandequalityunit.gov.uk – Gender issues in more depth
www.opportunitynow.org.uk – Employer member organisation (gender)
www.efa.org.uk – Employers forum on age
www.agepositive.gov.uk – Age issues in more depth
© MDA 2007