Subject Access Request Policy

(GDPR Right of Access)

SUBJECT ACCESS REQUEST FORM

Document Control

Confidentiality Notice

This information is the property of Lakeside Healthcare.

Introduction

The General Data Protection Regulation (GDPR) clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing and understand how and why LHG is using their data.

Under the GDPR, individuals have the right to obtain:

• Confirmation that their data is being processed,
• Access to their personal data (and only theirs),
• Other supplementary information – this largely corresponds to the information that has been provided in the privacy notice.

ICO - Rights of Access

An application for access to health records may be made in any of the circumstances explained below. This policy does not apply to requests to access records of deceased patients, as the GDPR does not apply to the data of deceased patients.

Purpose

The purpose of this policy and protocol is to provide clear and concise guidelines to LHG staff on Subject Access Requests.

Lakeside Healthcare Group (LHG) therefore will:

• Ensure all staff are familiar with this policy and that its purpose and principles are well understood and that the associated procedures are rigorously applied,
• Regard breaches of this policy as misconduct and could lead to disciplinary proceedings.

All Employees are under a duty to comply with these rules. Failure to do so will result in disciplinary action being taken.

This policy and procedure replaces all previous policies and procedures relating to Subject Access Requests.

Scope

This policy applies to all clinicians, employees, partners and executives. It also applies to other people who work at LHG e.g. locum GPs, non-employed nursing staff, students, volunteers, temporary staff and contractors.

LHG will ensure that, if relevant to the job role, staff will understand the Subject Access Request Policy, and that partners, supervisors, managers and employees will be trained to enable them to apply the principles of this Policy within their roles and provide advice and guidance.

The Subject Access Request Policy forms part of LHG Induction Programme for new and transferred Employees, where this is relevant to the job role.

Implementation

Patient Requests

A request for access to health records in accordance with the GDPR can be made in writing to LHG. A simple form is included in this policy for patients to use, if they wish, this can be found in Appendix A – Patient Subject Access Request form. Requests for access can be made verbally, or in writing, to any member of LHG staff. A form to record verbal requests, made either face-to-face or by phone can be found in Appendix C – Recording Verbal Subject Access Requests (Face to Face or by Phone).

All requests should be documented. The documented request should then be passed on to either the Administration Team or the Information Governance lead. A list of the Information Governance Leads for LHG can be found in the LHG Policy Site Localisation Sheet on Oak.

Requests must be recorded in the Subject Access Request Register.

A request does not have to include the phrase “subject access request” or “Article 15 of the GDPR” or “data protection” or “right of access”.

The requester should provide enough proof to satisfy LHG of their identity (and LHG is entitled to verify their identity using “reasonable means”). LHG must only request information that is necessary to confirm who they are. LHG should request any identity verification as soon as possible after the request has been received.

The default assumption when a requester asks for “a copy of their GP record” is that the information requested by the individual is the entire GP record. However, LHG may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR permits LHG to ask the individual to specify the information the request relates to (Recital 63) where LHG is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely).

Recital 63 of the GDPR states:

“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

A patient is under no obligation to provide a reason for the request, even if asked by LHG.

Patients Living Abroad

For former patients living outside of the UK and whom once had treatment for their stay here, under GDPR they still have the same rights to apply for access to their UK health records. Such a request should be dealt with as someone making an access request from within the UK.

Patient Representatives

A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.

A patient’s representative (e.g. solicitor or authorised person), is under no obligation to provide a reason for the request, even if asked by LHG.

LHG must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (Legal Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health.

LHG is entitled to send the information requested directly to the patient if we think that the patient may not understand what information would be disclosed to a third party who has made a request on their behalf.

A next of kin has no rights of access to medical record, unless they have Health & Welfare Power of Attorney.

Court Representatives

A person appointed by the Court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to a third party.

Children

No matter their age, it is the child who has the right of access to their information.

Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.

What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

When considering borderline cases, LHG should take into account, among other things:

• The child’s level of maturity and their ability to make decisions like this;
• The nature of the personal data;
• Any court orders relating to parental access or responsibility that may apply (you should contact your local Caldecott Guardian for further advice if required);
• Any duty of confidence owed to the child or young person;
• Any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
• Any detriment to the child or young person if individuals with parental responsibility cannot access this information;
• Any views the child or young person has on whether their parents should have access to information about them.

A person with parental responsibility is either:

• The birth mother;
• The birth father (if married to the mother at the time of child’s birth or subsequently or named on the birth certificate);
• An individual given parental responsibility by a court.
• (This is not an exhaustive list but contains the most common circumstances)
• If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.

If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, their mother and the father applies for access to the child's records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.

In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions. 

Notification of Requests

Each site will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to.

Fees

LHG must provide a copy of the information free of charge, including not charging for postage costs.

However, LHG may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.

LHG may also charge a reasonable fee if the request is manifestly unfounded or excessive. The fee must be based on the administrative cost of providing the information.

Manifestly Unfounded or Excessive Requests

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, LHG can:

• Charge a reasonable fee taking into account the administrative costs of providing the information;
• Refuse to respond.

Where LHG refuses to respond to a request, LHG must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay, and at the latest within one month.

Requirement to Consult an Appropriate Health Professional

It is LHG’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before LHG discloses or provides copies of medical records, the records must be checked, and the release must be documented and authorised.

It is the responsibility of LHG to ensure that the information to be released:

• Does not disclose anything that identifies any other data subject. The only exception to this is the identity of people involved in the care of the individual requester, such as community staff or hospital specialists;
• Does not disclose anything that is likely to result in harm to the data subject or anyone else;
• Does not disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation.

Grounds for Refusing Disclosure of Health Records

LHG should refuse to disclose all or part of the health record if the Health Professional is of the view that:

• Disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person;
• The records refer to another individual who can be identified from that information (apart from a health professional). This is unless:
• That other individual’s consent is obtained,
• The records can be anonymised,
• It is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party.
• The request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and:
  • The information was given by the patient in the expectation that it would not be disclosed to the person making the request;
  • The patient has expressly indicated it should not be disclosed to that person.

For the avoidance of doubt, we cannot refuse to provide access to personal data about an individual simply because we obtained that data from a third party.

Access to Medical Records Act

LHG will not provide information under a Subject Access Request made on behalf of a patient by a solicitor, insurance agency or employer, and where it is clear that such a request should be made under the Access to Medical Records Act. This would refer to reports for employment (proposed or actual) and insurance purposes (any "insurance contract" so covering accident claims, insured negligence, or anything covered by an insurance contract that requires a medical report to support an actual or potential insured claim).

If necessary, or unsure, LHG will seek clarification from both the requester and the patient concerned.

Appendix E - Subject Access Request Insurance Request Letter to Patients is to be used to contact the patient to ensure they understand what they are requesting, or what is being requested on their behalf, i.e. a whole medical record, as opposed to a more defined report.

The requester should be informed in writing that LHG is seeking further clarification from the patient and this may cause a delay.

Informing of the decision not to disclose

If a decision is taken that the record should not be disclosed, a letter must be emailed to them securely or sent by recorded delivery to the patient or their representative stating the grounds for refusing disclosure.

The letter must inform the patient or representative without undue delay and within one month of receipt of the request, and will state:

• The reasons you are not taking action;
• Their right to make a complaint to LHG;
• Their right to make a complaint to the ICO or another supervisory authority;
• Their ability to seek to enforce this right through a judicial remedy.

Disclosure of the Record

Information must be provided without delay and at the latest within one month. This is calculated from the day after the request is received, which will be day one, even if this is a non-working day.

The period for responding to the request begins at receipt of the request, or:

• When LHG receives any additional information required to confirm the identity of the requester
• When LHG receives any additional information requested (and required) to clarify the request 

In addition to the information requested, LHG Privacy Notice will also be provided to the individual.

When the information is provided by LHG, this is for personal use only. The security and confidentiality of the records becomes the responsibility of the requestor and LHG cannot be held responsible for any onward transmission or distribution.

If a request is made verbally, for example within a GP consultation, then the GP should pass this request to the Administrative Team or ask the patient to contact the Administration directly via the Reception Team. Only if it is appropriate and possible within the consultation and, no additional ID verification is required – should the GP provide the requested information immediately, in which case the GP must make the Administration team aware of the request so that the Verbal Subject Access Request can be recorded on the Subject Access Request Register.

LHG will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, LHG must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be left for the patient or their representative to collect in person, emailed to them securely or sent via recorded delivery.

If the information requested is handed directly to the patient, then verifiable identification must be confirmed at the time of collection.

It should be assumed that if an individual makes a request electronically (i.e. by email), LHG should provide the information in a commonly used electronic format (e.g. as .pdf or .doc) and provide it to the requester by email.

If sending the information via email, LHG will:

• Check that the individual wishes to receive the information via email
• Check the email address, and send an email to the address requesting confirmation of receipt, in order to verify the address and test that the individual can receive, and access, a test email and attachment via NHSmail’s [Secure] encryption service. The individual will need to register to access the information via Trend Micro upon receipt.
• If in doubt about the recipient email address, LHG will not send the information via email
• Depending on the volume of data to be sent, the information may need to be split across multiple [Secure] emails, due to the maximum attachment files size. The individual should be made aware of this where this is the case.

Collection In Person

Patients and representatives should be encouraged to collect SARs in person.

• Whilst awaiting collection, information should be stored securely and clearly addressed with patient’s name, date of birth and address.
• "Office use only" checklist should be attached to the front and completed (including ID check) up on collection
•  The checklist then will be scanned onto the patient’s record to enable auditing of multiple requests and the original shredded.

Email

Confidential information will not be sent by email unless:

• The email address of the recipient is absolutely verified, and
• The information is sent securely as described above
• The patient clearly expresses a preference to receive unencrypted information in this way

Post

If sent by post:

• The record should be sent to a named individual
• By recorded delivery
• Marked "private and confidential"
• "For addressee only"
• LHG details should be on the reverse of the envelope. 

Fax

Information or reports should not be sent by fax, under any circumstances as this is not a secure format.

Filing and Retention of Subject Access Requests

The log and all documentation relating to a particular request should be kept and retained for a period of three years or six years if there has been a subsequent appeal.

All SAR request forms should be scanned to the patient’s record to enable auditing of multiple requests and originals must be shredded.

A copy of the disclosure letter which sets out the outcome of the request, must be retained on the data subjects record, for example, medical record, personnel file, as a record of what was disclosed/withheld.

Definitions

• LHG – Lakeside Healthcare, The Group, The Practice
• Practice Manager – Hub Manager, Operations Manager, Practice Manager
• Information Commissioners Office (ICO) – role is to uphold information rights in the public interest.
• General Data Protection Regulation (GDPR) – is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR will come into effect across the EU on May 25, 2018
• Data Controller – The organisation (or person) that determines the purposes for which and the way any personal data about individuals is processed.
• Data Subject – Is a living individual (not an organisation) who is the subject of the personal data.
• Caldicott Guardian/Information Governance Lead – The person responsible for ensuring that the organisation is compliant with the confidentiality requirements of the Data Protection Act 1998.
• Subject Access Request (SAR) – Is any request made by an individual or an individual’s representative for information held by LHG about that individual

Additional resources, FAQs & References

Resources

• ICO Guide to GDPR
• CQC Guide to GDPR
• BMA & GDPR
• IGA Records Management Code of Practice for Health and Social Care