GENERAL INFORMATION SHEET FOR PATIENTS/REPRESENTATIVES/OTHER WHO WISH TO

VIEW/RECEIVE RECORDS UNDER THE PROVISIONS OF THE DATA PROTECTION ACT 1998 OR

ACCESS TO HEALTH RECORDS ACT 1990

General Information

The Data Protection Act 1998 applies to patient information held relating to living patients on computers and in manual filing systems. The Access to Health Records Act 1990 is similar but applies to patient information held on computers and in manual filing systems relating to deceased patients. Applications for the release of information should be made in writing/email to the Subject Access Team, at the Trust and we will provide a request form that will need to be completed. A request form can also be downloaded on the

Bedford Hospital webpage

Under the provisions of the Acts, people who can apply include the patient to whom the information relates or someone acting on behalf of the patient, for example, where the patient has given their consent to release of the information or where the patient is too young or incapable of giving consent or who has relevant authority to request the information.

The GDPR sets the age when a child can give their own consent to this process and this is currently set at 16.

Applications can also be made to access deceased patient information.

The Acts give rights of access, but specific information may be withheld, if this identifies another person (third party) or in the opinion of a doctor, the release of the information may, cause serious mental or physical harm to the patient or third party.

All patients have a right to expect their personal health information is kept confidential. The Trust is obliged to check that an applicant is entitled to access the patient information requested. We will need you to provide some forms of identity to prove who you are and what authority, where applicable, you have.

We aim to supply or arrange for applicants to view the requested information as per Department of Health guidelines require us to comply with your request within 21 days. However GDPR gives us one calendar month from when we receive your completed request, received the payment (if applicable) and provided proof of identification. However, it may take longer if the access requests are complex.

In cases requesting the notes of a deceased person, there are fees which need to be paid before the information is released. A fees notice can be found at the end of this document.

Questions and Answers Regarding Information and Health Records Information Requests.

1. What information do we keep about you?

General details, such as your name, address, date of birth and ethnic group. Health care, treatment and support needs.

2. Why do we need the information?

  • To provide you with health care and treatment.
  • To share with health professionals who become involved in your care.
  • To train and educate health professionals to help to improve the quality of care.
  • To fully investigate any concerns you might have.
  • To manage and plan the work of the Trust and other NHS services.
  • To look after the health of the general public.

3. Why do we share information?

We only pass on information about you if it is genuinely needed. Whenever possible, we will remove any details which might identify you. You may be receiving health care from other people, both within the NHS and from outside. Staff need to work together to provide the best service for you and it may be necessary to share some information with your GP, dentist, care manager and other health or social care staff for example. The sharing of sensitive personal information is strictly controlled by law (Data Protection Act 1998). Anyone who receives information from us is also under a legal obligation to keep it confidential. We are required by law to notify the Department of Health of certain diseases for public health reasons or to notify other events such as death. Limited information is shared with health authorities to help them organise national public health programmes such as breast screening, immunisation or to monitor discharge from hospital. Occasionally we are required by law to pass on information to the Police, in order to assist them with the prevention and detection of serious crime. We are sometimes asked for medical or health reports by solicitors. We will always require the patient’s or the designated personal representative’s written consent before disclosing information. Where information is used for research projects, we will ask for your consent if we need to use information that identifies you.

4. Will anyone else be allowed to see my records?

No, only you, staff that have the right to do so or someone you authorise to act for you or someone a court appoints to act on your behalf. However, if you ask us to, we will let other people see health records about you.

Parents may ask to see information on their children, however if the child is deemed ‘competent’ by a registered health professional in relation to:

  • Understanding the importance of consenting to or refusing treatment

Or

  • Gives information to a health professional or consents to treatment

Then they can request that their health records are not disclosed to their parents.

5. Can information be kept from me?

Yes, if a health professional thinks it is likely to cause you serious physical or mental harm. You will be told whether information has been withheld and you have the right to appeal against the withholding of information.

6. How can you make sure your personal details are up-to-date?

By letting us know immediately of any changes.

7. How long will I have to wait to receive copies my records?

Department of Health guidelines require us to comply with your request within 21 days. However GDPR gives us one calendar month from when we receive your completed request.

8. Will I have to pay to just view my records?

No.

9. Will I have to pay for copies of my Health Records?

No, a fee will only be charged for manifestly unfounded or excessive requests.

10. What if I want formal access to see/receive copies of my or others records?

a)For health records requests for: self, living person

  1. The Data Protection Act 1998 allows you to see and have copies of your health records. You will need to complete the Self Subject Access Request Form and providesatisfactory proof of identification.
  2. To request health records for someone else who is alive, you will need to complete thesame form and provide satisfactory proof of identification and a

legitimate reason as why you are asking for records on behalf of someone’s else e.g.

consent by the individual the records belong to or parents of young children.

b)If you are requesting records for a deceased person, you will need to complete an Access toHealth Records of a Deceased Person Form and provide satisfactory proof of your identification and that of the deceased prior to viewing or receiving the information and provide either a copy of the Grantof Probate form or Letters of Administration or a copy of the will showing you as namedexecutor or a letter showing you have a claim. The completed relevant application form anddocuments should be sent to:

Bedford Hospital

Subject Access Team

South Wing

Kempston Road

Bedford

MK42 9DJ

Tel: 01234 355122 xtn 2102/5828

Secure Fax: 01234 792688

11. Types of proof of identity required, for ALL types of access, for the person requesting theinformation. Photocopies - no originals please.

See section 18

12. Other proof required

Please ring for advice.

13. What happens when we receive your request in writing/email?

When we receive a request in writing, unless you have requested a specific element of the patients records we must normally give you access to everything. We may not give confidential information about other people, or information that a health professional considers likely to cause serious harm to your/their physical or mental health.

14. How do I pay if applicable?

You will be contacted by letter when we have received your request.

Please note we are not able to accept cash due to security reasons.

You can make payment by any of the following methods

a)Payment by credit/debit card either by phone or in person. Please tell the General Office officerthe details needed from the payment return slip OR bring in the completed payment return slip withyou so monies can be dealt with efficiently.

b)Payment by cheque by post or in person. Please send/bring in the completed payment return slipso monies can be dealt with efficiently.

When phoning/visiting in person, please state the nature of the payment you are making.

By phone – 01234 355122 extension 4079

In person - General Office, situated in the main Trust building

Cheques are to be made payable to – Bedford Hospital NHS Trust

Address – General Office Bedford Hospital NHS Trust, South Wing, Kempston Road, Bedford, MK42 9DJ

If you require any further assistance in this matter, please do not hesitate to contact the subject access department on 01234 355122.

15. What if I think my records are inaccurate?

Under the Data Protection Act 1998 all information held on you must be accurate. If this is not the case, you will need to raise it with your health professional or write to the Trust. If there is any disagreement about the accuracy of your records you have the right to seek advice from the list of people below.

a) Write to the Health Records manager at the Trust.

b) Write to PALS manager at the Trust.

c) Write to the Complaints manager at the Trust.

d) Seek legal advice

e) Request the Information Commissioner for an assessment if you believe a contravention of the Act has occurred. The Information Commissioner has the role of ensuring that data and information is used in line with the provisions of the Data Protection Act 1998. If you want more information about the work of the Information Commissioner’s Office and your rights under the Data Protection Act 1998 the address is: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 08456 30 60 60 or 01625 54 57 45 Fax: 01625 524510.

16. What if I was a private patient?

If you were a private patient, please contact the consultant who treated you, as we do not deal with private patient access requests.

17. Is there anything else you need to know?

If you would like to know more about how we record or use your information, or have concerns about your information being shared, please contact the health professional who is providing your care. This applies to paper and electronic records.

18. What Proof of identity can I send?

All Requesters must prove their own identity by confirmation of who they are in a photographic format

(Choose 1 from the list below)

  • Driving licence (photographic) valid
  • Passport valid. NB or in exceptional circumstances an expired passport within the last 3 years
  • Identity card issued by a European Union (EU) or European Economic Area (EEA) member state
  • Original birth/adoption certificates
  • Original marriage or civil partnership certificate

AND

Proof of their address (chose 1 from the list below)

  • A recent utility bill dated within the last 3 months
  • Bank statement issued within the last 3 months
  • Council tax documents

In circumstances where a person has only some of or none of the required forms of identity, the Trust will only accept a recent photograph signed by the person and solicitor/police/ GP/magistrate AND a covering letter from the solicitor outlining their verification of the persons identity.

18.1 Self Requests

Provide proof of their ID (valid as above)

AND

Proof of their address (valid as above)

18.2 Request for Third Party Information for Competent Living Adults

  • The requester provides proof of their ID (valid as above)
  • Proof of their address (valid as above)
  • The requester provides a completed application form signed by the living patient whom has given their consent to the requester to view/receive copies of their Health Care File

18.3 Request (by Family member or personal representative) for Third Party Information for Non Competent Living Adults

  • The requester provides proof of their ID (valid as above)
  • Proof of their address (valid as above)

AND

  • A power of attorney (these are not all the same see NB)
  • A copy of the court appointed deputy document

OR

  • A copy of a relevant power of attorney document

NB Where the family member or carer holds a Power of Attorney, it is important to check 4 things: Legal help may be required

  • That the power has been registered with the Court of Protection because, if it has not beenregistered, it is not valid; and
  • For any restrictions in the scope of the authority of any Power of Attorney to ensure that it is wideenough to cover the disclosure required.
  • If a ‘health and welfare‘ lasting power of attorney (LPA) is held, the attorney has the right to see allmedical notes relating to the patient that the patient would be able to see themselves if they hadcapacity.
  • If either a ‘property and affairs‘ LPA, or an ‘old style’ enduring power of attorney is held, theattorney does not have an automatic right to request disclosure of all medical notes.

18.4 Request (by Family member or personal representative who have no power of attorney) for Third Party Information for Non Competent Living Adults

  • The family member or carer does not have an automatic right to see the medical notes purely byvirtue of their relationship to the person lacking capacity.
  • The family member or carer should be encouraged to apply to the Court of Protection to beappointed as a deputy under the Mental Capacity Act 2005. This would mean notes could bedisclosed to them as a court appointed representative and they would be entitled to give consent tothe disclosure of those notes to other persons (provided the scope of their appointment coveredthis).
  • If no family member or carer has been appointed as a deputy, before medical notes can bedisclosed to them, the Trust must be satisfied that the disclosure is required under one of thegrounds set out in Schedules 2 or 3 to the DPA. These grounds include the establishment ordefence of the legal rights of the person to whom the information relates, or the protection of thevital interests of the patient.

18.5 Request (where there is no family member or personal representative) for Third Party Information for Non Competent or competent Living Adults

  • An Independent Mental Capacity Advocate (IMCA) can be sought. Where appropriate the Trust canrefer the case to an IMCA who can support and represent the patient. Relevant medical notes canbe disclosed to an IMCA under the terms of the Mental Capacity Act 2005.
  • Advocate. Even if an individual does not meet the criteria for use of the IMCA service, andregardless of whether or not they lack capacity, they may wish to be supported by an advocate.

Trusts should ensure that individuals are made aware of local advocacy and other services that may be able to offer advice and support.

18.6 Request for access to a deceased’s’ records

  • The requester provides proof of their ID (valid as above)
  • Proof of their address (valid as above)

AND 1 of the following

  • A copy of the grant of probate to prove their status as executor of the will
  • A copy of the will proving their status as executor of the will
  • A copy of the grant of letters of administration to prove their status as administrator of the estate
  • A letter explaining that they feel they have a claim to make arising from the death of the patient andas such need to review the Health Care File to check information to base that claim on.

18.7 Request by a family member to access a child’s records

  • The requester provides proof of their ID (valid as above)
  • Proof of their address (valid as above)

AND

  • Proof of their relationship to the child
  • Birth certificate
  • An unmarried father can obtain parental responsibility by providing documentation to prove:
  • marrying the mother
  • having his name registered or re-registered on the birth certificate if his name is not already registered.
  • making a parental responsibility agreement with the mother
  • obtaining a parental responsibility order from the court
  • obtaining a residence order from the court
  • becoming the child's guardian on the mother’s death

NB Who has parental responsibility?

  • Mothers automatically have parental responsibility and will not lose it if divorced.
  • Married fathers automatically have parental responsibility and will not lose it if divorced.
  • Unmarried fathers do not automatically have parental responsibility

Who else can have Parental Responsibility?

  • Parental responsibility is not automatically granted to people who are not parents, even if in reality they care for and are responsible for the child on a day to day basis. There are several ways that aperson who is not the child’s parent may obtain parental responsibility for the child:
  • Documentation must be given to prove 1 of the following
  • by being appointed as a guardian to care for the child if those with parental responsibility for thechild have died
  • by obtaining a residence order from the court which requires that the child lives with that person
  • by becoming the child’s special guardian
  • by adopting the child

Children and their right to consent

Section 66 of the DPA provides that a person under 16 may exercise any right under the Act when he has a general understanding of what it means to exercise that right and that a person of 12 years or more shall be presumed to be of sufficient age and maturity to have such understanding.

Accordingly, the Trust, as data controller (Caldicott Guardian), on receipt of a subject access request on behalf of a child will need to judge whether the child understands the nature of the request. If the child understands, he or she is entitled to exercise the right and the data controller should reply to the child. If the child does not understand the nature of the request, someone with parental responsibility for the child is entitled to make the request on behalf of the child and to receive the response.

19. Fees and Charges from 25th May 2018

The fees chargeable for subject access requests are determined, in the case of living individuals, by the General Data Protection Regulation and the Data Protection (Subject Access)(Fees and Miscellaneous Provisions) Regulations 2000 and, in the case of deceased individuals by the Access to Health Records Act 1990.