Standard Operating Procedure

Title: Standard Operating Procedure for handling CCG Subject Access Requests and other requests for disclosure of Personal Confidential Data
Date approved:
Date updated: 15/12/2014, 22/09/2016
Version: 1.2
Business owner: Governance and Risk
Director accountable: David Thomas, Director of ICT
Author: Alex Rogers, IG Officer

1. Introduction

1.1 The CSU provides a Subject Access Request (SAR) service to CCGs. This Standard Operating Procedure (SOP) sets out the responsibilities of CCGs and NEL CSU.

1.2 In the course of its business, each of the London CCGs for which NEL CSU provides IG services and the CSU itself collect, use and hold personal data about individuals including information about employees, patients, suppliers, clients and stakeholders. This personal data must be handled properly regardless of how it is collected, recorded and used and includes information held both manually or electronically in any format. In handling this data, the CCGs and the CSU are bound by the Data Protection Act 1998.

1.3 One aspect of the Act relates to the right of access an individual has to their personal information, known as subject access. The procedure to follow when responding to such requests can be found at Appendix 1. This Standard Operating Procedure (SOP) covers access to non-clinical information which typically concerns HR information, CCTV footage or any other personal information held by the organisation for non-clinical purposes.

1.4 The correct and legitimate handling of personal information by the CCGs and CSU is considered very important. Failure to do so may undermine the confidence of employees, patients, stakeholders and the general public in the CCGs and may impact on their reputation.

2. Objectives and Scope

2.1 The key objectives are to:

• Ensure that personal information is processed in accordance with the requirements of the Data Protection Act 1998; and

• Provide comprehensive guidance on the correct and consistent way to handle requests for personal information (SAR).

2.2 The CSU has limited direct involvement with patient records; therefore it is unlikely to receive Subject Access Requests for medical records. However, this procedure will apply to any request from a member of staff for access to their personal information held by the CSU. In normal cases of “Live Records”, patients should be advised to contact the relevant GP Practice, Acute or Community Provider including Local Authorities where the relevant episodes took place. Where patients are no longer registered with a GP and are seeking legacy records, they should be referred to the relevant handlers of legacy primary care records for the CCG concerned. Please use the list here to direct the request to the appropriate service (the list is by the geographical area of the GP).

2.3 This Standard Operating Procedure applies to all employees of the following CCGs who come into contact with information:

Barnet CCG

Camden CCG

Enfield CCG

Haringey CCG

Islington CCG

Newham CCG

Tower Hamlet CCG

Waltham Forest CCG

NEL CSU

All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.

3. The Legal Basis

3.1 The Data Protection Act 1998 came into effect from 1st March 2000. It superseded the Data Protection Act 1984 and amended the Access to Health Records Act 1990. This policy details how the CCG will comply with its legal obligations under the Act with respect to the right of subject access.

3.2 The Act legislates for the safeguarding of personal information relating to living individuals. The Access to Health Records Act 1990 remains relevant for information relating to deceased persons.

3.3 The CCGs and NEL CSU fully endorse and adhere to the eight Data Protection principles and meet their obligations under the Act by working in line with these.

3.4 To this extent, the CCGs and NEL CSU will endeavour to:

  • Ensure that the conditions surrounding the fair and lawful collection and use of personal data are adhered to.
  • Ensure the rights of the individuals, who are the subjects of the data held, are respected and can be fully exercised as detailed in the Act. These are:

    1. The right of access to one’s personal data
    2. The right of an individual to prevent the processing of their personal data
    3. The right to prevent personal data being used for direct marketing. The right to ensure that no decision made, which significantly affects an individual, is based solely on the processing of their personal data by automatic means
    4. The right to compensation should it be proved that damage and distress has been caused to an individual due to a contravention of the Act, and
    5. The right of an individual to have their personal data rectified, blocked, erased or destroyed, in certain circumstances.

  • Ensure that appropriate technical and organisational security measures are in place to safeguard personal data against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data.
  • Ensure that personal data is not transferred outside of the EEA without adequate safeguards.

4. Access to Personal Information

4.1 Under the rights of individuals contained within the Act, an individual who is the subject of personal information processed by the Trust has the right of access to this information. The procedure to follow when handling such requests is included at Appendix 1.

4.2 Consent Issues

4.2.1 In most cases the consent to access personal information will be provided by the individual who is requesting the information; however, there may be cases where the individual is unable to consent or the individual is a child.

4.2.2 When an applicant is not able to produce written consent from the patient to access the patient information or is not able to evidence that he/she is entitled to access the patient information, NHS Islington CCG will request further information from the applicant on the reason for the request to decide whether it would be justifiable to release the information to the applicant in any event. In the event that the applicant is a solicitor the subject’s written authority for release must be obtained.

5. Roles and responsibilities

5.1 The Subject Access Lead Officer in CCG

  1. Each CCG will identify a manager to act as Subject Access Lead Officer with overall responsibility for advising and screening information in response to requests. This person must be trained in the relevant areas and have completed the mandatory training outlined within the Information Governance Training Policy within six weeks of commencing the role. This is in addition to any locally identified training needs.
  2. Second line review of subject access requests will be provided by NEL CSU.
  3. The CCG Subject Access Lead Officer is responsible for ensuring that the relevant time limits are met and the information requested must be provided correctly and as requested, subject to any legal redactions.
  4. All request details will be entered into a log and this will be maintained to monitor compliance to ensure all requests are answered in a timely manner.

5.2 The Subject Access Lead Officer in NEL CSU

  1. Prior to the release of any information, the Subject Access Lead Officer must be satisfied as to the identity of the person making the request. CCG organisations must not release any information until this identification has taken place.
  2. Providing advice to staff in CCGs on the withholding of certain information requested under the Data Protection Act.
  3. Liaising with other organisations if relevant to process the access request in the event of shared records/data.
  4. If an applicant is making a request on behalf of another, such as a relative or a child, then consent or valid authority or evidence of parental responsibility of the patient should be produced. Further guidance on consent issues can be found in the Implementing the Mental Capacity Act Policy and Deprivation of Liberties.

5.3 Staff in CCGs and NEL CSU

All managers and staff will comply with any request for personal data forwarded by the Subject Access Lead Officer as quickly as possible, and will respond as soon as possible but before a deadline communicated by the Subject Access Lead Officer.

6. Reporting requirements

The CSU IG Team routinely prepares quarterly IG reports for CCGs. Numbers of SARs answered on behalf of CCGs should be reported as a standing item but without details that would compromise the identity of the applicant(s). Such reports should include details of any exemptions or issues surrounding redaction or other points of interest. Any breaches of the statutory timescale limit (40 calendar days) should be recorded in the same report.

7. Review

This SOP is valid for three years, and will be updated not later than 31st October 2017. It will be reviewed as part of the annual IG Toolkit submission for the CCG.

Appendix 1

Subject Access Procedure

1. All staff should be aware of how to deal with subject access requests, as these may be received by any department. Please refer to the Guidance on Completing the Checklist – Subject Access Request. It is considered good practice to have a specific contact within each department to deal with access requests. However, it is intended that subject access requests will be logged and monitored centrally within the CCG.

2. If a request is received locally by a member of staff, it should be notified and passed immediately to the Information Governance Team as appropriate to be logged and disseminated for collation of the requested information.

3. Personal information comes in a variety of formats including, but not limited to, manual and electronic files, emails, images and pictures. All applications for access to personal information must be made in writing by letter, email or fax, but not by text message. Under no circumstances should a request be accepted over the telephone. The caller should be advised to write in or complete the Subject Access Request form.

4. The applicant must provide enough information for the CCG to be able to process the request. The CCG may, on occasions, need to confirm and clarify what information is required, including whether information identified only by NHS number is required – see below.

5. The request should bear the signature of the data subject [an electronic signature is acceptable in the case of email], and the individual dealing with the request should confirm and verify the identity of the requester and legitimacy of the request.

Handling the Subject Access Request

6. Under the Act, information must be supplied within 40 days of receipt of the written request, the relevant fee [if applicable] and proof of identity. If further details are required to locate the data, the 40 days will commence from the receipt of the additional information. However, this limit is the maximum time allowed to respond to a request and common sense should prevail in cases where it is obvious that the information is required as a matter of urgency. If it is clear that the 40-day limit will not be met, the data subject should be informed prior to this deadline.

7. Information must be searched for under any criteria which enable it to be identified. Usually, for most health or staff records, this will be the name(s) of the individual concerned. Care should be taken in handling requests to ensure that mistakes are not made between individuals with the same or similar names, or residing at the same address.

8. The Data Protection Act 1998 grants a right of access to personal data, and this term includes any data identifying a living individual. Where a patient makes a request for “all information” but does not specify whether they specifically wish information recorded only by their NHS number to be provided, in addition to that identified by their name, then clarification should be sought from the patient. In cases of doubt whether such disclosure is compliant with NHS England guidance on pseudonymisation and identification of data using the NHS number, guidance should be sought from the CSU IG Team.

9. The CCG may refuse to disclose all or part of the information should any of the following criteria apply:

• Disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person;

• The records refer to another individual [apart from a health professional] who can be identified from that information. That is unless the other individual’s consent is obtained or the records can be anonymised or it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party.

10. There is no requirement within the Data Protection Act 1998 to inform an applicant of the reason information is withheld or exempt, and the exemption relied upon, when responding to a subject access request. If a decision is taken that information should not be disclosed, the CCG are free to advise applicants of the grounds on which information has been withheld – but they are not obliged to do so.

11. Before releasing the information, all references to third parties must be removed, redacted or blanked out [unless consent has been obtained from them for their details to be released].

12. Once the volume of information is identified and known, an invoice should be sent to the applicant requesting payment of the balance of any appropriate fee.

13. The information must be supplied in an intelligible manner and in a format suitable for the requester, for example photocopies or electronically. Photocopies would normally be issued but the medium could be different should a specific request be made.

Proof of Identity

14. The applicant must provide two types of identification. These may be:

  • Birth Certificate
  • Passport
  • Driving Licence
  • Medical Card
  • Staff ID badge (for members of staff only)

15. In addition, proof of address must be provided, e.g. bank statement, utility bill, tax certificate. Originals must be produced when collecting your information. If the applicant wishes to have information sent out to them, photocopies of identification information may be sent to NEL CSU, but must be verified by a “person of standing”, e.g. employer, doctor.

Fees

16. The Data Protection [Subject Access] [Fees and Miscellaneous Provisions] Regulations 2000 sets out the fees a data subject may be charged to view their records or to be provided with a copy of them. Under the Act, the maximum fee that can be charged for a standard subject access request is £10. However, under special rules, the maximum fee that can be charged for paper based health records is £50. These maximum charges include postage and packaging.

17. The request does not have to be completed until the fee has been received from the applicant.

When Access can be Refused, Limited or Withheld

18. There are times when access to personal information can be withheld, examples of which include:

• Information that is likely to prejudice any of the following purposes:

  • Prevention or detection of crime;
  • The apprehension or prosecution of offenders, or;
  • The assessment or collection of any duty or tax.

• Confidential references given by the data controller

• Certain records relating to health, education and social work

• Negotiations

• Legal professional privilege

• Self-incrimination

When withholding information, the reason for doing so must be recorded on the initial request.

19. When personal information contains details of third parties a decision must be made as to whether the information can be released. There are three options available:

• Edit the information so as not to reveal the identity of the third party, for example by redacting or blanking out the identity or re-typing the text without identifying the individual.

• If it is reasonable to do so, obtain the third party’s consent to release their details.

• Decide that it is reasonable to disclose the third party details without consent, while considering:

  • whether you owe a duty of confidentiality to the third party
  • what steps you have taken to obtain the third party’s consent
  • whether the third party is capable of giving their consent
  • whether the third party has expressly refused consent
  • whether the information is of particular importance to the data subject

Releasing the Personal Information

20. As much care should be taken in the method of releasing and sending the information as in the initial authorisation to release. The need to maintain confidentiality should be reflected in the method of disclosure. It is imperative that every due care should be taken in ensuring the information reaches the intended person by the safest and securest method practicably available.

21. The safest method of release would be to deliver the information in person. However, it is acknowledged that this is not possible or practicable in most instances.

22. If information is to be sent by post, this should be by Recorded or Special Delivery, with the envelope clearly marked ‘Private and Confidential – Addressee Only’.

23. Faxing should only be used if the receiving fax is a guaranteed safe haven, and then receipt of the fax should be acknowledged.

24. It is important that a record is retained of the final response. This should identify the information released and, if applicable, the reasons for withholding any information.

25. Subject access requests and any supporting logs will be retained for a period of three years after the last action, and then destroyed under confidential conditions, in accordance with the retention period defined within the Records Management NHS Code of Practice.

When no information is found

26. If the requested information cannot be identified and traced, a letter should be sent to the requester indicating this. Also, if information has been found but cannot be released, for example due to an exemption, a letter should be sent stating that ‘There is no information the CCG is required to release’. No explanation has to be given as to why information has been withheld.

Complaints Procedure

27. Under the Act, an individual has the right to have any inaccurate, misleading or out of date information corrected or deleted. They may also be entitled to compensation should the processing have been deemed to cause the individual damage and distress.

28. If a complaint is received, the law requires that:

• The data subject receives a response within 21 days.

• The data subject is advised whether it is appropriate for the data to be changed or for processing to cease.

• The data subject is informed of the reasons behind decisions.

29. If the data subject disputes the final decision, they can lodge a complaint with the Information Commissioner’s Office.
