Subject Access and Other Information Rights: Information Governance ('IG') Policy


Subject Access and Other Information Rights: Information Governance ('IG') Policy FINAL 1.0 July 2017

SUMMARY

This Policy:

- Ensures that all managers and staff are aware of and comply with the Trust's statutory obligations and responsibilities in relation to the information rights held by patients, service users and staff under the Data Protection Act 1998 (DPA), and the new General Data Protection Regulation (GDPR) with effect from May 2018.
- Sets out the framework and clear processes for dealing with requests from patients, service users and staff for access to the information that the Trust holds about them. These rights are known as the subject access provisions under the DPA, and the right of access under the new GDPR.
- Explains the process which should be followed when dealing with a request for access to the records of a deceased patient, in accordance with the requirements of the Access to Health Records Act 1990.

DOCUMENT DETAILS

Author(s): Information Governance Officer
Date: July 2017 [FINAL 1.0]
Next Review Date: July 2020 (3-yearly)
Ratifying Body/Committee: Information Governance Steering Group
Chair: Senior Information Risk Owner (SIRO)
Date Ratified: 13 November 2017
Target Audience: All Staff
Date Equality Impact Assessment Completed: June 2017

DOCUMENT HISTORY

Date of Issue | Version No. | Next Review Date | Date Approved | Director Responsible for Change | Nature of Change
Jul 2017 | Final 1.0 | July 2020 | 13 Nov 2017 | Director of Finance | New Policy (GDPR 2018)

The purpose of this policy is to ensure that there is a consistent, fair and transparent approach in its application across Poole Hospital NHS Foundation Trust (hereafter referred to as 'the Trust' or 'the organisation'). All managers and staff (at all levels) are responsible for ensuring that they are viewing and working to the current version of this policy. If this document is printed in hard copy or saved to another location, it must be checked that the version number in use matches that of the live policy on the intranet.

All policies are published on the staff intranet and communication is circulated to all staff when new policies or changes to existing policies are released. Managers are encouraged to use team briefings to aid staff awareness of new and updated policies.

Page 1 Review Date: July 2020

TABLE OF CONTENTS

1. RELEVANT TO ... 3
2. PURPOSE ... 3
3. GENERAL PRINCIPLES ... 4
4. AN INDIVIDUAL'S RIGHTS UNDER THE GDPR ... 5
4.1. The Right to be Informed ... 5
4.2. The Right of Access ... 5
4.3. The Right to Rectification ... 6
4.4. The Right to Erasure ... 6
4.5. The Right to Restrict Processing ... 6
4.6. The Right to Data Portability ... 6
4.7. The Right to Object ... 7
4.8. Rights Relating to Automated Decision Making and Profiling ... 7
5. SUBJECT ACCESS REQUESTS ('RIGHT OF ACCESS' UNDER THE GDPR) ... 8
5.1. What is a subject access request? ... 8
5.2. How can an individual request access to information? ... 9
5.3. What happens when the application is received? ... 10
5.4. Can information be refused or withheld? ... 11
5.5. What happens if the information relates to a child/young person? ... 12
5.6. What happens if the information relates to a person who lacks capacity? ... 13
5.7. What happens if a third party is asked to release our information? ... 14
6. ADDITIONAL GUIDANCE ON ACCESSING INFORMATION ... 14
6.1. Requesting Access to the Records of a Deceased Patient ... 14
6.2. Medical Reports for Insurance and Employment Purposes ... 15
6.3. Informal Access to Health Records: Patients, Relatives and Carers ... 16
6.4. Expectations of Staff Access to Records ... 17
7. DUTIES/RESPONSIBILITIES AND ACCOUNTABILITY ... 18
8. IMPLEMENTATION AND REVIEW ... 20

TABLE OF APPENDICES

APPENDIX A: EQUALITY IMPACT ASSESSMENT ... 21

THE POLICY

1. RELEVANT TO

1.1. All medical and non-medical individuals at all levels within Poole Hospital NHS Foundation Trust ('the Trust') are expected to comply with this policy, including:
- individuals directly employed by the Trust (substantive/permanent, fixed-term, bank/locum, etc); and
- individuals working within but not directly employed by the Trust (volunteers, students, agency, secondees, etc);
hereafter referred to collectively as 'staff'.

1.2. This policy relates to the information rights of patients, service users and staff, and should be read in conjunction with the:
- Medical Records Policy and Procedures
- Personnel Files Procedure
- Information Sharing Policy
- Privacy Notice for Patient and Service User Information
- Privacy Notice for Staff Information
- ICO Subject Access Code of Practice
- ICO Privacy Notices, Transparency and Control Code of Practice
- IGA Records Management Code of Practice
- DH Guidance for Access to Health Records Requests

2. PURPOSE

2.1. This policy ensures that all managers and staff are aware of and comply with the Trust's statutory obligations and responsibilities in relation to the information rights held by patients, service users and staff under the Data Protection Act 1998 (DPA), and the new General Data Protection Regulation (GDPR) with effect from May 2018.

2.2. This policy sets out the framework and clear processes for dealing with requests from patients, service users and staff for access to the information that the Trust holds about them. These rights are known as the subject access provisions under the DPA, and the right of access under the new GDPR.

2.3. This policy also explains the process which should be followed when dealing with a request for access to the records of a deceased patient, in accordance with the requirements of the Access to Health Records Act 1990. The DPA only applies to the personal information of a living individual, and therefore different requirements apply to these requests.

3. GENERAL PRINCIPLES

3.1. The GDPR creates some new rights for individuals, and strengthens some of the rights that currently exist under the DPA. These rights include:
- The right to be informed (see 4.1)
- The right of access (see 4.2)
- The right to rectification (see 4.3)
- The right to erasure (see 4.4)
- The right to restrict processing (see 4.5)
- The right to data portability (see 4.6)
- The right to object (see 4.7)
- Rights in relation to automated decision making and profiling (see 4.8)

3.2. Unless otherwise stated in this policy, individuals who would like to invoke any of the above rights under the GDPR should submit their request in writing to the Trust's Information Governance Department.

3.3. Where there are no specific timeframes imposed by the GDPR for processing a request made by an applicant in relation to the rights outlined above, the Trust will endeavour to meet a best practice turnaround of within one month (28 calendar days), and no more than three months (84 calendar days).

3.4. All requests will be centrally logged by the Trust and turnaround times will be monitored and reported by the Information Governance Department. Any breaches will be highlighted immediately to the Senior Information Risk Owner, and regularly to the Information Governance Steering Group.

3.5. If the Trust has actioned a request for rectification, erasure or restriction of processing and we have already disclosed the personal data in question to any third parties, we must inform them about the action taken, unless it is impossible or involves disproportionate effort to do so.

3.6. If the Trust takes the decision not to action a request made by an applicant in relation to the rights outlined above, this must be clearly communicated to the applicant in writing along with a full explanation and reasons for the decision. The applicant must also be given the right to complain via the Trust's formal procedures, and be made aware of their right to complain to the Information Commissioner's Office.

3.7. Failure by any member of staff to follow the processes outlined in this policy may result in initiation of the Trust's Staff Disciplinary Procedure.

4. AN INDIVIDUAL'S RIGHTS UNDER THE GDPR

The Trust is committed to compliance with the requirements of the GDPR and recognises the rights of all individuals about whom it holds information. Below is a summary of these rights and the Trust's approach to compliance.

4.1. The Right to be Informed

The right to be informed encompasses the Trust's obligation to provide fair processing information, and emphasises the need for transparency over how we use personal data. To meet our obligations, the Trust has two privacy notices (one for patient and service user information, and one for applicant and staff information), both of which explain:
- What a privacy notice is and why it has been issued
- Who we are, what we do and how to get hold of us
- What information we collect, how and why
- How the information is stored and used, and why this is important
- How we keep information safe and maintain confidentiality
- Where and why information may be shared with others
- An individual's right to withhold or withdraw sharing consent
- How to gain access to the information that we hold
- How to raise concerns, queries or complaints

These privacy notices are displayed at key locations around the Trust and can also be accessed via the intranet and our public website.

4.2. The Right of Access

4.2.1. All individuals have the right to obtain access to the information that the Trust holds about them. This is similar to the existing subject access provisions under the DPA. The Trust has published guidance on our public website for anyone wishing to invoke this right. Alternatively, a printed copy of this can be requested from the Trust's Information Governance Department.

4.2.2. From the date of receiving the request, the Trust has one month (28 calendar days) to provide the information. This timeframe may be extended to a maximum of three months (84 calendar days) where the request is complex or numerous. If this is the case, the individual must be informed of this within the initial one month compliance period, with an explanation as to why the extension is necessary and the likely response date.

4.2.3. The Trust must provide a copy of the information requested free of charge. The Trust is only permitted to charge a reasonable fee where the request is manifestly unfounded or excessive (particularly if it is repetitive), or it relates to duplicate copies of information already provided. This fee must be based solely on the administrative cost of providing the information.

4.2.4. Requests for access may be managed by the Medico-Legal, X-Ray, Information Governance or Legal Department, as applicable. Further details regarding the Trust's internal process on dealing with access requests can be found in Section 5.

4.3. The Right to Rectification

Individuals are entitled to have their personal information corrected (rectified) if it is inaccurate or incomplete. The corrections must be actioned by the Trust within one month (28 calendar days) of receiving the request. This timeframe may be extended to a maximum of three months (84 calendar days) where the request is complex. Any processing of the information which requires correction should be restricted until the corrections are completed (see 4.5 for further details). These types of requests will usually be raised by the patient directly with the ward or department when the required correction is identified. For large or complex requests, further guidance should be sought from the Information Governance Department as required.

4.4. The Right to Erasure

The right to erasure is also known as the 'right to be forgotten', and enables an individual to request the deletion or removal of personal data. However, this right will only apply under specific circumstances (further details are available on the ICO website). There are also additional requirements when the request for erasure relates to a child's personal data. Further guidance should be sought from the Information Governance Department as required.

4.5. The Right to Restrict Processing

Patients and service users are entitled to stop or prevent the processing of their personal data. Where this occurs, the Trust is permitted to continue storing the data, unless the individual also invokes their right to erasure (see 4.4 above). Where processing is restricted, the Trust will retain just enough information to ensure that this restriction is respected in the future. Should this type of request be received, further guidance should be sought from the Information Governance Department.

4.6. The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. However, this right will only apply when the processing is carried out by automated means, and therefore is unlikely to apply to the information held by the Trust. Should this type of request be received, further guidance should be sought from the Information Governance Department.

4.7. The Right to Object

Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority;
- direct marketing (including profiling); and
- processing for the purposes of scientific/historical research/statistics.

The individual must have an objection on grounds relating to his or her particular situation, and the Trust must cease the processing unless we can demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the individual) or the processing is for the establishment, exercise or defence of legal claims. The right to object is explained within the Trust's privacy notices, and individuals should be made aware of this right at the point of first communication. This must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. This right is particularly relevant to research carried out by (or in conjunction with) the Trust, and further guidance is available from the Information Governance Department as required.

4.8. Rights Relating to Automated Decision Making and Profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subjected to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the individual. It is unlikely that this situation will occur due to the ways in which information regarding patients and service users is processed by the Trust. However, should there be a query relating to this area, guidance should be sought from the Information Governance Department.

5. SUBJECT ACCESS REQUESTS ('RIGHT OF ACCESS' UNDER THE GDPR)

5.1. What is a subject access request?

(a) Individuals have the right to request access to the information that the Trust holds about them; this is explained in section 4.2 of this policy. This is known as a 'subject access request' under the DPA, and is the term adopted by the Trust. There are different procedures that apply if the request is for access to the information of a deceased person, and this is explained further in Section 6.1 of this policy. If the request is from the police or the courts, please refer to the Medical Records Policy and Procedures, Information Sharing Policy and Personnel Files Procedure as appropriate. If the request relates to information about the Trust (for example, policies, statistics and finances) rather than the personal health information of an individual, then this would be handled under the Freedom of Information Act 2000. Please refer to the Freedom of Information Policy for further details regarding this.

(b) Personal information comes in a variety of formats including, but not limited to, manual and electronic files, emails, images and pictures. Subject access requests are also applicable to CCTV footage, which is considered personal information. All formats of information are covered by this policy, although specific guidelines for releasing CCTV footage can be found in the ICO's CCTV Code of Practice.

(c) The Trust is not legally obliged to supply any information unless:
- the request has been made in writing (by letter, email or fax);
- any required fee has been paid (if applicable);
- the identity of the requestor has been verified and the legitimacy of the request has been confirmed; and
- sufficient details have been supplied to locate the information.

(d) The Trust is also not obliged to comply with repeat, identical or vexatious requests made by an individual unless a reasonable time period has passed. Under these circumstances, the Trust is permitted to apply a charge equivalent to the associated admin costs.

(e) A subject access request may be made by the patient for access to their own information, or by someone else on behalf of the patient, such as a carer, relative or legal representative. Where the applicant is not the patient, additional processes must be followed.

5.2. How can an individual request access to information?

(a) All subject access requests must be made in writing, either by letter, email or fax. Under no circumstances will a request be accepted by text or verbally over the telephone. Faxing should only be used if the receiving location is a guaranteed safe haven, and procedures should be followed to safeguard the information. Please refer to the Trust's Information Sharing Policy and Faxing Safe Haven Procedures.

(b) All requests for access to recruitment/applicant and employment information from prospective, current and former staff should be directed to the Information Governance Department. Further guidance is available within the Trust's Personnel Files Procedure.

(c) All requests for access to health and medical information should be directed to the Medico-Legal Department. Ideally, the requestor should complete the Trust's Application for Access to Information to ensure that all relevant details are supplied as early as possible in the process.

(d) The request must be accompanied by appropriate documentation to verify identity, address and legitimacy of the request. If the request is from a legal professional or other organisation, we must see evidence of their authority to act on behalf of the individual. Please refer to the patient guidance document Requesting Access to Information for further details.

(e) The request should bear the signature of the requestor (and the patient, if this is different). An electronic signature may be acceptable in the case of email requests, although this will be assessed on a case-by-case basis depending on the circumstances.

(f) The request must include enough information for the Trust to be able to process the application and locate the records required. The Trust may, on occasions, need to confirm and clarify the details of the application before being able to proceed.

(g) All requests must be logged centrally in the Trust's Subject Access Database, including those relating to legal claims. This database is used to track the progress of all requests received, monitor compliance with the requirements of the DPA and GDPR, and prevent repeat or duplicate requests for the same information.

5.3. What happens when the application is received? (a) (b) (c) (d) (e) Upon receipt of the request, the Trust will establish if there is any fee for the supply of information. In the majority of cases, the Trust will provide a copy of the requested information free of charge. However, in accordance with the GDPR, the Trust may charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive or a duplicate. This fee is based on the administration time associated with the request. Should there be a fee for the information, the Trust will contact the applicant with a request for payment and an explanation and/or breakdown of the fee applied. The request will not be processed further until the relevant payment has been received by the Trust. Under the GDPR, the Trust has up to one month (28 calendar days) to comply with the request. The Trust will endeavour to provide a response as soon as possible, and common sense should prevail in cases where it is obvious that the information is required as a matter of urgency. The turnaround will vary for each request depending on the volume and location of the information required. The deadline countdown will begin once the Trust has successfully received the request in written format with sufficient detail to locate the information, and relevant proof of identity, address and legitimacy of the request. The countdown may be paused if: clarity is required from the applicant regarding the request; there is outstanding supporting evidence/documentation; any necessary fee has been requested but not received; there is a bank or public holiday (an additional day is added). If it is clear that the one month time limit is insufficient to meet the full needs of the request, the applicant should be informed as soon as this is identified, and in any case before the initial deadline date. 
An extension to the deadline may be applied of up to two months (56 calendar days), and this should be communicated in writing to the applicant. It may also be appropriate to consider a staggered approach to supplying the information, i.e. sending as and when identified rather than waiting until fully collated. Where copies of information have been requested, this must be supplied in a permanent format unless the individual has agreed otherwise, or this would involve disproportionate effort (in these circumstances the requester could be invited to the Trust to view the information). The preferred format for supplying information is electronic; however this will depend on the information requested and any specifics of the application. If information is sent by post, this should be by Recorded or Special Delivery, with the envelope Page 10 Review Date: July 2020

clearly marked as confidential. If information is supplied on disc, this should be encrypted and sent separately to the password/code. (f) (g) (h) The covering note with any posted information should identify and explain any redactions or withheld details (see Section 5.4 for further details), and may also refer to, or provide a copy of, the Trust s Privacy Notice which explains the purposes for processing personal information and possible disclosures and sharing. Where the applicant is requesting access to the information but does not require copies, the Medico-Legal Department will liaise with the appropriate department(s) and/or the Patient Advice and Liaison Service to ensure that the requestor is contacted to arrange a suitable date, time and location for the viewing, with an appropriate healthcare professional available for support. All information supplied, or made available for viewing, should be clear and intelligible, and accompanied by an explanation of any abbreviations, codes acronyms or other jargon used. (h). The Trust will retain records in the Subject Access Database, together with any supporting information, for a minimum of three years, as required by the Records Management Code of Practice for Health and Social Care 2016. Thereafter, records will be reviewed and destroyed under confidential conditions if no longer required. 5.4. Can information be refused or withheld? (a) (b) The Trust may refuse to disclose all or part of the information requested if it has been assessed by an appropriate healthcare professional that disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person. There are also other circumstances when the Trust is legally permitted to withhold information - for example, if the disclosure would prejudice the prevention or detection of crime. The Trust may also refuse to disclose information which relates to, or identifies, another individual. 
This information will be redacted, removed or refused from the final release, unless: the information identifies an organisation, not an individual; the individual in question is a health professional who has provided the information as part of the health/medical record; the other individual has given their explicit consent; or it is reasonable to release without gaining consent. When considering the option to release without consent, the Trust will assess whether: Page 11 Review Date: July 2020

o there is a duty of confidence to the other individual; o appropriate steps have been taken to gain consent; o the other individual is capable of giving consent; and o the other individual has expressly refused to give consent. (c) (d) If the information requested has been located but the decision is taken not to release, a response should be sent to the applicant confirming this decision and the reason for it (unless this would be likely to prejudice the purpose of the exemption in question). Any decision to refuse disclosure will be centrally recorded by the Trust. If the information requested cannot be located (i.e. it is not held by the Trust), a response should be sent to the applicant indicating this. It should be made clear that the Trust is not refusing to supply information, but in fact does not hold the information requested. 5.5. What happens if the information relates to a child/young person? (a) (b) (c) (d) There is no minimum age requirement for applicants, and therefore a child/young person can apply for access, provided that they are capable of understanding the nature of the request. Legally in England, there is no automatic presumption of capacity for people under 16 years, and those under that age must demonstrate they have sufficient understanding of what is proposed. However, children/young people who are aged 12 or over are generally expected to have this capacity. Where a child/young person is considered capable of making decisions about his or her medical treatment, their consent must be sought before a parent, guardian or any other third party can be given access. Where it is the opinion of an appropriate health professional that the child/young person is not capable of understanding the nature of an application for access, the Trust is entitled to refuse the request, or to insist that the request is made via a parent, guardian or someone else with parent responsibility. 
A parent or guardian can only apply for access where:
o the child/young person has given explicit consent; or
o the child/young person lacks the capacity to give consent (i.e. they are too young or in an unconscious state) and there is evidence of parental responsibility. This must be checked carefully as not all parents have parental responsibility.
Any access granted to a parent, guardian or other individual with parental responsibility should not include any information provided by the child/young person in confidence (i.e. there is an expectation that the information will not be revealed) or where they expressly asked for it not to be disclosed. The access should also not go against the best interests of the child/young person, and must only include relevant and not excessive information.
(e) Divorce or separation does not affect parental responsibility and the Trust should allow both parents reasonable access to their children's health records, unless there are other legal/court restrictions in place which prohibit this access or there are other valid reasons to restrict access (such as safeguarding concerns). Where access is granted to one parent with parental responsibility, the Trust is under no obligation to inform any other individuals with parental responsibility that this access has been given.
(f) The Trust is entitled to refuse access to a child/young person, parent, guardian or another individual with parental responsibility where the information contained in the records is likely to cause serious harm to the child/young person, or another person (see Section 5.4).
5.6. What happens if the information relates to a person who lacks capacity?
(a) Patients with mental disorders or learning disabilities should not automatically be regarded as lacking capacity. Unless unconscious, most people suffering from a mental impairment can make valid decisions about some matters that affect them and therefore explicit consent would be required. An individual's mental capacity must be judged in relation to the particular decision being made.
(b) Where it has been determined that the patient lacks capacity and is therefore incapable of managing their own affairs, information may be requested by/disclosed to the following without patient consent:
o an individual acting under a valid Lasting Power of Attorney (as long as the information relates to decisions that the individual has the legal right to make) - the type of permission required (health and welfare, or property and financial affairs) will depend on the purpose of the request;
o the Court of Protection and court appointed deputies;
o Independent Mental Capacity Advocates (IMCAs).
(c) Any access granted without patient consent should not include any information provided by the patient in confidence (i.e. there is an expectation that the information will not be revealed) or where they expressly asked for it not to be disclosed. The access should also not go against the best interests of the patient, and must only include relevant and not excessive information.
(g) The Trust is entitled to refuse access where the information contained in the records is likely to cause serious harm to the applicant, patient, or another person (see Section 5.4).
5.7. What happens if a third party is asked to release our information?
(a) There may be occasions when a third party, such as another NHS organisation or a local authority (social services), is dealing with a subject access request which includes information which has been provided by the Trust. Under these circumstances, the Information Governance Department should be asked to review the information being requested and either request redactions or amendments prior to the information being released, or provide approval for the information to be released to the applicant as is.
6. ADDITIONAL GUIDANCE ON ACCESSING INFORMATION
6.1. Requesting Access to the Records of a Deceased Patient
(a) The health records of a deceased patient are not included within the subject access provisions of the DPA or the right of access under the GDPR. Instead, the Access to Health Records Act 1990 (AHRA) provides a statutory right for certain individuals to apply for access to this information. However, this is limited to:
o the patient's personal representative - this is the named executor or administrator of the deceased person's estate, either through an official will or grant of probate;
o any person who may have a claim arising out of the patient's death - the decision as to whether a legitimate claim exists lies with the Trust and therefore this will be assessed on a case-by-case basis, with legal advice sought as required.
Where an individual who does not have a statutory right of access submits a request to the Trust, this should be carefully considered and not simply rejected.
(b) Access may be permitted; however, the benefit of the disclosure must outweigh both:
o the obligation of confidentiality owed to the deceased individual (likely to be less than that owed to living patients and will diminish over time) and any others cited in a record; and
o the overall importance placed on the health service providing a confidential service.
Key issues for consideration include:
o any preference expressed by the deceased prior to death;
o the distress or detriment that any living individual might suffer following the disclosure; and
o any loss of privacy that might result and the impact upon the reputation of the deceased.
The views of surviving family and the length of time after death are also important considerations, along with the extent of the disclosure. Disclosing a complete health record is likely to require a stronger justification than a partial disclosure of information extracted from the record. If the point of interest is the latest clinical episode or cause of death, then disclosure, where this is judged appropriate, should be limited to the pertinent details.
(c) Any request for access should be submitted in writing to the Medico-Legal Department, preferably using the Trust's Application for Access to Information.
(d) The applicant will need to provide sufficient identity documentation, as outlined in the guidance document Requesting Access to Information, together with proof of their right to access the information, either:
o a valid Will naming them as the Executor of the estate;
o a Grant of Representation (Grant of Probate for an Executor, or Letters of Administration for an Administrator); or
o evidence to support their claim to the deceased's estate.
(e) Upon receipt of the request, the Trust will establish if there is any fee for the supply of information. In the majority of cases, the Trust will provide a copy of the requested information free of charge. However, in accordance with the AHRA, the Trust may charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive or a duplicate. This fee is based on the administration time associated with the request. Should there be a fee for the information, the Trust will contact the applicant with a request for payment and an explanation and/or breakdown of the fee applied. The request will not be processed further until the relevant payment has been received by the Trust.
Once the request, all supporting evidence and any relevant fee have been received, the Trust must comply with the request promptly, either within 21 calendar days where the record has been added to in the last 40 days, or within 40 days otherwise. The request will be recorded and processed in the same way as any other information request, and the Trust still has the right to deny or restrict any access or disclosure as outlined in Section 5.4 of this policy.
6.2. Medical Reports for Insurance and Employment Purposes
The Access to Medical Reports Act 1988 governs access to medical reports which have been drafted by a medical practitioner (who is, or has been, responsible for the clinical care of the individual) for insurance or employment purposes. Medical reports prepared by other medical practitioners, such as those contracted by the Trust, are not covered by this Act, but are covered by the DPA. Any medical reports contained within Trust records would have been supplied with the consent of the individual, and therefore may be included as part of any request made for access (see Section 4.2 and Section 5). Further guidance can be found in the Trust's Medical Records Policy and Procedures, Personnel Files Procedure and the Department of Health Guidance for Access to Health Records Requests. Advice may also be sought from the Human Resources Department, Occupational Health Department or Information Governance Department, as appropriate.
6.3. Informal Access to Health Records - Patients, Relatives and Carers
These guidelines are designed to strike a pragmatic working balance between the occasional justifiable need to permit supervised informal access, and the duty to protect personal and confidential information. It is expected that this guidance will only be appropriate on infrequent occasions, and assessed on a case-by-case basis.
6.3.1. The Trust has a duty to protect patients from the unauthorised release of information under the DPA, GDPR, Human Rights Act and Freedom of Information Act, and also to protect the patient from the release of information which may be subsequently harmful or detrimental to them.
6.3.2. Third parties/individuals, irrespective of their connection to the patient, have no automatic right of access to another person's personal and sensitive information; hence the need to protect patient records on wards. The only exceptions are Members of Parliament who, as a patient's representative and only with the patient's permission, have a right of access.
6.3.3. Relatives, carers or other visitors must be deterred and dissuaded from randomly accessing a patient's record with or without the consent of the patient, or the knowledge of staff.
The use of confidential folders at bed ends, clearly marked as such and for Trust staff only, should be considered and actioned as resources allow. Medical notes should not be left unattended near patients or visitors, where access is probable/inevitable. If individuals want formal copies of patient information, then this should be obtained via the processes described in Section 5 of this policy, which all NHS organisations are required to have in operation.
6.3.4. There will be occasional instances where a patient may give fully informed consent to allow informal supervised access to their medical records by a relative, carer or another individual for a specific urgent purpose, e.g. determining placement for continuing care. If access is requested, then the first step should be a preliminary discussion between the patient and the relative/carer, so that they are fully supported throughout the process and can be provided with the interpretation and explanation of medical terminology. If informal access is to go ahead, then the following safeguards should be in place:
a) The patient must be in control of their mental abilities (have capacity) and be able to freely give informed written consent (verbal consent may be considered in certain circumstances);
b) Access must be restricted to relevant information contained within the record for the purpose of the request;
c) Access must be to a named relative, carer or other identifiable individual who is present, and this should be checked against the records held by the Trust;
d) Trust staff must believe that access is justifiable, appropriate and unlikely to be harmful to either the patient or relative, and the electronic patient record has been checked for any critical patient information (CPI) flags which may impact; AND
e) A health care professional, responsible for the care of that patient, must confirm that it is safe for the patient and relative/carer to have access (i.e. access or release is not going to adversely affect the patient's or anybody else's physical or mental health), and they must be in attendance to give advice, explanation and overview.
6.3.5. If a patient is not in control of their mental abilities, is unable to understand what is going on or give informed consent, or if staff believe there are suspicious circumstances or motives, then the individual(s) wanting access should be deterred and asked to apply through the formal application route (see Section 5).
6.4. Expectations of Staff Access to Records
6.4.1. Staff should not look up or amend their own record as it could be construed as abuse of privilege - this includes health/medical and employment records. All access must be governed via the processes outlined in this policy, and staff are required to follow the same procedure as any other requestor.
6.4.2. Staff should only access the records of their family, friends and other people they know (such as colleagues) when there is a legitimate professional reason for them to do so, in line with their job description and contract of employment. If this situation occurs, the member of staff should inform an appropriately senior manager who will then assess the impact and risks, and may allocate another member of staff to the relevant tasks.
6.4.3. If a member of staff is attending the hospital as a patient, they can ask the Information Governance Department to monitor access to their records. This is known as the Trust's Celebrity List and is completely confidential. The individual does not need to provide any medical information to be added to the Celebrity List; however, they may be asked to give an indication of the wards or departments that they are likely to visit to assist with identifying whether or not access to the records is appropriate. If any potential inappropriate access is identified, this will be followed up by the Information Governance Department and pursued via the Trust's Disciplinary Procedure, if appropriate.
7. DUTIES/RESPONSIBILITIES AND ACCOUNTABILITY
7.1. Chief Executive Officer and Directors
The Chief Executive Officer and Directors are responsible for ensuring that all policies and procedures are fit for purpose and meet the needs of the organisation, whilst ensuring that the Trust is able to meet its statutory obligations and responsibilities in line with relevant legislation, and ensuring that at all times the Trust's policies and procedures promote, maintain and strengthen the organisation's strategies, values and aims.
7.2. Medico-Legal Department
The Medico-Legal Department is a sub-team of the Medical Records Department and is responsible for:
7.2.1. Providing guidance and support to applicants on making a subject access request and the necessary evidence required;
7.2.2. Coordinating all subject access requests from patients, service users, solicitors, other NHS organisations, insurers and the police, redirecting the request as appropriate, such as to the Legal Department (potential litigation against the Trust) or Radiology (for x-ray and other scans and images);
7.2.3. Processing subject access requests within the remit of the department, including checking proof of identity and address (and/or authority to act), establishing right of access, maintaining active communication with the applicant and resolving queries;
7.2.4. Ensuring that all information provided to applicants is sent via secure means, or liaising with PALS and/or the relevant department(s) to arrange access where viewing is requested;
7.2.5. Recording all subject access requests within the Trust's central Subject Access Database, and ensuring that information is recorded accurately and in a timely manner;
7.2.6. Monitoring current applications to ensure that legal deadlines are met, with appropriate action taken in the database to record any appropriate stop clock actions, escalating any potential or actual breaches to the Information Governance Department.
7.3. Legal Department
The Legal Department is responsible for:
7.3.1. Dealing with all subject access requests which relate to, or have the potential to turn into, litigation against the Trust;
7.3.2. Recording all subject access requests within the Trust's central Subject Access Database, and ensuring that information is recorded accurately and in a timely manner.
7.4. Patient Advice and Liaison Service (PALS)
PALS is responsible for:
7.4.1. Providing guidance and support to applicants on making a subject access request and the necessary evidence required;
7.4.2. Supporting with applications for viewing information by providing a convenient and neutral meeting location;
7.4.3. Working with relevant departments to ensure that an appropriate healthcare professional is available to attend appointments for applicants to view information (where possible and required).
7.5. Information Governance (IG) Department
The IG Department is responsible for:
7.5.1. Providing support to patients, service users and staff on the legislation and individuals' rights outlined in this policy;
7.5.2. Managing all subject access requests submitted by staff and job applicants relating to recruitment and employment information (liaising with the HR Department as required), and supporting the Medico-Legal Department, Legal Department and PALS with queries and complaints relating to other applications, as needed;
7.5.3. Recording all subject access requests within the Trust's central Subject Access Database, and ensuring that information is recorded accurately and in a timely manner;

7.5.4. Monitoring and reporting on compliance rates to ensure that legal deadlines are met and any breaches are fully investigated;
7.5.5. Producing and updating the Trust's privacy notices in relation to patient, service user and patient information, and ensuring that these are clearly accessible and promoted within the Trust;
7.5.6. Reviewing all requests from other organisations to release information provided by the Trust under subject access.
7.6. All Trust Employees
All Trust Employees are responsible for being familiar with, and complying with, all Trust policies and procedures, ensuring that they are using and following the current and correct version, and seeking guidance, advice and support as required.
8. IMPLEMENTATION AND REVIEW
8.1 This policy will receive endorsement from the Trust's Caldicott Guardian and Senior Information Risk Owner, and receive formal ratification from the Information Governance Steering Group (IGSG) prior to launch, publication and use within the organisation.
8.2 This policy will be reviewed by the Information Governance Department on at least a three-yearly basis, unless there is a change in legislation or practice, or new guidelines are published, which necessitates an earlier review. Any major updates or changes to this policy will be ratified by the Caldicott Guardian, Senior Information Risk Owner and/or the IGSG (as appropriate) prior to implementation.
8.3 The use of this policy will be monitored by the Information Governance Department and Medico-Legal Department (as appropriate), and the IGSG as part of its formal arrangements.

APPENDICES
APPENDIX A: EQUALITY IMPACT ASSESSMENT
Date of Assessment: June 2017
Assessor Details: Information Governance Officer
Assessment Area: Subject Access and Other Information Rights Policy
Purpose, Aims and Intended Outcomes: See Sections 1 and 2 of this document for details regarding the purpose, aims and intended outcomes of the policy.
Target Group(s) and Impact/Influence: This policy is applicable to all staff and there is no anticipated detrimental impact on any equality group.
Assessment of Aspects/Activities Relevant to Equality: This policy makes all reasonable provision to ensure equal access to all staff. There are no statements, conditions or requirements that disadvantage any particular group of people.
Accessibility: All IG policies, procedures and guidance are accessible for all managers and staff via the intranet and copies are obtainable from the IG Department.
Consultation and Communication: This policy will be ratified by the Information Governance Steering Group (IGSG) prior to launch, publication and use within the organisation. All procedures are communicated widely and openly across the organisation, will be accessible to everyone via the intranet and, as required, staff will be supported in their application of the procedure.
Implementation: The application of this policy supports the Trust's duties under the Equality Act 2010. The organisation will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity and provide for good relations between all people of all diverse groups.
Monitoring and Review: This policy will be reviewed by the IG Department on a three-yearly basis, unless there is a change in legislation or practice, or new guidelines are published which necessitates an earlier review. Any major updates or changes to this policy will be ratified by the IGSG prior to implementation. The implementation and use of this policy will be monitored by the IG Department and Medical Records Team, and the IGSG as part of its formal arrangements.