Subject Access Request Procedure

Similar documents
CCTV POLICY. Document Type Corporate Policy. Unique Identifier HS-103

Data Protection Policy

Closed Circuit Television Code of Practice

CCTV CODE OF PRACTICE

Subject Access and Other Information Rights: Information Governance ( IG ) Policy

CCTV Code of Practice

North Yorkshire County Council. Subject Access Request Guidance and Procedure. Data Protection Act 1998

Schools Subject Access Request Procedures

Freedom of Information Act 2000 Policy and Procedure

Great Leighs Primary School. Data Protection and Freedom of Information Policy. Adopted: April Review Date: April 2018.

DATA PROTECTION AND FREEDOM OF INFORMATION POLICY

Data Protection Policy

SUBJECT ACCESS REQUEST

Data Protection Policy

Data Protection Policy. Revisions and Editions Log

Data Protection Policy

Access to Personal Information Procedure

Access to Health Records Policy

Freedom of Information Act 2000 (Section 50) Decision Notice

St. Paul s C of E Primary School

Statutory Policy No 7 DATA PROTECTION POLICY

Subject Access Requests

Freedom of Information Act 2000 (Section 50) Decision Notice

Environmental Information Regulations Decision Notice

BACKGROUND INFORMATION

Practical Guidance on the sharing of information and information governance for all NHS organisations specifically for Prevent and the Channel process

Data Protection Policy and Procedure

Data Protection Policy

Information Management Unit. Data Protection Policy for Schools BURNT TREE PRIMARY SCHOOL. Date Issued: September 30th 2015

RESTRICTED (when complete)

DATA PROTECTION POLICY STATUTORY

Freedom of Information Act 2000 (FOIA) Decision notice

Child sex offenders disclosure scheme (CSODS)

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

Privacy Notice (GDPR) - Vetting

Access to Patient Health Records Policy

INTRODUCTION 3 ABOUT THE NTPF 4 CLASSES OF RECORDS HELD BY THE NATIONAL TREATMENT PURCHASE FUND 5 HOW TO OBTAIN INFORMATION UNDER THE FOI ACT 7

Request under the Freedom of Information Act 2000 (FOIA)

Privacy Notice (GDPR) Licensing Firearms

Data Protection Act 1998 Policy

Freedom of Information Review

The London Borough of Barnet. The Metropolitan Police Barnet Borough Division

Freedom of Information Act 2000 (Section 50) Environmental Information Regulations Decision Notice

Merrydale Infant School Freedom of Information Act

Receiving and Responding to a Freedom of Information Act Request: Standard Operating Procedure

THE FREEDOM OF INFORMATION LAW, 2007 (LAW 10 OF 2007) THE FREEDOM OF INFORMATION (GENERAL) REGULATIONS, 2008

INFORMATION SHARING AGREEMENT WEST YORKSHIRE POLICE. and LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST

How we use Personal Information

Freedom of Information Act 2000 (Section 50) Decision Notice

The installation of CCTV can provide information on activities at the Water,

Request under the Freedom of Information Act 2000 (FOIA)

How we use Personal Information

Request under the Freedom of Information Act 2000 (FOIA)

Beaufort Primary School and Beaufort Nursery

Data Protection Commissioner s Foreword 3. Chapter 1: Introduction - Scope of the Guidance 5. Chapter 2: First Data Protection Principle 7

b) How many outstanding arrest warrants does Suffolk Constabulary currently have?

OFFICE OF THE POLICE AND CRIME COMMISSIONER FREEDOM OF INFORMATION ACT 2000 PUBLICATION SCHEME

Freedom of Information Act 2000 (FOIA) Decision notice

Data Protection Bill [HL]

Staff Data Protection Policy

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

Freedom of Information Act 2000 (Section 50) Decision Notice

FREEDOM OF INFORMATION POLICY

Freedom of Information Policy

Immigration and Nationality Directorate

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Policy, Procedures and Requests

A closed circuit television system is used at the Memorial Hall by the Parish Council.

Freedom of Information Act Procedure

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

Standard Operating Procedure

PRIVACY MANAGEMENT PLAN

FREEDOM OF INFORMATION REQUEST

Professional Title (e.g. Avocat / Rechtsanwalt): No (circle the relevant answer) If yes please provide details (on a separate sheet of paper)

Data Protection. Standard Operating Procedure

FREEDOM OF INFORMATION REQUEST

FREEDOM OF INFORMATION ACT 2000 POLICY

CODE OF PRACTICE FOR COMMUNITY- BASED CCTV SYSTEMS

European College of Business and Management Data Protection Policy

DURHAM CONSTABULARY POLICY

Freedom of Information Act 2000 (FOIA) Environmental Information Regulations 2004 (EIR) Decision notice

BERMUDA PUBLIC ACCESS TO INFORMATION REGULATIONS 2014 BR 79 / 2014

2.16 Freedom of Information and Protection of Privacy Act

DATA PROTECTION (JERSEY) LAW 2005 CODE OF PRACTICE & GUIDANCE ON THE USE OF CCTV GD6

Freedom of Information Request to Access a Medical Record

FREEDOM OF INFORMATION REQUEST

Norfolk and Suffolk Constabularies have considered your request for information and our response is below.

Making a Freedom of Information request

Data Protection Bill [HL]

MANUAL V & A WATERFRONT HOLDINGS (PTY) LTD

Environmental Information Regulations 2004 (EIR) Decision notice

Freedom of Information

Freedom of Information Act 2000 (FOIA) Decision notice

Decision 021/2005 Mr Michael Collie and the Common Services Agency for the Scottish Health Service

FREEDOM OF INFORMATION REQUEST

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

Force Communications Centre

Freedom of Information Act 2000: Policy

THE PIGGOTT SCHOOL FREEDOM OF INFORMATION POLICY AND GUIDANCE

Transcription:

Standard Operating Procedure 3 (SOP 3) Why we have a procedure? Subject Access Request Procedure Individuals have a legal right to see information that the Trust holds about them, subject to certain exemptions and unless there are compelling reasons not to do so. Black Country Partnership NHS Foundation Trust is committed to promoting a culture of openness and responding to requests for access to health records in a timely manner. Requests for access to health records are currently governed by the following legislation: Data Protection Act (1998) Section 7 of the Act gives patients the right to know whether the Trust is holding or processing information about them. The Act covers all personal information whether held on paper or on computer. All organisations holding personal information are required to comply with this legislation. Access to Health Records Act (1990) When the Data Protection Act came into force it repealed most of the Access to Health Records Act. The exception is the records of a person who has died, which are still governed by Section 3 of the Access to Health Records Act 1990. The Act gives a right of access to the personal representative of the person who has died. The representative will be someone who is entitled to administer the deceased person s estate by virtue of a grant of probate (if the deceased person left a will) or letter of administration (if they died intestate). General Data Protection Regulations (2012) Article12, 15 and Recitcal 63 provides rights to individuals about the use and access to their data. The Regulation gives rights of access to information regardless of the format it is recorded in. All organisations holding personal data are required to comply with this. What overarching policy the procedure links to? Information Sharing Policy Which services of the trust does this apply to? Where is it in operation? Group Inpatients Community Locations Mental Health Services all Learning Disabilities Services all Children and Young People Services x all Corporate Services all Subject Access Request Procedure Page 1 of 19 Version 2.0 January 2017

Who does the procedure apply to? All Staff Are responsible for adhering to the timescales highlighted within this policy and aiding the Information Governance Team with access to requested information. Information Governance Steering Group The Information Governance Steering Group is responsible for monitoring the amount of SARs received and completed by the Trust. The Group is also responsible for monitoring the SAR process to ensure that individual s rights are met. Caldicott Guardian The Caldicott Guardian provides advice in relation to the disclosure of records and the production of reports for requests which can been deemed as complex due to the information contained within the records or the circumstances surrounding the disclosure. Head of Information Governance Is responsible for ensuring the Trust is compliant with this procedure. The IG Manager is responsible for auditing and monitoring the SAR process. The IG Manager is responsible for ensuring that any complaints are fully reviewed. Information Governance and Data Protection Lead Is the main contact in relation to SARs, the IG and DPA Lead manages the SAR process and is responsible for ensuring that staff are aware of the process. Local Security Management Specialist (LSMS) Is responsible for the management of access to CCTV images. Service Managers, Team Managers, Clinical and Professional Leads. Service Managers and Professional Leads have a responsibility to ensure that this procedures is disseminated to all staff and are adhered to within their service area. When should the procedure be applied? The procedure should be applied for all requests for personal information. How to carry out this procedure Access to personal information is referred to as a Subject Access Request (SAR). The following flow chart shows the SAR process broken down into 6 stages: Subject Access Request Procedure Page 2 of 19 Version 2.0 January 2017

Subject Access Request Procedure Page 3 of 19 Version 2.0 January 2017

Stage 1 Request Received Formal requests for access to health records have to be made in writing. This can include email but further proof of identification or signature maybe required. The Trust does not require a formal application form to be completed. However if the individual would prefer to complete an application form this can be provided (see appendix 1). All formal requests are dealt with centrally by the Information Governance Team based at Trust Headquarters. If patients ask for advice on applying for access, staff should advise them that they will need to: Put their request in writing (provide a copy of the application form were necessary) Provide the Trust with any relevant information that is required to sufficiently confirm their identity If the individual requires help to put the request in writing the staff member should aid the individual in either writing the request or completing the application form. Where a request is received by the service directly staff must be forwarded without delay to the Information Governance Team; it is preferred that the request is forwarded to the Information Governance Team within 48 hours of receipt as acknowledgement letters have to be forwarded to the applicant within 5 working days of receipt of the request. The acknowledgement letter will confirm receipt of the request and outline the process. Stage 2 Identity Checks The following individuals are able to apply for access to health records: The patient. Former patients living outside the UK still have the same rights to apply for access to their UK health records. These requests will be dealt with in the same way as an application for access within the UK. The patient s representative, with the patient s consent A parent or guardian may apply for access on behalf of a child if it is a health record A person appointed by the Courts, as the patient s litigation friend, may apply on behalf of a patient who is incapable of managing his/her own affairs. The Police The Coroner Courts The following individuals are able to apply for access to employee records: The employee The employee s representative, with the individuals consent A person appointed by the Court Relevant professional bodies for example the GMC and NMC. The Police Identity checks are completed for the individual requesting their records. Checks may also be made of the person s representative to ensure that they are able to receive the information e.g. a check may be made with the Information Commissioner s Register of Data Controllers to see if a firm of solicitors is registered correctly etc. The following table shows what documentation or identity checks are required for each requester type: Subject Access Request Procedure Page 4 of 19 Version 2.0 January 2017

Requester Consent Required? Identity Documents Required The Data Subject (the person to whom the information is about) No: as the request is made by the individual then further consent is not required Photo ID document such as Passport or Driving Licence. Proof of address Any Other Documentation Required No Additional Information Police Yes; in the absence of a Data Protection form If police are collecting the information then their ID Card must be checked prior to providing the information to them. Data Protection Form stating: The reason(s) for the request A crime reference number The legal basis for the request This must be countersigned by a relevant senior person at the police Coroner N/A N/A Written request from the Coroner. In some cases a court order may be required. The Data Protection Form for West Midlands Police is a WA170 Form. The coroner may request information from the Trust to assist them in the course of their duties. This must only be a copy and not the original. If the coroner requests the originals the Trust must make a copy and ask for Subject Access Request Procedure Page 5 of 19 Version 2.0 January 2017

the originals back when they have finished with them. Courts Yes N/A Court Order (where consent is not obtained) Staff should always seek advice from the Information Governance Team before releasing information. Any such requests will be dealt with in accordance with the requirements of the order. If the Trust is unable to comply with this request, the court must be informed immediately as to the reason why. Relatives, Carers, Next of Kin, patient personal representative. Yes (where applicable) Photo ID document such as Passport or Driving Licence. Proof of address. Confirmation to show relationship with patient; for example the patients birth certificate showing parents details. Where the patient is unable to provide consent due to lack of capacity this must be confirmed by the relevant clinician. Subject Access Request Procedure Page 6 of 19 Version 2.0 January 2017

Solicitors Yes N/A Signed consent form completed by patient (or their representative) from solicitors Third Parties (other organisations not listed) Where the patient is unable to provide consent due to lack of capacity this must be confirmed by the relevant clinician. The consent form received from the solicitor must be signed by a relevant individual who is able to consent on behalf of the patient. Yes N/A Patient consent is required to provide information to Third Parties. Where the patient is unable to give consent a relative, Carer (etc.) is able to do this on their behalf (see this section within the table for further details on their identity checks) Other NHS Trusts No N/A Confirmation of continuation of care needs is required from the requester. Safe haven checks are carried out in relation to the NHS Trust s contact details. Other organisations involved in the patients care; such as Local Authorities and private health care organisations. Yes (where applicable) Safe haven checks are carried out in relation to the organisation s contact details. Confirmation of continuation of care needs or reasons for access is required from the requester. Subject Access Request Procedure Page 7 of 19 Version 2.0 January 2017

Stage 3 - Record Located The IG and Data Protection Lead reviews all systems to locate all records for the individual. Once all records are located a review is complete to see if a charge can be applied to the release of the records. N.B Under the Data Protection Act 1998 a fee can be charged for records. From 25 th May 2018 the General Data Protection Regulation 2016 comes into force. From this date fees are no longer applicable Charges for Access to Health Records Under the terms of the Data Protection Act 1998 and subsequent Statutory Instruments, the Trust is able to request a fee for access to records. The maximum fees are as follows: 10 for providing copies of computerised records 50 for providing copies of manual health records The Trust has adapted Statutory Instrument 191 in relation to the fees limits applied by the Trust. For providing hard copies of all or part of manual records the charges shall be calculated on a sliding scale as follows: - Between 0-100 A4 pages = 10.00 - From 100 299 A4 pages = 25.00 - Over 300 A4 pages = 50.00 (statutory maximum) For a combination of computerised and manually held paper records the statutory maximum allowed is 50.00 and accordingly the fees for these records will be calculated on the sliding scale listed above. For Supervised Access, (simply to allow the data subject or their representative to view the manual or computerised records) there may be a standard fee of 10.00 as allowed by the Data Protection Act 1998. This fee does not allow the applicant to be given copies of the records to take away; a separate charge will be levied for any such request. If a patient wishes to view their health record there will be no charge made however if the patient then wishes to be provided with copies, a fee may be required dependant on the above scale. No charge can be made for any information that has been generated or created in the previous 40 days from the date of the application. All charges are inclusive of postage and administrative costs incurred. The Trust will consistently apply the above charging arrangements to any requests for access to records. However a level of discretion will be allowed in cases where the patient has applied directly for the information, the consideration will be made in relation to the level of hardship and in support of patient care. Where the requester does not wish to pay the required fee the Information Governance and Data Protection Lead will support the individual in reducing the request by identifying the specific information required. Where the fee cannot be reduced and the requester is unable to pay the fee they will be offered the opportunity to view the original records. Subject Access Request Procedure Page 8 of 19 Version 2.0 January 2017

Disproportionate Effort The Data Protection Act does allow for records not to be released if providing a copy involves disproportionate effort. However, this is not defined and any decision is based on the total size of the combined record, the estimated time to copy etc. Where the Trust decides that disproportionate effort would be required to provide a copy of the record this decision will be taken by the Caldicott Guardian. This will be fully documented (including estimates for copying, total cost of provision etc.). At every stage the applicant will be asked to refine or limit their request rather than use this exemption. Clinical Review On receipt of a written request to access health records, the Information Governance Team will contact the relevant health professional(s) informing them of this request and requesting that they review the records prior to release. The health professional will be responsible for ensuring that they have: read and reviewed the record and considered the impact of release The health professional must inform the IG Team if there is any information contained within the records which may cause serious harm to the physical or mental health or condition of the patient, or any other person. Where the health professional has highlighted concerns with the release of the information but there is a legal requirement to release the information in the original unredacted format the concerns raised by the health professional must be highlighted as part of the disclosure letter. Stage 4 Copy Records Once the clinical review has been completed the IG and Data Protection Lead will arrange to receive a copy of all records, manual and electronic, in relation to the request. For manual records the IG and Data Protection Lead will arrange to access the records to be copied. Records are usually copied at the location that they are held, however there may be some instances where the originals are required by the Information Governance Team. Stage 5 Exemption Review There are two exemptions where information may be redacted or refused to be released in its entirety: Where the release of the information may cause serious harm to the physical or mental health or condition of the patient, or any other person. This is a clinical decision and the clinician will need to confirm that :- o they have read and reviewed the record and o they have considered the impact of release to the individual Where access would disclose information relating to or provided by a third person (this does not include the names of staff members making the entries to a record). Where it is agreed an exemption applies the Information Governance Officer must review the record in its entirety and redact the exempt information to ensure that this cannot be read or interpreted by the remaining information. Subject Access Request Procedure Page 9 of 19 Version 2.0 January 2017

Where an exemption is applied this must be explained within the disclosure response. If the health professional states that due to the patient s health by disclosing sections which show redacted information or by highlighting that some information has been removed would cause additional harm or distress to the patient then sections of the record may be removed and the explanation of the use of the exemption can be removed from the final disclosure response. Third Party Disclosure Before disclosing information to patients, or their representatives, the records must be checked for information that relates to an identifiable third party, the information may not be released unless: The third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the patient. The third party, who is not a health professional, gives their consent to the disclosure of that information. It is reasonable to dispense with that third party s consent (taking into account duty of confidentiality owed to the other individual, any steps to seek his or her consent and whether consent has been expressly refused). Health professionals under the Data Protection Act are not required to approach a third party for disclosure, but in some cases they may wish to. If decisions are taken following proper consideration, and for valid reasons, the Trust will accept responsibility for the actions of its staff if patients object to any refusals to disclose details. Stage 6 Release Information When a request is received for a copy of a record it will be taken to mean all records held by the Trust for that individual, unless the Trust is able to agree that the request can be refined. The Trust will make the information available to the individual or requester either by providing copies or inviting him/her to attend a meeting to view the records with an appropriate representative; this would usually be a member of staff from the Information Governance Team. Each case will be considered on an individual basis as to whether there is a requirement for the provision of additional support for the interpretation of these records. If the applicant raises any queries, then an appointment should be offered to meet with the appropriate health professional. If information is copied from the records, it should preferably, be handed to the individual. If that is not possible, and the information has to be posted, it must be sent in line with the Trust Safe Haven procedures; i.e. it should be sent as a minimum requirement via Recorded Delivery. Information will be provided to the individual either by sending them a photocopy of the records or, if via email, a scanned copy. No matter how the information is supplied to the applicant, all of it must be intelligible. If records contain codes, technical terms or obtuse jargon, an understandable explanation must be provided for example by including a relevant abbreviation list. Subject Access Request Procedure Page 10 of 19 Version 2.0 January 2017

The Information Governance Team will maintain a record of all access requests with a full audit trail of actions completed and decisions taken. A standard response letter will be provided which will include: - Where to find the Trusts Complaint Process - The Information Commissioners Details - Exemption explanation (where applied) Time Allowed for Response The Data Protection Act 1998 requires access requests to be complied within 40 calendar days and in exceptional circumstances if it is not possible to comply within this period then the applicant must be informed. However, in line with Department of Health guidance the Trust will seek to release health records within 21 days (if possible). Failure to meet the appropriate deadlines may result in patients making a complaint to the Information Commissioner. Following the implementation of the General Data Protection Regulations the timescale for responding to requests will be one month (or 30 days) from the date received. The timescale starts as soon as the Trust receives the request for access to records. The Trust is able to pause the timescale under the following circumstances: Where all of the information needed to identify the individual s record or to confirm the information required has not been received within the initial written request. The paused timescale comes into effect once the information has been requested. Where a third party is acting on behalf of the individual and consent has not been received. The paused timescale comes into effect once the consent has been requested. If payment is required. The paused timescale comes into effect once the appropriate fee has been requested. Where the Trust requires further details, consent or payment the timescale is then paused, this allows the Trust the full time period to process and respond to the request. The timescale does not restart once the additional information or payment has been received for example; Working on a 40 calendar day timescale: If the Trust requested payment 5 days after the request was originally received, once the payment is received the Trust will have 35 days (or 16 days DoH standard) to complete the request. Where a response has not been received within 6 weeks of pausing a request a reminder must be sent to the requester. If no response is received within 3 months of the initial date the request was paused then the request will be marked as completed on the Trust system and a suitable response sent to the requester outlining if they still require the records they will have to reapply for the information. Access to CCTV Images Access to and the disclosure of, images recorded by CCTV or other similar surveillance equipment must be strictly controlled. This is not only to protect the rights of the individual but also to ensure that the chain of evidence remains intact. Access to recorded images must be restricted to those staffs that need to have access in order to achieve the purpose(s) of using the equipment. Subject Access Request Procedure Page 11 of 19 Version 2.0 January 2017

In adopting this national standard for the release of data to third parties, it is intended, as far as reasonably practicable, to safeguard the individual s rights to privacy and to give effect to the following principles: Recorded material shall be processed lawfully and fairly and used only for the purposes defined in the CCTV Code of Practice; Access to recorded material shall only take place in accordance with the CCTV Code of Practice; The release or disclosure of data for commercial or entertainment purposes is specifically prohibited. Police Access to CCTV Footage In the event of a crime in progress Police are allowed to view CCTV footage under the supervision of the appropriate manager. Should the Police subsequently require a copy of the CCTV footage they must put the request in writing either by submitting the relevant data protection form allowing access under section 29(3) or by completing the appropriate view / release form (Appendix 2). Third Party Access to CCTV Footage Disclosure of recorded images to third parties will be limited to the following: Law Enforcement Agencies where the images would assist in a specific criminal enquiry Prosecution Agencies Relevant legal representatives The media where it is decided that the public s assistance is needed in order to assist in the identification of victim, witness or perpetrator in relation to a criminal incident. As part of that decision the wishes of the victim of an incident should be taken into account All requests for access or for disclosure to third parties must be documented and the Trust LSMS informed. The reason(s) for disclosure must be compatible with the purpose(s) for which the images were originally obtained. Images must not be released to a third party without the consent of the data subject unless exception for the need to obtain the consent of the data subject is allowed within the Data Protection Act. For example: where disclosure is necessary for the prevention or detection of any unlawful acts where obtaining consent would prejudice that purpose (e.g. passing information to the Police which may help them prevent a serious crime). If access or disclosure to images is denied, the reason must be documented. If access or disclosure is allowed, then the following must be documented as per Appendix 2 and retained in a secure location: The date of the application and, where appropriate, the date when the search fee was received. The date and time at which access was allowed or the date on which disclosure was made. The identification of any third party who was allowed access or to whom disclosure was made. The reason for allowing access or disclosure. The extent of the information to which access was allowed or which was disclosed. In certain circumstances it may be necessary for the images of some or all of the data subjects (together with any vehicle number plates) to be masked before access or disclosure is permitted. (CCTV Code of Practice). Subject Access Request Procedure Page 12 of 19 Version 2.0 January 2017

Access by Data Subjects/Individuals The data subject can request a copy of their record images but it will only be provided if its production does not involve disproportionate effort. In all cases where a copy of a recording is requested by the data subject the advice of the Trust s Local Security Manager must be taken on whether a copy of the recording should be provided. Upon receipt of the request the LSMS will determine whether disclosure is appropriate and whether there is a duty of care to protect the images of any third parties. If the duty of care cannot be discharged then the request can be refused. A written response will be made to the individual, giving the decision (and if the request has been refused, giving reasons) within 21 days of receipt of the enquiry. If access or disclosure is allowed then the following will be documented: The date and time at which access was allowed or the date on which disclosure was made The identification of any third party who was allowed access or to whom disclosure was made The reason for allowing access or disclosure The extent of the information to which access was allowed or which was disclosed Completion of Appendix 3 for data subjects and other individuals should also include the collection of a minimal charge ( 10) to cover administrative costs: If third party images are not to be disclosed it will be necessary to arrange for the images to be disguised or blurred. Requests for Reports Requests for reports must be received in writing along with the relevant consent forms. This can include email but further proof of identification or signature maybe required. Request for reports can be made directly to the relevant health professional. Where assistance is required these can be forwarded to the Information Governance Team who will review the request to ensure that the relevant consent and information is received and the report can be disclosed. The IG Team cannot provide clinical advice on what to include within the report, however such advice can be sought from the Caldicott Guardian. Where the IG Team have been involved a reference number will be provided and the IG Team will maintain a log of all actions associated with the request. Please see appendix 4 to show a simple chart in relation to information disclosures completed by the IG Team. Complaints In the event of the Trust refusing access to any record then the applicant can appeal against this decision through the Trust s Complaint Procedure by contacting the Trust s Complaints Manager. The complaint will be investigated in accordance with the provisions of the Data Protection Act and in compliance with guidance issued by the Information Commissioner s Office, the independent authority for upholding information rights in the public interest. Subject Access Request Procedure Page 13 of 19 Version 2.0 January 2017

Alternatively, the applicant can take this matter up directly with the Information Commissioner s Office. The Information Commissioner s Office may be contacted using any of the following methods: Post: Information Commissioner s Office Wycliffe House, Water Lane Wilmslow Cheshire SK9 5AF Telephone: 03031231113 Website address: http://www.ico.gov.uk/complaints/ Where do I go for further advice or information? The Information Governance Team will be able to provide any advice or additional support required in relation to access to records. All email correspondence is to be sent to; informationgovernance@bcpft.nhs.uk. For advice and guidance in relation to CCTV images please contact the LSMS or a member of the Health and Safety Team. Training Staff may receive training in relation to this procedure, where it is identified in their appraisal as part of the specific development needs for their role and responsibilities. Please refer to the Trust s Mandatory & Risk Management Training Needs Analysis for further details on training requirements, target audiences and update frequencies Monitoring / Review of this Procedure In the event of planned change in the process(es) described within this document or an incident involving the described process(es) within the review cycle, this SOP will be reviewed and revised as necessary to maintain its accuracy and effectiveness. Equality Impact Assessment Please refer to overarching policy Data Protection Act and Freedom of Information Act Please refer to overarching policy Appendices Appendix 1 Subject Access Request Form Appendix 2 Access to CCTV Images Police Request Form Appendix 3 Application for Access to CCTV / Recorded Images Appendix 4 Flow Chart; How to Complete Requests for Access to Information Subject Access Request Procedure Page 14 of 19 Version 2.0 January 2017

APPENDIX 1 Subject Access Request - Information Form Patient Details Full Name: Current Address: DOB: NHS Number: (If known) Previous Address: Information Required Please Select As appropriate: I require: A Copy of my Full Records To View my Full Records To have a copy of part of my record Please provide information on what you require: Consent to release records I confirm that I am the above person and consent to the Trust releasing the information to me as selected within this form. Print: Sign: Date: Once complete forward this form to: Information Governance Department Delta House Delta Point Greets Green Road West Bromwich Subject Access Request Procedure B70 9PL Page 15 of 19 Version 2.0 January 2017

APPENDIX 2 Date/Time of Incident: ACCESS TO CCTV IMAGES POLICE FORM Crime / Safeguard Report No: Rank/Position/Force No. : Contact No: Station: Brief details of Incident reported: Reason for request: Signature: Rank/Position/No: Date: RECEIPT FOR SECURITY RECORDED DATA Date: Released by: Recorded material details: (DVD / CD-R / Photographs (printed Images)/Data Text Files/Print) Date Produced: Signature of person receiving: Trust Media Serial No: Police Rank/Position and Force No. Police Force: Station: Contact No: Police Property Receipt Number: Other Authorised Third-Party Name of person receiving: Function: Signature of person receiving: Subject Access Request Procedure Page 16 of 19 Version 2.0 January 2017

Appendix 3 APPLICATION FOR ACCESS TO CCTV / RECORDED IMAGES The Trust will only accept applications from the data subject, not persons acting on their behalf, except In a case where an application is made on behalf of a child less than 16 years of age by someone with parental responsibility for the child or an application is made on someone s behalf by a legal representative but only if the express consent of the data subject accompanies the request. Name of Applicant: APPLICATION DETAILS Address: Postcode: Name of Data subject: (if different from name of applicant) Please provide details of the date, time and location of when you believe you may have been recorded. If you wish to make an application to see any other occasions where you may have been recorded, please attach a separate form with the details. Only one search fee (see below) is payable if the application forms are received at the same time. Details: Location: Vehicle Registration Number: (only complete if you believe that your image was captured whilst you were travelling in a vehicle) Date: Time: Proof of the applicant s identity (i.e. passport or driving licence) will be required before access to or disclosure of recorded material is permitted. In the case of applications made on behalf of children, the child s consent may also be required. You will receive a written response to your application within 21 days. Access to recorded images will be provided within 40 days of receiving the required fee and information. I have read the above and understand the Trust s policy in relation to the purpose of the CCTV surveillance and the arrangements for access to recorded images. 1. I only wish to view the recoded image(s) 2. I enclose recent colour photographs of myself/the applicant in order that you can locate the correct image 3. I enclose a 10 cheque, made payable to the Black Country Partnership NHS Foundation Trust, in payment for the search to be completed. N.B. Two colour photo booth style photographs must be provided, one of which is full face and the other a side on perspective. Signed: Date: Subject Access Request Procedure Page 17 of 19 Version 2.0 January 2017

Appendix 4 How to Complete Requests for Information Receive Request for access to information including; copies of records and/or new medical, nursing or other professionals reports for solicitors, court or other purposes Forward to the Information Governance Team SUBJECT ACCESS REQUEST REQUEST FOR A REPORT Logged on the IG audit system. Acknowledgment sent. SAR is valid complete and signed by the requester. ID documentation is obtained, Forward to relevant health professional to review and produce a report. Locate the records. Ensure that clinical approval is obtained for the release. Copy all parts of the record and check for any exemptions that may apply Information Governance will work with the relevant staff member to produce the relevant report. Once complete the report will be reviewed by Safeguarding (if required). Complete a list of any abbreviations used within the records. Ensure the Fee (if applicable) has been collected. Release Information via agreed method. Subject Access Request Procedure Page 18 of 19 Version 2.0 January 2017

Standard Operating Procedure Details Unique Identifier for this SOP is State if SOP is New or Revised BCPFT-IG-SOP-05-3 Revised Policy Category Executive Director whose portfolio this SOP comes under Policy Lead/Author Job titles only Committee/Group Responsible for Approval of this SOP Month/year consultation process completed Information Governance Executive Director of Nursing Month/year SOP was approved December 2016 Next review due December 2019 Disclosure Status Head of Information Governance Information Governance Steering Group B can be disclosed to patients and the public Review and Amendment History Version Date Description of Change 2.0 1.0 Jan 2017 Oct 2014 Full SOP review and new format New SOP for BCPFT linked to Information Sharing Policy Subject Access Request Procedure Page 19 of 19 Version 2.0 January 2017

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback