SUBJECT ACCESS POLICY
Semovo recognises the individual’s right of access to their recorded information and in some cases to information relating to other people. Semovo will ensure that adequate provision is given to service users and staff to exercise this right.
This Policy describes how Semovo will achieve compliance with the key legislation that provides access to personal information.
The GDPR/DPA 2018 regulates the processing, including disclosure, of information relating to living individuals. The Act gives the individual (data subject) or their authorised representatives the right to apply to view or have copies of personal data held about them, including health records (subject access rights) and personnel records.
Semovo recognises that where there is legitimate interest, information relating to a deceased person is accessible through the Access to Health Records Act 1990.
The purpose of this policy is to establish Semovo’s responsibilities as the designated data controller under the GDPR/Data Protection Act 2018, to comply with and process subject access requests.
This document provides policy statements to the staff processing such requests and the data subjects themselves and:
- describes how Semovo will comply with the law
- provides assurance on lawful practice
- establishes the roles and responsibilities of staff in the processing of requests
- establishes that processes will be in place to support this policy
The key definitions applicable to this policy are as follows:
The Data Protection Act 2018 defines a health record ‘as a record consisting of information relating to the physical or mental health or condition of an identified individual made by or on behalf of a health professional in connection with the care of that individual’. The record may be held in computerised or manual form or in a combination of both.
The Data Subject
An individual who is the subject of the information (service user/member of staff)
The Data Controller
A person (organisation) who determines the purposes for which and the manner in which personal data is processed
Subject Access Rights
Individuals can make an application in writing to gain access to information held or processed about them
A person identified in the health/medical record other than the data subject or a health professional
Service User's Personal Representative
Defined as the executor or administrator of the deceased's estate.
Designated by the Caldicott Committee as responsible for overseeing the arrangements for the use and sharing of clinical information.
Permits disclosure of information
Access to Health Records Act 1990
This Act has been repealed to the extent that it affected the health/medical records of living service users and is now only in force in respect of deceased service users. Applies to records created since 1st November 1991.
GDPR/Data Protection Act 2018
An Act that regulates the processing of information relating to living individuals, including the holding, use or disclosure of such information
Freedom of Information Act 2000
An Act to make provision for the disclosure of information held by Public Authorities
Access To Medical Reports Act 1988
An Act to make provision for the individual to access medical reports written by a health professional for the provision of a service
The Board has ultimate responsibility for the implementation of the provisions of this policy. As the ‘Accountable Officer’ they are responsible for the management of Semovo and for ensuring that the appropriate mechanisms are in place to support service delivery and continuity.
Semovo has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of and compliance with internal and external governance requirements.
Caldicott Guardian/Information Governance (IG) Lead
The Semovo Caldicott Guardian is responsible for the confidentiality of person identifiable information as designated in the Caldicott Report and for the information governance agenda, which incorporates data protection. The IG Lead will also ensure that there are robust processes in place to respond to subject access requests from staff and service users.
The Semovo Senior Information Risk Owner (SIRO) is responsible for overseeing the application of this Policy and its principles within the organisation.
The Privacy Officer
The Semovo Privacy Officer is responsible for records management elements of compliance with this Policy and will receive reports on compliance with the subject access provisions through the SIRO.
The Human Resources department will provide information from staff records where that staff member has requested access to their personnel file, to comply with this policy. A member of the Human Resources department will review personnel files with the appropriate Team leader before release to establish if any of the information may not be available for release.
Team Leaders will ensure that their staff are aware of this Policy and comply with and support the operational procedures. Team Leaders will make information readily available to the Privacy Officer to support the processing of subject access requests.
It is the responsibility of all permanent and temporary staff, students, volunteers and contracted staff to comply with data protection legislation, this Policy and the processes that support it.
Subject Access Requests
Semovo will accept written requests, including e-mail, from a data subject in the provision of subject access. Semovo will make a standard access form (SEM-FM-IG-1) available to the public/staff, where required, to assist the application.
Telephone applications from an individual who is unable to make a written request may be accepted subject to strict conditions following the Department of Health Guidance for Access to Health Records 2010 www.nhs.uk/chq/Documents/GuidanceforAccesstoHealthRecords
Semovo requires applicants to provide 2 forms of proof of identity, one of which should be photo identification.
Where an application is made on behalf of a service user/member of staff, Semovo will confirm that the consent of the individual has been obtained prior to any release.
Where an individual has not specified the information that they require, Semovo will ask the applicant to refine the request.
Where an access request has previously been met and a subsequent identical or similar request is received, Semovo will assess if a reasonable time interval has elapsed before providing the information.
Provision of Copies or Viewing Records
Semovo will ensure that a relevant professional is consulted prior to any release of information of a health related nature. Semovo will require the professional to consider the following prior to the release of copies or the viewing of records:
- any serious harm to the physical or mental health or condition of the service user or member of staff requesting access, or any other person
- the consent of any third party where the content relates to that third party who is not a health professional
- if it is reasonable to disclose without the consent of a third party
Medical Terminology and Viewing a Record
A health professional will be made available to answer any queries related to the viewing of a health related record, including occupational health records, and to respond to questions relating to any medical terminology.
A designated lay administrator will oversee the viewing of records where a health professional is not required.
Access to Records of the Deceased
Application to view or have copies of health related records or occupational health records of the deceased will be considered under the Access to Health Records Act 1990.
Semovo recognises that it owes a duty of confidentiality to the deceased.
The Caldicott Guardian will be consulted on any proposed disclosure of information relating to the deceased and legal advice will be sought where necessary.
Information Shared with Other Organisations
Where Semovo has legitimately shared identifiable information with other organisations and that organisation maintains its own records, Semovo considers that subject access requests should be made directly to that organisation.
Where Semovo legitimately accesses another organisation's system, subject access requests relating to information in that system will be referred to that organisation.
Application by Solicitors
Semovo will pay due regard to subject access requests made through a solicitor where the consent of the data subject has been provided. Consideration will be made to the information requested under the subject access provisions of the Data Protection Act 2018.
Semovo will consider application for access to health related and occupational health records and personnel records where there is a lawful requirement to comply.
Disclosures in Absence of a Statutory Requirement
Where there is no statutory requirement to comply with a request for access, Semovo will consider applications on a case by case basis.
Semovo recognises that in all cases the public interest in disclosure must outweigh the duty of confidentiality owed to the deceased before any disclosure is approved.
Timeframe for Compliance
The Department of Health has issued guidance recommending that subject access requests are responded to within 21 days. The GDPR gives one calendar month from when we receive a completed request and payment (if applicable). Semovo will endeavour to comply with the Department of Health recommendations. Where Semovo cannot meet this compliance guideline the applicant will be informed and a response will be provided as soon as possible after the 21-day period and prior to the statutory calendar month under the Data Protection Act 2018.
Semovo will inform applicants of any refusal to comply with requests as soon as possible within the given timeframe.
Subject access requests including access to health related, personnel and occupational health records will be recorded in a log that will be used to demonstrate compliance with statutory timeframes and will provide assurance reports.
Amendments to Records
Semovo recognises that an opinion or judgment recorded by a health professional, whether accurate or not, should not be deleted from a health related record.
Where a data subject requests amendment to information in a health related record or occupational health records the health professional concerned will be consulted.
Amendments will be made where both parties agree and the original information will be left clearly visible. An explanation and amendment date signed by the health professional will be added to the record.
Where a health professional considers disputed information to be accurate Semovo will ensure that a note recording the service user’s disagreement will be added and that the date and signature of the health professional will be included.
Inaccuracies in personnel records will be considered with the HR department and will be amended if appropriate and signed and dated by the Team Leader.
Service Users/Former Members of Staff Living Abroad
Service users or former members of staff who are now living outside of the UK will be given the same rights of access under the Data Protection Act 2018, where the records of treatment, occupational health or personnel records are still held by the organisation.
Original medical or occupational health or personnel records will not be transferred abroad. A copy or summary of record will be provided, subject to the fees stipulated in Appendix A.
Freedom of Information Act 2000
MF will consider any requests for information which constitutes personal information to be exempt from disclosure under the Freedom of Information Act 2000 if:
- Disclosure would contravene any of the Data Protection principles
- Where information has been provided in confidence.
- Where a duty of confidentiality is owed to the deceased.
Access to Medical Reports Act 1988
Applications to view Medical Reports following insurance or employment medicals will be considered with regard to the Access to Medical Reports Act 1988.
Section 29 Access Requests
Section 29 of the Data Protection Act provides an exemption in law to access person identifiable information without seeking the consent of that individual for the purpose of investigating serious crime, fraud and taxation purposes.
Semovo will consider Section 29 applications on a case by case basis.
Where Semovo deems it acceptable to disclose under a Section 29 request, it will release sufficient information for the purpose but not excessive to the purpose.
Semovo recognises that subsequent to the refusal of a Section 29 request the Police may seek a Court Order which requires the disclosure.
Information will be available to service users and staff detailing how to apply for access to health related, occupational health, and personnel records and will detail the complaints process.
Semovo will initially try to resolve any complaints regarding subject access requests through informal discussion. If unresolved a formal complaints process will be initiated.
Where complaints are unresolved, details of the Semovo Complaints Procedure will be provided by Semovo to the applicant.
Complainants will be informed of their right to contact the Information Commissioner for a review of the subject access provision.
Dissemination and Implementation
This Policy will be made available to the Public through the Semovo website.
This Policy and associated procedure will be made available to staff through Q-Pulse and will be included in training sessions.
New employees will be made aware of this policy through the Induction process.
Semovo will ensure that processes are in place to implement this policy.
Monitoring Compliance with Effectiveness
Compliance with this Policy will be monitored through the provision of quarterly reports to the Board.
A log of all subject access requests will be maintained. The effectiveness of the log will be regularly reviewed.
Written procedures will detail the compliance process. The effectiveness of the procedures will be reviewed at regular intervals.
Exemplar template documents will be available to the Public in connection with this policy.
Service user satisfaction spot checks will be carried out to establish the effectiveness of the Access to Health Records processes that support this policy.
This Policy will be monitored through the investigation of any related complaints.
This Policy should be read in conjunction with the following Organisation Policies:
- Data Protection Policy
- Freedom of Information Policy
- Information Governance Policy
- Records Management & Information Lifecycle Policy
- Access to Health Records Act 1990
- Access to Medical Reports Act 1988
- Data Protection Act 1998
- Data Protection Subject Access Fees and Miscellaneous Provisions Regulations 2000
- Department of Health Guidance on Access to Health Records Requests 2010
- Freedom of Information Act 2000
- Mental Health Act
- Mental Capacity Act
- NHS Code of Practice: Records Management 2009