Subject Access Request (SAR) Procedure

1 Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 1 of 18 Subject Access Request (SAR) Procedure Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 2 of 18 DOCUMENT CONTROL SHEET Document Owner: Chief Finance Officer Document Author(s): Anne Ephgrave HR Business Manager Version: FINAL Directorate: Finance Approved By: Information Governance Forum Date of Approval: June 2016 Date of Review: June 2018 Change History: Version Date Reviewer(s) Revision Description 19/08/2013 Anne Ephgrave Initial Draft 19/09/2013 Caroline Law Final 15/02/2015 Charlotte Travill Reformat March 2015 Sarah Feal Review of Subject matter, Roles and responsibilities March 2015 Alan Pond Procedure Approved December 2015 IG Forum Review and update to incorporate the needs of the Retrospective Reviews Team June 2016 Sarah Feal Update to make it clearer that all requests need to be logged in the Governance and Corporate Affairs Team Implementation Plan: Development and Consultation Information Governance Forum Dissemination Staff can Access this policy via the Intranet and will be notified of new/revised versions via the staff briefing.

2 This policy will be included in the CCG's Publication Scheme in compliance with the Freedom of Information Act (FOI) 2000. Training Subject Access Training will be provided to relevant staff. Monitoring The Procedure implementation will be monitored for effectiveness. Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 3 of 18 Review This Subject Access Request Procedure will be reviewed bi-annually or in response to relevant organisational, regulatory or legislative changes. Equality and Diversity March 2015 - Equality Impact Assessment March 2015 - Privacy Impact Assessment Associated Documents Confidentiality Code of Conduct Information Governance Policy Records Management Policy References Access to Health Records Act 1990 Caldicott Guardian Manual 2010 Care Record Guarantee 2009 Data Protection Act 1998 Human Rights Act 1998 NHS Code of Confidentiality Records Management: NHS Code of Practice Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 4 of 18 Contents Section No.

3 Section Name Page No. Introduction 5 Scope 5 Purpose 5 Definitions 6 Role & Responsibilities 7 Procedure for who can make a Request 8 Who can make a Request ? 8 Time limits for Access provision 9 Processing a Subject Access Request 9 Appendix 1 Subject Access Request (SAR) flow chart Chart 1: Requests from data subjects and third party 11 Appendix 2 Appendix 2: Subject Access Request (SAR) flow chart Chart 2: Requests from the police under Section 29 (3) 12 Appendix 3 Appendix 3: Subject Access Request (SAR) Form 13 Appendix 4 Equality Impact Assessment Stage 1 Screening 15 Appendix 5 Privacy Impact Assessment Stage 1 Screening 16 Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 5 of 18 Introduction NHS East and North Hertfordshire Clinical Commissioning Group (CCG) is committed to being an organisation within which diversity, equality and human rights are valued.

4 We will not discriminate either directly or indirectly and will not tolerate harassment or victimisation in relation to gender, marital status (including civil partnership), gender reassignment, disability, race, age, sexual orientation, religion or belief, trade union membership, status as a fixed-term or part-time worker, socio - economic status and pregnancy or maternity. The CCG works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients. The CCG, via the Information Governance Toolkit, provides the means by which NHS England can assess compliance with current legislation, Government and National guidance.

5 Information Governance covers: Data Protection & IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance. Scope This policy applies to all CCG staff members, including Governing Body Members and Practice Representatives whether permanent, temporary or contracted-in (either as an individual or through a third party supplier). This Procedure applies to all requests for Access to personal data held by the CCG. The rights to Access under the Data Protection Act 1998 extend only to living individuals. Requests for deceased individuals health records are made under the Access to Health Records Act 1990 (AHRA). Purpose An individual or a third party representative have the right to Request : Access to records, Subject to certain safeguards; copies of records; have these records explained if they are illegible or unintelligible; to be informed of the purpose(s) their information is used for; and the source(s) of that data.

6 The purpose for this Procedure is to ensure that an individual s rights are followed and that each SAR is treated equally within the law. Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 6 of 18 This Procedure will provide a framework for the CCG to ensure compliance with the Access to Health Records Act 1990 and Data Protection Act 1998. The Procedure is supported by operational processes connected with the implementation of Subject Access Requests, as detailed in the document. Definitions AHRA Access to Health Records Act 1990 CCG Clinical Commissioning Group DPA Data Protection Act 1998 (the Act) ICO Information Commissioner s Office IG Information Governance PID Patient Identifiable Data SAR Subject Access Request SIRO Senior Information Risk Owner Data Information processed electronically or manually as part of a relevant filing system.

7 Data Subject An individual who is the Subject of personal data. Personal data Data which relates to a living individual who can be identified from the data or from that data and other information which is in possession of the Data Controller (in this instance, the CCG). Redact This is the separation of disclosable from non-disclosable information by clocking out individual words, sentences or paragraphs or the removal of whole pages or sections prior to the release of the document. (The National Archive) To edit or revise documents by removing text or images from a document. Third party / Representative A person or organisation other than the data Subject acting on behalf of the individual. Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 7 of 18 Roles and Responsibilities Chief Executive The Chief Executive is the Accountable Officer and has ultimate responsibility for compliance with the Data Protection Act 1998 and Access to Health Records Act 1990.

8 The Director of Nursing and Quality is the Caldicott Guardian The Caldicott Guardian is the conscience of the organisation and is responsible for ensuring that patient information is used, and shared in an appropriate, justifiable and secure manner. The Chief Finance Officer is the Senior Information Risk Owner (SIRO) The SIRO is responsible for managing information risks and information incidents and is also the Information Governance Lead to the Governing Body. Head of Information The Head of Information is the CCG s Information Governance Lead and is responsible for advising on IG strategic direction, leading on data protection, the development of policy and guidance for the CCG and the day to day management of the IG agenda, including; The successful implementation of the Data Protection Act 1998 work programme. The working practices carried out in the departments are in line with the organisation s IG policy.

9 The staff are adequately trained and aware of their personal responsibilities for IG issues. Timely submission of the IG Toolkit. Responsible for identifying any additional resources required to implement the IG Strategy. The Governance Support Officer The Governance Support Officer provides clerical support to the IG function and the IG Forum and is responsible for the administration of the Freedom of Information Act 2000 responses and is the IG Toolkit Administrator. They may also receive Subject Access requests from patients, which are logged and forwarded to the relevant department. The Retrospective Reviews Team Administrator The Retrospective Reviews Team Administrator will process requests for personal data within the Retrospective Reviews Team. Clinical Decision Manager The Clinical Decision Manager will process requests for personal data within the Individual Funding Requests and Prior Approvals Team.

10 Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 8 of 18 HR Manager The HR Manager will process requests for employees personal data within the HR Department, including ex-employees. All Staff Ensuring compliance with the requirement of this Procedure . Respecting the data subjects rights to confidentiality and actively responding to any concerns raised about confidentiality; and Ensuring they are fully aware of the Subject Access Request Procedure and are following the correct process as set out in this Procedure when a Subject Access Request is received. Subject Access Request (SAR) Procedure ( FINAL) NHS East and North Hertfordshire Clinical Commissioning Group Page 9 of 18 The Procedure for making a Request Who can make a Request ? Requests from data subjects and / or their representatives (third party) The data Subject .