Access to Records Policy - Solent · NHS Southampton itys Access to Records Procedure Portsmouth...


1 R:\IG Solent\IG Toolkit\General Evidence Folder\Policies & Info Sharing Agreements\Policies\AccessRecords\ 20160203_AccessRecordsPolicy_V4_IGT

Access to Records Policy

Solent NHS Trust policies can only be considered to be valid and up-to-date if viewed on the intranet. Please visit the intranet for the latest version.

Purpose of Agreement

This document details how the organisation will handle requests for information relating to all records including health records for living persons (Subject Access Request), deceased persons (Access to Records) and staff records.

Document Type: [x] Policy  [ ] SOP  [ ] Guideline

Reference Number: IG04

Version: 4

Name of Approving Committees/Groups: NHSLA Policy Steering Group. Previously (committees no longer exist): Information Asset Owners Forum; Information Asset Custodian Forum; Information Governance Steering Sub Committee

Operational Date: February 2016

Document Review Date: May 2019

Document Sponsor (Name & Job Title): Chief Operating Officer and Senior Information Risk Owner (SIRO)

Document Manager (Name & Job Title): Information Governance Manager

Document developed in consultation with: Previously (committees no longer exist): Information Asset Owners Forum; Information Asset Custodian Forum; Information Governance Steering Committee

Intranet Location: Business Zone / Policies, SOPs and Clinical Procedures

Website Location: Publication Scheme / Policies and Procedures

Keywords (for website/intranet uploading): Records; Records Management; Corporate Records; Clinical Records; Access to Records; Subject Access Request; Request for Records


Amendments Summary:

| Amend No | Issued | Page | Subject | Action Date |
|---|---|---|---|---|
| 1 | | | Logo & name change | 19.02.2012 |
| 1 | | | Document Sponsor change | 19.02.2012 |
| 2 | | | Changes have been made to: Fees; Minor changes; Change of process to centralise requests; Introduction of Medical Reports and Veteran requests; Update on requests for Minors/Children's records | 01.03.2013 |
| 2 | | 3 | Scope - This Policy forms part of IG Management Framework & Strategy | 30.08.2013 |
| 2 | | | Sponsor change | 30.08.2013 |
| 3 | | 4 | Processing Request – strengthened text | January 2016 |
| 3 | | 4 | Releasing Information – Sign-off information | January 2016 |
| 3 | | 10 | Permission to Release – Sign-off information | January 2016 |
| 3 | | 40 | Appendix 6 – Sign-off Sheet | January 2016 |

Review Log

Include details of when the document was last reviewed:

| Version Number | Review Date | Lead Name | Ratification Process | Notes |
|---|---|---|---|---|
| | Prior to October 2010 | | | Refer to: NHS Southampton City’s Access to Records Procedure; Portsmouth City Teaching PCT Data Protection Policy |
| 2 | March 2013 | Sadie Bell, Information Governance Manager | Information Asset Custodian Forum; Information Governance Steering Sub Committee | Policy requires review in line with changes of process and law |
| 2 | August 2013 | Shelley Brown, IG Lead | Policy Steering Group | Policy forms part of IG management framework & Strategy |
| 3 | November 2015 | Sadie Bell, IG Manager | Policy Steering Group | Policy Review required |


CONTENTS

Executive Summary
Points to Remember – Summary from start to finish
1. Introduction & Purpose
2 Scope & Definitions
3 Timescale for complying with Requests
4 ‘Subject Access’ Request (Living Patients)
5 Access to Health Records Act 1990 (AHRA1990) [for deceased persons]
6 Disclosure - Other than directly to the Data Subject
7 Other Types of ‘Subject Access’ Request Received
8 Complaints Process
9 NHS Care Records Guarantee
10 Roles and Responsibilities
11 Failure to Comply with the Policy
12 Training
13 Equality & Diversity and Mental Capacity Act
14 Success Criteria/Monitoring the Effectiveness of the Policy
15 Review
16 Contact Details
17 Reference and Links to Other Documents
Appendix 1: Procedure for Disclosure of Personal Information to the Police
Appendix 2: Frequently Asked Questions
Appendix 3: Information Governance Risk Assessment
Appendix 4: Equality Statement
Appendix 5: Quality Monitoring Form
Appendix 6: Healthcare Professional / Senior Manager Sign-Off Sheet


EXECUTIVE SUMMARY

1. Scope: This policy has been written to assist all staff with a responsibility for dealing with requests for personal data, whether service user’s (patient/client) records, x-rays, Occupational Health, Personnel and whether manual or computer. These are known as ‘Subject Access Requests’ (or data subject requests). This Policy forms Part of the IG Management Framework & Strategy.

2. Acts of Law:

Access to Health Records Act 1990: Applies to deceased patients’ records.

Data Protection Act 1998: Access to all records for living individuals comes under the Data Protection Act 1998 (DPA).

The Medical Reports Act 1988: right for individuals to have access to reports, relating to them, provided by medical practitioners for employment or insurance purposes.

Freedom of Information Act 2005: Gives individuals the right to access non-personal information held by public bodies

3. Processing Requests:

All requests must be sent to the Information Governance Team.

Making a Request: Request must be in writing, with patient consent and proof of ID

Authority to disclose: The individual’s consent must accompany the request. Solicitors often apply on the individual’s behalf; ensure the written authority is attached. Health Care Professionals (HCP) must consider the request and determine whether full, limited or no access should be given (if request could damage mental or physical health of the individual or a third party). Reasons for non-disclosure must be documented, as a Court Order may be sought by the individual or their representative. Copies must be provided; originals should never leave the organisation. If supervised access, this must be by someone competent to explain the contents and terminology to the individual/representative.

Consent Issues: Where an adult lacks capacity, consideration should also be given to the Mental Capacity Act 2005; the HCP must satisfy themselves that an adult lacks capacity and that disclosure would be in the individual’s best interests. The principles of access to records are similar to those in respect of Consent to Treatment.

Timescale: The organisation should endeavour to respond within 21 days (but no later than 40 days) from receipt of all information e.g. ID check and fee. Applications must be in writing.

Fee: Access fee of between £10 - £50 is requested. The fee will depend on the type of request e.g. Access to Records Request, Electronic Records, Paper Records, X-rays, etc… For specific fee information refer to the relevant request section of this policy e.g. Access to Records or Subject Access.

4. Releasing Information:

Third party exceptions: Do not disclose any information from or about a third party. ‘A Third Party’ would include, for example a relative, a neighbour, a friend, but NOT information exchanged between Health Care Professionals.

Sign-off: Requests must always be referred to the Consultant / Health Care Professional in charge of the treatment episode for permission to release the data.

For personnel records requests should be reviewed by a Senior Manager within Human Resources.

5. Power of Attorney:

Lasting Power of Attorney replaced Enduring Power of Attorney on 1st October 2007. A lasting power of attorney is a legal document that lets a person appoint someone they trust as an ‘attorney’ to make decisions on their behalf. It can be drawn up at any time while a person has capacity, but has no legal standing until it is registered with the Office of the Public Guardian.


A registered LPA can be used at any time, whether the person has the mental ability to act for themselves or not. There are two types of LPA:

- Property and Affairs LPA
- Personal Welfare LPA

Enduring Power of Attorney (EPA): A person given power under an EPA before 1 October 2007 can still use it and apply to have it registered. This person has a duty to apply to register the EPA as soon as they believe that a person is becoming or has become mentally incapable of making financial decisions for themselves. If a person has an unregistered EPA and still has the capacity to make decisions for themselves, then they can make a Personal Welfare LPA to run alongside it.


POINTS TO REMEMBER – SUMMARY FROM START TO FINISH

1. Requests should be sent to the Information Governance (IG) Team immediately [email protected]. For urgent requests, such as Police Requests and Court Orders please telephone 023 8053 8770/ 023 8029 6911

2. The IG Team will ensure the appropriate proof of ID and address has been obtained prior to any release of records and will acknowledge all requests, providing each request with its own unique reference number.

3. Requests will be sent to the relevant Information Asset Custodian (IAC).

4. IACs are to establish on receipt of the request whether the service holds the records and in what format, so that the IG Team can request the relevant fee.

5. If it has been identified that the records being requested have been lost then the IAC must immediately contact the IG Team and complete an incident form.

6. All requests must be complied with preferably within 21 days but in any event:

Within forty days of receipt of the request; or if later:

Timeframes are inclusive of weekends and bank holidays.

7. Requests must always be referred to the Consultant or Health Care Professional in charge of the treatment episode for permission to release the data.

Where there is a request for ‘all’ records the most suitable available health professional should advise on access this also applies where a consultant or health professional has left the organisation.

Where no suitable health professional is available to advise on access then a health professional with the necessary qualifications and experience should advise on matters to which the information requested relates.

For personnel records requests should be reviewed by a Senior Manager within Human Resources.

8. Requests can be refused if, in the opinion of the Consultant or Health Professional in charge of the treatment episode, it is considered that to release the data would be detrimental to the individual’s health. Please advise the IG Team prior to responding to the requestor.

9. Do not disclose any information from or about a third party. ‘A Third Party’ would include, for example a relative, a neighbour, a friend, Social Services, Council Records etc… Also hospital records, GP records, etc… where they have not contributed directly towards care.

10. If any information needs to be redacted, as it is not to be released, then please refer to the Redaction Guidance http://solent/corp/igov/IG%20Documents%20Guidance/How%20to%20and%20When%20to%20Redact%20Information%20Guidance.pdf

11. Once all information has been checked, records copied and fee received (the IG Team will advise of this), the information can be released to the requestor. The IAC is to forward to the IG Team a copy of the disclosure letter [email protected] to be logged and the request closed.

Failure to comply with the request will mean that the organisation is in contravention of the sixth data protection principle and the Information Commissioner may take action (including fines).


1. INTRODUCTION & PURPOSE

1.1 This policy has been written to assist all staff with a responsibility for dealing with requests for personal data, whether individuals’ records, X-Rays, occupational health, personnel, manual or computerised. These will be known as Access to Records Requests or Subject Access Requests.

1.2 Whilst all information requests are ‘technically’ Freedom of Information requests, this policy does not cover the FOI Act 2000. Personal data of the applicant is exempt under the FoIA 40(1). Third party disclosure under FoIA is exempt under 40(2); for more information please see the Solent Freedom of Information and Environmental Information Requests (EIR) policy.

1.3 All staff having contact with patients and the general public need to be aware that:

1.3.1 All Subject Access Requests must be in writing and forwarded immediately to the Information Governance Team [email protected], who will log the request, conduct the necessary checks & fees and then direct to the appropriate Information Asset Custodian responsible for processing requests for the service (the “Designated Person”).

1.3.2 Living Individuals (see section 4): requests for living individuals’ records (health and personnel) are covered under the Data Protection Act 1998.

1.3.3 Individuals have a right (subject to a fee, if applicable) to:

Be informed whether personal data is processed (which includes being held or stored)

A description of the data held, the purposes for which it is processed and to whom the data may be disclosed

A copy of the information constituting the data

Information as to the source of the data

Where there are multidisciplinary teams working across health and social services boundaries, permission should be sought from each respective body prior to disclosure of records.

1.3.4 Deceased Persons (see section 5): access to the records of a deceased person falls under the Health Records Act 1990. Access to all other health records for living individuals now falls under the Data Protection Act 1998, without any date limits (i.e. all retrospective information can be accessed).

2 SCOPE & DEFINITIONS

2.1 This document applies to all directly and indirectly employed staff within Solent NHS Trust and other persons working within the organisation in line with Solent NHS Trust’s Statement of Equality. This document is also to be adhered to by all Independent Contractors working on behalf of Solent NHS Trust.

2.2 Data Protection legislation defines a health record as a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.

2.3 Personnel records can also be requested under the Data Protection Act 1998.

2.4 A record can be recorded in computerised or manual form or in a mixture of both. It may include such things as: hand-written notes, letters to and from other health professionals / managers, laboratory reports, radiographs and other imaging records e.g. X-rays and not just X-ray reports, printouts from monitoring equipment, personal files, photographs, videos and tape-recordings of telephone conversations.

2.5 Definitions

AHRA: Access to Health Records Act
CRDB: Care Record Development Board
CRG: Care Record Guarantee
DPA: Data Protection Act
HCP: Health Care Professional
RMO: Responsible Medical Officer
IAC: Information Asset Custodian

3 TIMESCALE FOR COMPLYING WITH REQUESTS

3.1 The Data Controller (i.e. Solent NHS Trust) should comply with the request promptly, preferably within 21 days but no later than 40 days after the request has been made. The DPA states that the request must be dealt with within 40 days but when the DPA was enacted, Ministers for Health stated the Health Service would endeavour to respond to requests within 21 days.

3.2 Failure to comply with a Subject Access Request will mean that the NHS organisation is in contravention of the DPA 1998, in particular section 7 and the sixth data principle. The Information Commissioner may take action against the NHS organisation.

4 ‘SUBJECT ACCESS’ REQUEST (LIVING PATIENTS)

RECEIVED – PATIENT RECORDS

4.1 A request for access to health records in accordance with the DPA (The DPA refers to these as a subject access request) should be made in writing, which includes by email, to the data controller. However, where an individual is unable to make a written request it is the Department of Health view that in serving the interest of patients it can be made verbally, with the details recorded on the individual’s file.

4.2 Any requests received by a clinical service must be forwarded immediately to the Information Governance Team [email protected], who will log the request, allocate a reference number to the request and conduct the necessary checks & fees.

4.3 Where an access request has previously been met the Act permits that a subsequent identical or similar request does not have to be fulfilled unless a reasonable time interval has elapsed between. A check will be made of previous requests to ensure that a ‘reasonable’ time has elapsed since any previous request from the same individual. Although ‘reasonable’ is not specified in the Act, the nature of the data, the purpose and frequency for which it is used must be considered.

4.4 Once the request has been processed it will be directed to the appropriate Information Asset Custodian (IAC) responsible for processing requests for the service (the “Designated Person”). Please note that the reference number should be used for all correspondence relating to the request, including invoices.


4.5 The DPA 1998 has repealed the detail in the Access to Health Records Act (AHRA)1990 such that it now only relates to information relating to deceased persons.

4.6 Where an individual believes they are requesting access under the AHRA 1990 for their own information, then it is considered that this request is being made under the provisions of the DPA 1998.

4.7 As good practice the data controller (Solent NHS Trust) may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. This may decrease the cost for the applicant and eliminate unnecessary work by NHS staff. However, there is no requirement under the Act for the applicant to inform the data controller of which parts of their health record they require.

4.8 Once the request has been closed (records released) a copy of the release letter should be sent to the Information Governance Team to be logged centrally, so compliance of procedure and response times can be assessed. This will also be used for auditing purposes.

4.9 Logging of Requests

4.9.1 All requests will be logged centrally by the Information Governance Team, to ensure that relevant checks are undertaken and requests are monitored in compliance with both the AHRA and DPA.

4.9.2 All information, correspondence, etc… relating to the request will be recorded on this Spreadsheet, with copies of relevant communication saved in a unique computer file, using the reference number associated with the request.

4.10 Letter in Reply

4.10.1 A letter of acknowledgement must be sent to the address of the requestor within two working days. The letter should include mention of the fee, which will be applicable. This will be undertaken by the Information Governance Team.

4.11 Request for Further Information

4.11.1 If any further information or clarification is required e.g. proof of ID, further information on records being requested, etc… then the Information Governance Team will contact the requestor, seeking this additional information.

4.11.2 While seeking any further information or clarification the timescale clock should be paused/stopped.

4.11.3 Identity: to comply with the law, information relating to the individual must only be disclosed to them or someone with their written consent to receive it.

4.11.4 Where the Data Subject is a child, see section 7.2 as to when a parent or person with parental responsibility may make a Subject Access Request on a child’s behalf.

4.11.5 Adequate steps must be taken to identify the requester before commencing the work to comply with the request under the Act. Where there is any doubt, proof of identity will be required. Examples of suitable documentation could include copies of:

Valid Passport

Driving Licence

Birth Certificate along with some other proof of address, e.g. a named utility bill or a Medical Card.

4.11.6 Details: to enable a search of the records, sufficient details are required. The application form may be sent to the individual enabling clarification of the information required.

4.12 Reply Received

4.12.1 When a reply is received from the individual in response to any Request for Further Information, this will be checked by the Information Governance Team to ensure that it is satisfactory and adequate to continue the process.

4.12.2 The timescale continues/clock re-starts from the receipt of satisfactory information.

4.13 Permission to Release from Relevant Health Professionals / Managers

4.13.1 Requests must always be referred to the Consultant / Health Care Professional in charge of the treatment episode for permission to release the data. The Data Protection (Subject Access Modification) (Health) Order 2000 sets out the appropriate health professional to be consulted to assist with subject access requests as the following:

the health professional who is currently, or was most recently, responsible for the clinical care of the data subject in connection with the information which is the subject of the request; or

where there is more than one such health professional, the health professional who is the most suitable to advise on the information which is the subject of the request, this also applies where a consultant or health professional has left the organisation.

Where no suitable health professional is available to advise on access then a health professional with the necessary qualifications and experience should advise on matters to which the information requested relates.

4.13.2 For personnel records, requests should be reviewed by a Senior Manager within Human Resources.

4.13.3 The Health Care Professional or Senior Manager, who is signing off the release of records, will be required to complete a sign off form, which should be returned to the IG Team, to be placed in the request folder (Appendix 6).

4.14 Research of Data Files

4.14.1 The Designated Officer/IAC will be responsible for ensuring the checking of systems and files for any reference, directly or indirectly, relating to the individual.

4.14.2 Copies of the information will be obtained and returned to the Designated Officer/IAC dealing with the request.

4.14.3 Copies of the information will be obtained via printing, photocopying etc and returned to the designated officer dealing with the request. To allow requestors to have comprehensive access to any electronic records held on computer: either the Designated Officer/IAC needs to print from screen and disclose along with copies of the manual records, or the requestor can be invited in and shown the electronic data held on them.

4.14.4 Important: Where information is found as to the physical or mental health or condition of the Data Subject e.g. Medical Records relating to a patient or Occupational Health records, then disclosure cannot be made without reference to an appropriate health professional (Statutory Instrument 2000 No. 413). The Health Professional will be the person currently or most recently responsible for the clinical care of the Data Subject to which the information relates or, where more than one is involved, then the one most suitable to advise on these matters (refer to ‘Withholding Information’).

4.15 Collating Responses

4.15.1 The appropriate Designated Officer/IAC will collate the information received and prepare the disclosure response to the request as necessary.

4.15.2 If applicable a ‘NO RECORDS FOUND’ response can be sent.

4.15.3 Should information be contained in the record that can identify another individual then that should be withheld, unless either of the following circumstances applies:

the other individual has consented to the disclosure of the information, or

If it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

Note: Access to records cannot be refused where the other individual is a Health Professional who has compiled or contributed to the health record or has been involved in the care of the Data Subject, unless serious harm to that health professional’s physical or mental health or condition may result from such disclosure.

4.15.4 The DPA Act does not give additional steps that will have to be considered before access is granted. Seek additional advice from your Information Asset Custodian, the Information Governance Team or the Caldicott Guardian in these circumstances.

4.15.5 Solent NHS Trust will support any member of staff who, using careful consideration,

professional judgement and has sought guidance from their manager, can satisfactorily justify any decision to disclose or withhold information against a patient's wishes. Please record the process and details you have used to deliberate, the findings, outcome and decision.

4.15.6 Lost Records: If it has been identified that the records being requested have been lost then the IAC must immediately contact the IG Team and complete an incident form. The IG Team will respond to the requestor.

4.16 Supervised Access

4.16.1 If either the Data Subject has expressed a preference for sight of the records (rather than copies) or the Health Professional has stated that the Data Subject should not receive copies but be given supervised access only, the Designated Officer/IAC will make arrangements for the Data Subject to view the records with an appropriate Health Care Professional in attendance who can explain entries and terminology.

4.16.2 To avoid unnecessary delays, where separate records are held each of the respective Designated Officers/IAC’s will be responsible for making arrangements for access to the respective records – unless all agree at the outset that the disclosure arrangements will be co-ordinated by one of the Designated Officers/IAC’s.

4.17 Withholding Information

4.17.1 Non-Disclosure of personal information contained in a Health record. An individual requesting access to their health records may be refused access to parts of the information if an appropriate Clinician deems exposure to that information could lead to distress:

4.17.2 Should any information be found which might need to be withheld because it would:

Disclose information relating to or provided by a third person who has not consented to that disclosure unless:
- The third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the patient.
- The third party, who is not a health professional, gives their consent to the disclosure of that information.
- It is reasonable to disclose without that third party’s consent.

cause serious harm to the physical or mental health or condition of the Data Subject, or any other person,

4.17.3 Clinicians should be prepared to justify their reasons in a court of law if necessary. In all cases reasons for non-disclosure should be documented.

4.17.4 Where the third party does not consent, the information may be disclosed providing the identity of the third party is not revealed. The Act suggests that this might be done by omitting names and particulars from the records. Care should be taken to ensure that the information, if released, is genuinely anonymous.

4.17.5 Further guidance should be obtained from the local Information Asset Custodian and/or the Information Governance Team.

4.17.6 The organisation is not required to supply copies of health records if the individual requesting the information has

not provided enough supporting information in order for the information to be located

not supplied the appropriate fee

not supplied the necessary evidence of identity or

the retrieval of the health records requires disproportionate effort


4.18 Referring Request

4.18.1 If records are not held by the service or organisation then the requestor must be informed and where known the request sent to the appropriate service or Organisation. This will be undertaken by the Information Governance Team.

4.19 Medical Reports

4.19.1 Requests for Medical Reports should be forwarded to the relevant Healthcare Professional. Such requests can form part of normal NHS duties and therefore monies received should be credited to the departmental budget. Where medical reports are external to normal NHS duties, and the report has been prepared outside of work hours, monies received will be left to the discretion of the Healthcare Professional.

4.19.2 The Access to Medical Reports Act 1988 governs access to medical reports made by a medical practitioner who is, or has been responsible for the clinical care of the patient, for insurance or employment purposes. Reports prepared by other medical practitioners, such as those contracted by the employer or insurance company, are not covered by the Act. Reports prepared by such medical practitioners are covered by the Data Protection Act 1998.

4.19.3 A person cannot ask a patient’s medical practitioner for a medical report on him/her for insurance or employment reasons without the patient’s knowledge and consent. Patients have the option of declining to give consent for a report about them to be written.

4.19.4 The patient can apply for access to the report at any time before it is supplied to the employer/insurer, subject to certain exemptions. The medical practitioner should not supply the report until this access has been given, unless 21 days have passed since the patient has communicated with the doctor about making arrangements to see the report. Access incorporates enabling the patient to attend to view the report or providing the patient with a copy of the report.

4.19.5 Once the patient has had access to the report, it should not be supplied to the employer/insurer until the patient has given their consent.

4.20 Fee

4.20.1 The Organisation is entitled to a fee for producing the records, under the Data Protection Act 1998, of up to £50. The Organisation does not have to comply with the request until the appropriate fee is received.

4.20.2 Only one fee can be charged per request, even if several departments are involved in the production of the information e.g. Health Records and X-Rays.

4.20.3 All fees will be requested by the Information Governance Team and returned to the Information Governance Team.

4.20.4 While seeking fees the timescale clock should be paused/stopped.

4.21 Charging Scales

4.21.1 Manual Health Records - A fee of £50 is to be charged for granting Subject Access Requests, whereby the records are purely paper-based or a mixture of electronic and paper-based.

4.21.2 Electronic Health Records- A fee of £10 is to be charged for granting Subject Access Requests that are purely being automatically/electronically processed, or that are recorded with the intention that they be so processed. In effect, this means that only £10 may be charged for granting access to the sort of records that the Data Protection Act 1984 applied to.

4.21.3 X-Rays - A fee of £50 should only be charged if X-Rays are sent separately following a separate request. If sent as part of Health Record request then a separate charge should NOT be made.

4.21.4 Viewing Health Records - Records that are to be viewed are charged up to a maximum of £10, unless the records have been added to within the last 40 days in which case there should be no charge.

4.21.5 Deceased Patient’s Health Records- See 5.7

4.21.6 Sending health records outside the UK - In addition to the normal charges stated above, a fee for secure postage and packing can be requested.

4.21.7 Other Types of Records

Medical Reports – If a clinician is requested to write a medical report summary of the records (which is not already part of the patient’s record), this should be provided, but is not covered under the Data Protection Act 1998 and therefore the clinician/service can charge for the clinician’s time. Any fee requested must be made payable to Solent NHS Trust.

Requests from Government Organisations – e.g. Police, Department of Work and Pensions, other Healthcare Professionals. There should be no charge.

Requests from the Ministry of Defence and Veterans – On the 8th January 1999, the NHS Executive issued the Health Service Circular – HSC 1999/001 which replaces the Financial Directive letter FDL(93)79 and reaffirms the long-standing responsibilities of the NHS Hospital and Trust Hospitals to supply patient information to the Ministry of Defence (MoD) within 10 working days of request, free of charge. The Service Personnel and Veterans Agency is an executive agency of the MoD.

Personnel Files and References – See 7.1

4.21.8 Fees will be requested in the form of a cheque, made payable to Solent NHS Trust. All fees should be directed to the Information Governance Team.

4.22 Reply/Fee Received

4.22.1 When the appropriate fee has been received the timescale for compliance (clock) is re-started.

4.23 Send Copies of Data

4.23.1 Once the appropriate fee has been paid and the information is complete / agreed by the Health Care Professional, copies of the data and a covering letter will be sent by Recorded Delivery to the Data Subject by the Designated Officer/IAC. A Quality Monitoring form (Appendix 5) should be sent with all records released.

4.23.2 The Designated Person/IAC should send a copy of the release letter to the Information Governance Team [email protected]


5 ACCESS TO HEALTH RECORDS ACT 1990 (AHRA1990) [FOR DECEASED PERSONS]

5.1 The Access to Health Records Act 1990 (AHRA) provides a small cohort of people with a statutory right to apply for access to information contained within a deceased person’s health record.

5.2 For access to records relating to the deceased, applications may only be received from: -

the patient’s personal representative, and

Any person who may have a claim arising out of the patient’s death.

5.3 However access is NOT to be given to the record or any part of it, if:

a note is included in the record, that the patient did not wish access to be given, or

the patient had given the information and would not have expected it to be disclosed, or

It would disclose information that is not relevant to any claim.

disclosure would cause serious harm to the physical or mental health of any other person;

would identify a third person, who has not consented to the release of that information.

5.4 A personal representative is the executor or administrator of the deceased person’s estate. The personal representative is the only person who has an unqualified right of access to a deceased patient’s record and need give no reason for applying for access to a record. Individuals other than the personal representative have a legal right of access under the Act only where they can establish a claim arising from a patient’s death. The decision as to whether a claim actually exists lies with the record holder.

5.5 Record holders must satisfy themselves as to the identity of applicants who should provide as much information to identify themselves as possible. Where an application is being made on the basis of a claim arising from the deceased’s death, applicants must provide evidence to support their claim. Personal representatives will also need to provide evidence of identity.

5.6 Information will be required to establish a link between the requester and the deceased. A copy of the death certificate and a description as to relationship with the person making the request or valid reason for access should be sought.

5.7 Process:

5.7.1 The same process is to be followed as that of a Subject Access Request (see section 5).

5.8 Fees:

5.8.1 A fee of up to £10 (plus postage and packaging) is applicable for providing access to information where all of the records were made more than 40 days before the date of the application.

5.8.2 No fee may be charged for providing access to information if the records have been amended or added to in the last 40 days.

6 DISCLOSURE - OTHER THAN DIRECTLY TO THE DATA SUBJECT

6.1 Third Parties:


6.1.1. Information may be requested from third parties, e.g., solicitors, on behalf of the Data Subject. Where this is accompanied by authorisation from the Data Subject then this request can be processed using this procedure. Where the request clearly states that no litigation is intended against the Organisation or its employees, disclosure may take place without reference to the Complaints Manager. If the letter indicates a claim or likely claim, the matter should be forwarded to the Litigation Manager who will handle disclosure and take appropriate action in the investigation and defence of the claim.

6.1.2. Where the disclosure request is made by a third party on behalf of a Data Subject who lacks capacity, the Health Care Professional must be consulted and must satisfy him/herself that the disclosure would be in the Data Subject’s best interests. If this is not the case, disclosure cannot proceed. The HCP must ensure that justifiable reasons are documented for withholding the disclosure.

6.1.3. Where necessary the third party may be contacted for additional details to enable an effective search for the information required for their purpose.

6.1.4. No disclosure under these procedures can be made unless authorisation is obtained or the request is for crime or taxation purposes (in which case refer to Records Manager for advice).

6.1.5. The ‘Every Child Matters’ (Cross Government Guidance – Sharing Information on Children and Young People), should be followed in conjunction with the guidance given here in this document.

6.1.6. The ‘No Secrets: Guidance on developing and implementing multi-agency policies and procedures to protect vulnerable adults from abuse’, DH 2000, should be followed in conjunction with the guidance given here in this document.

6.2 Subject Access for a Minor

6.2.1 Parents can make subject access requests on behalf of their children who are too young to make their own request. Normally a person with parental responsibility will have the right to apply for access to their child’s health record. However, in exercising this right a health professional should give careful consideration to the duty of confidentiality owed to the child before disclosure is given.

6.2.2 Parental Responsibility¹: While the law does not define in detail what parental responsibility is, the following list sets out the key roles:
- providing a home for the child
- protecting and maintaining the child
- disciplining the child
- choosing and providing for the child's education
- determining the religion of the child
- agreeing to the child's medical treatment
- naming the child and agreeing to any change of the child's name
- accompanying the child outside the UK and agreeing to the child's emigration, should the issue arise
- being responsible for the child's property
- appointing a guardian for the child, if necessary
- allowing confidential information about the child to be disclosed

¹ http://www.direct.gov.uk/en/parents/parentsrights/dg_4002954

6.2.3 A mother automatically has parental responsibility for her child from birth. However, the conditions for fathers gaining parental responsibility vary throughout the UK.

6.2.4 In England and Wales, if the parents of a child are married to each other at the time of the birth, or if they have jointly adopted a child, then they both have parental responsibility. Parents do not lose parental responsibility if they divorce, and this applies to both the resident and the non-resident parent.

6.2.5 This is not automatically the case for unmarried parents. According to current law, a mother always has parental responsibility for her child. A father, however, has this responsibility only if he is married to the mother when the child is born or has acquired legal responsibility for his child through one of these routes:
- (from 1 December 2003) by jointly registering the birth of the child with the mother
- by a parental responsibility agreement with the mother
- by a parental responsibility order, made by a court
- by marrying the mother of the child

6.2.6 A father can apply to the court to gain parental responsibility and, if awarded, proof of parental responsibility will be provided.

6.2.7 For births registered in Scotland and Northern Ireland refer to http://www.direct.gov.uk/en/parents/parentsrights/dg_4002954

6.2.8 Access made by a minor: The right of access by a minor should be assessed by application of the same tests as those used in consent to treatment issues. A young person aged 12 or above is generally considered mature enough to understand what a subject access request is. They can make their own request and would need to provide their consent to allow their parents to make the request for them. You must use your judgement to decide whether a young person aged 12 or above is mature enough to make their own request as they do not always have the maturity to do so.

6.2.9 If children are competent to give consent for themselves, consent should be sought directly from them. The legal position regarding ‘competence’ is different for children aged over and under 16.

6.2.10 Children aged 16 and 17: Once children reach the age of 16, they are presumed in law to be competent to make decisions about their healthcare. This means that in many respects, they should be treated as adults and if they request access to their records at this age, and are considered competent, access should be granted.

6.2.11 Younger Children: Children under 16 are not automatically presumed to be legally competent to make decisions about their healthcare. However, some under 16s are deemed competent if they have sufficient understanding and intelligence to enable them to understand what is proposed (‘Gillick or Fraser competent’). If a child of 16 or 17 is not considered competent, a person with parental responsibility can make a request on behalf of a minor. Before releasing the data, consideration must be given to the fact that the request is made solely in the interests of the minor.


6.2.12 Once a child reaches the age of 18 and is deemed competent, no-one else can make decisions on their behalf. Therefore access requests cannot be made by a third party on their behalf.

6.2.13 Children with Learning Disabilities: It should not be assumed that a child with learning disabilities is not competent to make his/her own decisions. Many children will be competent if information is presented in an appropriate way and they are supported through the decision-making process.

6.3 Requests received for a patient with mental impairment

6.3.1 Requests by a person appointed by the courts

6.3.1.1 The Mental Capacity Act 2005 came into force on 1st April 2007. The Act provides a statutory framework to empower and protect people who may lack capacity to make some decisions for themselves, for example those with dementia, learning disabilities, mental health problems, stroke or head injuries who may lack capacity to make certain decisions. The Act will only affect people aged 16 or over. Under common law, there is the presumption that a person seeking to exercise legal rights has the necessary legal capacity to do so. Where the Data Subject is incapable of managing his or her own affairs, a person appointed by a court to manage those affairs might have a right of access to the Data Subject’s Personal Data. The specific requirements of the court order or the power of attorney should be considered carefully and followed.

6.3.2 Requests by others.

6.3.2.1 At the NHS organisation where Data Subjects are patients, all their Personal Data is likely to be confidential. Therefore, any decision to disclose confidential Personal Data outside of Subject Access Requests must be justified on the grounds that there is a court order or statutory provision requiring disclosure or, exceptionally, because the public interest requires it and in any event in compliance with the DPA 1998. Access should be restricted to the information necessary.

6.3.2.2 Such requests should be dealt with in liaison with the Legal Department of the NHS organisation.

7 OTHER TYPES OF ‘SUBJECT ACCESS’ REQUEST RECEIVED

7.1 Staff Personnel Files and References

7.1.1 All requests for staff records must be directed through the Human Resource Department.

7.1.2 Staff have the same rights to access their records as patients do and their request will be dealt with in the same way as a patient record request, meaning:

In a timely manner

Disclosure of records

A fee may be charged as in patient requests.

7.1.3 Staff are not permitted to directly access their own personnel or medical records; if they have access to the data, the formal request process must be followed.


7.1.4 If data is accessed outside of the formal request process this will be considered as a confidentiality breach and could lead to a staff disciplinary.

7.1.5 Staff and applicants have the right to request a copy of their references. For further information please refer to the Information Commissioner’s Office Guidance on ‘Subject access and employment references’: http://www.ico.gov.uk/for_organisations/data_protection/~/media/documents/library/Data_Protection/Detailed_Specialist_Guides/Subject_Access_And_employment_references_v1.ashx

7.1.6 A maximum fee of £10 is applicable for all personnel and reference requests.

7.2 Police Requests/Court Orders

7.2.1 Guidance on dealing with requests from the Police/Court Orders is available within Appendix 1. However, to summarise, information should not be released unless the patient/employee has given their consent or the risk to the public/person is greater if the relevant information is not divulged. Only copies must be provided, unless a court order is provided for originals, in which case stringent preparation of the records must take place to ensure their completeness.

If you receive a request from a police officer, that request MUST be accompanied by a DP2 form that sets out the legislation under which the information is requested, why the information is needed and exactly what it is required for, or the patient’s consent.

7.3 Missing People

7.3.1 Occasionally the Police will request services to search their records to assist in the search of a missing person. Such requests should also be accompanied by a DP2 form and advice should be sought from the Information Governance Team.

7.4 Child Protection Request

7.4.1 If the records/patient are under review by the Child Protection Team, then the Child Protection Team must be contacted prior to the release of records.

7.4.2 Staff are to be supported by the Child Protection Team if they are required to give a statement to the police on a Child Protection matter.

7.5 Safeguarding Adult Requests

7.5.1 If the records/patient is under review by the Safeguarding Adults Team, then the Safeguarding Adults Team must be contacted prior to the release of records.

7.5.2 Staff are to be supported by the Safeguarding Adults Team if they are required to give a statement.

7.6 Requests from Commissioning Organisations

7.6.1 Requests for medical records may be received from commissioning organisations, in order to deal with a complaint and/or a litigation claim. These requests should not be handled any differently to any other request.


7.6.2 The commissioning organisation should provide proof of written consent from the client, authorising the commissioning organisation to act on their behalf.

7.7 Requests from Other Health Organisations

7.7.1 Requests for medical records may be received from other health organisations, in order to provide healthcare. These requests should not be handled any differently to any other request.

7.7.2 The health organisation should provide proof of written consent from the client, authorising the other health organisation to have access to this information.

7.8 Requests from the Department of Work and Pensions

7.8.1 Health Organisations are required to complete forms from the Department of Work and Pensions. No consent from the patient is required. Though these types of requests are not considered Subject Access Requests, they should be logged centrally by the Information Governance Team and actioned by the service ASAP.

7.9 War Pensions and Benefit Agency

7.9.1 All requests received will be directed to the Healthcare Professional for their authorisation or completion. Originals will not be sent; copies must be taken and forwarded.

7.10 Patients Now Living Abroad

7.10.1. Former patients living outside of the UK who had treatment in the UK have the same rights under the DPA to apply for access to their UK health records. An NHS organisation should treat these requests the same as someone making an access request from within the UK.

7.10.2. Original health records should not be given to patients to keep/take outside the UK. In instances when a patient moves abroad a health professional may be prepared to provide the patient with a summary of the patient’s treatment. Alternatively, the patient is entitled to make a request for access to their health record under the DPA to obtain a copy.

7.10.3. An additional fee for secure postage and packaging is applicable to such requests.

8 Complaints Process

8.1 If a requestor is dissatisfied with the handling of their request, they have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of their response letter and should be addressed to: Head of Information Governance, Solent NHS Trust, Adelaide Health Centre, Western Community Hospital Campus, Southampton, SO16 4XE, or [email protected]

9 NHS Care Records Guarantee

9.1 The NHS Care Records Guarantee (CRG) sets out the rules that will govern information held in the NHS Care Records Service when it goes live. This will form an important part of the public information campaign about NHS Care Records. The NHS Care Record Guarantee has been drawn up by the Care Record Development Board (CRDB) and it is reviewed at least every twelve months as the NHS Care Records Service develops. The Guarantee covers people's access to their own records, controls on others' access, how access will be monitored and policed, options people have to further limit access, access in an emergency, and what happens when someone cannot make decisions for themselves. Refer to http://www.nigb.nhs.uk/guarantee for further information and a summary of the 12 commitments in the CRG.

10 Roles and Responsibilities

10.1 The responsibility for local records management is devolved to the relevant Directors, Heads of departments/Information Asset Owners, Service managers, and Information Asset Custodians. They are responsible for examining the records of their service area to determine compliance with the standards contained within this document and to ensure that a co-ordinated approach to the management of the record is maintained.

10.2 Chief Executive

10.2.1 The Chief Executive has overall responsibility for records management in the Organisation. The accountable officer is responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Records management is key to this as it will ensure appropriate, accurate information is available as required.

10.2.2 The Chief Executive has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements.

10.3 Caldicott Guardian and Senior Information Risk Officers (SIRO)

10.3.1 The Organisation’s Caldicott Guardian and SIRO have a particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information. They are responsible for ensuring patient identifiable information is shared in an appropriate and secure manner.

10.4 Information Asset Owners

10.4.1 The Information Asset Owner (IAO) is a senior member of staff who is the owner for one or more identified information assets of the organisation.

10.4.2 There are several IAOs within the organisation, whose departmental roles may differ. IAOs will work closely with other IAOs of the organisation to ensure there is comprehensive asset ownership and clear understanding of responsibilities and accountabilities. IAOs will support the organisation’s SIRO in their overall information risk management function as defined in the organisation’s policy.

10.5 Information Governance Team

10.5.1 The Information Governance Team is responsible for the overall development and maintenance of records management practices throughout the organisation, in particular for drawing up guidance for good records management practice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of patient information.

10.6 Designated Officer/ Information Asset Custodians (IAC)


10.6.1 Designated Officer/IAC’s are responsible for ensuring that this policy is implemented, through the Records Management Strategy, and that the records management system and processes are developed, co-ordinated and monitored.

10.6.2 Designated Officer/IAC’s are responsible for examining the records of their service area and for ensuring there are structures and processes in place to meet compliance with the standards contained within this document.

10.6.3 Designated Officer/IAC’s are responsible for liaising with appropriate departments to ensure that a co-ordinated approach to the management of the record is maintained.

10.6.4 Designated Officer/IAC’s must ensure that all grades of clinical staff receive regular training on clinical record keeping.²

10.7 All Staff

10.7.1 All staff under the Public Records Act, whether clinical or administrative, who create, receive and use records have records management responsibilities. In particular all staff must ensure that they keep appropriate records of their work and manage those records in keeping with this policy and with any guidance subsequently produced.

10.7.2 All users of Healthcare Records must be aware of their legal obligations and abide by the requirements of the Data Protection Act and Principles of Caldicott.3

10.7.3 All users of Healthcare Records must be aware of the process for managing Freedom of Information requests and act on it as required.

10.7.4 Each member of staff is responsible for the records they create and use.

10.8 Healthcare Professionals

10.8.1 Healthcare professionals are responsible for assessing and reviewing the clinical records that they have contributed to, prior to the records being released.

11 Failure to Comply with the Policy

11.1 If a service feels it cannot comply with all or part of an IG policy/procedure, it has a duty to undertake a risk assessment (Appendix 3), which will be approved by the service’s Information Asset Owner and the Information Governance Team. Failure to do so could result in disciplinary action. For further advice services should contact the Information Governance Team.

11.2 Failure to comply with this policy (unless agreed exceptions have been approved) will result in disciplinary action, as stated within all staff contracts.

12 Training

12.1 All Trust staff will be made aware of their responsibilities for record-keeping and record management.

2 Clinical Information Assurance Requirement 403

3 NHSLA RM Evidence Template

12.2 It is the responsibility of the Information Governance Team to provide Information Governance and Records Management training to all new starters within the Trust as part of Induction Training.

12.3 It is the responsibility of all departmental Information Asset Custodians to provide continuous Information Governance and Records Management training to all staff within their service(s); this is a role that is supported by the Information Asset Owners.

12.4 It is mandated that all staff must complete assigned Information Governance and Records Management modules using the Information Governance E-Learning tool as an aspect of this training. This training tool is located at http://www.igte-learning.connectingforhealth.nhs.uk/igte/index.cfm

12.5 Compliance with this training requirement will be monitored by the Learning & Development Team in conjunction with the Information Governance Team via a reporting mechanism within the IG online training tool, which will feed back into Learning & Development.

13 Equality & Diversity and Mental Capacity Act

13.1 A thorough and systematic assessment of this policy has been undertaken in accordance with the Organisation’s Policy on Equality and Human Rights.

13.2 The assessment found that the implementation of and compliance with this policy has no impact on any employee on the grounds of age, disability, gender, race, faith, or sexual orientation. See Appendix 4.

14 Success Criteria/Monitoring the Effectiveness of the Policy

14.1 The monitoring of this policy and its effectiveness and maintenance will be audited annually using the Information Governance Toolkit (IGT), or sooner if new legislation, codes of practice or national standards are introduced. The IGT audit is a self-assessment audit undertaken by the Information Governance Team; additionally, the submission is audited annually by external auditors, South Coast Audits.

14.2 The owner/author of the policy is responsible for undertaking this audit and ensuring the policy’s effectiveness. This will be monitored through the Information Governance Steering Group to ensure effectiveness.

14.3 Service Managers and Information Asset Custodians will be responsible for sending Quality Monitoring forms (Appendix 5) out to all requestors, which will be returned centrally to the Information Governance Team, in order to monitor compliance and satisfaction with the organisation’s process.

14.4 The implementation of this policy will be audited annually by the Information Governance Team, with the assistance of Data Custodians and all staff.

14.5 The Information Governance Team will on a weekly basis review and monitor all Information Governance and Records Management incidents and, where required, conduct full investigations.

15 Review

15.1 This document may be reviewed at any time at the request of either staff side or management, but will automatically be reviewed two years from initial approval and thereafter on a biennial basis unless organisational changes, legislation, guidance or non-compliance prompt an earlier review.

16 Contact Details

Information Governance Team:

Email: SNHS.SolentIGTeam.nhs.net

Tel: 023 8029 6922, 023 8029 6911, 023 8053 8772

17 Reference and Links to Other Documents

17.1 This policy must be read in conjunction with the below policies that are available on the Intranet http://solent/corp/igov/default.aspx

Policies:

Access to Records Procedure

Audio Visual Records Policy

Data Encryption Policy

Data Protection, Caldicott and Confidentiality Policies & Procedures

Information Governance Policy

Information Risk Policy

Information Security Policy

FOI Policy

Records Management & Information Lifecycle Policy

Strategies:

Information Governance Strategy

Records Management Strategy

Codes of Practice:

Destruction of Confidential Waste

NHS Code of Practice: Records Management

Other Documents:

Care Record Guarantee (2009 Revision): http://www.nigb.nhs.uk/guarantee

Department of Health Guidance for Access to Health Records Requests: February 2010 http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/@ps/documents/digitalasset/dh_113206.pdf

Appendix 1: Procedure for Disclosure of Personal Information to the Police

If you receive a request from a police officer DO NOT PANIC. The request MUST be accompanied by a DP2 form, which sets out the legislation under which the information is requested, why the info is needed and exactly what it is required for.

1. Introduction

1.1 The purpose of this procedure is to help staff in decision-making with regard to sharing patient information with the police. It is Organisation policy to share legitimate information with the Police in a justifiable way which upholds the patient’s right to confidentiality and releases sufficient, appropriate information to assist the Police with their enquiries.

1.2 It is a fundamental principle of medical ethics that all that passes between a patient and a doctor in the course of a professional relationship is confidential. The same applies to all other healthcare professionals. Patients have the right to expect that information gained in the course of their treatment and care is given to no-one except those involved in their care and that, even then, only pertinent information is communicated.

1.3 Personal information is any data, such as physical, physiological, mental, economic, political, religious or social factors which relate to living identifiable individuals.

Personal / sensitive information that police may seek includes the following:-

Personal Information            Sensitive Information
Forename                        Sexuality
Surname                         Ethnicity
Date of Birth                   Physical or mental health related information
Hospital Number (NHS number)    Religious or other beliefs
Sex                             Financial details
Occupation                      Political opinion
                                Offences committed or alleged offences / court proceedings

Or a combination of the above. This list is not exhaustive; it just provides examples.

2. Procedure

2.1 The relevant Information Asset Owner must be informed of all information requests by the police to any personal or sensitive record or data. This is a statutory requirement under the ‘NHS Code of Confidentiality’. In child protection matters, the Safeguarding Team must also be informed, and in the case of a vulnerable adult the Vulnerable Adults Team.

2.2 Staff should follow the decision tree at the end of this procedure4. If in doubt staff should seek advice from the Information Governance Manager or On-call Duty Manager. The golden rule is for both the HCHC and the police to be able to justify the release of information in the public interest.

2.3 Information will only be released to the police:

for the prevention and detection of crime or in a life or death/emergency situation;

4 With thanks to Hampshire Community Healthcare: Disclosure of Information to the Police Procedure

if the crime alleged to have been committed is included in Section 116 and Schedule 5, parts I and II (serious arrestable offences) of the Police and Criminal Evidence Act 1984;

if information has been received relating to terrorism;

where the provisions of Section 172 Road Traffic Act 1988 apply; (basic demographic information only i.e. no clinical details) to establish the driver of a vehicle where the driver is alleged to have committed an offence;

or if one of the following applies:

a public moral duty to furnish certain information about a patient to the police over-rides the duty of confidentiality i.e. there is sufficient public interest justification to release it;

a member of staff exercising their own civil responsibility notifies the police that an incident has taken place that involves a patient;

where it is evident that they, their colleagues and/or members of the public may be at future risk and that involving the police is appropriate.

2.4 Information will not be released unless:

the authority of the consultant or senior clinician in charge is obtained, and

a Section 29(3) form of enquiry (DP2) has been completed and signed.

Proof of identity (e.g. warrant card) is established (non-uniformed officers).

2.5 Information provided should be the minimum necessary to identify the patient and may include details of any injury, and the time and date of admission or attendance.

2.6 All releases of information to the Police must be clearly recorded in the patient’s notes, i.e. copy of DP2 form and note of the information provided and/or withheld. If information is withheld the reason for withholding must also be recorded.

2.7 Subject Access requests by Police must always be authorised in writing.

3. Consent

3.1 Where possible, practical, and safe to do so, the patient’s consent to release information should be obtained. However, there may be times when this is not possible (e.g. the patient is unconscious or suffering from dementia, the patient has left the hospital, or gaining consent is likely to result in further incidents or risk). The duty of care requires staff to consider whether the patient is capable of making an informed decision or whether it is appropriate in the circumstances.

3.2 If it is not possible to obtain consent for one of the reasons given above, the consultant or clinician consultant in charge has discretion, within the law, over what information (whether in writing or otherwise concerning patients/attendees at his or her Department) may be given to the police.

3.3 If the patient is unable to understand the process or implications of the process, an advocate or interpreter should be found where this would enable the patient to give informed consent, providing this did not impede the police from preventing or investigating a serious crime.

4. Release of information to the police for authorised Police break-ins or missing person ‘distress’ cases

4.1 Staff should always seek to determine why the police need the information.

4.2 There are certain emergency situations where the police will ask, by phone, if an individual is an in-patient. This is done prior to police forcing entry to a property where it is possible that someone has collapsed, is incapacitated, or has died. In these cases, staff should verify that the caller is using an official police telephone line, and call them back. Confirmation can then

be released.

4.3 There are occasions when the police contact the Organisation seeking information about missing persons. Such enquiries should not be made by telephone but by a visit to the service or by a written request.

If it is an emergency, then paragraph 4.2 applies.

In missing person cases, if we know the patient is in hospital, we should ask the patient for their consent to pass the information on. If the patient does not want the information passed on (for example to relatives) then the police should be told this. A record of the request and the outcome must be placed in the health record.

If the patient is not in a position to give/withhold informed consent and it is seen to be in the patient’s best interest to give information (e.g. the patient is unconscious, suffering from dementia, dying) then information should be released based on a professional judgement/justification. Again, a record must be made in the health records.

5. Other Circumstances Where Disclosure to the Police Is Permitted

The Police may seek personal information under an exemption of the Data Protection Act 1998. A Section 29(3) exemption is used when making enquiries which are concerned with:-

The prevention and detection of crime and taxation.

The apprehension or prosecution of offenders.

If police are requesting information for a reason other than the above, a separate statement has to be completed, detailing why the information is required and which Act it is covered by. It then has to be signed by the organisation requesting information. The protocol, as detailed, is the same as if information was requested through Schedule 29(3).

NB. The following covers police/other organisation requesting any type of information in any form. This includes:-

Witness statement
  o Any other type of statement
  o Communicated via any form
      Verbal
      Written

Copies of documents including:-
  o CCTV
  o Audio
  o Written
  o X-rays
  o Pictorial

Original documents / information are only released to the police if they are requested via a court order. In this circumstance, the information has to be given back.

6. Legislative requirements

6.1 The Prevention of Terrorism Act 1989 and The Terrorism Act 2000 – If you have gained information (including personal information) about terrorist activity you have a statutory duty to inform the police.

6.2 The Road Traffic Act 1988 – You have a statutory duty to inform the police, when asked, of the name and address of any driver who is allegedly guilty of an offence under the Act. It is not necessary to disclose clinical information.

6.3 The Police and Criminal Evidence Act 1984 - You can pass on any information to the Police, as the Act creates a power to do so (not a duty) if you believe that someone may be seriously harmed or death may occur if the police are not informed. Serious arrestable offences include murder, rape, kidnapping and causing death by dangerous driving.

6.4 The Crime and Disorder Act 1998 - You may be requested to pass information to the police on an individual, if there is a need for strategic cross-organisational / multi-agency information sharing, to detect, prevent or reduce crime and disorder that an individual may be involved in. There may also be requests for aggregated data (that does not directly identify individuals) for detection, prevention or crime reduction purposes.

6.5 The Data Protection Act 1998 – The duty of confidence may be overridden for the provision of personal identifiable information for the prevention and detection of crime or the apprehension or prosecution of offenders (Section 29(3) exemption). The police must produce a DP2 form signed by a police inspector or higher ranking officer, or a court order.

7. Things to Consider When Making Judgement. (Flow Chart *2).

Without disclosure, would any of the following be prejudiced?

Detecting the crime?
Prosecuting?
Delayed?
Preventing

Is the information limited to what is strictly relevant to a specific investigation?

Are you satisfied that:-

Information will not be passed on?

Information will not be used for anything else?

You must comply if the police issue you with a formal court order giving them the right of access to the patient’s personal information. You should not feel pressurised or intimidated into giving information just because the police have requested it, in any circumstance. It is perfectly reasonable to ask the reasons why the information is needed and exactly what is required before deciding whether it is appropriate for information to be released.

Important Notes

Where the patient has given consent to the release of the information, make sure you have proof of this, such as a signed consent form, and ensure you only give the minimum information to satisfy

the request. As stated before, consult with relevant colleagues. “Do not make decisions in isolation.”

8. Information held on the NHS Clinical Spine Application (CSA)

Should users of the Clinical Spine Application trace patients on behalf of colleagues, friends, police missing persons, etc?

NO

Organisations requesting use of the service must complete an NSTS Data Access Agreement signed by the Chief Executive and Caldicott Guardian. Once access details have been confirmed it is the Caldicott Guardian’s responsibility to register other users to access NSTS, including any Caldicott Guardian Delegated Authorities.

If you are approached and asked to share data held on the NHS Strategic Tracing Service by anyone, then decline politely and ask the enquirer to submit their request on official headed paper to:-

NSTS Security Manager
NHS Information Authority
Hexagon House
Paynes Hill
Exeter
Devon
EX2 5SE

If you are in doubt as to your position, then please contact the Head of Information Governance on 02380 296922

Appendix 2: Frequently Asked Questions5

What to do if a patient considers their medical notes are incorrect?

Where a patient considers that their records contain inaccuracies, the patient should be advised to make an informal approach to the RMO or Health Professional concerned to discuss the situation in an attempt to have the records amended. It should be noted, however, that the diagnosis is a matter of clinical judgement and cannot be changed at the patient’s request.

If this avenue is unsuccessful then the patient may pursue a complaint under the NHS Complaints Procedure in an attempt to have the information corrected or erased. They could further complain to the Information Commissioner, who may rule that the information is rectified, blocked, erased or destroyed.

Amendments to health records:

An opinion or judgement recorded by a health professional, whether accurate or not, should not be amended subsequently. Retaining relevant information is essential for understanding the clinical decisions that were made and to audit the quality of care. If the patient is not satisfied, it is good practice to allow a statement to be included within the record that the patient disagrees with the content.

Further guidance is available within the ‘Altering Record Entries’ section within the ‘Records Management & Lifecycle Policy’ available on the intranet at http://solent/Pages/Default.aspx

What if there is an indication of litigation against the organisation?

Where there is indication that a claim or litigation may be intended against the organisation or its employees, the request will be forwarded to the Litigation Manager who will handle the disclosure and take appropriate action in the investigation and defence of the claim. The Litigation Manager will complete the log sheet and return it to the Information Governance Team.

What if there is information written in work diaries?

In some cases, the health professional may keep a work diary, e.g. District Nurses etc. These types of diaries should not contain any reference to the medical history of a patient. If, for any reason, these diaries are used to record a patient’s medical history, they should be considered part of the patient’s Health Records and, as such, would need to be included as part of any Subject Access Request made and kept in accordance with the retention period for Health Records.

What should I do if the information in the records is about a third party?

Should any information contained in the Personal Data of the Data Subject identify another individual (a ‘third party’), that information should be withheld, unless either of the following circumstances applies:

The other individual has consented to the disclosure of the information, or

It is reasonable in all the circumstances to comply with the request without the consent of the other individual. The Act gives additional steps that will have to be considered before

5 Department of Health Guidance for Access to Health Records Requests: February 2010 http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/@ps/documents/digitalasset/dh_113206.pdf

access is granted. Seek additional advice from your Information Asset Custodian in these circumstances.

Information should not be provided which relates to and identifies another person (for example, a note in the records that a relative had provided certain information) unless that other person has consented to the disclosure or it is reasonable to comply with the request without their consent. The DPA 1998 lists factors that should be considered in determining whether it would be reasonable in all the circumstances. (The Information Commissioner has published specific guidance on ‘Subject Access Rights and Third Party Information’.) These provisions do not apply where the person to be identified is a health professional who has compiled or contributed to the health record or has been involved in the care of the patient, unless serious harm to that health professional’s physical or mental health is likely to be caused. If appropriate, seek additional guidance from your I.G. Co-ordinator.

Can information within a health record which identifies health professionals be disclosed to a patient?

Information about health professionals is not normally considered as ‘third party’ information, and as such should normally be disclosed as part of a request unless disclosure would put any person at risk of harm.

Should individuals be informed if information is withheld from a request?

NHS bodies should normally inform patients if information is withheld from them during an access request unless doing so would put any person at risk, or would disclose information or inappropriately identify a third party.

Do researchers have a right to access information from patient health records when they are unable to gain patient consent?

Research using health information can provide many potential benefits. Researchers wishing to access information should follow NHS Research Governance processes and in most cases where access to identifiable information is sought they should obtain approval from the Ethics and Confidentiality Committee of the statutory National Information Governance Advisory Board.

Can MPs have access to health information about their constituents?

The term ‘elected representative’ covers Members of Parliament (UK, Scotland, Wales, Northern Ireland and EU), local authority councillors and mayors (and their equivalents in the devolved countries). Specific legislation under the Statutory Instrument, 2002, No. 2905, The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 enables information to be disclosed to elected representatives without contravening the Data Protection Act 1998. However, it does not remove the constraints of the common law duty of confidentiality and as such the common law should still be satisfied (normally by consent) before information is disclosed.

Should all information available be disclosed to a Local Safeguarding Children’s Board when investigating a child’s death?

Local Safeguarding Children’s Boards may require access to health records relevant to a deceased child from an NHS body to conduct an investigation/inquiry. It is highly likely that the public interest served by this process warrants full disclosure of all relevant information within the child's own records. However, in some circumstances the LSCB may also require

access to information about third parties (e.g. members of the child’s immediate family or carers). In all cases the LSCB should explain why it believes information about third parties is relevant to its enquiries, and you should use this to consider whether or not there is an overriding public interest to justify the disclosure of the information requested. In cases where you determine disclosure to be in the public interest you must ensure that any information you disclose about a third party is both necessary and proportionate.

Should all information requested be disclosed to Coroners for the purpose of carrying out an inquiry?

It is the Department of Health’s view that the public interest served by Coroners’ inquiries will outweigh considerations of confidentiality unless exceptional circumstances apply. When an NHS organisation feels that there are reasons why full disclosure is not appropriate, e.g. due to confidentiality obligations or Human Rights considerations, the following steps should be taken:

the Coroner should be informed about the existence of information relevant to an inquiry in all cases;

the concern about disclosure should be discussed with the Coroner and attempts made to reach agreement on the confidential handling of records or partial redaction of record content;

where agreement cannot be reached the issue will need to be considered by an administrative court.

Should consideration be given to surviving family members when disclosing information about deceased patients?

NHS bodies should give consideration to the potential harm or distress to the requester or other individuals either through supplying or withholding information. Where information is disclosed the amount of information provided should be proportionate to the need. Requesters should be sensitively informed where the decision is taken to withhold information.

How do Independent Mental Health Advocates (IMHAs) and The Mental Health Act 1983 apply to access to health records?

Under this Act, certain people (“qualifying patients”) are entitled to support from an IMHA. Subject to certain conditions, section 130B of that Act says that, for the purpose of providing help to a qualifying patient, IMHAs may require the production of and inspect any records relating to the patient’s detention or treatment in any hospital or to any after-care services provided for the patient under section 117 of the Act. The Department has published guidance on IMHAs’ rights to information which would not be disclosed in response to an access request from the qualifying patient themselves. This is available on the Department of Health website: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_098828

How do Deputies and Lasting Powers of Attorney and The Mental Capacity Act 2005 (MCA) apply to access to health records?

The MCA generally only affects people aged 16 or over. The Act provides a statutory framework to empower and protect people who may lack capacity to make some decisions. The MCA set up a new Court of Protection, which is permitted to appoint a deputy, to deal with property and affairs and/or personal welfare decisions. People whilst they still have capacity can appoint a Lasting Power of Attorney, also either for property and affairs and / or

personal welfare decisions. Personal welfare deputies and attorneys can ask to see information concerning the person they are representing as long as the information applies to decisions they have the legal right to make.

Can NHS bodies disclose information in response to allegations made about the operation and conduct of its staff?

Where allegations are made against an NHS body in the media by patients or relatives, the NHS body may wish to respond in order to maintain the reputation of the NHS. However, in doing so, the NHS body should not disclose further confidential information, and the level of disclosure should be proportionate to the need, with strong consideration of the impact of possible harm caused to others.

How long should health records be kept for?

NHS organisations should retain records in accordance with the retention schedules outlined in the Department of Health Records Management NHS Code of Practice before determining whether they should be archived or destroyed [7]. Where records are to be archived they should be transferred to a designated local Place of Deposit (POD) or to the National Archives. The Code is available from the following link: http://www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Recordsmanagement/index.htm

What if records are stored at an archive?

Archives may also receive requests for deceased health information from individuals and may consider the use of this guidance as a framework on decisions for disclosure.


Appendix 3: Information Governance Risk Assessment

GENERIC RISK ASSESSMENTS – Information Governance

This assessment must be undertaken for any current activity that does not meet policies and/or procedural standards and is therefore deemed to present a significant risk to employees, patients, visitors or the organisation.

The assessment should be reviewed and signed by the departmental Information Asset Owner and approved by the Information Governance Team [email protected]

Assessing a risk: Likelihood (L) x Severity (S) = Risk (R)

Very Low (Green) = Risk is to be managed locally by the departmental Information Asset Custodian;

Low (Yellow) = Risk is to be managed locally by the departmental Information Asset Custodian, although the Information Governance Team should be contacted for advice on actions to be taken in order to mitigate the risk;

Moderate (Orange) = Risk is to be managed jointly with the responsible Information Asset Owner and Information Governance Team, a detailed risk reduction plan must be completed;

High (Red) = Current practice should be suspended until a detailed assessment has been undertaken and a Risk Reduction Plan developed and implemented, as it could present a significant risk to the organisation. Risk is to be managed jointly with the Information Asset Owner and Information Governance Team.

When considering the Risk Reduction Plan, the following should be considered (the list is not exhaustive): avoid current practice if possible; assess those activities that cannot be avoided; reduce the level of risk to the lowest level reasonably practicable by looking at alternative practices, training, etc.

Likelihood of a risk occurring as a result of non-compliance with policy (columns) and severity if a risk was to occur (rows):

Severity          1 Rare   2 Unlikely   3 Possible   4 Likely   5 Almost Certain
5 Catastrophic    5        10           15           20         25
4 Major           4        8            12           16         20
3 Moderate        3        6            9            12         15
2 Minor           2        4            6            8          10
1 Negligible      1        2            3            4          5


Information Governance

Activity

e.g. unable to comply with policy, transferring of data, relocation of data, service relocation, etc…

Group Affected

e.g. breach of confidentiality for an employee, patient, client, etc…

Reason for non-compliance/ risk

e.g. unable to ensure that records are in a lockable facility at all times, community working, transferring data in incorrect method, relocation of data due to service relocation and no identified process, etc…

Existing Control Measures

What has the service already put in place to reduce the risk of non-compliance/risk

Degree of Risk

L S R

IT Providers *to complete this section

IPHIS / HITS (Please identify)

Please state service used for disposal of equipment

Additional Mandated Actions Required to Reduce the Level of Risk

To be completed by the Information Asset Owner and Information Governance Team

Residual Risk

L S R

Signed ………………………………………………….. Signed…………………………………………………..

Print Name ………………………………………………….. Print Name ……………………………………………

(Information Asset Owner) (Information Governance Team)


Appendix 4: Equality Statement

Step 1 – Scoping; identify the policy's aims

Answer

1. What are the main aims and objectives of the document?

To outline the process for creating, reviewing and ratifying policies and standard operating procedures within Solent NHS Trust

2. Who will be affected by it?

All staff who are developing internal control documents

3. What are the existing performance indicators/measures for this? What are the outcomes you want to achieve?

N/A

4. What information do you already have on the equality impact of this document?

None

5. Are there demographic changes or trends locally to be considered?

N/A

6. What other information do you need? N/A

Step 2 - Assessing the Impact; consider the data and research

Yes No Answer (Evidence)

1. Could the document unlawfully discriminate against any group?

x

2. Can any group benefit or be excluded? x Applies to all staff groups

3. Can any group be denied fair & equal access to or treatment as a result of this document?

X N/A

4. Can this actively promote good relations with and between different groups?

X

N/A

5. Have you carried out any consultation internally/externally with relevant individual groups?

X

Current Policy Steering Group (SCH) members consulted and wider groups represented by PSG members.

6. Have you used a variety of different methods of consultation/involvement?

X Via email and face to face meetings

Mental Capacity Act implications

7. Will this document require a decision to be made by or about a service user? (Refer to the Mental Capacity Act document for further information)

X Does not apply to patients

If there is no negative impact – end the Impact Assessment here.

Step 3 - Recommendations and Action Plans

Answer

1. Is the impact low, medium or high?

2. What action/modification needs to be taken to minimise or eliminate the negative impact?

3. Are there likely to be different outcomes with any modifications? Explain these?

Step 4- Implementation, Monitoring and Review Answer

1. What are the implementation and monitoring arrangements, including timescales?

Already implemented, monitored annually.

2. Who within the Department/Team will be responsible for monitoring and regular review of the document?

The Head of Information Governance

Step 5 - Publishing the Results

Answer

How will the results of this assessment be published and where? (It is essential that there is documented evidence of why decisions were made).

The Information Governance Toolkit annual assessment


Appendix 5: Quality Monitoring Form

Access to Records Feedback Form

Quality Monitoring

Dear Requestor

We would welcome your feedback on how you felt your Access to Record request was managed by the Trust. We would appreciate your comments about your experience to help us to monitor and review the process and to make any necessary improvement to our service.

It would be greatly appreciated if you could complete and return this form, in the enclosed pre-paid envelope. However please note that you are under no obligation to do so. Your response is anonymous but a report of the results will be available on our website.

If you require more information or any feedback please contact the Information Governance by email: [email protected] or telephone 023 8029 6911 / 023 8053 8772.

Solent NHS Trust aims to acknowledge your application within two working days and provide a full written response within twenty - forty working days from receipt. If this is not possible, we will advise you as soon as possible of any delay.

Bearing this in mind, would you indicate your experience by ticking the relevant boxes:

Access to the Trust Access to Records Service YES NO

Was the Access to Records service easy to access?

Was it clear who you had to contact to request records?

Was it clear how you should make your request?

Did you have any concerns about making a request? If Yes, please explain

Correspondence with the Trust YES NO

Did you receive an acknowledgement letter, sent to you within two working days of your request being received by the Trust?

After receiving a response from us if you were not satisfied with the way in which your application was handled, were you informed of how to pursue your application further?

Did you feel that all correspondence with the Trust, in connection with your request, was dealt with in a professional and informative way?

Experience YES NO

Whatever the outcome did you feel that your request was considered carefully?

Whatever the outcome did you feel that you were given a full response in a way that you could understand?


If the answer to any of the questions above is ‘no’ please can you give the reasons why:

……………………………………………………………………………………………
……………………………………………………………………………………………

If you feel that whilst managing your application we have done something well or that we could improve our Access to Records Service we would welcome your comments.

……………………………………………………………………………………………
……………………………………………………………………………………………

As explained this information is anonymous but if you have raised topics that you would like a response to please include your name and address here:

……………………………………………………………………………………………
……………………………………………………………………………………………

Thank you for taking the time to complete the questionnaire.

Please return the completed form to The Information Governance Team, Solent NHS Trust, Adelaide Health Centre, William MacLeod Way, Southampton, SO16 4XE.


Appendix 6: Healthcare Professional / Senior Manager Sign-Off Sheet

To: Information Governance Team, Trust HQ, Highpoint Venue, Bursledon Road, Southampton, SO19 8BR

From: …………………………………………………………………………….

Subject: Access to/Release of Personal Information Records

IG Request Ref: ……………………………………………………………………

*All requests should be logged with the IG Team prior to any information being released

Delete as appropriate

YES/NO

I have conducted a full search but could not find records for the above named person;

YES/NO

I confirm I have taken into account the mental state of the patient and possible third party identifiable information. I confirm that:

a) Have searched both computer and paper records for personal information of the data subject.

b) Access should/should not be given

c) Have obtained the medical consent of the Consultant or Health Care Professional for the release of these records to the patient / the patient’s representative and to the patient’s solicitor if applicable.

YES/NO

YES/NO

YES/NO

I confirm that access is granted on the following basis:

a) full access (I have no objection to the whole record being disclosed);

b) limited access (I have identified which records are not to be disclosed);

c) a health professional must be present when records or extracts are inspected (for explanation or counselling);

d) access is to be given by posting the records or extracts to the patient and/or his representative, together with any necessary explanation by the health professional

YES/NO

YES/NO

YES/NO

YES/NO

Signed (Clinician) ……………………………..   Date ……………………………….

Name (please print) …………………………………….