General Policy
Digital & Information
GP/D2
Health Records Manager and IG&S Manager
Head of Information Governance and Security/DPO
Director of Digital and Information
03 October 2024
03 October 2024
03 October 2025
1

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years. If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1. INTRODUCTION

The purpose of this policy is to set out NHS Fife’s responsibilities for responding to and managing Data Subject Access Requests (hereafter referred to as DSARs). It provides assurance that all personal information is being managed in accordance with current legislation and best practice guidelines, and improves the transparency of operational activities in line with public policy requirements.

1.1 The Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UKGDPR) and other data protection laws give every living person, or their authorised representative, the right to apply for access to their personal data held by NHS Fife. NHS Fife seeks to comply fully with the Data Protection Act 2018 and UK GDPR, the Data Subject Rights of which are set out in Appendix A.

1.2 The Data Protection Act relates to living individuals only. The Access to Health Records Act (1990) covers access to deceased persons’ data.

1.3 Personal information held by NHS Fife includes, but is not limited to, Health Records, Occupational Health Records, Payroll Records, Personnel Files, Complaints and Incidents. NHS Fife will provide a copy of the personal information and depending on the circumstances allow suitable access if requested. This process is referred to as a Data Subject Access Request (DSAR).
*For the purposes of this document, the terms ‘data’ and ‘information’ shall mean the same thing.

1.4 The Scottish Government Health & Social Care Records Management Code of Practice (Scotland) 2020 defines a health record as “anything that contains information, which has been created or gathered as a result of any aspect of the delivery of patient care”. This includes paper, electronic, radiology and imaging reports, audio and/or video recordings or photographs.

1.5 The purpose of this Policy is to ensure NHS Fife’s compliance with current legislation, guidelines and regulations including:
• Data Protection Act (DPA) (2018)
• UK General Data Protection Regulation
• EU General Data Protection Regulation
• Access to Health Records Act (1990)
• Human Rights Act (1998)
• Privacy and Electronic Communications Regulations (2003)
• NHS Code of Practice on Protecting Patient Confidentiality 
• Caldicott Principles

The development and implementation of related procedures is a component of NHS Fife’s overall approach to safeguarding information. This Policy overarches all other Policies relating to person identifiable information. 

2. LOCATION

This Policy and any associated procedures, as applicable, apply to all staff and contractors working for NHS Fife. It is offered as advice to independent GP, Dental, Pharmacy and Optometry Contractors and to Health and Social Care Partners. It is acknowledged that the accountability arrangements of these independent contractors differ from those of NHS Fife employees, and therefore this Policy is to be seen as good practice guidance and used in conjunction with the requirements of their own professional body.

3. RESPONSIBILITY

Day-to-day responsibility for the operation of the policy shall be delegated to all relevant Heads of Service and responsible line managers within NHS Fife and the Health and Social Care Partnership.

3.1 Chief Executive 

The Chief Executive has a responsibility to ensure that there is a clear and appropriate management structure enabling the implementation and communication of this Policy to all staff. 

3.2 Senior Information Risk Owner (SIRO)

The SIRO has overall responsibility for NHS Fife's information risk and organisation-wide compliance. The SIRO is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The SIRO will be supported in the delivery of this policy by:

3.2.1 Associate Director of Digital & Information

The Associate Director of Digital & Information has delegated responsibility for ensuring organisational compliance with the UKGDPR. The Associate Director of Digital & Information is supported by the Board’s Senior Information Risk Owner, Data Protection Officer and Caldicott Guardian.

3.2.2. Data Protection Officer

The Data Protection Officer (DPO) is a senior member of staff responsible for ensuring that NHS Fife Board and its staff are informed and given advice about how the Board can meet its obligations under the UKGDPR and other data protection laws. The DPO is responsible for monitoring compliance with the Regulation on behalf of the Board and reports regularly to the SIRO and Caldicott Guardian.

3.2.3. Information Governance and Security Advisors

The Information Governance and Security Advisors are responsible for the provision of expert advice to clinicians, health professionals and health records staff in relation to non-standard requests and enquiries.

3.3. Heads of Service/Departments

Heads of Service/Departments are responsible for ensuring that personal data requested under the auspices of the UKGDPR is provided to Health Records or Information Governance staff in a timely fashion.

3.3.1. It is the responsibility of each Manager to ensure that: 

• This Policy and the associated procedures are applied within their own areas of responsibility.
• The rights of people about whom information is held can be fully exercised under the Act. These include: the right to be informed of the data held on them; the right to be informed that processing is being undertaken; the right of access to their personal information; the right to prevent processing in certain circumstances and the right to correct or annotate information which is regarded as inaccurate.
• Staff are informed of their rights to access their personal data.
• Staff within their area of responsibility attend mandatory Information Governance training every three years, or earlier at the Manager’s discretion.

3.4. Information Governance Steering Group

The Information Governance Steering Group will receive and review statistics to ensure compliance with the UKGDPR.

3.4.1. NHS Fife Health Board has specific responsibility for agreeing, advising on, and monitoring data protection practice within the organisation.

3.4.2. NHS Fife Health Board will lodge a full, correct, and up-to-date notification in its name with the Information Commissioner.

3.4.3. NHS Fife Health Board is responsible for implementing the Caldicott Principles and ensuring there is a nominated Caldicott Guardian. Guidance on the requests for Caldicott Guardian Approval can be obtained from the Information Governance and Security (IG&S) Department.

3.4.4. NHS Fife Health Board will identify a Data Protection Officer with specific responsibility for advising and monitoring data protection practice in the organisation and for ensuring notification with the Information Commissioner.

3.4.5. NHS Fife Health Board as the Data Controller will collectively ensure that:
• Everyone managing and handling personal (and commercial) information understands that they are contractually responsible for following good data protection practice, is appropriately trained to do so, and supervised.
• Anyone wishing to make enquiries about handling personal information is advised to approach IG&S Department.
• Queries about handling personal information are promptly and courteously dealt with.
• Methods of handling personal information are clearly described.
• A regular review and audit of the way in which personal information is managed is conducted. 
• The methods of and performance in the handling of personal information are regularly revised, assessed, and evaluated.

4. GENERAL PRINCIPLES

4.1 Any living person who is the subject of personal data processed by NHS Fife has a right to access that personal data regardless of where they reside.

4.2 An individual does not have the right to access someone else’s personal information unless they are an authorised representative or have parental responsibility or are legally entitled to receive this.

4.3 NHS Fife is not required to respond to Data Subject Access Requests unless sufficient details have been received to enable the location of personal data and to satisfy itself as to the identity of the individual making the request.

4.4 A DSAR application can be made by: 
• Email
• Post
• Verbally
• Social Media
• Corporate Website

DSARs made online must be treated like any other DSAR when they are received, but NHS Fife will not provide personal information via social media channels. Responses to requests must be provided in writing, or by other means, including, where appropriate, by electronic means. Where applicants make the request electronically, then unless otherwise requested by the applicant, the response will be sent in a commonly used electronic format. Staff should consult the Board’s Email Policy.

4.5 The information may be requested verbally, provided that the identity of the applicant is proven. A written response should be sent to the applicant confirming NHS Fife’s understanding of the verbal request, along with the request for ID and/or more information.

4.6 A patient may make a request to see their health record or ask for a copy of a specific document from their health record (e.g. discharge letter) during a consultation with the health professional. The decision whether to provide this to the patient or not sits with the Health Professional, however, this verbal request constitutes a formal request under the UKGDPR and should be responded to accordingly.

5. ACCESS TO PERSONAL DATA

5.1 Data Subject

Article 15 of the UKGDPR gives a Data Subject (the person to whom the personal data relates), or someone who has been appointed by that individual (for example a Solicitor, Next of Kin, Guardian or Power of Attorney), the right to access personal data held and to have it communicated to him/her in an intelligible form. Data Subjects (or their representatives) are also entitled to an explanation of any terms they may not understand (such as medical terminology).

5.2 Requests from a Patient’s Representative 

5.2.1 A patient may authorise a representative to make a Data Subject Access Request on their behalf. This must be done in writing, confirming the representative’s identity, and providing evidence to support the patient’s authorisation.

5.2.2 Representatives able to provide evidence that they are acting under Power of Attorney/Guardianship will be granted access to the health records of the patient. This should be restricted to the information necessary for the appointee to carry out his/her function. Where a Power of Attorney or Guardianship is held, this must be checked to ensure it includes the release of the information / records being requested.

5.2.3 Requests from Solicitors must be accompanied by a current signed mandate from the Data Subject. If the mandate was signed by the Data Subject more than three months before the request for records, it is recommended that a new mandate is sought.

5.2.4 Where a patient is unable to provide consent for a representative to make a Data Subject Access Request on their behalf for reasons of incapacity, the advice of the patient’s consultant (or relevant Health Professional) should be sought to determine whether the access should be provided.

5.3 Parental Responsibility and Children’s Records

Parents, or those with parental responsibility, will generally have the right to apply for access to their child’s health record.

5.3.1 The natural (birth) mother of the child, where named on the birth certificate, will normally automatically have parental responsibility. (For exceptions see 5.3.4.)

5.3.2 The father will have parental responsibility if he is named on the child’s birth certificate (applies to births registered from 4 May 2006 onwards). If the child was born before this date, then the father will have parental responsibility if he is married to the birth mother, or he has an order from the Court.

5.3.3 Where a Child is considered capable of making and understanding decisions about access to his/her personal data, the consent of the child must be sought before a person with parental responsibility can be given access to the child’s health records. In Scotland this generally relates to children aged 12 years of age and over. Good practice dictates that the child should be encouraged to involve parents or those with parental responsibility in their decision. Where doubt exists regarding whether the child is capable of making decisions, then advice should be sought from the child’s consultant or relevant health professional.

5.3.4 Parental responsibility may be legally revoked or restricted in the following circumstances: 
• Adoption order
• Care Order (Local authority). Although the parents do not lose parental responsibility, the Local Authority can put in place a Care Order which can limit the extent to which a person can exercise their parental responsibility.
• Court Residence Order
• Emergency Protection Order (Local Authority)

5.3.5 If there is any doubt about the level of parental responsibility and you have received a request for information relating to a child (e.g., if the parents are separated), please contact the Information Governance and Security Department for advice.

5.4 Police and Procurator Fiscal

Requests for information from the Police or Procurator Fiscal must be made in writing either by:
• Court Order
• Letter from the Procurator Fiscal
• Submission of an appropriate application (Schedule 2 request under DPA 2018) for the:
(a) prevention or detection of crime
(b) apprehension or prosecution of offenders

5.5 Insurance Companies 

Requests for information from an insurance company must be accompanied by a signed mandate, recently dated, from the data subject.

5.6 Department for Work and Pensions

The crime and taxation exemption in Schedule 2 of the DPA 2018 allows, but does not require, personal data to be disclosed to assist in the assessment or collection of any tax or duty. Any request from the Department for Work and Pensions for access to any information held about an individual must be accompanied by the relevant form.

5.7 Third Party Definition and Disclosure

Third party information, in relation to personal data, means any person other than (1) the data subject, (2) the data controller or (3) any data processor or other person authorised to process data for the data controller or processor.

Where records contain information which relates to an identifiable third party, that information may not be released unless:
• The third party is a health professional who has compiled or contributed to the health record or who has been involved in the care of the patient, for example the patient’s GP.
• The third party, who is not a health professional, gives their consent to the disclosure of that information, for example the patient’s guardian. 
• It is reasonable to dispense with the third party’s consent, where the following is considered:
o The duty of confidentiality owed to the other individual. 
o Any steps taken to seek his/her consent. 
o Whether the third party is deemed capable of giving consent. 
o Where the third party has refused to give consent.

5.8 Joint Records

Data Subjects do not have to make separate subject access requests to each directorate holding part of a joint record (HSCP, Maternity etc.). The Single Point of Contact will ensure that all appropriate directorates receive the request. 

6. Applications for Personal Information

You must verify the identity of the person making the request, using reasonable means. See 4.4 above for the ways a DSAR can be received. The date of receipt should be recorded. Please note, applicants do not have to provide a reason for requesting their personal information.

6.1 Whilst we may ask applicants to complete an application form, this is NOT mandatory so long as they have provided adequate information to allow us to process the request.

6.2 Where a verbal request is made, a written response confirming our understanding of the request should be sent. This written response can be used to request ID and/or more information as required.

6.3 Where an application is made on behalf of an individual, a signed consent form must accompany the application. The consent form should have been signed within three months from the request being received.

6.4 The application/request must clearly identify the data subject and the information required, including the following:
• Full name (including previous names where appropriate).
• Address and post code (including previous addresses where appropriate). 
• Date of Birth. 
• CHI Number (if known). 
• Dates of records required. 

6.5 Where feasible, applicants will be offered the opportunity to view their records prior to receiving a copy of these. This will allow them to confirm the records they require. In these instances, applicants will be asked to provide photographic identification before personal data is released. Acceptable identification includes, but is not limited to, a passport, driving licence, bus pass or student card.

6.6 When viewing records, a member of staff must remain throughout the period of access to ensure that the record remains intact, and no copies of the record are made at that time. Applicants are not permitted to take pictures of the record on their phone / camera during a viewing.

6.7 If an explanation is required by the applicant regarding medical terminology or treatment received, the applicant will be referred to the appropriate health professional.

6.8 The application form for requesting a copy of any personal information can be found at Appendix B. 

6.9 Where a person is requesting health information from more than one service, the SPOC should ensure the request is shared in a timely manner with the other hospital(s)/services. The person who received the DSAR should collate all information and send to the SPOC via AXLR8.

6.10 On receipt from the service, the SPOC will distribute the response to the requester by secure electronic means. Where a paper copy is requested, the DSAR response is still uploaded to AXLR8 to complete the record; however, it is the responsibility of the individual service to send it to the requester by recorded mail. 

6.11 Where a request for access to records has previously been complied with, NHS Fife is not obliged to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous request. We believe a period of 3 months to be reasonable; however, we are still obliged to provide a copy of any new personal information to the applicant during that period.

7. Authorising the Release of Health Records

7.1 The responsibility for the release of the health record sits with the lead health professional or the most relevant health professional.

7.2 Where the patient has attended several specialties, the last treating health professional or the most relevant health professional will be asked to authorise the release of the full health record.

7.3 The health professional should inform the DSAR SPOC of any information they have redacted or withheld and the reasons for this. The ‘Agreement to Disclosure of Health Records Form’ should be used for this purpose (Appendix C).

7.4 If there is any dispute with regards to the release or withholding of health records, this will be escalated in the first instance to the Information Governance and Security Department.

8. Staff Requests for Personal Information

8.1 Staff wishing to access personal information held about them should submit a written request to the Single Point of Contact (SPOC) or complete the application form at Appendix B.

8.2 Line Managers receiving requests for personal information from current or previous staff about them should inform them to submit a written request to the Single Point of Contact (SPOC) or complete the application form at Appendix B

8.3 All other requests for personal data (e.g., solicitors, patient complaints) should be passed to DSAR SPOC for recording and distribution.

9. Fees to Access and Copy Health Records 

9.1 There is no fee for supplying information under a DSAR, however, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, NHS Fife may charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request. A reasonable fee may also be charged if the data subject requires additional copies of the information.

9.2 If a charge were to be made under point 9.1 above, the applicant will be advised of the cost ahead of the information being compiled so they can decide whether to proceed with their application. If they wish to proceed, the Finance Department should be notified to raise an invoice for payment.

9.3 The Head of the relevant service may approve the release of health records without any fee being levied in exceptional circumstances.

10. Timescales

10.1 NHS Fife will aim to acknowledge all requests for personal information where practicable within two days of receipt of request.

10.2 NHS Fife will aim to respond to requests for personal information within one calendar month as outlined in Article 12 of the UKGDPR. 

10.3 The one calendar month period will only commence when all sufficient information required (completed application and identification documents) to proceed with the request is received.

10.4 Where the application does not include sufficient information to identify the person making the request or to locate the information, the one calendar month clock will stop and restart once the information has been received. An ID checklist can be found at Appendix D.

10.5 Requests will be considered complete/closed if any omitted information/identification required to process the application has not been received from the requestor within 3 months from receipt of application. 

10.6 A Data Subject Access Checklist can be found at Appendix E. Templates for acknowledging requests and for responding to requests have been built into the DSAR Platform to merge in with the requests for ease of communication.

11. Redaction

11.1 In circumstances where information is to be redacted, the original document must be retained in its entirety and not be tampered with. Documents should be photocopied, with information to be redacted covered over with a black marker or marker tape to erase the data. This should be re-copied, and this copy released to the data subject. Alternatively, an online redaction tool may be used where appropriate. For full details, please consult the Redaction Guidance document. 

11.2 Where the redaction of third party and/or non-personal information from a document renders the document meaningless, for example a staff witness statement, consideration will be given to whether this will be released or withheld.

11.3 If, following receipt of a data subject access request, the data subject requests details about redacted information it is acceptable to provide a broad description of the redacted information e.g. personal data relating to a third party or information not personal to the data subject.

11.4 NHS Fife Information Governance and Security Department Single Point of Contact can be contacted for advice on the redaction of information from a DSAR.

12. Amendments to Personal Data (including Health and Corporate Records)

12.1 If a requestor believes information recorded within their record to be inaccurate, they should be advised to put their concerns in writing to the IG&S DSAR SPOC, stating clearly what part(s) of the record they disagree with. This must be signed and dated. The DSAR SPOC will record the request and arrange for a copy of the request to be retained in the individual’s record and a copy sent to the relevant clinical or corporate service for information where appropriate.

12.2 Subsequently, if the individual makes a request to erase information documented in their record, they should be advised to put their request in writing to the IG&S DSAR SPOC, stating clearly what part(s) of the record they wish to have removed. This must be signed and dated. The DSAR SPOC will record the request and arrange for a copy of the request to be retained in the individual’s record and a copy sent to the relevant clinical or corporate service for information where appropriate.

12.3 Under UKGDPR patients have various individual rights, including the right to rectification and erasure; however, a number of exemptions apply to public authorities such as the NHS, which may mean NHS Fife is not required to comply with requests relating to health records, and/or where we are processing data under a particular lawful basis. Each request must be reviewed individually to determine what action, if any, is to be taken. It is important, however, to respond to such requests as set out above.

12.4 If the person remains dissatisfied, they should be advised to raise a complaint in line with the Board’s Complaints Procedures. In addition, they may wish to raise a complaint with the Information Commissioner’s Office whose contact details can be obtained from the IG&S Department.

12.5 Information should never be removed from a record. Notations of any corrections to the record can be made only if approval has been granted by the Head of Relevant Service (Corporate Records) or Head of Relevant Clinical Service (Health Records).

13. Exemptions

13.1 Denial of Access

13.1.1 Health professionals have the right to withhold personal information if they believe the release of this would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person (the Data Protection (Subject Access Modification) (Health) Order 2000, SI 2000/413, refers).

13.1.2 Where a health professional requests that part or the whole of the health record be withheld, the justification for this must be recorded in the agreement for disclosure, (Appendix C) which will be uploaded on the DSAR Platform and filed with the original request.

13.1.3 The data subject, or patient representative, should normally be provided with a written explanation as to the reasons for withholding part of the health record as soon as possible after the decision has been made. However, we are not obliged to do so and there may be occasions where we would not volunteer that we have withheld information, e.g., if we believe this could cause undue distress or could jeopardise a child protection investigation.

13.1.4 Where the applicant remains dissatisfied with the withholding of information advice should be sought from the Information Commissioner’s Office via the Information Governance and Security Department.

13.2 Requests from Third Party

Where a request is made by a third party for information about an individual’s physical or mental health and that person has the right to make the request on behalf of the individual, such as a parent or someone holding Power of Attorney, this request may be refused if the individual has made clear they do not want it disclosed to that third party.

13.3 Child Protection Concerns 

There may be situations in which access to all or part of a child’s health record is refused, e.g., if there are ongoing child protection issues, or whereby releasing information may put a child/young person at risk of harm. In such situations advice should be sought from appropriate managers and the Child Protection Team before releasing any information.

13.4 Disproportionate Effort

Applicants should be provided with a copy of the information requested unless the supply of this information is not possible or would involve disproportionate effort or the applicant agrees otherwise. Advice on applying this exemption must be sought from the DSAR SPOC.

13.5 Right to Prevent Processing Likely to Cause Harm or Distress

An applicant has the right to request that the Board cease (or not begin), restrict or object to the further processing of personal data on the grounds that the processing of the data is likely to cause substantial damage or substantial distress to them or to another person and that any damage or distress is, or would be, unwarranted. The Board is obliged to respond to such requests within one calendar month. Any requests regarding this should be directed to the Information Governance and Security team in the first instance.

13.6 Other Exemptions 

There are other exemptions which may apply to data subject access requests, including ‘crime and taxation’, ‘legal advice and proceedings’, ‘research’ and ‘fitness to practise’. For advice on these exemptions, please contact the DSAR SPOC. A list of exemptions can be found under Appendix F.

14. Policy Review

This policy will be reviewed every three years, unless the introduction of any new or amended relevant information warrants an earlier review. 

15. Communication and Implementation

This Policy will be communicated via NHS Fife’s corporate communication tools and through the Information Governance and Security Framework. 

16. Further Advice

For further advice on this Policy please contact the DSAR SPOC by email: fife.dsarspoc@nhs.scot.

17. Associated Processes & Guidance

• NHS Fife DSAR User Guidance Process
• NHS Fife DSAR AXLR8 SPOC Guidance
• NHS Fife Redaction Guidelines
• NHS Fife AXLR8 Process Guidance

Appendices can be found at this link: Appendices A - F