IGPOL92 Subject Access Request (SAR) Policy and Procedure by Provide Community

Subject Access Request (SAR)

Policy and Procedure

Version: V2

Ratified by: Finance and Investment Committee

Date ratified: 04/11/2024

Job Title of author: Information Governance Manager

Reviewed by Committee or Expert Group Technology Programme Board

Equality Impact Assessed by: Information Governance Manager

1. Introduction

The General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 gives individuals the right of access to their personal data, which are being ‘processed’ (i.e. used in any way) by data ‘controllers’ (i.e. Provide Group, or those who decide how and why data are processed), as well as to other supplementary information.

These requests are often referred to as ‘(data) subject access requests ((D)SAR)’, or ‘access requests’. The Act gives individuals (known as data subjects) the right, subject to certain exceptions, to request access and obtain copies of personal data about themselves that is held in either computerised or manual formats and any type of personal information that is recorded including photographs, x-rays, audio messages and CCTV images.

The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) enable an individual to ask an organisation to declare what information is held about them and how the information is used.

Data subjects have access rights to their personal information irrespective of when the record was created.

2. Purpose

This policy applies to service users and all staff employed by or working on behalf of the organisation, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers or locums. This policy applies to all requests for access to personal data and other individual data rights, held by the Provide Group.

The purpose of this Policy is to advice colleagues on how to recognise a Subject Access Request, what to do with one and what actions need to be taken in order to respond

3. Responsibilities

The Board of Provide (here after referred to as “the organisation”) has a duty to ensure that the requirements of the General Data Protection Regulation (UK GDPR ) and the Data Protection Act 2018 (DPA 2018) are upheld.

The Chief Executive Officer is responsible for the implementation of this policy.

The Caldicott Guardian is responsible for ensuring that patient data is used and shared in an appropriate and justifiable manner.

The Senior Information Risk Owner (SIRO) is responsible the oversight of Information risks and incidents across the organisation and represents IG at the Board

The Information Governance Manager is responsible for operationalising the requirements of the UK GDPR, including overseeing the SARs process and for advising colleagues on Information Governance principles and practices.

The Data Protection Officer (DPO) is responsible for monitoring UK GDPR compliance, informing and advising on data protection obligations and providing advice regarding SARs

Relevant Heads of Service and Managers are responsible for ensuring that information is disclosable under the requirements of the UK GDPR and DPA 2018, and for ensuring that records are provided in a timely fashion.

The relevant Assistant Director with the relevant Clinician, is responsible for providing confirmation that records are disclosable, or that access should be limited or denied.

The SAR administrator is responsible for coordinating and monitoring the SARs process, acknowledging requests with the data subject and on approval, disclosing the information requested to the data subject.

All colleagues are responsible for ensuring they are fully aware of the SARs procedure as set out in this document.

4. Executive Summary

A summary of the process is as follows: -

• Where appropriate, Service Users or anyone making a request will be directed to the SAR portal– Home Page - Portal (ams-sar.com) when an enquiry is made regarding a Subject Access Request.

• Subject Access Requests can be submitted in other formats not only via SAR portal. They can also be made verbally or in writing (including by social media) to any part of the organisation and do not have to be to a specific person or contact point. Requests received into the respective organisation are to be promptly submitted to the Information Governance teamprovide.sar@nhs.net or for Provide Wellbeing requests, to wellbeing.dpt.providewellbeing@nhs.net

• The organisation has one calendar month to comply with a request. Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner (ICO) who can levy a fine on the organisation for failure to comply.

• If it is anticipated that a request will take longer than one calendar month from the receipt of a Subject access request, the organisation must inform the applicant giving an explanation of the delay and agree a new deadline. The Act allows an extension of a further 2 months in such circumstances.

• Access is free of charge except in exceptional circumstances

• Data subjects have a right of amendment if any information is found to be incorrect. They also have right to rectification; the right to erasure or restrict processing; and the right not to be subject to automated decision-making.

• Where a request has been made electronically the information should be supplied in an electronic format unless otherwise specified. The organisation has taken the decision to use SAR portal as the default position for sending information requested (unless otherwise specified).

5. Principles Relating to Rights of Access

Under the Data Protection Act 2018, any living person who is the subject of personal information held and processed by the organisation, has a right of access and to receive a copy of that information and other supplementary information.

The supplementary information includes the following:

• Purpose of processing

• Categories of personal data

• Recipients or categories of recipients that the information has been or will be shared with

• Retention period

• Whether or not we use automated decision making (including profiling) and information about the logic involved

• The individual’s right to request erasure, rectification, restriction or objection

• Whether or not the information is transferred to a third country and the corresponding safeguards provided

• The individuals right to make a complaint to the ICO

If the above information is already provided in a Privacy Notice, then a link or a copy of the Privacy Notice can be provided.

A request can be made on someone’s behalf but it must be accompanied by the individual’s consent (who the information is about).

The organisation is not required to respond to subject access requests, unless it is provided with sufficient details to satisfy itself as to the identity of the individual making the request.

The right of access applies only to “personal data”. To amount to personal data, the information must:

• Relate to a living individual; and

• Be held either in electronic format or in a “relevant filing system”. A manual record created for the purpose of being transmitted electronically (e.g Scanned or faxed) will also be disclosable.

The organisation has the right to check with the applicant if they require access to their entire health record and confirm what material the applicant requires prior to processing the request. However, the applicant does not have to provide a reason for applying for access request.

Health Records Relating to the Deceased

SAR under UK GDPR does not apply to the deceased.

Applications for access to health records of the deceased are made under the Access to Health Records Act 1990.

Records made after 1 November 1991 can be made available to a service user representative, executor or administrator.

Claimants of compensation are entitled only to access information specifically relating to the claim.

There is a separate application form for records relating to a deceased individual. Anyone wishing to make an application under the Health Records Act 1990 should be directed to the SAR portal (https://provide.ams-sar.com/ and select Application for records of a deceased person) or to the Provide CIC Information Governance team at provide.sar@nhs.net or for Provide Wellbeing requests, to wellbeing.dpt.providewellbeing@nhs.net.

Health Records Act 1990 – This UK legislation covers access to a service user's records after death. The duty of confidentiality remains after a service user has died. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the service user's death are permitted access to the records.

6. Who can make a SAR request?

Subject access requests can be made by:

• The individual/service users themselves

• Individuals requesting access on behalf of a child for whom they have parental responsibility

• A representative nominated by the individual to act on their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority

• A representative appointed by the court to act to manage an individual’s affairs

• An employee or ex- employee requesting access to their employment records

• The Police, for the prevention or detection of crime

• HMRC for the assessment or collection of tax or duty

• The courts

Requests made by a Service User Representative

An individual can authorise a representative to access their personal data on their behalf. This must be done in writing, with confirmation of the representative’s identity and relationship to the service user and a signed form of consent must accompany the written application. Where a service user who is physically or mentally disabled and unable to provide written consent for a representative to seek access on their behalf, the organisation will give the patient service user as much assistance as possible, in order to ascertain whether consent has been granted by other means. The application must clearly identify the service user in question, and the records required, including the following details: -

• Full name – including previous names

• Address – including previous address(es)

• NHS number (if available/if applicable)

• Dates of health records required (if applicable)

• Details of general records required

Parental Responsibility

Parents, or those with parental responsibility, will generally have the right to apply for access to a child’s health record.

Parental responsibility is defined in the Children’s Act 1989 as ‘all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property’. If you are in any doubt about the level of parental responsibility (for example the parents are divorced) please contact the Contracts/Legal Team for legal advice.

In practice, parental responsibilities would include: -

• Safeguarding a child’s health, development and welfare

• Financially supporting the child

• Maintaining direct and regular contact with the child

Where a child is considered capable of making decisions about his/her medical treatment, the consent of the child must be sought before a person with parental responsibility can be given access to the child’s health records.

According to the Information Commissioner office, there are no age requirements attached to the right of subject access but in the UK we tend to consider 13 and above as the age where young people can exercise their own legal rights.

This means that if you process children’s information, they have a right to ask for copies of it. If the young person is under 13 and making their own request, you might need to satisfy yourself that they understand what they’re doing, but this should not be a barrier to supplying them with their information.

If the young person is 13 and above, there’s unlikely to be any reason why you should not treat the request exactly as you would if an adult made it.

Although young people can submit their own subject access requests, parents or guardians can also exercise this right on their behalf. If the young person is 13 or over, check whether they’re happy to authorise the disclosure of their personal data to their parent or guardian. Where, in the view of the health professional, the child is not capable of understanding the application for access to records, the organisation is entitled to deny access as being against the best interests of the service user.

Third Party Disclosure

Where records contain information that relates to an identifiable third party, that information may not be released unless: -

• The third party is a health professional who has compiled or contributed to the health records, or who has been involved in the care of the service user

• The third party, who is not a health professional, gives their consent to the disclosure of that information

• It is reasonable to dispense with the third party’s consent (taking into account the duty of confidentiality owed to the other individual, any steps taken to seek his/her consent, whether he/she is capable of giving consent and whether consent has been expressly refused)

7. Subject Access Request application process for data

On receipt of a valid access request application for personal data, the organisation has a duty to consider the following issues relating to disclosure of information:

• To confirm that the applicant is of an age and capacity to understand the nature of the application

• To take a decision regarding the withholding of access to all or part of a record

• To provide assistance where records may need to be explained to the applicant

For health records the relevant Assistant Director or assigned senior manager (of the service for which the records originate from) is responsible, in conjunction with the relevant Clinician, for providing confirmation that records are disclosable, or that access should be denied or restricted (redacted). The appropriate Assistant Director /clinician or assigned senior manager must complete an access approval form (see Appendix – template letter 4).

Where safeguarding issues are identified, a member of the organisation’s Safeguarding Team must be consulted to ensure that there are no concerns with regards to disclosure. Any concerns must be documented and discussed with the Head of Quality Assurance and Safety and/or the Information Governance Manager.

Where there are confidentiality concerns with regards to release of information (e.g. third party information contained in records), these should be discussed with the Information Governance Manager with input from the Caldicott Guardian where necessary.

To avoid multiple requests for information, the service holding the requested record, will ensure that all sources of information are searched for data relating to the request, including manual and computerised records.

Where a request for access has previously been complied with, the organisation is not obliged to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous request, upon doing so the organisation may charge a reasonable fee.

Subject Access Request process flow

Please refer to Appendix 1 – General SAR Process and Appendix 2 - Sexual Health SAR Pathway

8. Fees to Access Records

Under the Data Protection Act 2018 the organisation cannot charge for complying with a request unless the request is ‘manifestly unfounded or excessive’.

If a data subject makes a request for further copies of the same information the organisation may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be advised to the applicant at the time of the request if this is relevant.

Manifestly unfounded

If it is clear that the individual has no intention of exercising their right of access, for example if they make a request but then offers to withdraw the request in return for a favour or some benefit from the organisation or if they state in some communication that they intend to use their request to cause disruption to the organisation then this can be considered manifestly unfounded.

It is also manifestly unfounded if the individual makes unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice.

When deciding if a request is manifestly unfounded you must consider the request in the context in which it is made.

Manifestly Excessive

To determine if a request is manifestly excessive, you should determine whether the request is proportionate when balanced against the efforts or costs involved in dealing with the request

Disproportionate Effort

Data Protection legislation does not define “disproportionate effort” but it is clear that there is some (albeit limited) scope for assessing whether complying with a request would result in so much work or expense as to outweigh the individual’s right of access to their personal data.

The concept of disproportionate effort, however, only justifies not providing copies of the information requested, rather than not searching for the information.

Given the significance of employment records, the view of the Information Commissioner is that the defence of disproportionate effort should only be relied upon in exceptional circumstances.

Disproportionate effort is technically only a defence to providing copies of information requested, so the applicant should be given access in some other way, for example allowing them to come in to inspect it.

Cases that involve disproportionate effort will be assessed on a case by case basis and in conjunction with the Data Protection Officer. Advice may be sought from the ICO to assist with this determination.

Multiple Requests

The rules around subject access do not prevent individuals from making multiple requests for information. However, if an individual (or representative) has recently made an identical request, the organisation may be able to reject the later request on the basis that there must be a “reasonable interval” between requests. What amounts to a reasonable interval depends on the nature of the information being requested (e.g. is it sensitive) the purposes for which it is being processed (e.g. is the processing likely to cause detriment to the individual) and the frequency with which the information is altered.

9. Times of Disclosure

Once a valid request has been made the organisation has one calendar month in which to respond.

Where proof of identity/ consent is required, the one month time limit does not start to run until this has been received and accepted. Where additional information or clarification is required in order to satisfy the request the ‘clock’ stops until all the necessary information has been provided

If the one month time limit cannot be complied with it is important that the applicant is made aware of this. An extension may then be agreed with the applicant. Please note that under the terms of Data Protection Legislation in exceptional circumstances the time limit can be extended by two months, for example for particularly complex requests. Where this is the case the applicant must be informed as soon as it is known that it will not be possible to fulfil the request within the time limit and in any event within one month. When informing the subject that more time is needed you must provide them with the details of the data protection officer and the ICO, informing them that they have the right to complain. Non-compliance can result in a complaint being made to the Information Commissioners Office which can issue a monetary penalty of up to £17.5 million or 4% of annual global turnover, whichever is higher for any serious contraventions of the Data Protection Act. For less serious infringements it is £8.7 million or 2% of annual global turnover, whichever is higher

10.Exemptions for the Right of Access

There are certain exemptions that apply with regards to rights of access. These exemptions are not absolute and must be assessed on a case-by-case basis. Additional exception can be found on the ICO website: https://ico.org.uk/fororganisations/guide-to-data-protection/guide-to-the-general-data-protectionregulation-gdpr/right-of-access/what-other-exemptions-are-there/

Access to all or part of an individual’s record will be denied if: -

• In the opinion of the relevant Service lead, Caldicott guardian or health professional, the information to be disclosed would be likely to cause serious harm to the physical or mental health of the applicant or any other person

• Where the record relates to, or has been provided by, an identifiable third party, unless the third party has consented to disclosure

Confidential references

The organisation is not obliged to disclose a reference it has provided or received from another organisation. The organisation should consider disclosure in any case. Organisation should understand that the contents may need to be disclosed if the subject exercises other legal rights or seeks a legislative approach in the areas of employment and equality law.

Please note that this exemption does not apply to internal references.

Information used for management forecasting/ planning

This exemption can be applied where to disclose the information would likely prejudice the business of the organisation. This exemption might therefore apply where the information requested is concerning planned redundancies or promotions within the organisation. *

Information recording the intention of the organisation in relation to any negotiations with the employee

Personal data that consists of a record of the organisation’s negotiations with an employee is exempt from the right of subject access to the extent that complying with a request would likely to prejudice the negotiations (for example by giving the organisation’s “fall-back” position)*

Information held for the prevention or detection of crime, the prosecution of offenders or the assessment or collection of any tax or duty.

This prevents the right applying to personal data that is passed to statutory review bodies by law-enforcement agencies and ensures that the exemption is not lost when the information is disclosed during a review.*

Legal professional privilege

Legal professional privilege applies in two areas. Firstly, legal professional privilege attaches to any document which was created with the dominant purpose of being used in current or potential litigation. The document can be created by anybody so long as this was its dominant purpose. The second branch of legal professional privilege attaches to any document which was brought into being in order to obtain legal advice from a barrister or solicitor. This will include documents created by third parties as part of the process of giving or receiving legal advice.

* Once the risk of prejudice has passed the information should be considered disclosable. Information may need to be released if the subject seeks a legislative approach in the areas of employment or equality law.

Information in respect of informal grievances is not likely to be covered by legal professional privilege if the information is not the giving or receiving of legal advice from a barrister or solicitor.

Information about third parties

Some of the personal information requested by a data subject might also include personal information about a third party (for example their opinions). The decision on whether to disclose will involve balancing the individual’s right of access against those of the third party in respect of their own personal information.

In general, the organisation should not disclose information in relation to a third party unless:

• The third party has consented to the disclosure

• It is reasonable in all the circumstances to comply with the request without the third party’s consent.

11. Applying an Exemption

Notification of refusal to grant access must be given as soon as possible, in writing. The organisation will record the reason for this decision and will also fully explain the reason to the applicant and inform them of their right to make a complaint to the ICO.

Where it is decided that an exemption is to be applied, and information is to be withheld it is important to:

1) document the application of the exemption, what information has been withheld or redacted and the reasons why.

2) be open with the individual and inform them as to why certain information has been withheld.

3) Inform the individual that if they are not happy with the way their request has been handled, they may complain to the Data Protection Officer or the ICO and provide them with information on how to do so.

Clear documentation and correspondence with an individual on these issues will assist the organisation in the event of a dispute.

Appendix 1: General SAR Process

Appendix 2 - Sexual Health SAR Pathway

Any service user can request any information that our services hold on them. We strongly advise requests to be made through the secure SAR portal. Details of this can be found at: www.provide.ams-sar.com.

Individuals can also request copies of their test results and vaccination records. These requests should be made via the SAR portal. Verification of identity is confirmed at this point.

Include reasons for any omissions.

The SAR team will send the approved, redacted, rejected records to the IG manager for review

Respond to requestor with information requested using either SAR portal, secure email or by recorded post stating 'private and confidential'.

Appendix 3 - Forensic Discovery process - NHSmail: Access to Data Procedure

When dealing with some subject access requests, NHS trusts, boards or other authorities will require access to NHSmail email data held in the name of one or more of their employees.

1. Establish which employees’ email accounts need to be searched and for what period (maximum 2 years)

2. The NHSmail team will require investigation requests to be approved Chief Executive or HR director or equivalent role

3. The NHSmail team will only accept investigation requests submitted from the Local Administrator (IT administrator) of the NHSmail consuming organisation. Please submit your approved request to the IT service desk.

4. IT to download data to secure location

5. Process data – redact, limit, approve via assistant director or assigned approver

6. Respond to requestor

SOURCE: https://comms-mat.s3.eu-west-1.amazonaws.com/CommsArchive/Access+to+Data+Procedure.pdf

Appendix 4 – Template letters and forms

Template letter 1a

Acknowledgement of request for own records and request for ID verification where sufficient ID has not been provided

Dear [name of requester],

Subject access request

This is an acknowledgement of your request [for your medical records, for your child’s medical records, for your sexual health results] which was received by us on [xx/xx/xxxx].

The quickest and most secure way to verify your identity and process your request is via our portal at SAR Portal (ams-sar.com). This allows for the easy and secure sharing of large files and numerous documents. You will be able to view your request/records securely using a download function within the portal, reducing the need for paper copies, DVD files, etc.

However, completing a manual application form by email or post is also available should you choose not to use our secure portal (please see manual form attached). Please be aware that if the records volume is large, it may take several emails to send the records. We strongly recommend you use our Portal at SAR Portal (amssar.com)

Please be aware that your personal data/records can only be provided once you have completed all relevant details on the SAR portal or on a manual application form and your identity has been satisfactorily verified. Once we have received these, we will respond with the requested information within one calendar month. Very occasionally it may not be possible to comply within this time frame, but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.

To process your request, we require proof of identity, please upload the following to your request on the portal or send securely by email/post:

If Patient/data subject

- Proof of address in the form of: utility bill, council tax bill, bank/building society statement, mortgage statement, credit/debit card statement. These must have been issued in the last 3 months.

- A photo ID in the form of: Photographic Driving Licence, Passport, A National Identity Card.

If Police:

- The signed Medical Consent Form from the data subject

- A101 form for this incident, or equivalent, signed by reporting officer and the appropriate senior officer. This will provide necessary reassurance that a disclosure for these purposes is appropriate and in compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

If Parent:

- Proof of address in the form of: utility bill, council tax bill, bank/building society statement, mortgage statement, credit/debit card statement. These must have been issued in the last 3 months.

- A photo ID in the form of: Photographic Driving Licence, Passport, A National Identity Card.

- Proof of parentage in the form of: a full birth certificate or adoption decree for your child.

If Solicitor:

- Signed Medical Consent Form from the data subject

- Request letter signed by requesting Solicitor

If you require any further information please do not hesitate to contact us at [provide.sar@nhs.net // wellbeing.dpt.providewellbeing@nhs.net]

Yours sincerely, The Subject Access Request Team

Template letter 1b

Acknowledgement of request to solicitors where sufficient ID has been provided

Dear [name of requester],

This is an acknowledgement of your request [enter the type of request] which was received on [xx/xx/xxxx]. We will respond with the requested information via secure email within one calendar month. Very occasionally it may not be possible to comply within this time frame but you will be informed (if this is the case) within one calendar month of receipt of your request to explain why the extension is necessary.

We advise that for any future requests that you please submit via our secure portal at SAR Portal (ams-sar.com) in order for you to easily upload any documents required and to receive the information requested securely.

You can use the SAR Portal to provide the necessary information and document/s that we require in order to process your request. You may need to register if you do not already have an account on the portal. Once complete, you will be able to view your request/records securely using a download function within the portal, reducing the need for paper copies, DVD files, etc.

A manual application form (email/post) is also made available, should you choose not to use our secure portal. Please see attached form.

Yours Sincerely,

The Subject Access Request Team

Application for own records

Please use this form if you are requesting your own records.

Important Notes

• Unless requested otherwise, the information will be sent to you electronically by encrypted, secure NHSmail email together with instructions for opening the email from us, securely and free of charge. Therefore, please ensure that you complete the email address box under Section 1 clearly and in full.

• If you require a hard copy of the records to be sent to you, please specify this below. These will be sent to you by recorded delivery and will require your signature on receipt. You also have the option to collect the records personally or you can choose to come in to view the records with an appropriate health professional.

o I require a hard copy of the records sent via recorded delivery ☐

o I would like to come in to view the records with the appropriate health professional ☐

o I would like to collect the records from Provide Headquarters Colchester ☐

• The Data Protection Act 2018 allows an individual to access their own records which can be requested by completing and submitting this form.

• We will provide the relevant information within one calendar month of the date of receipt of the request. Very occasionally it may not be possible to comply with this time frame but if this is the case you will be informed within one calendar month of receipt of your request to explain why the extension is necessary.

• It is your responsibility to provide enough information to enable us to identify your records. Please ensure that you complete the application form as fully as possible so as not to delay your request.

• Information you request under a Subject Access Request is supplied free of charge. If you make a request for further copies of the same information we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be explained to you at the time of your request if this is relevant.

• Our Privacy Notice describes how Provide CIC and Provide Wellbeing collects, uses, retains and discloses personal information

https://providecommunity.org.uk/privacy-notices/ or https://providewellbeing.co.uk/privacy-policy/

PLEASE COMPLETE IN BLOCK CAPITALS AND BLACK INK

Section 1: Details of the person whose information is requested

Forename(s) Surname

Date of Birth NHS number if known

Current Address Email Phone number

If, during the period to which the application relates, the name or address were different from the above, please give additional details below:

Forename(s)

Previous Address

Section 2: Information Required

Previous Surname

Location of treatment/attendance (e.g. St Peter’s hospital, home, clinic, ward, etc.)

In the table below, please provide a brief summary of the type of information/records you require Carefully specify what you want from the records. Be as specific as possible; requests which are broad in scope may delay our response to you: Type of records required (e.g. test results, health records, emails, CCTV footage, training records, etc.)

Dates (time) of records required

Service/department (e.g. physiotherapy, sexual health, HR, estates)

Section 3: Identification

Two forms of identification must be provided for the applicant. A copy of each, a photographic ID and a copy of no-photographic ID from the list below is required. Please note they must not be from the same source.

Failure to provide suitable identification may result in your request being delayed.

Please indicate which forms of ID you are providing below.

PHOTOGRAPHIC ID

(if driving license has been submitted for one of the ID’s, it cannot be used again, a different ID must be provided))

Utility Bill (received in the past 3 months) ☐

If you are unable to provide two of the above or have any questions about completing this form, please email provide.sar@nhs.net or https://providecommunity.org.uk/privacy-notices/

Section 6: Declaration

I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Data Protection Act 2018

Applicant’s Name

Applicant’s Signature Date

Please return this completed form and 2 copies of identification to:

Provide CIC or Provide Wellbeing Subject Access Request (SAR) Team 900 The Crescent, Colchester Business Park, Colchester, Essex, CO4 9YQ

Application from a third party for records of a living individual

Please use this form if you are requesting records on behalf of someone else. For example:

You are a parent requesting a copy of your child's record (who is under 16)

You are a solicitor making a request on behalf of a client

You are a member of the continuing healthcare team requesting information on behalf of a patient

You are a police force making a request for information relating to a serious crime

Important Notes

o I require a hard copy of the records sent via recorded delivery ☐

o I would like to come in to view the records with the appropriate health professional ☐

o I would like to collect the records from Provide Headquarters Colchester ☐

• The Data Protection Act 2018 allows an authorised representative to access individual’s record e.g. a solicitor. Third parties must provide evidence to show they are authorised to act on the person’s behalf.

• Information you request under a Subject Access Request is supplied free of charge. If you make a request for further copies of the same information, we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be explained to you at the time of your request if this is relevant.

• It is the responsibility of the applicant to provide enough information to enable Provide to identify the requested records. Please ensure that you complete the application form as fully as possible so as not to delay your request.

• Our Privacy Notice describes how Provide collects, uses, retains and discloses personal information

https://providecommunity.org.uk/privacy-notices/ or https://providewellbeing.co.uk/privacy-policy

PLEASE COMPLETE IN BLOCK CAPITALS AND BLACK INK

Section 1: Details of the person whose information is requested Forename(s) Surname

Date of Birth

Current Address

NHS number if known

Email Phone

If, during the period to which the application relates, the name or address were different from the above, please give additional details below:

Forename(s)

Previous Address

Previous Surname

Requestors details (i.e. the authorised party who is requesting the records)

Requestor’s Name

Requestor’s Address

Requestor’s Postcode

Requestor’s Email

Requestors Telephone number

Requestors relation to the patient

Please complete the following or upload the relevant information via the initial request letter.

Section 2: Information Required

In the table below, please provide a brief summary of the type of information/records you require Carefully specify what you want from the records. Be as specific as possible; requests which are broad in scope may delay our response to you: Type of records required (e.g. past test results, health records, emails, CCTV footage, training records, etc.)

Location of treatment/attendance, if applicable (e.g. St Peter’s hospital, home, clinic, ward, etc.)

Dates (time) of records required Service/department (e.g. physiotherapy, sexual health, HR, estates)

Section 3: Identification

Please submit the relevant documents relating to your application

Three forms of identification must be provided for the applicant, of which one must be the child’s birth certificate or proof of guardianship, where applicable. A copy of a photographic ID and a copy of non-photographic ID from the list below is required. Please note they must not be from the same source.

Failure to provide suitable identification may result in your request being delayed.

Please indicate which forms of ID you are providing below.

Parent or guardian requesting for child under 16

PHOTOGRAPHIC ID

Current Passport

Photo Driving Licence

National Identity Card

NON-PHOTOGRAPHIC ID

Paper Driving License (if driving license has been submitted for one of the ID’s, it cannot be used again, a different ID must be provided))

Utility Bill (received in the past 3 months)

Child’s birth certificate

Evidence of Child benefit entitlement

Requests for individuals who lack capacity

If you are requesting health records for an individual who lacks mental capacity and you have authority to act on their behalf please upload a copy of the Power of attorney (for personal welfare) here:

Solicitor Request

If you are a solicitor making a request on behalf of client please upload the following:

Initial Request Letter

Form of authority showing Client consent

Continuing Healthcare Request

If you are from the Continuing Healthcare team please upload the following:

Initial Request Letter

Form of authority or power of attorney for personal welfare

Police Request

For requests from Police please upload the following:

Medical Form

A101 (Put name of form)

Court Request

For requests for records from courts please upload a copy of the Court order requesting the records

Other request

If you are requesting records for any other reason please specify and upload relevant documentation:

Section 4: Declaration

I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Data Protection Act 2018 and that I am entitled to act on the behalf of the person named in section 1

Date

Access to Records Form – Deceased person’s records (Access

to Health Records Act 1990)

Please use this form if you are requesting records on behalf of a deceased person.

Important Notes

o I require a hard copy of the records sent via recorded delivery ☐

o I would like to come in to view the records with the appropriate health professional ☐

o I would like to collect the records from Provide Headquarters Colchester ☐

• The Access to Health Records Act 1990 allows an individual to access deceased person’s (health) records. Third parties must provide evidence to show they are authorised to act on the person’s behalf.

• We will provide the relevant information within 40 days of the date of receipt of the request. Very occasionally it may not be possible to comply with this time frame but if this is the case you will be informed within 40 days of receipt of your request to explain why the extension is necessary.

• Information you request under Access to Health Records Act 1990 is supplied free of charge. If you make a request for further copies of the same information, we may charge a reasonable fee to cover the cost of supplying this. The fee will be based on the administrative cost of providing the information and will be explained to you at the time of your request if this is relevant.

• Our Privacy Notice describes how Provide CIC collects, uses, retains and discloses personal information

https://providecommunity.org.uk/privacy-notices/ or https://providewellbeing.co.uk/privacy-policy

Section 1: Details of the person whose information is requested

Forename(s) Surname

Date of Birth

Current Address

NHS number if known

If the name or address was different from the above, during the period to which the application relates, please give additional details below:

Forename(s) Previous Surname

Previous Address

Section 2: Information Required

In the table below, please provide a brief summary of the type of information/records you require. Carefully specify what you want from the records. Be as specific as possible; requests which are broad in scope may delay our response to you:

Type of records required (e.g. test results, health records, emails, CCTV footage, training records, etc.)

Location of treatment/attendance (e.g. St Peter’s hospital, home, clinic, ward, etc.)

Dates (time) of records required Service/department (e.g. physiotherapy, sexual health, HR, estates)

Section 3: Applicant (location where records should be sent) Forename(s)

Current

Relationship to Patient

Have you previously held a Lasting Power of Attorney for Health and Welfare?

Yes ☐ (please supply evidence) No ☐

Are you a personal representative (the executor or administrator of the deceased estate)?

Yes ☐ (please supply evidence) No ☐

Do you have a claim resulting from the death?

Yes ☐ (please supply evidence) No ☐

Please detail below in brief the reason for requesting the information:

Section 3: Identification

Please submit the relevant documents relating to your application

Two forms of identification must be provided for the applicant. A copy of each, a photographic ID and a copy of non-photographic ID from the list below is required. Please note they must not be from the same source.

Failure to provide suitable identification may result in your request being delayed.

Please indicate which forms of ID you are providing below.

PHOTOGRAPHIC ID

Current Passport

Photo Driving Licence

NON-PHOTOGRAPHIC ID

Paper Driving License (if driving license has been submitted for one of the ID's, it cannot be used again, a different ID must be provided))

Utility Bill (received in the past 3 months)

Section 5: Declaration

I declare that the information given in this form is correct, to the best of my knowledge and that I am entitled to apply for access to these health records under the Health Records Act 1990.

I am acting on behalf of the person named in Section 1

Applicant’s Name

Applicant’s Signature Date

Please return this completed Form and 2 copies of Identification to:

Provide CIC or Provide Wellbeing Subject Access Request Team (SAR) 900 The Crescent, Colchester Business Park, Colchester, Essex, CO4 9YQ

Template letter 3a

Collation of information – Email to services to request records

Dear [service/department],

We have received the following data subject request on [xx/xx/xxxx].

Please would you be able to collate the information required

Once approved, please can you send back to [Provide.sar@nhs.net or wellbeing.dpt.providewellbeing@nhs.net] for us to respond to the requestor.

Name: Dob:

Address: Site seen if applicable: Service area:

The requester specifies the request below [copy and paste the request]:

Please note you should respond within 3 days if you hold the records or not as we have a legal duty to respond to the SAR requests

If you have any questions please contact us by return email at [Provide.sar@nhs.net or wellbeing.dpt.providewellbeing@nhs.net].

Yours Sincerely, The Subject Access Request Team

Template letter 3b

Collation

of information – Email to Sexual

Health Services

Dear Team,

Following on from the information below, we have received a request for medical records. Can you please collate and send back to provide.sar@nshs.net

Service User Name: Dob: Address: Email: Telephone:

Details Of Service Used

Site Seen:

Dates attended:

Information required: [Test Results]

Sexual Health Records Request Pathway

• Record request received by Subject Access Request (SAR).

• Identity verification completed.

• Team SAR Forward request to PROVIDE.EssexSexualHealthService@nhs.net / provide.suffolksexualhealthservice@nhs.net

• IC will assess if this is a health records, results or vaccination request and prepare the notes.

• IC forward request to relevant quadrant Team Lead.

• IC will prepare patient records and send to Team Lead for approval.

• Team Lead will send approved notes to SARs team on provide.sar@nhs.net

• Results or vaccination request received via SAR portal.

• Identity verification completed.

• SAR Team to send to PROVIDE.EssexSexualHealthService@nhs.net / provide.suffolksexualhealthservice@nhs.net

• IC will send email to relevant Team Lead with request.

• Team will email completed request to IC to send to patient via Sexual Health Inbox.

• IC will email letter to verified patient email using encrypted email and delivery / read receipt.

• SAR Team to be informed once actioned.

If individuals require a printed copy of their results or vaccination record, they will need to present to clinic at an appointed time with ID such as a passport or driving licence. If they are unable to provide the copy, their results cannot be released.

Yours Sincerely,

The Subject Access Request Team

Template letter 4

Assistant director/approver - records approval email

Dear [AD/Clinician/approver],

Subject access request [case number]

This request requires your action by [insert date] This will enable us to comply with our legal obligation to respond to the requestor in a timely manner.

The below detailed [patient/patient representative] has made an application to access their health records under the 2018 Data Protection Act.

Data Subject/Patient details:

NHS Number:

Name:

Data Subject/Representative:

The patient records for review can be found here: [link to SharePoint]

We are obliged to disclose personal data of the service user including those we collected (shared to us) from third parties. The data must be considered carefully to check if we have grounds to withhold some records/data.

We must check that disclosing the records will not cause serious harm to the physical or mental health or condition of the data subject or any other person and that there is no disclosure of data relating to other individuals, unless where appropriate to do so.

Please ensure that every document is checked against the correct data subject/patient and reviewed for disclosure. Once this has been done, can you please respond to [Provide.sar@nhs.net or wellbeing.dpt.providewellbeing@nhs.net] and advise:

• Approve: I have no objections to the named data subject/patient/ representative seeing the entire records requested.

o Note: If there are any limitations to the data in the record that can be disclosed, please state reason for limitation/redaction.

• Reject: I do not wish the named data subject/patient/ representative to see the records requested.

o Note: Please provide the reason for rejection.

Kind regards

The Subject Access Request Team

Template letter 5a

Response to data subject – information provided – email/post

Dear [name of data subject],

[Subject access, erasure, etc.] Request dated [xx/xx/xxxx].

Please find enclosed/attached the information you requested: [attach information]

Please contact us in the first instance by return email at [Provide.sar@nhs.net or wellbeing.dpt.providewellbeing@nhs.net], if you have any questions about the information received or about the way your request has been handled.

If you are unhappy with the way we have handled your request, you may report your concern to the ICO through their website at following link https://ico.org.uk/make-acomplaint/

Yours Sincerely, The Subject Access Request Team

Template letter 5b

Response to data subject - No disclosure

Dear [name of data subject],

[Subject access, erasure, etc.] Request dated [xx/xx/xxxx].

Thank you for your request. We regret that we are unable to [provide/erase] the personal data you requested.

The reason being: [give the reason for non-disclosure/failure to erase, for example:

• you were unable to provide us with the necessary ID documents.

• Provide is not the owners of these records, and as such we are unable to release these documents.

• the personal data is under legal privilege as it is relevant to an ongoing legal case or it is part of legal advice given to Provide;

• providing the data would likely prejudice the conduct of Provide business;

• providing the data would likely prejudice negotiations with the data subject or future negotiations;

• the personal data is included in a confidential reference, either given or received in confidence;

• disclosure may cause serious harm to the data subject or other individuals;

• the data subject has expressly indicated that their data must not be disclosed even to those with parental responsibility or power of attorney].

• Other

If you have any questions please contact us either by return email at [Provide.sar@nhs.net or wellbeing.dpt.providewellbeing@nhs.net]

If you are unhappy with the way we have handled your request you may report your concern to the ICO through their website at following link https://ico.org.uk/make-acomplaint/

Yours Sincerely, Subject Access Request Team

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

Subject Access Request policy and procedure

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

The policy is to ensure that there is a systematic approach to the management and process of subject access request

Project/Policy Manager: Information Governance Manager Date: 04/09/2024

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

neutral

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

Positive impact – ensures that all Subject access requests are handled appropriately and that personal information is not disclosed to someone who does not have a right to that information. Policy and procedure to be monitored through the organisation’s Incident Reporting and Complaints processes and reviewed every 2 years.

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations and could form a specific part of the initiative. The consultation process should form a meaningful part of the initiative as it develops and help inform any future action. If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites www.equalityhumanrights.com Website for new Equality agency www.employers-forum.co.uk – Employers forum on disability www.efa.org.uk – Employers forum on age

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’