While being open is generally to promote a workplace culture, the same is also needed when a patient, family member or friend raises a concern. All incidents require a full investigation but, when it comes to service users, the term ‘duty of candour’ is used when any concern is raised or found.

Duty of candour is when there is a general duty to be open and transparent with people receiving care from this organisation. Regulation 20 explains that both the statutory duty of candour and the professional duty of candour have similar aims, to make sure that those providing care are open and transparent with the people using their services whether or not something has gone wrong.

The organisation will use the following definitions in relation to the duty of candour:

• Openness – enabling concerns and complaints to be raised freely without fear and questions asked to be answered
• Transparency – allowing information about the truth about performance and outcomes to be shared with staff, patients, the public and regulators
• Candour – any patient harmed by the provision of a healthcare service is informed of the fact and an appropriate remedy offered, regardless of whether a complaint has been made or a question asked about it

Introduction

1.1 – Policy Statement

Godiva Group of Practice’s is committed to providing a safe environment for its employees, contractors, visitors and members of the public.  Part of this responsibility is the provision and management of fire safety systems and procedures.  This policy outlines the fire safety arrangements, procedures and responsibilities in place at the organisation.

The requirements of the Regulatory Reform (Fire Safety) Order 2005 place duties on “responsible persons” who are those who have control over the premises and are required to:

• Assess and reduce the potential fire risks and spread of fire in and around the building
• Assess the suitability of the means of escape from the premises
• Ensure those means of escape are available to use
• Ensure the provision of a means of fire detection, fire warning and firefighting equipment
• Establish the action to be taken in the event of a fire
• Provide instruction and training to all employees

This policy should be read in conjunction with:

• Fire marshal or warden guidance
• Personal and General Emergency Evacuation Plan Policy
• Third party confidentiality agreement, incorporating fire safety for visitors
• CQC GP Mythbuster 67 – Reasonable adjustments for disabled people

Control Measures

2.1 – Employees’ Responsibilities

Employees are required to:

• Evacuate on hearing a fire alarm
• Be responsible for their own safety
• Know the evacuation procedures
• Raise any specialist requirement
• Take reasonable care of others
• Co-operate with the organisation on fire safety issues
• Not interfere or misuse anything provided for fire safety
• Report any fire safety problems, e.g., blocked fire exits
• Report any accidents or near misses

2.2 – Fire Detection, Fire Warning and Firefighting Equipment

The organisation has fire safety systems installed and fire protection measures throughout the premises to protect all persons, building and contents. All fire safety equipment must be kept free from obstruction and fire extinguishers must not be removed or repositioned without consultation with the responsible person. Fire extinguishers have a tamper tag added to them and all staff are to be mindful of these tags.

The location and type of all fire safety equipment will be clearly annotated on the building plan and signs have been placed throughout the premises to identify these. Any movement or damage to equipment provided for fire safety purposes must be reported immediately to site co-ordinators

2.3 – Fire Action Signage

Fire action notices are displayed throughout the organisation and can be found on exit routes adjacent to the fire alarm call points or fire extinguishers, the location of which will be identified during the risk assessment.

The location of fire action notices will be identified through the risk assessment process and marked with HSE compliant signage.

2.4 – Fire Doors, Emergency Lighting and means of escape

Fire doors must be kept closed at all times (unless they are doors which automatically close when the alarm is sounded) to maintain compartmentation of the building and to prevent the spread of fire, smoke and toxic fumes.

Corridors, stairways and landings are classed as escape routes and as such should be fit for purpose, kept clear and capable of safely evacuating staff, patients and visitors at any time. Any fire corridor and final exits must have suitable emergency lighting in place and be clearly marked with directional signage that highlights the exit route. Final exit doors are marked with HSE compliant signage and must be kept clear at all times to allow for egress from the building in an emergency. Any issues with means of escape must be reported immediately to Site co-ordinators.

The location of all fire doors and emergency lights will be clearly annotated on the building plan.

2.5 – Flammable Substances

Hazardous substances must be stored, used and disposed of in accordance with COSHH safety requirements, safe working practices and manufacturers’ instructions.

The location of all flammable substances will be marked with HSE compliant signage and annotated on the building plan. Any concerns with the storage or handling of flammable substances must be reported immediately to site co-ordinator or practice manager.

Further reading on COSHH can be found in both the Safe handling of chemicals policy and the COSHH risk assessment guidance document.

Fire Assembly Point

At this organisation, we recognise the need to comply with the Health and Safety at Work etc. Act 1974 and understand this is a legal requirement, not a matter of choice. We will continuously strive to fulfil our responsibilities for all matters pertaining to health and safety.

Furthermore, we will ensure that all our staff are fully aware of their individual and collective responsibilities and that they are committed to maintaining a positive and proactive approach to minimising risk.

The organisation will provide the necessary resources (including financial) to enable all staff to access the necessary training and support, thereby permitting them to work effectively in an environment that is safe for our service users, contractors, visitors and our staff.

Effective communication is essential, and we will encourage our staff to raise any health and safety concerns and urge them to share any potential solutions to mitigate risk, leading to a safe working environment. Additionally, we will consult with our staff on all health and safety matters that may affect them.

This policy sets out the general health and safety duties that employers have towards employees and members of the public. It also sets out the duties that employees have to themselves and to each other. All staff at this organisation have a duty to ensure that they work safely and that their acts or omissions do not result in harm to either themselves or others on the premises.

The following policy sets out the Practices approach to the Freedom of Information (FOI] Act 2000.

The practice will:

• Comply with the FOI Act and sees it as an opportunity to enhance public trust and confidence in the practice
• Ensure that there is always one person with overall responsibility for FOI.  Currently this person is Dr P Bahalkar.
• Maintain a comprehensive ‘Publication Scheme’ that provides information which is readily accessible without the need for a formal FOI Act request.
• Seek to satisfy all FOI Act requests promptly and within 20 working days.  However, if necessary we will extend this timescale to give full consideration to a public interest test.  If we do not expect to meet the deadline, we will inform the requester as soon as possible of the reasons for the delay and when we expect to have made a decision
• Continue to protect the personal data entrusted to us, by disclosing it only in accordance with the GDPR & Data Protection Act 1998
• Provide advice and assistance to requesters to facilitate their use of FOI Act.  We will publish our procedures and assist requesters to clarify their requests so that they can obtain the information that they require.
• Work with the Integrated Care Board, NHS England, the local Area Team and other bodies with whom we work to ensure that we can meet our FOI Act obligations, including the disclosure of any information that they hold on our behalf.
• Apply the exemptions provided in the FOI Act and, where qualified exemptions exist, the practice will disclose the information unless the balance of public interest lies in withholding it.
• Consult with third parties before disclosing information that could affect their rights and interests.  However, according to the FOI Act, the practice must take the final decision on disclosure
• Charge for information requests in line with the FOI Act fees regulations or other applicable regulations, including the GDPR & Data Protection Act 1998
• Record all FOI Act requests and our responses and will monitor our performance in handling requests and complaints
• Ensure that all staff are aware of their obligations under FOI Act and will include FOI Act education in the induction of all new staff

References

• The Freedom of Information Act 2000
• ICO Guide to FOI
• Download: ICO Doctors’ Guidance (PDF)(reproduced below for information)

Guide to information provided by GPs under the model publication scheme

National Data Opt-Out (NDO-O) was introduced along with the Data Protection Act 2018 and GDPR on 25 May 2018. This followed recommendations from the NDG that patients should be able to opt-out of their personal confidential data being used for purposes other than their direct medical care.

The NDG states that, “A patient should be able to state their preference once (online or in person), confident in the knowledge that this will be applied across the health and social care system.”

Further reading can be sought from the National Data Opt–Out Guidance document.

NDO-O only applies to general practices in England.

1.1 – Compliance and Understanding the National Data Opt-Out

NHS Digital provides information for GP practices regarding compliance with and understanding of the National Data Opt-Out. The main points are detailed in this chapter.

1.2 – Setting or Changing an Opt-Out choice

The NDO-O allows a patient to choose if they do not want their confidential patient information to be used for purposes beyond their individual care and treatment – for research and planning.

Anyone who has an NHS number and has registered for care or treatment with the NHS in England can set an opt out if they wish to, even if they do not currently live in England. A patient must register their choice to opt out only once, and that registration applies to all healthcare settings and organisations, not just general practice. An opt out choice can be changed at any time by the patient or their proxy.

Opt-outs can be notified using one of the following:

• Online service – Patients registering need to know their NHS number or their postcode as registered at their GP organisation.
• Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
• NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
• ‘Print and post’ registration form. It can take up to 14 days to process the form once it arrives at National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 9TZ
• Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings Guidance is available on NHS Digital and a Proxy form is available to assist in registration.

1.3 – Patients who can set an opt-out choice on behalf or someone else

A third party can set an opt-out choice on behalf of a patient, by proxy, if:

• They are the parent or legal guardian of the patient who is a child aged 12 or under
• They have a formal legal relationship with the patient for example they have legal power of attorney or are a court appointed deputy

They can only do this using the ‘print and post’ service.

1.4 – Upholding the opt-out and declaring compliance

As the NDO-O policy applies to nearly all organisations, they need to uphold patient choices to opt out by removing the records of any patient before using or disclosing information other than for the purpose of that patient’s immediate healthcare.

The Data Security and Protection (DSP) Toolkit includes an item on compliance with the NDO-O. This requires organisations to self-declare their compliance (or otherwise) with the policy and provide a clear public statement to this effect.

Further reading can be sought in the Data Security and Protection Handbook.

1.5 – Compliance and Implementation Guide

The national data opt-out compliance and implementation guide takes users through the steps they need to follow to achieve compliance by the revised date of 31 July 2022.

Before doing so, it presents a checklist of the process and advises that users should consider:

• How long it will take to be compliant (the advice and guidance of the organisation’s DPO will be invaluable in making this assessment)
• Who should be involved in the implementation

The guide outlines the five steps that need to be taken to achieve compliance. However, as step 2, implementing a technical solution, will be carried out by clinical system suppliers on behalf of GP organisations, they do not need to implement step 3, i.e., set up the technical solution and use the Message Exchange for Social Care and Health (MESH) which accesses the Check for National Opt-Outs Service.

Step 1	Assess data disclosures and update procedures
Step 2	Decide whether to implement a technical solution. Note the four principal GP system suppliers have been commissioned to assist GP organisations to comply with the NDO-O by developing and embedding a technical solution in their systems.
Step 3	Set up the technical solution and use the Message Exchange for Social Care and Health (MESH) which accesses the Check for National Opt-Outs Service. Organisations only need to consider doing this if they hold and generate patient data reports using a system/software other than their clinical system.
Step 4	Implement new processes. This suggests that a Data Protection Impact Assessment (DPIA) should be completed using the format shown at the link which is based on the ICO template. It is strongly advised that completion of the DPIA is left to the organisation’s DPO.
Step 5	Plan communications and declare compliance. This step requires organisations to consider communications and to declare compliance: Internally with all staff Externally with patients including updating the organisation’s website and privacy notice using a suggested wording With other organisations with which the organisation works who may be affected by the organisation becoming compliant with the NDO-O Decide the date to declare compliance Declare compliance

1.6 – Understanding if the data you use or disclose is in scope

This understanding is covered by a series of 10 questions that organisations need to ask themselves:

1. Is the use or disclosure for individual care or research and planning?
2. Is the use or disclosure confidential patient information?
3. Does the organisation have explicit consent for the use or disclosure?
   Note that the NDO-O does not apply where explicit consent has been obtained from the patient for a specific purpose and that there are also three other main exemptions:
   – Communicable diseases and risks to public health, such as the COVID-19 pandemic
   – Overriding public interest
   – Information required by law or court order
4. Is the disclosure for the purpose of the monitoring and control of communicable disease or other risks to public health? If it is, NDO-O does not apply
5. Is the information being disclosed because of a legal requirement?
6. Is the use or disclosure in the overriding public interest?
7. Is the legal basis for the use of disclosure Section 251 approval?
8. Is the use or disclosure to an arms-length body?
9. Is the disclosure to NHS Digital?
10. Is the use or disclosure to support payment and invoice validation?

What is GDPR?

GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.

The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:

• Practices must comply with subject access requests
• Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
• There are new, special protections for patient data
• The Information Commissioner’s Office must be notified within 72 hours of a data breach
• Higher fines for data breaches – up to 20 million euros

What is ‘patient data’?

Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.

What is consent?

Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.

Individuals also have the right to withdraw their consent at any time.

The GDPR came into effect in the UK on 25 May 2018. We are the guardians of health and care data in England, and have made sure we comply with GDPR. This means that your health and care data will carry on being handled securely and in line with the regulations.

Impact on customers and stakeholders

Our systems and services have not changed and there has been no impact on our service delivery.

Impact on the public whose data we hold

Our duty to safeguard patient data has not changed and is our priority. The GDPR creates some new rights for individuals and also it strengthens some of the rights that currently exist under the DPA. We have worked to make sure that these rights are properly implemented, and any changes in the ways we collect, store or share your data are communicated through the website.

For more details please read:

Data Protection Policy

Access to Medical Record

Privacy Policy

Introduction

1.1 – Policy Statement

The law states that organisations must, when requested by an individual, give that person access to their personal health information and, occasionally, certain relevant information pertaining to others. To do this, they must have procedures in place that allow for the easy retrieval and assimilation of this information.

The purpose of this document is to ensure appropriate procedures are in place at Godiva Group of Practice’s to enable individuals to apply for access to health records (commonly referred to as a medical record), whether online or by requesting a copy, and to enable authorised individuals to apply for access to information held about other people by making a subject access request (SAR).

This is particularly relevant to the administration and reception staff; however, all staff should be aware of the available online services and SAR process and be able to advise patients, relatives and carers of the appropriate process.

Failure to comply with the policy and any associated breaches of patient data or confidentiality could lead to prosecution or imposition of penalties by the Information Commissioner’s Office (ICO).

Access to medical records can be provided via:

• An online portal linked to the organisation’s webpage
• A variety of NHS approved apps
• A written SAR including email and/or through social media

This policy is written in conjunction with the following government legislation:

• Access to Health Records Act 1990
• Access to Medical Reports Act 1988
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Data Protection (Subject Access Modification) (Health) Order 2000
• Mental Capacity Act 2005

Throughout this document, references have been taken directly from the ICO.

1.2 – Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the organisation such as agency workers, locums and contractors.

Definition of Terms

2.1 – Personal Identifiable Data (PID)

The ICO states that this is information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.

The UK General Data Protection Regulation (GDPR) definition provides for a wide range of personal identifiers to constitute personal data including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

2.2 – Prospective Access

Future (prospective) records access means access to information and data added to the patient record from a set date onwards. This may be the date that a patient joined the practice or from a date when access has previously been granted.

Patients are being given online account access to their future, or prospective, full general practice health record including free text, letters and documents. Patients will see new information once it is entered or filed onto their record in the clinical system. Patients will not see their historic or past health record information unless they have already been given access to it by their general practice

NHS Digital provides full guidance here.

2.3 – Proxy Access

Proxy access refers to access to online services by somebody acting on behalf of the patient and usually with the patient’s consent, by somebody other than the patient for example the patient’s parent or carer.

Details for when proxy access might be enabled can be found in this RCGP guidance document.

2.4 – Lasting Power of Attorney

A lasting power of attorney (LPA) is a legal document that lets the patient appoint one or more people (known as ‘attorneys’) to either to help make any decisions or to make any decision on the persons behalf.

For further information about this including how to make, register or end an LPA, see here.

2.5 – Responsible Clinician

The responsible clinician is the most appropriate health professional to deal with the access request who is the current or more recent responsible professional involved in the clinical care of the patient in connection with the aspects of information that are the subject of the request. When there is more than one such professional, the most suitable should advise.

2.6 – Sensitive Personal Data

The UK GDPR refers to sensitive personal data as “special categories of personal data”.

The special categories specifically include revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data (when processed to uniquely identify an individual), data concerning health or data covering an individual’s sex life or sexual orientation.

Personal data relating to criminal convictions and offences is not included but similar extra safeguards apply to its processing.

Right to Access

This organisation ensures that all patients are aware of their right to access their data and has privacy notices displayed in the following locations:

• Waiting room
• Organisation website
• Organisation information leaflet

To comply with the UK GDPR, all organisation privacy notices are written in a language that is understandable to all patients and meets the criteria detailed in Articles 12, 13 and 14 of the UK GDPR. There are privacy notices for both the Practice and Children.

The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them. In addition, data subjects can authorise third party access, e.g., for solicitors and insurers, under the UK GDPR.

Detailed information about access for third parties can be found at Chapter 10.

Patient Access to Online Medical Records

4.1 – Background

Patient Online was designed to support GP organisations offering and promoting an online service to their patient population. The service is referred to as GP online services and is offered to patients in addition to telephone and face-to-face interactions at GP organisations.

As of 31 October 2023, all patients should have been granted online access to their full record, , with new registrants of an organisation having full online access to the digital record for their prospective information starting from the date of their registration for online services.

The NHS Digital document titled Online access to GP health records details how patients with online accounts such as the NHS App will be able to read new entries, including free text, in their health record. This change only applies to future (prospective) record entries and not historic data.

The following links provide supporting information to enable understanding and implementation:

• RCGP GP Online Services toolkit
• NHS Digital
  • Videos to explain key topics
  • Learning from the early adopter sites
  • Essential communication materials and practice readiness checklist for general practice to use to inform their patients and to ensure practices can confidently complete a range of necessary actions that includes staff training and a review of relevant policies and processes
• NHS England Practice guidance Offering patients prospective record access

The organisation will need to be mindful that this level of access will be the default for all patients within the clinical system. It is therefore imperative that organisations know how to manage their workflows ensuring sensitive information is redacted as it is entered onto the clinical system or, in rare circumstances, know when it may be inappropriate to give a patient access to their record. Patients will see new information once it is entered or filed onto their record in the clinical system.

In addition to the detailed coded record, access to a full patient record includes free text consultation notes and documents, i.e., hospital discharge letters, referral letters etc.

4.2 – Registering for online services

At this organisation, staff are to remind patients that GP online services are free and available to all registered patients.  NHS England has published a number of guides and leaflets that provide further detailed information about how patients can access their health record online.

Patients who wish to register for online services to book or cancel appointments, order repeat prescriptions and view their medical records and clinical correspondence online are to complete the registration form at Annex A. Note that this will be for retrospective access as prospective information moving forward will already be available.

Additionally, those applicants wishing to apply for access to retrospective information held about other people must complete the appropriate sections on the registration form also at Annex A and the application should be processed in line with the requirements outlined in the proxy access and third-party requests section.

For those patients unable to visit their own GP organisation, NHS Digital provides access to sign up for online services here where there is a requirement to provide appropriate identification using a mobile phone as part of the process.

Prospective access to full records is subject to the same safeguarding information requirements as applied to DCR access. Requests for access can be refused and further detail is provided in the refusal to comply with a request and coercion sections.

Unlike registration, ID verification is required to ensure that online access is granted only to the patient or their authorised representative(s). All patients will be requested to provide two forms of ID verification in line with NHS England’s Good Practice Guidance on Identity Verification and the organisation accepts appropriate forms of ID outlined in the identity verification section.

Completed documentation will be reviewed by the responsible clinician for processing including the review of the online records for third party references and any information that may cause harm or distress to the patient/applicant that may need to be hidden from online access using confidentiality policies (see Third party information and Non-disclosure sections).

For all applications, requesters should be advised that it will often take several days to process any online service request.

4.3 – Post Registration

Once a patient has registered at the organisation (if not registered via NHS APP) and the request has been processed, they are to be issued with a letter that includes their unique username, password and instructions on how to access the online services.

Only the completed registration form should be scanned into the individual’s healthcare record.

4.4 – Guidance documentation

Further detailed guidance in relation to registering patients for online services can be found here.

Summary Care Records (SCR)

5.1 – About

Summary Care Records (SCR) are an electronic record of important patient information created from GP medical records. They can be seen and used by authorised staff in other areas of the health and care system involved in the patient’s direct care.

Access to SCR information means that care in other settings is safer, reducing the risk of prescribing errors. It also helps to avoid delays to urgent care. At a minimum, the SCR holds important information about:

• Current medication
• Allergies and details of any previous bad reactions to medicines
• The name, address, date of birth and NHS number of the patient

Further reading can be sought from NHS Digital’s Summary Care Records.

Additional information in the SCR, such as details of long-term conditions, significant medical history or specific communications needs, is now included by default for patients with an SCR unless they have previously told the NHS that they do not want this information to be shared.

Should a patient not wish to have any additional information shared, they can complete the SCR patient consent preference form.

Further reading can be sought from NHS Digital’s Additional information on the SCR and a patient information for additional or enhanced summary care records can be found in this poster.

5.2 – National Care Records Service (NCRS)

The platform to authenticate SCR applications (SCRa) is a legacy system and has been switched over to the National Care Records Service (NCRS).

Further information including guidance on what is needed to be undertaken and the benefits of having NCRS can be found at the NHS Digital webpage titled Switching over from SCRa to NCRS.

5.3 – COVID-19 and SCR

To help the NHS to respond to the coronavirus (COVID-19) pandemic, there is currently a temporary change to the SCR that includes COVID-19 specific codes in relation to the suspected, confirmed, shielded patient list and other COVID-19 related information. This information is also retained in the additional information.

Further reading can be sought from NHS Digital’s document titled Summary Care Records – Information for Patients.

Third-Party Requests for Medical Information

6.1 – About

Many requests for medical information would be via a SAR and these would ordinarily be received by either the patient or their representative, or from a solicitor or insurer.

However, requests for medical information can also be received by other means, such as private healthcare providers. In these instances the request would not necessarily be received via a SAR, instead it may simply be a letter that includes the patient’s consent to release the required information.

To promote safer data protection working practices, upon receipt of any request and even with a signed consent form, this organisation will contact the subject (patient) to confirm that this request is bona fide.

6.2 – Subject Access Requests (SAR) to Medical Records

In accordance with Article 15 of the UK GDPR, individuals have the right to access

their data and any supplementary information held by this organisation. Further detailed information is available in the UK GDPR Policy.

SARs are predominantly used for access to, and the provision of, copies of medical records. This type of request need not always be in writing (e.g., letter, e-mail). However, applicants should be offered the use of a SAR application form which allows for the explicit indication of the required information.

The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them. In addition, data subjects can authorise third party access, e.g., for solicitors and insurers, under the UK GDPR.

When a data subject (individual) wishes to access their data, they are to be encouraged to use the SAR form which can be found at Annex B. All staff must note that the ICO states, “An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data”.

Furthermore, SARs can be submitted online or via social media as detailed within the NHS webpage titled How to get your medical records. Any requests not using the SAR form will still be processed.

To request a SAR, the requester must be:

• The data subject OR
• Have the written permission of the data subject OR
• Have legal responsibility for managing the subject’s affairs to access personal information about that person, such as a lasting power of attorney (LPA)

It is the requester’s responsibility to satisfy this organisation of their legal authority to act on behalf of the data subject. The organisation must be satisfied of the identity of the requester before they can provide any personal information (see Identity verification section).

Requests may be received from the following:

• Competent patients
  • May apply for access to their own records or authorise third party access to their records.
• Children and young people
  • May also apply in the same manner as other competent patients. This organisation will not automatically presume a child or young person has capacity under the age of 16. However, those aged 13 or over are expected to have the capacity to consent to medical information being disclosed.
  • Note the BMA guidance titled Access to health records states the age is 12, although it is 13 with UK GDPR and also that age in the CQC GP Mythbuster 8: Gillick competency and Fraser guidelines.
• Parents
  • May apply to access their child’s health record providing this is not in contradiction of the wishes of the competent child.
  • Further guidance on parental access to a child’s healthcare records is detailed within the BMA guidance titled Children and young people ethics toolkit and at Section 10.4.
• Individuals with a responsibility for adults who lack capacity
  • Are not automatically entitled to access the individual’s health records. This organisation will ensure that the patient’s capacity is judged in relation to the particular decisions being made.
  • Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act 2005 in England and Wales and the Adults with Incapacity Act in Scotland.
• Next of kin
  • Have no rights of access to health records.
• Police
  • In all cases, the organisation can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statutes (e.g., Road Traffic Act 2006).
  • Nevertheless, health professionals have a power under the Data Protection Act 2018 and the Crime Disorder Act 1998 to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:
    • To protect the patient or another person’s vital interests, or
    • For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g., when the seriousness of the crime means there is a pressing social need for disclosure)
  • Only information that is strictly relevant to a specific police investigation should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.
• Court representatives
  • A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied when the responsible clinician is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
• Patient representatives/solicitors
  • A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf for copies of their medical records.
  • This organisation may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. It is important to stress to the patient that under a SAR, all health records are provided unless a specific time period is stated and patients should be mindful of giving access to this level of health data.
  • Solicitors who are acting in civil litigation cases for patients should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society. If a consent form from the patient is not received with the application form then no information must be provided until this has been received.
• Requests for insurance medical reports
• SARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at this organisation is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report.
• In most cases, the requester will provide the patient’s signed consent to release information held in their health record. The BMA have issued guidance on requests for medical information from insurers.
• Therefore, this organisation will contact the patient to explain the extent of disclosure sought by the third party. The organisation can then provide the patient with the medical record as opposed to the insurer. The patient is then given the opportunity to review their record and decide whether they are content to share the information with the insurance company.
• Insurers are to be advised that the following fees are applicable and as detailed within BMA Guidance Fees:
  • GP report for insurance applicants £120
  • GP supplementary report £25.00
• It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the organisation’s SAR form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e., driving licence or passport. Fees may vary depending on requests. Please speak to reception staff for more details.
• Further reading can be sought from the BMA’s Access to health records guidance.

6.3 – Processing a SAR request

Upon receipt of a SAR, a record of this is to be detailed within the health record of the individual to whom it relates. Once the request is received, reception staff will contact the patient and ask to complete the practice access to medical form. Once processed, another entry onto the health record should be made, including the date the record was collected by the patient. Patient will be advised to keep a copy of the record and if a further request for the copies of the record is made then there will be a charge of £50.

Under the Data Protection (Subject Access Modification) (Health) Order 2000, an appropriate healthcare professional (responsible clinician) manages all access matters. Whenever possible, the healthcare professional most recently involved in the care of the patient will review and deal with the request. If, for some reason, they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.

To maintain UK GDPR compliance, the data controller will ensure that data is processed in accordance with Article 5 of the UK GDPR and will be able to demonstrate compliance with the regulation (see the organisation’s UK GDPR Policy for detailed information).

Data processors will ensure that the processing of personal data is lawful and at least one of the following applies:

• The data subject has given consent to the processing of his/her personal data for one or more specific purposes

• Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract

• Processing is necessary for compliance with a legal obligation to which the data controller is subject

• Processing is necessary to protect the vital interests of the data subject or another natural person

Individuals will have to verify their identity. It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. Further information can be sought from the NHS England document titled Good practice guidance on identity verification  and the Identity verification section.

The process upon receipt of a SAR form is illustrated at Annex E which is an aide-memoire/flow diagram for staff. A poster explaining how to access health records for use in waiting room areas can be found at Annex F.

6.4 – Timeframe for responding to requests

In accordance with the UK GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the SAR.

To ensure full compliance regarding SARs, this organisation will adhere to the guidance provided in the UK GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the applicant must be informed in the first month and the reasons for the extension given.

Should the request involve a large amount of information, the data controller will ask the data subject to specify what data they require before responding to the request. Data controllers are permitted to ‘stop the clock’ in relation to the response time until clarification is received.

Further reading can be found in the BMA document titled Access to health records.

6.5 – Fees

With regard to the UK GDPR, SARs are generally free of charge. Only if the SAR is ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged although the circumstances when a fee can be charged are rare and should be on a case-by-case basis.

The ICO has advised that a request could be deemed as ‘excessive’ if an individual was to receive information via a SAR and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee or refuse the request. Postage costs for SARs should not be charged for unless they are ‘unfounded or excessive’.

Further reading can be found in the BMA document titled Access to health records.

6.6 – Method of response to requests

The decision on what format to provide the requested information in should take into consideration the circumstances of the request and whether the individual can access the data in the format provided.

Should an individual submit a SAR electronically, this organisation will reply in the same format (unless the data subject states otherwise).

When the patient/applicant requests their information to be emailed to them, it is strongly recommended that the organisation explains to the patient/applicant the risks (for example, unauthorised interception of the data) of receiving the data via unencrypted means to a non-NHS email address. The organisation should document the patient’s agreement (expressed in writing or via email) to receive their data via unencrypted means in the medical record. If the patient/applicant agrees, a USB stick or a CD can be used as alternative electronic formats.

For those requests that are not made electronically, a paper copy can be provided unless the patient has explicitly requested a different format.

6.7 – Amendments to medical records

Records should not be amended because of a request for access. Indeed, it is a criminal offence under the Data Protection Act 2018 to amend or delete records in response to a SAR. If amendments are made between the time that the request for access was received and the time at which the records were supplied, these must only be amendments that would have been made whether or not the request for access was made. When dealing with a SAR, the most up to date information should be provided.

Information that is clinically relevant must not be deleted from medical records (for electronic records, information can be removed from display but the audit trail will always keep the record complete). Amendments to records can be made provided the amendments are made in a way that indicates why the alteration was made so that it is clear that records have not been tampered with for any underhand reason.

Patients may also seek correction of information that they believe is inaccurate (see the Disputes concerning content of records section).

6.8 – iGPR

When a request is received via iGPR, it should be processed in accordance with the organisation’s iGPR protocol. iGPR will automatically find and redact items in a record that should not be included. To ensure all relevant attachments are included in the report (including any hard copies that are not within the patient’s electronic healthcare record), the report should not be processed on iGPR until it is certain that the entire record has been scanned into the patient’s record within the clinical record system.

Once this has been confirmed, the request can be processed but the staff member processing the request must then assign the report to the responsible clinician who will review this and confirm accuracy before agreeing it can be sent using iGPR.

Further information, including training videos and infographics for iGPR, can be sought here.

6.9 – Organisation disclaimer

The template at Annex G is to be used when issuing patients with copies of their medical records. This outlines the fact that the patient is responsible for the security and confidentiality of their records once they leave the organisation and that the organisation will not accept any responsibility for copies of medical records once they leave the premises.

Refusal to comply with a request

This organisation will only refuse to comply with a SAR when exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations, the data controller will inform the individual of:

• The reasons why the SAR was refused
• Their right to submit a complaint to the ICO
• Their ability to seek enforcement of this right through the courts

Each request must be given careful consideration and, should it be refused, this must be recorded and the reasons for refusal justifiable.

Being the data controller, the ICO details that an organisation has the right to refuse any online access or SAR although any such refusal will be within the allotted timescale and the reasons for the refusal will be given.

A letter template for refusal can be found at Annex I.

There are occasions when a healthcare professional may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals or when the record contains information relating to a third party. This information can be redacted from the patient’s view but must not be deleted from the record (see non-disclosure section). If system functionality to redact information is not available, the record should not be shared with the patient.

Further reading can be sought from the GMC document titled When you can disclose personal information.

Coercion

The risks of coercion of patients with online access should always be borne in mind. Patients may be forced into sharing information from their record including log-in details, medical history, repeat prescription orders, appointment booking details and other private, personal information. By gaining access to a person’s record, an abuser may gain further control or escalate harm.

Registering patients for online services requires awareness of the potential impact of coercion and children, adults in an abusive relationship and the elderly or otherwise vulnerable adults can all be victims. Access to a patient’s health record can be particularly attractive to an abusive partner, carer or parent.

All staff involved in registering patients for online services are aware of the potential impact of coercion and the signs to look out for to help patients who might be subject to coercion.

Further reading on coercion can be sought within the Home Office webpage titled Domestic abuse: how to get help can provide guidance on actions that can be taken should coercion be suspected.

Non-disclosure

The UK GDPR provides for several exemptions in respect of information falling within the scope of a SAR. In summary, information can generally be treated as exempt from disclosure and should not be disclosed, if:

• It is likely to cause serious physical or mental harm to the patient or another person
• It relates to a third party who has not given consent for disclosure (when that third party is not a health professional who has cared for the patient) and after considering the balance between the duty of confidentiality to the third party and the right of access of the applicant, the data controller concludes it is reasonable to withhold third party information
• It is requested by a third party and the patient had asked that the information be kept confidential or the records are subject to legal professional privilege, or, in Scotland, the records are subject to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation. In such cases, the information will be exempt if, after considering the third party’s right to access and the patient’s right to confidentiality, the data controller reasonably concludes that confidentiality should prevail or it is restricted by order of the courts
• It relates to the keeping or using of gametes or embryos or pertains to an individual being born because of in vitro fertilisation
• In the case of children’s records, disclosure is prohibited by law, e.g., adoption records

The data controller must redact or block out any exempt information. Depending on the circumstances, it may be that the data controller should take steps to explain to the applicant how the relevant exemption has been applied. However, such steps should not be taken if, and insofar as they would, in effect cut across the protection afforded by the exemptions. Indeed, in some cases even confirming the fact that a particular exemption has been applied may itself be unduly revelatory (e.g., because it reveals the fact that the information sought is held when this revelation is itself is unduly invasive of relevant third-party data privacy rights). There is still an obligation to disclose the remainder of the records.

While the responsibility for the decision as to whether to disclose information rests with the data controller, advice about serious harm must be taken by the data controller from the responsible clinician. If the data controller is not the responsible clinician, then the appropriate responsible clinician needs to be consulted before the records are disclosed. This is usually the healthcare professional currently or most recently responsible for the clinical care of the patient in respect of the matters that are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another healthcare professional who has suitable qualifications and experience.

Circumstances in which information may be withheld on the grounds of serious harm are extremely rare and this exemption does not justify withholding comments in the records because patients may find them upsetting. When there is any doubt as to whether disclosure would cause serious harm, the BMA recommends that the responsible clinician discusses the matter anonymously with an experienced colleague, their Data Protection Officer (DPO), the Caldicott Guardian or a defence body.

Proxy Access

10.1 – Proxy access to medical records

Some patients find it helpful for a second person to have access to their online GP record.  This is often a family member, medical next of kin, a close friend or a carer whom they trust to act on their behalf. The patient can, however, limit which online services they want the nominated individual to access.

This is called proxy access and arises in both adults and children and is dealt with differently according to whether the patient has capacity or not.

Proxy access should not be granted where:

• The organisation suspects coercive behaviour (See Coercion chapter)

• There is a risk to the security of the patient’s record by the person being considered for proxy access

• The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily; this should be recorded in the patient’s record

• The responsible clinician assesses that it is not in the best interests of the patient and/or that there are reasons as detailed in denial or limitation of information

The arrangement for proxy access may be formal or informal and this is detailed in the NHS England document titled Proxy Access. Further reading on this subject can be found in the NHS Digital document titled Linked profiles and proxy access.

A more formal approach can be to delegate a lasting power of attorney (LPA). Further information about LPA scan be sought from Chapter 11.

Detailed patient guidance can be found at the NHS E document titled Accessing GP services for someone else, with proxy access.

10.2 – Proxy access in adults with capacity

Under the Data Protection Act 2018, patients over the age of 13 are assumed to have mental capacity to consent to proxy access. When a patient with capacity gives their consent, the application should be dealt with on the same basis as the patient.

Annex C is a consent form to allow nominated persons with capacity access to specific areas of a named person’s medical records.

This form can be used for a named proxy to simply book an appointment or order medication, or for greater access such as to have access to obtaining test results or consultations. The form has tick boxes that specifically allow a named person to have partial or full access to the named person’s healthcare information. This form must be signed by the patient prior to being considered valid. Any concerns with regard to coercion must be discussed with the safeguarding lead.

It should be noted that this form does not permit any third party individual to make healthcare decisions on behalf of the named patient. Furthermore, the patient is responsible for this agreement and any changes or updates that may be required at a later date.

Chapter 12 details the requirement to confirm any third party’s identity.

For children and young people refer to Section 10.4.

10.3 – Proxy access in adults without capacity

Proxy access without the consent of the patient may be granted in the following circumstances:

• The patient has been assessed as lacking capacity to decide on granting proxy access and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian

• The patient has been assessed as lacking capacity to decide on granting proxy access and the applicant is acting as a Court Appointed Deputy on behalf of the patient

• The patient has been assessed as lacking capacity to make a decision on granting proxy access and, in accordance with the Mental Capacity Act 2005 code of practice, the responsible clinician considers it in the patient’s best interests to grant access to the applicant.

• When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, it is the responsibility of the responsible clinician to ensure that the level of access enabled, or information provided is necessary for the performance of the applicant’s duties

Annex D provides a template to support these requests.

10.4 – Children and young people’s access

It is difficult to say at what age the child will become competent to make autonomous decisions regarding their healthcare as between the ages of 11 and 16 this varies from person to person. In accordance with Article 8 of the UK GDPR, from the age of 13 young people can provide their own consent and will be able to register for online services.

It should be noted that the age is deemed to be 12 years in the BMA document Access to health records although this should always be assessed by the clinician as to whether they are deemed competent. The CQC’s GP Mythbuster 8: Gillick competency and Fraser guidelines advises that while there is no lower age limit, it would rarely be appropriate for a child under the age of 13 to consent to treatment.

For detailed guidance for children, the RCGP has raised a document titled Children and Young People which explores proxy access and how the child’s 11^th and 16^th birthdays act as specific milestones.

Proxy access without consent

The organisation may authorise proxy access without the patient’s consent when:

• The patient does not have capacity to make a decision on giving proxy access
• The applicant has a lasting power of attorney (health and welfare)
• The applicant is acting as a Court Appointed Deputy on behalf of the patient
• The GP considers it to be in the patient’s best interests

The person authorising access has responsibility to ensure that the level of access enabled is appropriate for the performance of the applicant’s duties.

The nominated individual is to complete the online services registration form at Annex A or the SAR application form at Annex B. Should the organisation opt not to grant the person access to an individual’s record, the responsible clinician will contact the patient and advise them of the reasons why this decision has been reached.

The organisation may refuse or withdraw formal proxy access at any time if they judge that it is in the patient’s best interests to do so.  Formal proxy access may be restricted to less access than the patient has, e.g., appointments and repeat prescriptions only.

Patients who choose to share their account credentials with family, friends and carers (including a care home) must be advised of the risks associated with doing so. Formal proxy access is the recommended alternative in all circumstances.

Further information on competency for children and young people can be sought in the Consent Policy.

10.5 – Parents gaining access to a child’s medical record

This organisation will allow parents access to their child’s medical records if the child or young person consents or lacks capacity and it does not go against the child’s best interests. However, if the records contain information given by the child or young person in confidence then this information should not normally be disclosed without their consent.

It should be noted that divorce or separation does not affect parental responsibility and therefore both parents will continue to have reasonable access to their children’s health records unless legally advised not to do so.

Further reading on this subject can be sought in the GMC document titled Accessing medical records by children, young people and parents. Likewise, there are sections on both separated parents and parental responsibility within The Safeguarding Handbook.

Lasting Power of Attorney

11.1 – About

A lasting power of attorney (LPA) is a legal document that allows individuals to give people they trust the authority to manage their affairs if they lack capacity to make certain decisions for themselves in the future.

To nominate an LPA, the person must be over 18 years old and have the ability to make their own decision (mental capacity). There are two types of LPA, the vast majority of LPAs deal with health and welfare although occasionally there may be a need to be involved with LPAs that property and financial affairs.

For further information about this including how to make, register or end an LPA, see here.

11.2 – Responding to an Access Request

When someone is applying for proxy access on the basis of an enduring power of attorney, an LPA or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian here.

Should an LPA have been granted, this will allow the nominee to access healthcare records for the patient that they are acting on behalf of. This may include sharing medical records with other third parties as they deem appropriate.

An example could be when a patient without capacity is in a care home. A template for this can be found at Annex D.

Should there be any concern about an LPA, then Government advice can be found here.

Identity Verification

12.1. – Requirement

Before access to health records is granted, the patient’s identity and the requestor’s identity in cases of proxy access requests must be verified. There are three ways of confirming patient identity:

• Documentation (forms of identification)
• Vouching
• Vouching with confirmation of information held in the applicant’s records

All applications will require formal identification through two forms of ID, one of which must contain a photo. Acceptable documents include passports, photo driving licences and bank statements but not bills. When a patient may not have suitable photographic identification, vouching with confirmation of information held in the medical record can be considered by the data controller or responsible clinician. This should take place discreetly and ideally in the context of a planned appointment.

It is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified.

12.2 – Adult Proxy Access Verification

Before the organisation provides proxy access to an individual or individuals on behalf of a patient further checks must be taken:

• There must be either the explicit informed consent of the patient or some other legitimate justification for authorising proxy access without the patient’s consent

• The identity of the individual who is asking for proxy access must be verified as outlined above

• The identity of the person giving consent for proxy access must also be verified as outlined above. This will normally be the patient but may be someone else acting under a power of attorney or as a Court Appointed Deputy

12.3 – Child proxy access verification

Before the organisation provides parental proxy access to a child’s medical records the following checks must be made:

• The identity of the individual(s) requesting access via the method outlined above
• That the identified person is named on the birth certificate of the child

In the case of a child judged to have capacity to consent, there must be the explicit informed consent of the child.

12.4 – How to set up a Proxy Access

NHS Digital’s Linked profiles and proxy access details how to add proxy users to the clinical system to allow parents, family members and carers to access health services on behalf of other people.

Deceased Patients

13.1 – Access to Deceased Persons Medical Records

The UK GDPR does not apply to data concerning deceased persons.  However, the ethical obligation to respect a patient’s confidentiality extends beyond death. There are several considerations to be considered prior to disclosing the health record of a deceased patient.

Such considerations are detailed in the Access to Health Records Act 1990. Unless the patient requested confidentiality while alive, under the terms of this Act, this organisation will only grant access to either:

• A personal representative (executor of the deceased person’s estate); or
• Someone who has a claim resulting from the death

Under section 5(4) of the Access to Health Records Act 1990, no information that is not directly relevant to a claim should be disclosed to either the personal representative or any other person who may have a claim arising out of the patient’s death.

It should be noted that the GP contract changed for 2022/23 and has now removed the requirement for practices to print and send copies of the electronic record of deceased patients to Primary Care Support England. Consequently as of 1 August 2022, requests for patients’ medical records via the Access to Health Records Act now lie with the organisation.

GP records of deceased patients are retained for 10 years after which time they will be destroyed as detailed within the Records Retention Schedule.

Further detailed information is available within the Access to Deceased Patients Records Policy and the Medical Protection Society article titled Disclosures after death.

13.2 – Chargeable fees for Deceased Patients

Legislative changes to the Data Protection Act 2018 have also amended the Access to Health Records Act 1990 which now states access to the records of deceased patients and any copies must be provided free of charge.

However, when health information is to be disclosed for the deceased in the absence of a statutory basis, e.g., when a solicitor or insurance company requests a medical report or information to confirm death or an interpretation of what is in the records, this is classed as private work over and above that which is already available in the record.

Any fees charged should be reasonable and proportionate to cover the cost of satisfying a request.

Further reading can be found in the BMA document titled Access to health records.

13.3 – Chargeable fees for a SAR

Should a SAR be initiated from a solicitor and they are asking for a report to be written or the request is asking for an interpretation of information within the record, this request goes beyond a SAR and therefore a fee can be charged. The organisation may ask the nature of the request from the solicitor to confirm if this should be charged for or not.

If the solicitor confirms that they are seeking a copy of the medical record, then this should be treated as a SAR and complied with in the usual way.  Fees are further detailed at Section 6.5 and within the BMA webpage titled Access to health records.

Employee Requests

Employees and ex-employees of the organisation have a right to request a copy of their personal data including employment record, occupational health records, complaints files, significant event files and any other relevant correspondence. Not all personal data that an organisation holds about an individual needs to be provided as certain exemptions exist.

For example, legally privileged documents do not need to be disclosed or when personal data is processed for the purposes of management forecasting or management planning in relation to business planning.

It is also worth bearing in mind that while the ICO advises that employers should be prepared to take reasonable efforts to find and retrieve the requested information, they will not be required to act unreasonably or disproportionately regarding the importance of providing subject access.

The requestor does not need to provide a reason for making a SAR, however they must state who they are and provide appropriate ID. The requestor should specify a date range, subject matter and the people who they believe have sent or received information about them.

An employer cannot refuse to supply information if documents provide third party references. These should simply be redacted on the copy provided to the requestor.

Article 15(1) UK GDPR states that an employer must provide the information requested together with certain additional information.

The additional information includes:

• The purpose for which the employer is processing the data

• Categories of the personal data being processed

• Who receives or has received the personal data from the employer

• How long the employer keeps personal data or the criteria used in deciding how long to keep the information

• Information about where the employer got the personal information from if that information was not collected directly from the employee

• If the employer does cross-border data transfers, information about how data security is safeguarded

• Whether the employer uses automated decision-making and profiling and, if so, details the auto-decision logic used and what this means for the employee

The procedure for employees or ex-employees undertaking a SAR follows the same process as detailed in the section Procedure for Access.

Article 15(3) UK GDPR states that on receipt of a SAR, the employer must give the requestor a copy of their personal information without charge but can charge a reasonable fee for additional requests. If the request is made by e-mail, then the employer must provide the information in a commonly used electronic format unless the requestor requires the information in a different format.

Further reading can be found in the ICO document titled How should we supply information to the requester?

Denial or Limitation of Information

Access will be denied or limited when, in the reasonable opinion of the responsible clinician, access to such information would not be in the person’s best interests because it is likely to cause serious harm to:

• The person’s physical or mental health, or
• The physical or mental health of any other person
• The information includes a reference to any third party who has not consented to its disclosure

A reason for denial of information must be recorded in the medical records and when possible and appropriate, an appointment will be made with the patient to explain the decision.

Third Party Information

Patient and organisational records may contain confidential information that relates to a third person. This may be information from or about another person. It may be entered in the record intentionally or by accident.

It does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters.

All confidential third party information must be removed or redacted. This will be reviewed and highlighted by the appropriate responsible clinician or data controller. If this is not possible then access to the information will be refused.

Former NHS Patients Living Outside the UK

Patients no longer resident in the UK have the same rights to access their information as those who still reside here and must make their request for information in the same manner.

Original health records should not be given to an individual to take abroad with them. However, this organisation may be prepared to provide a summary of the treatment given while resident in the UK.

Disputes Concerning Content of Records

Once access to records has been granted, patients or their proxy may dispute their accuracy or lack understanding of medical codes.

Patients or their proxy may notice and point out errors in their record, unexpected third party references and entries they object to or want deleted. The right of rectification and erasure is established within the UK GDPR.

Any queries will be directed to the data controller who will contact the patient. They will investigate swiftly and thoroughly to identify the source and extent of the problem.

The responsible clinician and Caldicott Guardian/data controller will then decide on the most appropriate action. When the dispute concerns a medical entry, the clinician who made the entry should be consulted and consideration given as to whether it is appropriate to change or delete an entry.

When it is not possible or practical to contact the clinician concerned, the Caldicott Guardian or data controller should be consulted. If it is not possible to amend the records, a meeting with the patient or their proxy should be organised to explain why.

Advice MUST be sought from the DPO should a patient wish to apply their UK GDPR rights of:

• Rectification (Article 16 UK GDPR)
• Erasure (Article 17 UK GDPR)
• Restriction of processing (Article 18 UK GDPR)
• Data portability (Article 20 UK GDPR)
• Right to object (Article 21 UK GDPR)

When it is not appropriate to amend a medical record, an entry may be made declaring that the patient disagrees with the entry. If the patient further disputes the accuracy once a decision has been made, they will be referred to the complaint’s procedure and/or the Health Ombudsman.

Complaints

This organisation has procedures in place to enable complaints about access to health records requests to be addressed and as detailed within the Complaints Procedure.

Specific for data complaints, the complainant may wish to take their complaint direct to the ICO. Alternatively, they may also wish to seek independent legal advice.

Guidance from the DPO should be sought should any data complaint be received.

Care Quality Commission (CQC)

This practice is committed to preserving, as far as is practical, the security of data used by our information systems. This means that we will take all reasonable actions to;

Maintain the Confidentiality of all data within the practice by:

• Ensuring that only authorised persons can gain access to our systems
• Not disclosing information to anyone who has no right to see it

Maintain the integrity of all data within the practice by:

• Taking care over input
• Ensuring that all changes are reported and monitored
• Checking that the correct record is on the screen before updating
• Reporting all apparent errors and ensuring that they are resolved

Maintain the availability of all data by:

• Ensuring that all equipment is protected from intruders
• Ensuring that backups are taken at regular, predetermined intervals
• Ensuring that contingency is provided for possible failure or equipment theft and that any such contingency plans are tested and kept up to date

Additionally we will take all reasonable measures to comply with our legal responsibilities under:

Data protection act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

The Health and Safety at Work Act (1992): https://www.hse.gov.uk/pUbns/priced/l24.pdf

The Access to Health Records Act (1990): https://www.legislation.gov.uk/ukpga/1990/23/contents

The following IT systems are in use at the practice:

• Referral Management (using NHS numbers in referrals)
• Electronic Appointment Booking (the facility to book routine appointments online and, similarly, to cancel appointments
• Online booking of repeat prescriptions
• Summary Care Record (uploading details of your current medication and allergies to the national “spine” so that these are available for doctors involved in your care elsewhere)
• GP to GP transfers (the electronic transfer of records from practice to practice when you re-register
• Patient Access to records (the facility to view your medical records online).

If you are not already registered for online access and would like to be please complete our online form.

If you would like access to your medical records enabled or would like to opt out of the local or national summary care record, please contact reception.