4
Individuals have a right to be informed about the processing of personal
data. This information should be freely available at no charge, except
in exceptional circumstances where requests are manifestly unfounded
or excessive, in particular because of their repetitive character. This
includes access to medical notes, where a charge was applied under
previous Data Protection legislation.
The protection of data subjects in relation to the processing of personal
data is a fundamental right. However, it is not an absolute right; it must
be considered in relation to other fundamental rights, in accordance
with the principle of proportionality. The NHS Orkney Data Protection
Policy sets out the conditions under which NHS Orkney may restrict
data subject’s rights.
Individuals have the right, under the General Data Protection
Regulations to request access to, or a copy of, information an
organisation holds about them. This information may be held on
computer, in a manual paper system, video, digital image, photograph,
x-rays, email, text message or by any other new or existing medium or
media. This is called a Subject Access Request (SAR).
Anyone making such a requested is entitled to be given a description
of:
Which data (categories) are being processed.
Details of the data controller, including contact details.
Contact details of the Data Protection Officer.
Purposes of the data processing, applicable legal basis and whether
there is a statutory or contractual requirement to process data.
Other organizations that data may be shared with.
Whether there is any data processing taking place outside of the EEA.
The retention period for the data categories.
Individual rights to rectification, erasure, withdraw consent/object/opt
out, data portability, ability to take complaints to the ICO.
Additionally, third parties such as family members or solicitors can act
as an agent on behalf of a data subject. When requests of this nature
are received there must be explicit consent from the data subject for
this agent to act on their behalf, or where this isn’t possible due to
issues with capacity, evidence of clear legal authority such as power of
attorney must be provided.
The General Data Protection Regulation applies only to living persons.
There are limited rights of access to personal data of deceased persons
under the Access to Health Records Act 1990.
Individuals wishing to make a Subject Access Request should be given
NHS Orkney’s Subject Access Request Form (Appendix A) and