Subject Access Requests
Policy
Policy Author: Freedom of Information Officer
Policy Owner (for updates): Freedom of Information Officer
Version Control
Version Number: Version 1.3
Date of Original Document: September 2018
Last Change and Approval Date: Updated addresses June 2019
Last Review Date: September 2018
Next Formal Review Date: September 2020
Location and Access to Documents
Location of master document: G Drive
Access to document for staff: Information Governance Blog
Post holders names at last review
FOI Officer: Jenna Johnston
Lizzy Walls
If you require this or any other NHS Orkney publication
in an alternative format (large print or computer disk for
example) or in another language, please contact the
Freedom of Information Officer
Telephone: (01856) 888220 or
Index
1 Introduction
2 Recognising and Subject Access Request
2.1 Receipt of a request
2.2 Requests from children
2.3 Requests from third parties
3 Acknowledge the request
3.1 Not able to verify identity of requester
3.2 Send acknowledgement of request
4 Seeking clarification
5 Compiling response information
5.1 Collating the Data – FOI Officer
5.2 Collating the Data – Departments
5.3 Potential Redactions
6 Collating a response
7 Approval process
7.1 Clinical data request
7.2 Non-clinical data request
8 Issuing a response
9 Recording Information
10 Reporting
11 Further information
APPENDICES
Appendix A Subject Access Request Form
Appendix B Subject Access Request Form - Guidance
Appendix C Identity verification letter template
Appendix D Acknowledgement letter template
Appendix E Clarification request letter template
Appendix F Final response letter template
Appendix G Subject Access Request process flow chart
Appendix H Data Protection – Health Records Request (SAR) Sign off
1 Introduction
Individuals have a right to be informed about the processing of personal
data. This information should be freely available at no charge, except
in exceptional circumstances where requests are manifestly unfounded
or excessive, in particular because of their repetitive character. This
includes access to medical notes, where a charge was applied under
previous Data Protection legislation.
The protection of data subjects in relation to the processing of personal
data is a fundamental right. However, it is not an absolute right; it must
be considered in relation to other fundamental rights, in accordance
with the principle of proportionality. The NHS Orkney Data Protection
Policy sets out the conditions under which NHS Orkney may restrict
data subjects’ rights.
Individuals have the right, under the General Data Protection
Regulation, to request access to, or a copy of, information an
organisation holds about them. This information may be held on
computer, in a manual paper system, video, digital image, photograph,
x-rays, email, text message or by any other new or existing medium or
media. This is called a Subject Access Request (SAR).
Anyone making such a request is entitled to be given a description
of:
o Which data (categories) are being processed.
o Details of the data controller, including contact details.
o Contact details of the Data Protection Officer.
o Purposes of the data processing, applicable legal basis and whether
there is a statutory or contractual requirement to process data.
o Other organizations that data may be shared with.
o Whether there is any data processing taking place outside of the EEA.
o The retention period for the data categories.
o Individual rights to rectification, erasure, withdraw consent/object/opt
out, data portability, ability to take complaints to the ICO.
Additionally, third parties such as family members or solicitors can act
as an agent on behalf of a data subject. When requests of this nature
are received there must be explicit consent from the data subject for
this agent to act on their behalf, or where this isn’t possible due to
issues with capacity, evidence of clear legal authority such as power of
attorney must be provided.
The General Data Protection Regulation applies only to living persons.
There are limited rights of access to personal data of deceased persons
under the Access to Health Records Act 1990.
Individuals wishing to make a Subject Access Request should be given
NHS Orkney’s Subject Access Request Form (Appendix A) and
associated guidance (Appendix B); it is not mandatory for a requester
to use this form.
2 Recognising and Receipt of a Subject Access Request
2.1 Receipt of a request
A Subject Access Request (SAR) can comprise many forms:
o Request to access any or all personal data held by NHS Orkney
o Request to rectify any inaccurate or incomplete information
o Request to be forgotten or to restrict processing
o Right to obtain information and reuse it for their own purposes
o Right to object to processing of personal information
A SAR can be made verbally (including by telephone), in writing, or
electronically. Data subjects or their agents are not obligated to use the
term “Subject Access Request”, or other relevant terms such as
“Subject Data Request” when making a request relating to their
personal data. If a data subject seems unsure how to make a request in
relation to their data, staff should direct them to the FOI Officer to assist
with this process. The Data Protection Officer can also provide advice.
A request may be received directly by the FOI Officer. A request may
also be received by other members of staff. All requests should be
forwarded to the FOI Officer using the Data Protection email address
[email protected] as soon as possible.
When a request is received by the FOI Officer it should be logged on
the current SAR log spreadsheet as soon as possible. This spreadsheet
can be found on the G: Drive in the GDPR folder.
All relevant details for the request and applicant should be added to the
spreadsheet.
A reference number shall be generated by the spreadsheet. If at this
stage it is possible to verify the identity of the data subject placing the
request, a deadline of one calendar month from the receipt date of the
request applies.
NHS Orkney will adopt a 28 calendar day internal deadline so as to
ensure compliance within the one month deadline.
If a request is received through the post, log the date the request was
received as the date the letter was received by NHS Orkney; this may
be several days after the date given on the letter.
2.2 Requests from children
Children have the same rights as adults regarding their personal data.
Requests placed by individuals in these circumstances should be
treated as full and legitimate requests as per the legislation, though
additional care should be taken to ensure that such individuals have
appropriate capacity when making these requests.
Further guidance on this can be found in NHS Orkney’s Data Protection
Policy.
2.3 Requests from third parties
A third party, e.g. a solicitor, may make a valid SAR on behalf of an
individual. However, where a request is made by a third party on behalf
of another living individual, appropriate and adequate proof of that
individual’s consent or evidence of a legal right to act on behalf of that
individual, e.g. power of attorney, must be provided by the third party.
3 Acknowledge the request
3.1 Not able to verify identity of requester
A SAR is not valid if the identity of the data subject requesting their
personal information cannot be verified.
Where it is not possible to verify the identity of a data subject,
individuals should be asked to complete NHS Orkney’s Subject Access
Request Form (Appendix A) accompanied by photocopies of one
official document or a countersignature. The official document must
show the data subject’s name, current postal address (where hard
copies are requested), date of birth and signature, for example: birth
certificate, driving licence, passport, medical card, bank statement,
utility bill, rent agreement. Ideally, this should be a photographic identity
document such as passport or driving licence.
An application can be countersigned by any one of the following:
Member of Parliament, Justice of the Peace, Minister of Religion, a
professionally qualified person (e.g. teacher, doctor, lawyer, engineer),
Bank Officer, Civil Servant, Police Officer or a person of similar
standing. A family member or relative should not provide a
countersignature.
An example of wording to be used when requesting this information is
provided within Appendix C.
If the original request contains enough information to verify the identity
of the data subject, or upon receipt of documents verifying their identity,
then an acknowledgement letter should be sent either via post or email.
Should there be no response to the request after 30 calendar days, a
reminder letter should be sent. If there is again no response to this
reminder then after an additional 30 calendar days the request can be
closed.
3.2 Send acknowledgement of request
If a request is received in person by the FOI Officer it is assumed that
NHS Orkney has acknowledged the request and provided details of the
time scales etc.
Requests for information received by email or post should be
acknowledged within 3 working days of receipt.
The acknowledgement of receipt should be sent by email unless the
applicant has not provided an email address in which case the
acknowledgement should be posted.
The request reference number and deadline dates should be provided
on the acknowledgement.
See Appendix D for the acknowledgement response template.
4 Seeking clarification
If the nature of the request is unclear, the individual should be
asked to provide clarification or more details, for example what
time scales to cover or what services or groups of staff they have
interacted with. Any request for clarification should be made as soon as
possible.
Applicants do not have to state their reason for the request and should
not be asked this question.
When asking for clarification bear in mind that the intention of the law is
for personal data to be owned by the data subject and our statutory
duty is to provide advice and assistance.
Once clarification is received from the applicant a new 30 working day
clock is started. Asking for clarification should never be used as a
delaying technique.
Please see Appendix E for templates to be used when requesting
clarification. Individual clarification requests should be treated differently
as some may require specific assistance.
Should there be no response to a request for clarification after 30 calendar
days, a reminder letter should be sent. If there is again no response to
this reminder then after an additional 30 calendar days the request can
be closed.
5 Compiling response information
5.1 Collating the Data – FOI Officer
For a subject access request, using information supplied by the data
subject, the FOI Officer should consider where information could be
held and ask relevant departments to conduct a search within the
parameters of the request details.
For all other requests, we must consider whether it is possible to
comply with the request. For example, if a person has asked to be
forgotten, we may need to consider applying an exemption. These
exemptions will apply on a case by case basis and advice should
always be sought from the Data Protection Officer. There may also be
technical barriers to complying. Any decision not to comply with a
request must be documented and must be explained to the requestor.
To ensure adequate time to collate a final response to the SAR in
compliance with the statutory deadline of one calendar month,
departments should be given a maximum of 21 calendar days to collate
information for the request and return it to the FOI Officer. The
timescale can be extended by up to 60 additional calendar days with
the express approval of the Senior Information Risk Owner or their
nominated deputy.
5.2 Collating the Data - Departments
Upon receiving a SAR from the FOI Officer, departments should begin
collating the relevant information as soon as possible, noting the
internal deadline of 21 calendar days given.
Departments should ensure, where relevant to the request, that both
electronic and manual filing systems are considered along with email,
digital records, telephone recordings and other media options.
Where possible information should be provided in a digital format to
assist with making copies.
Information must be in an intelligible form and explanations should be
provided for pseudonyms, abbreviations etc.
5.3 Potential Redactions
When collating personal data in response to a request, departments
should consider whether redactions need to be applied to components
of the information.
Redactions should be considered for the following:
o All clinical data should be reviewed by a relevant clinician and
consideration should be given to redacting any information likely
to cause serious harm to the mental or physical health of any
individual.
o Data and information held from other agencies may be disclosed
but should be discussed with the originating body first.
o A personal record may contain reference to third parties and
redaction of their information should be applied.
o Information should not be disclosed where there is a statutory or
court restriction on disclosure e.g. adoption records.
o References written for current or former employees are exempt
(but not those received from third parties).
In the event that a department requires assistance with the redaction
process they should contact the FOI Officer as soon as possible for
advice.
6 Collating a response
Following receipt of information from all relevant departments, a
response letter should be drafted by the FOI Officer following the
template (please see Appendix F).
Where redactions have been applied or exemptions used for all or part
of the data, an explanation for this should be included in the final
response.
The FOI Officer should always ensure that the correct contact details,
reference number, title and dates are entered on the response.
The response must always include details of how the requester can
complain to the ICO if they wish to.
7 Approval process
7.1 Clinical data request:
Hospital medical notes must be reviewed by a clinician prior to release.
The Medical Director or a deputy shall review the notes. The sign off
form must be completed by the reviewing clinician (see Appendix H).
Patient notes collated by departments such as physiotherapy, dietetics,
radiology shall be approved for release by a senior member of the
department.
7.2 Non-clinical request:
Collated information which is not clinical should be approved by the
Data Protection Officer (DPO) or Senior Information Risk Owner
(SIRO). If the DPO or SIRO are not present then their nominated
deputies should be consulted for approval instead.
If approval is not given initially the FOI Officer should make necessary
amendments based on comments and re-send amended response.
8 Issuing a response
Once approved the response can be issued to the requester. A few
points should be considered before issue:
o All of the requested data should be provided in a logical order, in
the format that the requester asked for if relevant, and in digital
or hard copy if not.
o If redacted documents are being provided extreme care should
be taken to ensure that the method of redaction cannot be
amended after issue.
o Digital responses should be provided in PDF format where
possible, and the PDF document password protected.
Passwords can be stored in the relevant SAR request folder.
o Medical notes must be sent out via recorded delivery. It is good
practice to double envelope.
o If medical notes are to be issued on a CD, the CD must be
encrypted and the relevant password must be issued in a
separate letter.
It is also important, if the thirty day deadline has passed, to always provide
an apology with the response.
9 Recording information
It is very important to collect correct information relating to each
request.
For performance reporting, management and audit purposes, as much
information as possible on the process followed should be collected for
every request.
Details of any exemptions used, date reply was sent, information
providers and approving managers should be recorded within the main
SAR log spreadsheet tab.
Information on exemptions used should be collected within the SAR log
spreadsheet.
10 Reporting
Quarterly reports on performance management must be sent to the
Information Governance Committee.
An annual report providing greater detail should be completed for the
Information Governance Committee.
11 Further details
Information Commissioner's Office
45 Melville Street
Edinburgh
EH3 7HL
Tel: 0303 123 1115
Appendix A: Subject Access Request Form
Please fill in this application form using BLOCK CAPITALS and black ink.
Section 1: Personal Details
Please fill in this section as fully and accurately as you can, with the personal
details of the person this access request is about. This will help us trace the
personal information you need.
First Name:
Last Name:
Address:
Postcode:
Date of Birth:
Home Phone Number:
Other Phone Number:
CHI (community health index) or hospital number (if known)
Email Address (this will only be used to process requests, we cannot send
confidential information by email)
If the person this access request is about has changed their name or lived at a
different address during the periods of treatment you are interested in seeing
information about, please provide these details.
Previous name:
Previous address:
Dates from and to:
Section 2: Information you want to access
Give details in the boxes below of the records or information you want to access,
e.g. ward, clinic, departments or services. Also give full details of the periods of
treatment or care you are interested in.
Ward, clinic, department, specialty or service
Dates from
Dates to
Section 3: Who is Applying For Access to the Information
Please tick the relevant box that applies:
o I am the person named in Section 1. Go to Section 6
o I have been asked to act on behalf of the person named in Section 1, and
that person has filled in Section 5. Go to Section 4
o I am the parent or guardian of the person named in Section 1, and that
person is under 16 years old and has a general understanding of what it
means to request access to personal information (in Scotland, the law
presumes this for children aged 12 years and above), and they have filled in
Section 5. Go to Section 4
o I am the parent or guardian of the person named in Section 1, and that
person is under 16 years old and is not able to understand the request.
Go to Section 6
o I have been appointed by the court to manage the affairs of the person
named in Section 1 and enclose proof of this (please provide a certified
copy). Go to Section 7
o I hold a welfare power of attorney in relation to the person named in Section
1 and enclose proof of this (please provide a certified copy). Go to Section 7
Section 4: Details of the Person Acting on Behalf of Others
You must fill in this section if the person named in section 1 has given you
permission to act on their behalf
Name: (Please print)
Address and postcode we should send a reply to:
Contact phone number:
Email Address (this will only be used to process requests, we cannot
send confidential information by email)
Now please complete Section 5
Section 5: Permission
You must fill in this section if you are the person named in Section 1 and you have
given the person named in Section 4 permission to act on your behalf.
I give you, NHS Orkney, permission to give _____________________________
(enter the name of the person acting on your behalf) the personal information
requested in this form. I have given them permission to act on my behalf.
Signature: ____________________________________ Date: / /
Print Name: ____________________________________
Now go to Section 6
Section 6: Identification/Countersignature
Everyone must complete this section UNLESS you are providing:
o A certified copy of a Power of Attorney document
o A certified copy of a Guardianship Order
The information we hold is confidential and we must get proof of your identity and
your right to receive any relevant information. There are two ways you can do this;
please place a tick in the relevant box next to your preferred option:
1 – Provide One Form of Identification (ID)
We require proof of identification and current address. The following is a list of
documents we will accept:
Proof of ID
o Copy of the identification/photographic page from a current passport
o Copy of the identification/photographic section of a current driving licence
o Other forms of photo ID including travel pass, work badge
Proof of Address
o Copy of a recent utility bill or bank statement
o Copy of current rental agreement
o Copy of recent pay slips
Please do not send original documents.
Any financial details can be redacted (blacked out) or removed.
OR
2 - Countersignature
The other way to confirm a person’s identity is by providing a countersignature.
You only need to confirm the identity of the person applying, and be a witness
when they sign the declaration (Section 7). You do not need to see the rest of the
form.
A family member or relative should not be asked to sign.
In some cases, we may ask the person applying for more documents as proof of
their identity.
I (write your full name) ____________________________
confirm that I have known (name of the person applying)
_____________________________ for _______ years, and I was present when
they signed the declaration.
Signature: Date: / /
Full Name:
Profession (for example teacher):
Address:
Postcode:
Phone Number:
Section 7: Declaration
You must sign this section and, if providing a countersignature to confirm your ID,
the person you have named in Section 6 (the counter signatory) must be present
when you sign.
Releasing information
Keeping personal information confidential and secure is extremely important to us.
We use recorded delivery to send documents by post. If you choose to collect the
information in person please ensure you have arranged a time with a member of
staff and bring along a form of identification with you (see description in Section 6
detailing what we will accept).
I confirm that the information I have given is correct and that I am entitled to apply
for access under the conditions of the General Data Protection Regulation 2016.
Signature: ____________________________________________
Print Name: ____________________________________________
Date: / /
Send your filled-in form to:
Email:
or
post:
Freedom of Information Officer
NHS Orkney
The Balfour
Foreland Road
Kirkwall
Orkney
KW15 1NZ
Appendix B: Subject Access Request Form Guidance
The General Data Protection Regulation (GDPR) gives people the right to know
what personal information an organisation has about them. To use this right, you
can make what is known as a ‘subject access request’ (SAR).
Only the following people may apply for access to personal information.
o The person who the information is about.
o Someone acting on behalf of the person who the information is about.
You have a right to know whether or not we have any information about you, and a
right to have a copy of that information. You have a right to know the following.
o What kind of information we keep about you.
o The reason we are keeping it and how we use it.
o Who gave us your information.
o Who we might share your information with and who might see your
information.
You also have the right to have any codes or jargon in the information explained.
You won’t be able to see information that could:
o cause serious harm to your physical or mental health, or anyone else’s
o identify another person (except members of NHS clinical staff who have
treated the patient), unless that person gives their permission.
If you need any more advice about your rights under the General Data Protection
Regulation, please contact NHS Orkney’s Data Protection Officer, or you can
contact the Information Commissioner’s Office:
Data Protection Officer
NHS Orkney
The Balfour
Foreland Road
Kirkwall
Orkney
KW15 1NZ
Phone – 01856 888055
The Information Commissioner’s Office
Scotland
45 Melville Street
Edinburgh
EH3 7JL.
Phone: 0131 244 9001
If you want to make a subject access request, please fill in the form attached.
Fee
Data will be provided free of charge. There may be a charge of a ‘reasonable fee’
when a request is manifestly unfounded or excessive, particularly if it is repetitive.
A reasonable fee may occur when complying with requests for further copies of the
same information. This does not mean that there will be a charge for all
subsequent access requests.
The fee must be based on the administrative cost of providing the information.
Response time
The statutory timescale set out in the General Data Protection Regulation (GDPR)
is one calendar month although we are able to extend the period of compliance by
a further two months where a request is complex or numerous. If we have any
problems getting your information we will keep you up to date on our progress.
How long records are kept
The usual rules to do with keeping records are that:
o adult general hospital records are kept for six years after the date of the last
entry;
o maternity records are kept for 25 years after the birth of the last child;
o children’s and young people’s records are kept until the child’s or young
person’s 25th birthday; and
o mental-health records are kept for 20 years after the date of the last contact.
This may help you in considering what types of records you are applying to see.
Points to consider
Making false or misleading statements to access personal information which you
are not entitled to is a criminal offence.
Accessing health records and information is an important matter. Releasing
information may in certain circumstances cause distress. You may want to speak to
an appropriate health professional before filling in the form.
We ask for proof of ID or a countersignature (see section 6) because we have
confidential information and we must get proof of your identity and your right to
receive any relevant information.
Notes to help you fill in the form
Personal information
Personal information is information we hold about people in medical records,
patient administration and information systems, clinical systems, and other
databases or files. We may hold personal information on paper or on computer.
Health professionals
An appropriate health professional may include your hospital doctor, nurse, midwife
or health visitor, dentist, optician, pharmacist, clinical psychologist, occupational
therapist, dietician, physiotherapist, podiatrist or speech and language therapist.
Section 1: Personal details
This is the person to whom the data relates. Please ensure that this section is
completed as fully and accurately as possible to enable us to trace all the required
information.
Section 2: Information you want to access
Please complete as much of this section as you can. Whether you wish to receive
all the information held or only information relating to one or more specific episodes
of care or treatment, it will help us to find your details with the minimum of delay.
The General Data Protection Regulation covers both manual (paper) and
computerised records.
If you wish to view the original record you will be invited to attend the hospital or
clinic at a convenient time, along with a health professional or appropriate other
person. If you wish to receive photocopies these will be produced within 30 days.
If you have only asked for a copy of the relevant records, the healthcare
professional responsible for your care may invite you to see them so that they can
explain the information in your record. You do not have to take up this invitation,
but it may be in your best interests to do so.
Section 3: Who is Applying for Access to the Information
The person making the application must complete this section.
o If you are the patient (see section 1 above) – sign then proceed to Section 6.
o If you are acting on behalf of others (see section 4 below) the organisation
will require the patient’s authorisation before data can be released. The
‘Permission’ section of the form must be signed by the patient (section 5). The
exception is if you have proof of authority – e.g. Power of Attorney/Welfare
Guardianship documents. If this is the case, a certified copy will need to be
provided.
o If the patient is a child, i.e. under 16 years of age, the application may be
made by someone with parental responsibilities; in most cases this means a
parent or guardian. If the child is capable of understanding the nature of the
application, his/her consent should be obtained or alternatively the child may
submit an application on his/her own behalf. Generally children will be
presumed to understand the nature of the application if aged between 12 and
16. However, all cases will be considered individually.
Section 4: Details of the Person Acting on behalf of Others
The applicant is the person who is applying on behalf of the patient to get access to
the records.
Section 5: Permission
If applicable, the patient must complete this section authorising the organisation to
release information to the named applicant.
Section 6: Identification/Countersignature
Everyone must complete this section UNLESS you are providing:
o A certified copy of a Power of Attorney document
o A certified copy of a Guardianship Order
Because of the confidential nature of the information held by the organisation, it is
essential for us to obtain proof of your identity and your right to receive any
relevant information.
For this purpose it is essential that you provide either proof of your identity or get
the application countersigned.
1 – Provide one Form of Identification
Examples of these can be found in section 6
2 – Countersignature
Anyone who knows the applicant personally can sign this section as
long as it’s not a family member or relative.
Section 7: Declaration
This must be completed by the applicant.
Send your filled-in form to:
Email:
or
post:
Freedom of Information Officer
NHS Orkney
The Balfour
Foreland Road
Kirkwall
Orkney
KW15 1NZ
Appendix C: Identity verification letter template
Dear <Name>,
RE: Subject Access Request verification required
Thank you for your correspondence requesting access to personal data held by NHS
Orkney.
The release of this information is subject to the General Data Protection Regulation, which
governs access to personal data. As a result, we are required by law to gain the
appropriate proof of identity and consent before we can proceed with your application.
We would therefore be grateful if you would complete the enclosed Subject Access
Request form and return it to as soon as possible, along with all required proofs of
identification. If you wish you may bring the original documents to the address on this letter
and we will photocopy them for you. Additionally, if you require any assistance completing
the form, please contact me and I will be glad to assist.
Yours sincerely,
Freedom of Information Officer
NHS Orkney
Data Protection
The Balfour
Foreland Road
Kirkwall
Orkney KW15 1NZ
www.ohb.scot.nhs.uk
<Requester Name>
<Requester Address>
Date: <Enter Date>
Tel: 01856 888 220
Fax: 01856 888 211
Email: orkney[email protected]
Appendix D: Acknowledgement letter template
Dear <Name>,
RE: Acknowledgement Subject Access Request Reference Number: SAR 201X1X/XXX
Thank you for your correspondence requesting access to personal data held by NHS
Orkney. I can confirm that we have / (now received) appropriate proof of identity and
consent and will / (now) proceed with your request. The reference number attached to this
request is 20XXXX-XX.
The statutory timescale set out in the General Data Protection Regulation is 30 calendar
days. As such, you should receive a response no later than <deadline> unless we require
further clarification. Should we encounter any difficulties with complying with your request
or require further clarification, I will contact you as soon as possible to advise.
Yours sincerely,
Freedom of Information Officer
NHS Orkney
Data Protection
The Balfour
Foreland Road
Kirkwall
Orkney KW15 1NZ
www.ohb.scot.nhs.uk
<Requester Name>
<Requester Address>
Date: <Enter Date>
Tel: 01856 888 220
Fax: 01856 888 211
Email: orkney[email protected]
Appendix E: Clarification request letter template
Dear <Name>,
RE: Clarification Subject Access Request Reference Number: SAR 201X1X/XXX
I write to you in reference to your request to access personal data, reference number
20XXXX-XX. In order to complete your request, I would like clarification on the following
points: <Points clarity sought on>
Under the terms of the General Data Protection Regulation, NHS Orkney will place your
request on hold until we receive the requested clarification. When we receive the
additional requested information from you we will be able to respond to your request within
30 calendar days of receiving the clarification. Therefore we would appreciate a response
as soon as possible in order to again proceed with your request.
If I can be of any assistance or you would like to discuss this further, please don’t hesitate
to contact me.
Yours sincerely,
Freedom of Information Officer
NHS Orkney
Data Protection
The Balfour
Foreland Road
Kirkwall
Orkney KW15 1NZ
www.ohb.scot.nhs.uk
<Requester Name>
<Requester Address>
Date: <Enter Date>
Tel: 01856 888 220
Fax: 01856 888 211
Email: orkney[email protected]
Appendix F: Final response letter template
Dear <Name>,
RE: Response Subject Access Request Reference Number: SAR 201X1X/XXX
I write to you in response to your request to access personal data, reference number
20XXXX-XX.
*I am pleased to inform you that we have completed your request. Please find
attached/enclosed the full response.
*I must advise you that, in line with the General Data Protection Regulation, NHS Orkney has
applied an exemption on the release of some of the information requested because
<explain exemptions>. Please find enclosed the information not subject to this
exemption.
*I must advise you that, in line with the General Data Protection Regulation, NHS Orkney
has applied an exemption on the release of the information requested because <explain
exemptions>.
If you are dissatisfied with the way NHS Orkney has dealt with your request you have a
right to appeal to the Information Commissioner’s Office.
Requests for appeal should be made in writing to: Information Commissioner's Office, 45
Melville Street, Edinburgh, EH3 7HL. Tel: 0303 123 1115 or Email: scotland@ico.org.uk.
If you have any further questions or concerns relating to this request, please don’t hesitate
to contact me.
Yours sincerely,
Freedom of Information Officer
NHS Orkney
Data Protection
The Balfour
Foreland Road
Kirkwall
Orkney KW15 1NZ
www.ohb.scot.nhs.uk
<Requester Name>
<Requester Address>
Date: <Enter Date>
Tel: 01856 888 220
Fax: 01856 888 211
Email: orkney[email protected]
Appendix G: Subject Access Request Process Flow Chart
1. SAR received by FOI Officer. Log details of request on SAR log spreadsheet and create folder for request in G: Drive folder.
2. Is there sufficient information included in the request to verify the identity of the requester?
   NO: Send letter requesting identification along with SAR form and guidance to requester.
       ID and completed form received?
       NO: Send reminder letter after 30 days. If no further response received after an additional 30 days request can be closed.
       YES: Go to step 3.
   YES: Go to step 3.
3. Generate deadline on spreadsheet. Send acknowledgement letter to requester.
4. Using the information provided in the request, is it clear what data is being asked for by the requester?
   NO: Send letter requesting clarification from the requester.
       Clarification received from requester?
       NO: Send reminder letter after 30 days. If no further response received after an additional 30 days request can be closed.
       YES: Go to step 5.
   YES: Go to step 5.
5. Send request to individuals and departments relevant to the request. Log dates sent on spreadsheet and create internal deadline of 21 days.
6. Individuals and departments should check their records in line with request.
7. Is there clinical data, such as patient notes, included in the data collated?
   YES: Medical records asked to collate hospital notes. Departments such as x-ray, physiotherapy, dietetics, etc asked to collate and approve notes for release.
8. Is there third party data included in the data collated?
   YES: If it is possible to separate third party information, the department should remove or redact it. If it is not, the department should advise the FOI Officer who should exempt
   NO: Go to step 9.
9. Once collated, all relevant information should be sent to the FOI Officer.
10. FOI Officer should draft a final response containing the final information for approval.
    CLINICAL INFORMATION—, medical director or deputy to approve, the sign off sheet MUST be completed
    NON-CLINICAL INFORMATION— Approval should be sought from the DPO / SIRO or deputy.
11. Response draft approved?
    NO: Amend draft according to guidance and send for reapproval.
    YES: Send final response using secure method (i.e. Royal Mail Recorded Delivery).
12. Log completion of request in SAR log spreadsheet.
Appendix H: Data Protection – Health Records Request (SAR) Sign off
Data Protection – Health Records Request (SAR) Sign off
SAR reference number – 201819/
Patient name:
Patient CHI number:
Request received from:
Details:
Date from: Date to:
I ........................................................................................................................
(Health professional undertaking review)
confirm that I have reviewed the relevant section of the health record of the patient named
above as per the Subject Access Request (SAR).
It was necessary/not necessary (delete as appropriate) to make a partial exclusion or
redaction to the record.
* Please indicate below the reason for any exclusion/redaction
..........................................................................................................................
..........................................................................................................................
..........................................................................................................................
Signed ..............................................................................................................
(Health professional undertaking review)
Date ..................................................................................................................