What is an individual entitled to?
Individuals have the right to obtain the following from the Trust:
confirmation that we are processing their personal data;
a copy of their personal data (health records in most cases); and
other supplementary information.
What evidence is required?
The proofs below must be provided following a request for records.
Requests from patient directly - Photo ID of patient.
Requests for adult records from other family member - Photo ID of requestor; plus photo ID of patient, plus letter of consent (signed and dated) or other proof of authority.
Requests for children's records from other family member or guardian - Child's birth certificate, plus photo ID of parent/guardian named on birth certificate.
Requests from solicitor for adult records - Photo ID of the patient/client, plus letter of consent (signed and dated) or other proof of authority.
Requests from solicitor for children's records - Child's birth certificate, plus Photo ID of litigation friend.
If applying for a deceased patient's records, you will need to provide proof that you are the personal representative of the patient. Evidence will include a copy of Letters of Administration or grant of probate, a copy of the relevant section of the Will confirming you are the Executor of the estate. If you are a person with a claim arising out of the patient's death, you will need to provide evidence of your claim, the nature of the claim, and clarification of the claimant's relationship to the patient.
We will never require original documentation; scanned copies or photographs of the ID are acceptable as long as the image is clear. All proof documents should be sent to SAR.WhittHealth@nhs.net. However, should you wish to send us a secure encrypted message for this purpose, you can do this by registering for a free Egress account.
How will the data be provided?
The Trust provides responses to requests in commonly used electronic formats unless requested otherwise.
Will there be a fee?
In most cases a fee cannot be charged to comply with a subject access request.
However, where the request is manifestly unfounded or excessive, a reasonable fee can be charged for the administrative costs of complying with the request. A fee will be charged for further duplicate or paper copies following a request. Paper copies are charged at 60p per page, not including postage.
How long do we have to comply?
A subject access request must be complied with within one month of receipt. Applicants are required to provide proof of identification; the time is calculated from the day the relevant proofs are received.
Requests for records of deceased individuals are handled under the Access to Health Records Act 1990 and must be complied with within 40 days. As well as proof of identification, applicants are required to provide authenticating details to prove their status as the personal representative of the patient or as a person with a claim arising out of the patient's death. Where possible, applicants should specify the parts of the deceased patient's health record they require for the reasons outlined above. The time is calculated from the day the relevant proofs are received.
Can we extend the time for a response?
We can extend the time to respond to a subject access request by a further two months if the request is complex or if we have received a number of requests from the same individual.
Can we ask an individual to clarify their request?
Applicants may be asked to clarify their request. If the additional information is not provided, we will endeavour to comply with the request by making reasonable searches.
Requests made on behalf of others?
The GDPR does not prevent an individual making a subject access request via a third party. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party's responsibility to provide evidence of this entitlement.
Requests for information about children
When a request is made for information about children it will be considered whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then explicit consent will be required from the child. The age for giving consent to data processing prescribed by the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 (DPA18) is 13.
What if the data includes information about other people?
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
Data protection legislation requires that information of third parties is removed prior to disclosure. Some information may be removed where it was provided in confidence or where its disclosure could cause harm or lead to impairment of care.
Can a request be refused?
A subject access request can be refused if it is manifestly unfounded or excessive. If we do refuse a request, we will inform the applicant within one month of receipt of the request.
The Trust is required to keep health records safe and confidential. Every member of staff working for, or with, the NHS has a duty to keep any information that they come across completely confidential.
Apart from clinical and administrative staff involved with providing care, the Trust will only share information that other healthcare professionals involved in patient care need to know about. These may include patients' GP, dentist, health visitor or community nurse.
By law the Trust may sometimes have to provide information to other agencies, for example when a formal court order has been issued or when we encounter infectious diseases which may be a risk to others.