Subject Access Requests
Last updated06 Oct 2021 08:45
Main Address
- The Whittington Hospital NHS Trust,
Access to Health Records,
C/O Clinic 1B
Level 1 Out Patient Block,
Magdala Avenue,
London
N19 5NF - sar.whitthealth@nhs.net
- Opening Hours
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. In a health setting requests will largely be made by patients and their appointed representatives (such as solicitors)for copies of their health records from both acute and community services but this can extend to current and ex-staff members.
How can individuals make a subject access request?
Individuals can make a request by completing the below application from:
All proof documents should be sent to SAR.WhittHealth@nhs.net. Should you wish to send us a secure encrypted message for this purpose, you can do this by registering for a free Egress account here
Opening Hours
8:30-17:00
Further Information
What is an individual entitled to?
Individuals have the right to obtain the following from the Trust:
-
confirmation that we are processing their personal data;
-
a copy of their personal data (health records most cases); and
-
other supplementary information
How will the data be provided?
The Trust provides responses to requests in commonly used electronic formats unless requested otherwise.
Will there be a fee?
In most cases a fee cannot charge be charged to comply with a subject access request.
However, where the request is manifestly unfounded or excessive a reasonable fee can may be charged for the administrative costs of complying with the request. A fee will be charged for further duplicate or paper copies following a request. Paper copies are charged at 60p per page not including postage.
How long do we have to comply?
A subject access request must be complied with within one month of receipt. Applicants are required to provide proof of identification, the time is calculated from the day the relevant proofs are received.
Request for deceased individuals data must be complied with within 40 days. As well as proof of identification applicants are required to provide authenticating details to prove their status as the personal representative of the patient or as a person with a claim arising out of patient’s death. Where possible applicant should specify the parts of the deceased health record they require for the reasons outlined above. The time is calculated from the day the relevant proofs are received.
Can we extend the time for a response?
We can extend the time to respond to a subject access request by a further two months if the request is complex or if we have received a number of requests from the same individual.
Can we ask an individual to clarity their request?
Applicants may be asked to clarify their request. If the additional information is not provided, we will endeavour to comply with the request by making reasonable searches.
Requests made on behalf of others?
The GDPR does not prevent an individual making a subject access request via a third party. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, it is the third party’s responsibility to provide evidence of this entitlement.
Requests for information about children
When a request is made for information about children it will be considered whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then explicit consent will be required from the child. The age for giving consent to data processing prescribed by the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 (DPA18) is 13.
What if the data includes information about other people?
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
Data protection legislation requires that information of third parties is removed prior to disclosure. Some information may be removed where it was provided in confidence or where it's disclosure could cause harm or lead to impairment of care.
Can a request be refused?
A subject access request can be refused if it is manifestly unfounded or excessive. If we do refuse a request, we will inform the applicant within one month of receipt of the request.
Confidentiality
The Trust is required to keep health records safe and confidential. Every member of staff working for, or with the NHS, has a duty to keep any information that they come across completely confidential.
Apart from clinical and administrative staff involved with providing care, the Trust will only share information that other healthcare professionals involved in patient care need to know about. These may include patients' GP, dentist, health visitor or community nurse.
The Trust is required to keep health records safe and confidential. Every member of staff working for, or with the NHS, has a duty to keep any information that they come across completely confidential.
Apart from clinical and administrative staff involved with providing care, the Trust will only share information that other healthcare professionals involved in patient care need to know about. These may include patients' GP, dentist, health visitor or community nurse.
By law the Trust may sometimes have to provide information to other agencies, for example when a formal court order has been issued or when we encounter infectious diseases which may be a risk to others.