HANDLING requests to access sensitive patient information can be a minefield for practices. No manager wants to get it wrong and find themselves facing the consequences of breaching the Data Protection Act (DPA).
Under the 1998 DPA, anyone has the right to find out what information an organisation holds about them by making a subject access request. In a bid to help data controllers navigate this tricky area, the Information Commissioner’s Office (ICO) has published its new Subject access code of practice. It provides useful step-by-step guidance for responding to such requests efficiently and in accordance with the law and good practice.
Some highlights include the following.
The purpose of the code
The guidance explains that subject access is one of the rights afforded to individuals under the sixth principle of the DPA. Subject access requests (SARs) are then made under section 7 of the DPA. As well as clarifying individual rights, it also provides guidance on the limited circumstances in which personal data is exempt from subject access.
What is subject access?
This enables an individual to find out what personal data an organisation holds about them, why they hold it and who they disclose it to, and is fundamental to good information governance.
Subject access provides a right for the requester to see their own personal data, but not an absolute right to view or obtain copies of actual documents containing that data. Some documents may, for example, contain sensitive third party information that it is not practical to redact and the relevant data may have to be disclosed in another format.
What is personal data?
It must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the organisation’s possession).
In relation to patients, this will include information about their physical or psychological health made by a health professional. It may also relate to information supplied by a third party, such as a close relative, which the health professional considers to be relevant. If such information is contained in a medical or dental record, it is classified as “personal sensitive data” under the Act.
Does a SAR have to be in a particular format?
In short, no. However, a SAR needs to be in writing and the responsibility to confirm the identity of the individual making the request rests with the data controller.
Some organisations provide forms for patients to complete when making a SAR. You cannot insist on this, but a specific form may assist the requester to provide the information you need to deal with their request.
Can I charge a fee?
The maximum fee a data controller can charge for processing a SAR is usually £10, but different fee limits apply where the request concerns health records. If the original record is held in written format only, or in a combination of written and electronic formats, then a maximum charge of £50 can be made to process the SAR. Otherwise the £10 fee would apply.
It is important for healthcare providers to be consistent in how any charges are applied to patient requests. A written policy or protocol can be helpful, and may minimise the risk of any allegations of discriminatory practice.
Is there a time limit for responding?
In most cases you must respond to a subject access request promptly (the Department of Health suggests 21 days) and at least within 40 calendar days of receiving the SAR in writing, along with any applicable fee.
Is any information exempt from subject access requests?
Yes. Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a SAR.
Information may be exempt because of its nature or because of the effect its disclosure is likely to have. In health terms, this could relate to sensitive information contained in the record that the patient is unaware of, and that would be likely to cause serious psychological or physical harm if they found out. This can be a difficult judgement call and it is important that any such decisions are made by health professionals and not, as in some instances we have encountered, by an administrator.
The General Medical Council also provides guidance to doctors in this area and this states that potentially harmful information does not equate to something that would make the patient upset or angry if they find out about it.
There are also some restrictions on disclosing information, including where it relates to another individual or third party, and where information has been provided by a relative about a patient in confidence.
The consent of the third party is generally required before they can be identified, unless it is impracticable to do so, or reasonable to dispense with this requirement. Third party considerations do not apply to the identity of other health professionals and this must remain as part of any copy record supplied.
The code also addresses important areas such as locating and retrieving relevant information and dealing with requests which involve other people’s information.
If in doubt members are encouraged to contact MDDUS for advice before proceeding.
The Subject access code of practice is available on the ICO website.