Standard Operating Procedure: Document Author Authorised Written By: Authorised by

This document provides guidance for staff on responding to requests for personal information from patients or other individuals. It outlines that the Information Governance Team should process most requests to ensure compliance with data protection laws. However, in some urgent situations, other departments may need to respond directly. All staff should be familiar with the procedure and direct requests to the appropriate team for handling. The Information Governance Team will log and process requests according to specific steps to meet legal requirements.

Standard Operating Procedure

Responding to Requests for Personal Information


(Data Protection Act 1998 and Access to Health Records 1990)

Subject Access Requests

Document Author
Written By: Information Governance Specialist
Date:

Authorised
Authorised By: Chief Executive
Date:

Lead Director: Company Secretary
Effective Date:
Review Date:
Approval at: Information Governance Steering Group
Date Approved:
Version Number: 2.0

1 Introduction
This Standard Operating Procedure sets out what staff should do when receiving a request
for personal information, in line with the Data Protection Act (DPA) 1998 and/or the Access to
Health Records Act (AHRA) 1990.

Under almost all circumstances these requests will be received and processed centrally by
the Information Governance Team. However, there may be occasions when, in the interests
of patient safety or expediency, this may not be possible/necessary. Typically this would
apply for service areas out of normal office hours.

This Standard Operating Procedure provides examples of the rare occasions when requests
can be processed by staff not working in the Information Governance Team. However, it
must be recognised that these occasions will be infrequent. Similarly, it is prudent to note
that no single Standard Operating Procedure can cover every eventuality and as such,
where staff are unsure, they must liaise with the Information Governance Team, who will
provide professional advice and assistance.

Regardless of who processes a request for information, the correct procedure must be
followed in order to ensure compliance with relevant legislation.

It is important that all staff are familiar with this Standard Operating Procedure as any
member of Trust staff may be the first point of contact for a request for personal information
and they must understand and be able to articulate the correct process to follow, and be able
to provide advice to others, including patients, service users and their carers.

It is prudent to note that under the DPA 1998, requests for access to records must be met
within 40 calendar days. However, where possible requests should be processed more
quickly; it is therefore imperative that any request is dealt with as expediently as possible.

2 On Receiving a Request for Personal Information Direct from the
Applicant (not by the Information Governance Team)
The majority of requests for personal information will be received by the Information
Governance (IG) Department, who have specific qualifications and specialist expertise and
are therefore equipped to process these requests, ensuring adherence with legislative
requirements. On average the Information Governance Team process circa 1000 requests
per annum, around 700 of which are paid-for Subject Access Requests; a further 300 are
unpaid requests, often from other statutory bodies. Staff in the Information Governance
Department are fully versed in the legislation surrounding requests for personal information
in order to provide assurance to the Trust that requests are processed lawfully and
legislation is not being breached. Therefore it is important that this team is utilised where
requests have been made.

Therefore, should staff receive a request directly, they must ensure that they direct the
individual making the request to the Information Governance Department promptly. Advice
on how to make requests for information can be found on the Trust website at
www.iow.nhs.uk/Patients-and-Visitors/access-to-records/access-to-records.htm

However, under certain and very specific circumstances, it may be appropriate for requests
to be processed within the team receiving the request, where this is not the IG team. If this
is within office hours, any decision to process such a request must be discussed with and
authorised by the Information Governance Team. Out of hours (where there is an urgent
requirement which cannot wait until the next working day), the same discussion and
authorisation must initially be with the Bed Manager, who will escalate further if required to
the Senior Manager on Call (SMOC) or the Executive Director on Call (EDOC).

Please note where a member of staff requests certain information through the Human
Resources team, the Human Resources Team process for responding to requests for
records for employees Standard Operating Procedure (HR SAR SOP) must be followed.
Where other teams receive requests for records from employees they should share with the
employee any information that they would have received anyway, for example Job
Descriptions, Supervision notes, Appraisal information, but all other requests must be dealt
with by the Information Governance team as a Subject Access Request.

In addition to the above, examples of where requests should be complied with by the
department receiving the request rather than the Information Governance Team include:-

• Where the patient (known to the service, and known to have capacity) requests a
  copy of their latest clinical letter in accordance with their rights/entitlement under the
  NHS Constitution, or one that was previously supplied to them as they have
  misplaced their copy/copies.
• The Diagnostic Imaging department will provide individual patient imaging and
  reports as an electronic copy in Disc format under the following circumstances:-
  o Images/examination taken on the day - no report yet available.
  o Images/examination taken previously and a report available.
  o More than one examination if the events are clinically related with reports (this
    will be at the discretion of the Superintendent Radiographer or other
    delegated officer).
  o Should a patient request a report at a later date after having received their
    disc directly from the Diagnostic Imaging department, then this will be provided
    by Diagnostic Imaging as a paper copy as part of the original request.
  o Any other situation where the clinical information is felt necessary for a
    patient's care pathway - to be a clinical judgement made by a Head of Service
    on a case by case basis.
  o The following exclusions apply:-
    o Where a patient requests their full imaging history - this will need to be
      requested via Information Governance through a full Subject Access request
      process.
  This must be undertaken in accordance with the Subject Access provisions of the
  DPA 1998; a charge of £10 will be made for the disc. All relevant documentation in
  relation to the request will be completed and retained within the Diagnostic Imaging
  department, and shared with the Information Governance dept for completeness.

Where the person making the request is not the patient themselves, it is the Trust policy that
any request for information should be processed by the Information Governance Department
to ensure compliance with the legislation. However, any urgent requests made out of hours
should be directed to the Bed Manager for consideration.

Any request authorised for release out of hours outside of the Information Governance Team
must be notified the next working day to the Information Governance team. The Information
Governance team will be responsible for maintaining a central log of all such requests for
monitoring and reporting purposes.

3 On Receiving a Request for Information from the Information
Governance Department.
As indicated above the majority of requests will be processed by the Information
Governance team. However, for them to be able to process such requests they need the full
support and cooperation of staff working across the Trust.

Where a request for assistance is received by a staff member they must complete the
following steps:-

1. Ensure that they have clarity on the information being requested and timescales for
disclosure.
2. Ensure that all information requested is supplied to the Information Governance
Team as soon as possible upon receipt of the request, either through hard copies
from the originals or where possible through electronic records being shared directly
with the IG team.
3. Please note all requests for records relating to Trust employees must be dealt with in
line with the Human Resources Team process for responding to requests for records
from employees Standard Operating Procedure available on the Trust intranet.

4 Information Governance Team - Processing Requests for Personal
Information
As indicated above the majority of requests will be completed by the Information
Governance team in line with the steps set out below. NB the IG team may be notified of a
request at any point in the process from another department and must seek to support them
in complying with the correct steps in the process as below.

1. Ensure that the request has been made in writing (either by letter or by completing
the Access to Records Application Form).
2. Ensure that the application form/letter is date stamped on receipt to ensure there is a
valid audit trail.
3. Once a request is received, a formal record must be created to log the request. This
should be completed on the appropriate Control Sheet (Appendix B, C & D as
appropriate) and must be completed with the following information as a minimum
initially:-

• Patient Name
• Previous Name(s) where applicable
• Date of Birth
• Applicant Name (if different from the patient)
• Applicant's Reference if provided
• Information Requested including specific treatment/accident dates when
  provided
• If Consent is given and is valid
• Date application received

Whilst the request is being processed, the hard copy control sheet is to be filed in the
Valid Requests concertina file located within the Information Governance Specialists
(IGS) office. This office is locked when not in use and no records are left unattended in
view of the clear desk approach across the Trust. The office is located along a corridor
which is locked at all times. The door requires a security code for entry.

Once the request has been completed, the control sheet is then filed in the Completed
Requests lockable filing cabinet located within the locked corridor.

4. Ensure the request is a valid request, taking into account any consent issues, the
identity of the applicant and seeking clarity on the extent of the request, and clearly
record this on the control sheet. Provide advice to the applicant as appropriate if
they are unsure as to the extent of the information they require.

• Consent:- Identify whether the consent provided is clear and explicit and
  provides the correct authority for the release of the requested records.
  Consider whether the applicant is legally able to make the request, i.e. is the
  applicant the patient to whom the record(s) relates and if so do they have the
  capacity to make the request, or does the applicant have the correct Lasting
  Power of Attorney in place and has it been registered with the Office of the
  Public Guardian in order for them to legally make the application. If consent
  is insufficient, circle No on the control sheet and identify what other
  information is required to validate the request.
• Identity of Applicant:- Consider whether there is sufficient evidence to confirm
  the identity of the applicant. If satisfactory evidence of ID has not been
  provided, circle No and note down the reason.
• Sufficient information to enable location of information requested:- Ensure
  there is clarity regarding what information has been requested and why.
  Where necessary it may be appropriate to support the applicant in
  determining what records they need to be provided with in order to undertake
  the activity they require. Complete the Information Requested section in full.

5. Register the request on the appropriate Log of Requests, using the following naming
convention: patient name, year of request, next sequential index number,
followed by a symbol chosen at random. This unique identifier creates an
encryption code which must be used in all correspondence. White and Pink Control
Sheet (refer to Appendix B & C as mentioned above) requests must be entered onto
the Subject Access Log of Requests, and filed within the paper record as above. The
log is saved within the Trust network, located on the Access to Information secure
drive. Access to this drive is limited to members of the Information Governance team
only.
6. Green Control Sheet (refer to Appendix D as mentioned above) requests must be
entered onto the Non-Subject Access Log of Requests (also located within the
secure drive above), and filed within the paper record as above.
7. Record the encryption code on the control sheet.
8. Ascertain whether records are held in relation to the patient.

• Log into the relevant electronic system, e.g. Patient Centre, Symphony, E-Care
  Logic, PARIS.
• Search for patient using necessary identifiers, e.g. surname, Christian name,
  date of birth. Select correct patient and write patient's IW number onto Control
  Sheet. At this point, note any previous names onto the Control Sheet.
• Identify what records are held in relation to the time period of records requested
  and write the date requested against each category of information on the Control
  Sheet. If no specific time periods of records are requested, treat as an All
  Records request and complete all relevant boxes on the Control Sheet.

9. Identify if a fee is due and record this onto the Control Sheet.

• £10 if the records are held electronically only
• £50 if the records are held manually or a mixture of manual and electronic.

10. Prepare the appropriate response letter to the applicant by addressing to the
applicant, completing the Data Subject's name in the header, adding the applicant's
reference, and adding the Trust Reference, which should consist of sender's initials,
patient's IW Number and patient initials, e.g. LS/IW12345/AB. Amend the
Acknowledgement/Charge letter to request any additional information required as
already identified, i.e. appropriate consent, evidence of identity, further information to
enable location of records.

11. If the appropriate fee was enclosed with the application, then prepare an
Acknowledgement Letter.
12. If the appropriate fee needs to be requested, then prepare a Charge Letter.
13. Record the number of new requests received onto the Statistics log which is saved
within the Trust network, located on the Access to Information secure drive.
14. Record Payment received date onto the Control Sheet.
15. Calculate 40 calendar day statutory deadline using the Calculator stored in Subject
Access Daily Tasks folder and add these dates to the Control Sheet.
16. Add the request to the Daily Tasks log in date order, including Name, Date of Expiry
and the records that have been requested. Also, colour code the final column.

Red: Awaiting records
Clear: Records received and ready to scan
Amber: Ready to third party
Green: Ready to send

17. Write a receipt for the payment and keep the top copy of the receipt in the application
wallet. Write the receipt number onto the Control Sheet. Write the receipt number on
the back of the cheque and keep the cheque/cash inside the receipt book, which
must be kept in a locked drawer/filing cabinet.
18. Update Log of Requests and Statistics with payments received on relevant date and
amount received.
19. Request all records, using the appropriate template email. If Symphony records are
required then access the relevant record and print this off and keep in the wallet
ready for scanning. When Mental Health files are required, request the records from
Sevenacres Medical Records Team, complete and attach a Consultant Review
memo asking for it to be printed and sent with the file to the relevant MH
Consultant/Senior Clinician for completion and onward forwarding to Information
Governance. If name of MH Consultant/Senior Clinician is known, record this on the
Control Sheet together with date sent.
20. When records are received, note the date received onto the relevant column on the
Control Sheet. If a small set of original records are received, e.g. physio, scan these
on the same day and return originals to the relevant department. Once scanned,
date and initial the relevant box on the Control Sheet. If small sets of copy records
are sent, then these must be kept in the back of the Control Sheet wallet. Large sets
of records should be kept in the locked Information Governance secure records
cupboard, until they can be scanned and returned to the relevant department. NB no
originals should be retained once the records have been scanned, these must be
returned to the relevant department. Should a department require a record be
returned to them prior to scanning due to a clinical need, this must be recorded on
the control sheet and complied with expediently.
21. When the MH Consultant/Senior Clinician has reviewed the file and completed the
Review Document and sent the file back, the date of receipt must be added to the
Control Sheet and the file placed in the cupboard.

22. Records must be scanned in order of the date of expiry detailed on the Daily Tasks
list, in accordance with Scanning Guidelines (separate document) unless there is a
specific reason why not to do this. Professional judgement must be used at all times
to ensure the department is able to comply with the highest number of requests and
maintain patient safety, whilst also preventing financial or reputational damage to the
Trust.
23. After each record is scanned, date and initial the relevant box on the Control Sheet.
24. Once all records have been received and scanned, prepare two envelopes and place
behind the control sheet in preparation for send out. One envelope must be
addressed to Information Governance and the other must be addressed to the
recipient of the records. This must be stamped with Recorded Delivery on the left
hand side. The recipient's envelope must also have the last three digits of the
encryption code written on the bottom left hand corner as an identifier.
25. Place the request pack on the Third Party shelf in the lockable cupboard located
within the IGS office ready to be reviewed by the IGS. Complete the date on the
Control Sheet in the relevant box.
26. IGS will review the request and if any redactions are identified these will be noted on
the relevant section on the reverse of the Control Sheet. The IGS will complete the
relevant boxes on the control sheet and place on the relevant section on the shelf.
27. Any redactions noted on the Control Sheet are undertaken by the IG Assistant and
then handed back to the relevant IGS for checking. When this action has been
completed, the IGS will initial the relevant section on the Control Sheet. Once this is
complete, the request is then placed on the relevant section of the shelf.
28. Select relevant files and encrypt them using 7Zip and the allocated encryption code.
Burn the files onto a CD. Prepare send out letter using the appropriate template.
29. Place the CD, X-ray images, letter and envelopes with the Control Sheet. The IGS
will quality check all correspondence and CDs using the allocated encryption code
and then seal this into the self-addressed envelope, which is then double wrapped
into the recipient envelope.
30. A Recorded Delivery log is created and will be sent with the post.
31. Enter the date of completion onto the Log, Statistics and remove the entry from the
Daily Tasks list. When this is completed, tick the relevant box on the Control Sheet.
If the request had any misfiles this must be put onto the log as well. Files can then be
returned to Medical Records and the relevant box on the Control Sheet can be
ticked.
32. When the Recorded Delivery log is received back from the Post Room, the allocated
numbers must be entered on to the log where they are saved for tracking purposes.
Once the recorded delivery numbers have been entered on to the log, the Recorded
Delivery sheet from the post room can then be confidentially destroyed.
33. The Control Sheets must be filed in the filing cabinet in alphabetical order.
34. In line with the Records Management Code of Practice for Health and Social Care
2016, all records relating to Subject Access Requests will be destroyed after 3 years
of closure of the Subject Access Request, unless a complaint or appeal has been
received. Where a complaint or appeal has been received, records will be retained
for 6 years from the date of closure of the appeal/complaint. This relates to all
electronic records, which must be deleted as per the above timescales, and also any
paper records, which must be destroyed by disposing within either a confidential waste
bin or confidential waste bag, as per the Trust contract with an approved supplier.
