The Data Protection Act 1998

What does the Data Protection Act mean to me?

The Data Protection Act 1998 (DPA) applies to anyone who holds or has access to information about a living individual. It provides principles under which all organisations, including the NHS, operate when handling personal data.

The DPA also gives members of the public the statutory right of access to personal data related to themselves, such as their Health Records.

Staff also have the statutory right of access to personal data held within their own staff record.

How do I request access to my own medical records?

Freedom of Information (FOI) excludes requests for personal information. An individual’s access to their patient records/clinical information is still covered by the Data Protection Act for which different procedures apply.

If you only want to view the information held about you, this can be done free of charge under supervision. This should be arranged with the clinician treating you or the information governance manager.

If you would like to request a copy of your own medical records, or access to patient records as a personal representative of a deceased patient please download the relevant form below or contact the patient access office supervisor on 01642 854460 who will post you a form out to complete.

Access to health records form (82kb)
In order to view PDF documents you will need Adobe PDF Reader


Access to health records form where patient is deceased (84kb)
In order to view PDF documents you will need Adobe PDF Reader

Once complete, please return these forms to:

Patient access office supervisor
Health records
The James Cook University Hospital
Marton Road
Middlesbrough
TS4 3BW
Tel: 01642 854460

Health records subject access request procedure

Introduction

The Data Protection Act 1998 gives every living person the right to apply for access to information held on them by an organisation. This is known as ‘Subject Access’. This document lays out the procedure that should be followed when an application from a patient to access their health records is received.

Data Protection within the trust is the responsibility of the information governance manager, information governance department, ground floor Murray Building, The James Cook University Hospital.

Health records

A health record is defined as a record consisting of information about the physical or mental health or condition of an individual made by or on behalf of a health professional in connection with the care of that individual. It can be in computerised or manual form (or both) and may include such things as hand written notes, letters, lab reports, x-rays etc.

Receipt of an application

All requests for access to health records are dealt with under a legal requirement. These requests are dealt with by different departments within the organisation depending on the type of application:

  • If the application is from an individual or their representative where no litigation against this trust is indicated – this application is dealt with by the patient access Office supervisor, health records department, The James Cook University Hospital.
  • If the application is from an individual or their representative where litigation against the trust is indicated – this application is dealt with by the legal services department, directorate of quality assurance, The James Cook University Hospital.
  • Applications for x-rays are dealt with by the x-ray department.

The application

All applications to see health records must be made on the trust’s Access to Health Records Form. It must contain enough information for the organisation to identify the applicant and locate the information.

If the application does not state what information is required from a specific period of time, it is assumed that access is required to the whole medical records file. There is no requirement for the individual to give a reason why they wish to access their records.

The application should always contain the written consent of the patient (or their legal representatives) to the release of the information.

Direct access – The Data Protection Act does not provide applicants with the right to directly inspect their health records (for example while in hospital), but the Department of Health Policy on ‘Direct Access’ states that patients who actually wish to see their records should be allowed to do so if possible, subject to given exemptions and there are no compelling reasons to the contrary. For further guidance around Direct Access contact the information governance manager.

Fees

A fee may be charged to view health records or to be provided with a copy of them. To provide copies of patient health records the maximum costs are:

  • Health records held totally on computer: up to a maximum £15 charge.
  • Health records held in part on computer and in part manually: up to a maximum £50 charge.
  • Health records held totally manually: up to a maximum £50 charge.

It is recommended that all records are collected personally. However, in the event that records are posted, it is possible that postage costs will be in addition to the costs indicated above.

To allow patients to view their health records (where no copy is required) the cost is £15, unless the records have been added to in the last 40 days.

If a person wishes to view their health records and then wants to be provided with copies, this would still come under the one access request. The £15 fee for viewing would be included within the maximum fee for copies of health records.

Time limits

The Department of Health states that NHS organisations should endeavour to comply with subject access requests within 21 days, rather than the 40 days specified in the Data Protection Act 1998.

Consulting the health professional

Before information is released to a patient the health professionals with responsibility for the patient will authorise the release of records by signing a disclosure consent form.

Consent

The trust has a consent policy which should be adhered to.

Parental responsibility

As a general rule a person with parental responsibility will have the right to apply for access to a child’s health record. However, there may be exceptions to this. For further guidance please see the Department of Health Document ‘Guidance for Access to Health Records Requests Under the Data Protection Act 1998’

Withholding information

There are certain circumstances where information can be withheld from a subject access request. Access can be denied or limited where the information might cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who had not consented to disclosure. The organisation is not obliged to inform the patient that information has been withheld.

Supplying the information

Information supplied should be provided in a permanent form unless this causes the organisation ‘disproportionate effort’ or the patient agrees to receive it in another form, (if for example the printed version is very lengthy or held in a remote archive). The data supplied must be intelligible and any abbreviations should be explained.

If an individual requests to view a record without obtaining a copy, an appointment will be made with a lay administrator. In these circumstances, the lay administrator must not comment or advise on the content of the record and if the applicant raises enquiries, an appointment with a suitable health professional should be offered.

Inaccurate information

If information recorded on the health record is inaccurate, patients have the right to have the information corrected. However, if the patient disputes the accuracy but the Clinician maintains the information is correct, the information will remain unchanged but a note will be added to the records recording the nature of the dispute.

Subsequent subject access requests

Organisations do not have to comply with a subsequent request where they have already complied with an identical or similar request by the same individual, unless a reasonable interval has elapsed. In deciding what a reasonable interval is, the nature of the data, why the data is used and the frequency with which the data is altered should be taken into consideration.

Access to the health records of deceased persons

The Data Protection Act 1998 does not have any provision for access to the health records of the deceased. Access, under these circumstances, is governed by the Access to Health Records Act 1990. The personal representative (executor or administrator of the estate) of the deceased or any person who may have a claim arising out of the patient’s death may apply for access.

Access should not be allowed if the patient indicated while alive that they did not wish to be given to a particular person. (Please note there are two different access forms one for Data Protection Act 1998 and one for Access to Health Records 1990).

Complaints and appeals

An individual has the right make a complaint under the Trust’s Complaints Procedure and should be advised to write with details to: Patient Relations Department, 2nd Floor, The Murray Building, The James Cook University Hospital.

NB If your complaint is still within the 40 day time limit for requests, please contact the Information Governance Manager directly.

Alternatively an individual may prefer to take their complaint direct to the Information Commissioner (contact details below).

Further guidance

For further guidance please see the Department of Health document ‘Guidance for Access to Health Records Requests Under the Data Protection Act 1998’ or from the:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545700
Website: www.informationcommissioner.gov.uk