The Data Protection Act

What does data protection legislation mean to me?

Data protection legislation applies to anyone who holds or has access to information about a living individual. It provides principles under which all organisations, including the NHS, operate when handling personal data.

It also gives members of the public the statutory right of access to personal data related to themselves, such as their Health Records.

Staff also have the statutory right of access to personal data held within their own staff record.

Data Protection Impact Assessments

The Information Commissioner's Office (ICO) has identified Data Protection Impact Assessments (DPIA) as a key tool in addressing confidentiality and privacy concerns, which form part of the key requirements for the Data Security and Protection Toolkit (DSPT).

A DPIA is a process to help identify and minimise the data protection risks of a project.

We must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing, e.g. special categories of personal data – health data.

It is also good practice to do a DPIA for any other major project which requires the processing of personal data or if you are making a significant change to an existing process.

Please see below completed DPIAs:

Ref No. | Project name | Project description
1 | Referapatient (pilot) | Electronic referral system for neurosurgery and spinal surgery.
2 | UK data Computer Aided Theragnostics (ukCAT) | Use machine learning to develop prognostic models for cancer outcomes.
3 | Medtronic Diabetes System | Semi-automated electronic recording of patient’s blood glucose levels.
4 | Sir Robert Ogden Macmillan Centre Psychology Services | To use technology to provide tailored more accessible psychological services to users of the Sir Robert Ogden Macmillan Centre.
5 | Cerebral Palsy | Cerebral Palsy Integrated Pathway Database to provide standardised assessments for children with cerebral palsy.
6 | Medopad | Supporting an approved research study to collect quality of life data from patients who recently underwent colorectal surgery.
7 | Body Worn Video | BWVCs are a video recording system that is typically used to record interactions with other people. BWV that can be fixed to the individual’s clothing and is capable of capturing video and audio information falls under the category of BWVC.

How do I request access to my own medical records?

Freedom of Information (FOI) excludes requests for personal information. An individual’s access to their patient records/clinical information is still covered by the Data Protection Act for which different procedures apply.

If you only want to view the information held about you, this can be done free of charge under supervision. This should be arranged with the clinician treating you or the information governance manager.

If you would like to request a copy of your own medical records, or access to patient records as a personal representative of a deceased patient, please download the relevant form below or contact the patient access office supervisor on 01642 854460, who will post a form out to you to complete.

Subject Access Request Form

Once complete, please return to:

Patient Access Team 
Murray Building
The James Cook University Hospital
Marton Road
Tel: 01642 854460

Health records subject access request procedure


Data protection legislation gives every living person the right to apply for access to information held on them by an organisation. This is known as ‘Subject Access’. This document lays out the procedure that should be followed when an application from a patient to access their health records is received.

Health records

A health record is defined as a record consisting of information about the physical or mental health or condition of an individual made by or on behalf of a health professional in connection with the care of that individual. It can be in computerised or manual form (or both) and may include such things as handwritten notes, letters, lab reports, x-rays etc.

Receipt of an application

All requests for access to health records are dealt with under a legal requirement. These requests are dealt with by different departments within the organisation depending on the type of application:

  • If the application is from an individual or their representative where no litigation against this trust is indicated – this application is dealt with by the Patient Access Team.
  • If the application is from an individual or their representative where litigation against the trust is indicated – this application is dealt with by the Legal Services Department.

The application

All applications to see health records should be made on the Trust’s Access to Health Records Form. It must contain enough information for the organisation to identify the applicant and locate the requested information.

If the application does not state what information is required from a specific period of time, it is assumed that access is required to the whole medical records file. There is no requirement for the individual to give a reason why they wish to access their records.

The application should always contain the written consent of the patient (or their legal representatives) to the release of the information.

Time limits

Current legislation requires that the Trust responds to requests for subject access within one calendar month.

Parental responsibility

As a general rule, a person with parental responsibility has the right to apply for access to a child’s health record. However, there may be exceptions to this, for example when the child does not wish their record to be disclosed.

Withholding information

There are certain circumstances where information can be withheld from a subject access request. Access can be denied or limited where the information might cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who had not consented to disclosure. The Trust is not obliged to inform the patient that information has been withheld.

Supplying the information

Information supplied should be provided in a permanent form unless this causes the organisation ‘disproportionate effort’ or the patient agrees to receive it in another form (if, for example, the printed version is very lengthy or held in a remote archive). The data supplied must be intelligible and any abbreviations should be explained.

If an individual requests to view a record without obtaining a copy, an appointment will be made with a lay administrator. In these circumstances, the lay administrator must not comment or advise on the content of the record and if the applicant raises queries, an appointment with a suitable health professional should be offered.

Inaccurate information

If information recorded on the health record is inaccurate, patients have the right to have the information corrected. However, if the patient disputes the accuracy but the clinician maintains the information is correct, the information will remain unchanged, but a note will be added to the records recording the nature of the dispute.

Subsequent subject access requests

Organisations do not have to comply with a subsequent request where they have already complied with an identical or similar request by the same individual, unless a reasonable interval has elapsed. In deciding what a reasonable interval is, the nature of the data, why the data is used and the frequency with which the data is altered should be taken into consideration.

Access to the Health Records of deceased persons

Access to the health record of deceased persons is governed by the ‘Access to Health Records Act 1990’. The personal representative (executor or administrator of the estate) of the deceased or any person who may have a claim arising out of the patient’s death may apply for access.

Access should not be allowed if the patient indicated while alive that they did not wish access to be given to a particular person. To make a request for a deceased person, the following form should be completed:

Request for Access Under the Health Records Act 1990

Once complete, please return to:

Patient Access Team
Murray Building
The James Cook University Hospital
Marton Road
Tel: 01642 854460

Complaints and appeals

An individual has the right to make a complaint under the Trust’s Complaints Procedure and should be advised to write with details to: Patient Relations Department, The Murray Building, The James Cook University Hospital, TS4 3BW.

Alternatively, an individual may prefer to take their complaint direct to the Information Commissioner (contact details below).

Further guidance

Further guidance on all aspects of data protection can be found on the website of the Information Commissioner:

Tel: 0303 123 1113