General Data Protection Regulations
Access to records
All data subjects have the right of access to and copies of their personal data whether they are held on paper or on computer.
Our data retention periods and the right to have inaccurate data corrected.
You have the right of access to the data that we hold about you and to receive a copy. Access may be obtained by making a request in writing. We will provide a copy of the record within 40 days of receipt of the request and an explanation of your record should you require it.
Access refusal policy
Under certain, very limited circumstances we may refuse access to or copies of personal records.
These could include:
- Where we have concerns about safety or a safeguarding concern;
- Excessive or repeated requests for the same information that has already been provided.
In these circumstances we will demonstrate how the request fits these criteria in accordance with GDPR and we will provide the individual with an explanation for the refusal unless this could put them at risk.
Complying with the GDPR
The GDPR requires that personal data must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and kept up to date (inaccurate personal data must be erased or rectified without delay);
- Kept in a form which permits identification of data subjects for no longer than is necessary;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We may be asked to disclose information, documents or records held by the practice. Requests for personal information are made under data protection legislation; requests for information about the NHS services provided by the practice are made under freedom of information legislation.
Requests for personal information or for information about the practice that is not included in the practice information leaflet should be passed to Dr Aliya Stretton.
This policy describes who can request information and how, and the practice procedures for managing these requests.
Requests for personal information
Personal information is any information that allows an individual to be identified. This includes information where the individual is not named but a cross-reference to other information held by the practice would allow identification.
Data protection legislation allows individuals to request access to their personal information. Those eligible to request access include:
- A person aged [16 years or older (for practices in England, Wales and Northern Ireland) OR 12 years or older (for practices in Scotland)];
- The parents or guardians of a child under the age of 16 years and in connection with the health and welfare needs of the child;
- A child under the age of 16 years who has the capacity to understand the information held by the practice. Children aged 11 years and under are deemed too young;
- A third party, such as a solicitor, who has the written consent of the individual concerned – checks should be undertaken to ensure that the consent is genuine – for example, by checking the patient’s signature or contacting the patient directly to confirm that they have given consent for the information to be disclosed.
If a request concerns information about a deceased person, those eligible to request access include:
- The administrator or executor of the deceased person’s estate;
- A person who has a legal claim arising from the person’s death – the next of kin, for example.
The person should explain why the information requested is relevant to their claim.
If the information requested includes information about third parties, it can be disclosed if the third party gives consent or is a health professional involved in the care of the patient.
The request must be made in writing and describe the type of information required with dates, if possible, and include sufficient information to ensure correct identification (name, address, date of birth, for example). You must check that the person asking for information has the right to do so and, if necessary, ask for proof of identity.
We will provide the requested information within one month of receiving the request or confirming the individual’s identity.
We will usually provide the information requested in electronic form using secure means, unless the individual asks for the information in paper format or it is otherwise agreed. The individual may also come to the practice to view the original version under supervision and on practice premises.
We will provide the information in a way that can be understood by the individual making the request and may need to provide an explanation to accompany dental clinical notes.
Unfounded or excessive requests
Where requests are manifestly unfounded or excessive (particularly if they are repetitive), we can:
- Refuse to respond.
If we refuse to respond to a request, we will explain the reasons and inform the individual of their right to complain to the Information Commissioner’s Office and to a judicial remedy.
Requests for information about the practice
Freedom of information legislation allows anyone to ask for information about the provision of NHS services. The available information is described fully in the practice guide to information available under FOIA and the model publication scheme. If the requested information is part of a larger document, we will disclose only the relevant part.
A freedom of information request cannot include clinical records or financial records.
The request must be made in writing and should describe the information that the individual wants, with dates if possible. The individual making the request does not have to give a reason.
We will provide information within 20 working days of receiving the request or confirmation of identity or, if applicable, from the receipt of the fee.
Requests for other information should be referred to Dr Aliya Stretton. If we do not hold the information requested, we will inform the individual within the 20-working-day time limit.
We will provide information in a way that is convenient for the person who requested it, which may be in writing, by allowing the applicant to read it on the premises, or, if the information is held electronically, in a useable electronic format.
We are not required to respond to:
- Vexatious requests for information, for example, requests that are designed to cause inconvenience, harassment or expense;
- Repeated requests for the same or similar information (unless the information changes regularly, for example performance or activity information).
In either situation, you should seek advice from Dr Aliya Stretton.