This is an HTML version of an attachment to the Freedom of Information request 'Re: Data Protection Act'.
 
By email  
 
Our Ref: 10/03/05/lk/050 
Health Protection Agency
 
Communications 
 
Public Information Access 
Marie Griffiths 
61 Colindale Avenue 
London 
[FOI #30210 email] 
NW9 5DF 
 
Tel +44 (0)20 8327 6629 
 
Fax +44 (0)20 8327 6633 
 
 
www.hpa.org.uk 
 
Email: [Health Protection Agency request email] 
1 April 2010 
 
 
 
Dear Ms Griffiths 
 
Re: responsibilities under the Data Protection Act 1998 
 
Thank you for your Freedom of Information request dated 5 March 2010 regarding 
the Health Protection Agency’s (HPA) responsibilities under the Data Protection Act 
1998. 
 
Under section 1 (1) (a) of the Act I can confirm that the HPA holds of the information 
you require. 
 
I have responded to your questions in the order you raised them below. 
 
 
1.  How many requests do you get under DPA each year? 
 
The reported number of subject access requests for personal information (made 
by the data subject or agents acting on their behalf) and handled under the Data 
Protection Act is published in our Annual report. Therefore the information you 
have requested is exempt from disclosure under section 21 - Information 
accessible to applicant by other means exemption. 
 
However in accordance with our section 16 duty to provide advice and assistance 
please see the information you have requested in the table below. 
 
 
Annual Report    Number of DPA requests
2009             10
2008             13
2007
2006
2005             We do not hold *
 
*the HPA became a non-departmental public body on 1 April 2005 following Royal assent of the 
Health Protection Act 2004. Therefore, the HPA did not exist in 2004 when the data for this Annual 
Report would have been collated. 
 
Whilst the HPA recognises its obligations under the DPA, for test result requests 
we always advise members of the public to seek their personal information from 
their GP or healthcare provider. This is because your healthcare provider is better 
placed to provide any necessary support and give the information in context, for 
example, a GP can provide additional guidance to a patient where test results 
have an impact on the patient’s care pathway. If the applicant has already 
received the information from their healthcare provider and still wants the results 
from us then we will oblige. 
 
2.  How do you verify the authenticity of DPA requests? 
 
The HPA verifies the authenticity of DPA requests by asking for two pieces of 
confirmatory personal information, for example, date of birth and address together 
with the applicant’s signed authority. 
 
3.  Do you conduct regular DPA audits/have an auditing policy? 
 
The HPA conducts regular internal audits covering all areas of information 
governance (please refer to attached audit charter). The regular programme of 
audits would cover the review of arrangements for safeguarding personal 
information during the course of responding to subject access requests. 
 
The HPA assesses itself annually against the NHS Information Governance 
Toolkit. Standard 206 requires established confidentiality audit procedures to 
monitor access to confidential information. Moreover, the HPA is subject to an 
annual review by the Care Quality Commission; this includes an assessment of 
the HPA’s information handling procedures. 
 
To ensure continued compliance with relevant statutory and professional 
obligations and best practice in information governance the HPA: 
 
-  has documented procedures for auditing access to personal information in the 
form of a Caldicott 18 point audit; 
-  has clearly defined roles and responsibilities for staff responsible for audit; 
-  provides appropriate training to those involved in audit; 
-  reports any breaches via a secure centralised management reporting system 
for reporting incidents, including escalation of breaches to senior 
management, where appropriate; 
-  produces lessons learned if examples of breaches or potential breaches can 
be used to improve current practice and/or raise awareness. 
 
 
 

 
 
4.  Do you maintain data on errors in information covered by DPA? 
 

The HPA records incidents involving personal data through local reporting 
mechanisms into a central system. For the last two reporting periods there are no 
incidents which fall under the criteria for reporting to the Information Commissioner’s 
Office. In addition, in this period there were no information losses whose release 
could have put individuals at risk of harm or distress. 
 
I can confirm the HPA has never made errors relating to the administration of subject 
access requests. 
 
(a) If so, please provide data for the past 5 years 
 
This information is available in the HPA’s annual report; for your convenience, please 
see table below: 
 
 
Year       Total number of protected personal data related incidents
2009/10    0
2008/09    0
2007/08    2*
2006/07    0
2005/06    2*

 
*Note that the incidents were categorised as category II incidents, i.e. they were losses of 
inadequately protected electronic equipment, devices or paper documents from outside secured 
premises. 
 
I hope you have found this information useful; however, if you are dissatisfied with 
this response and would like a copy of the HPA complaints procedure then please 
contact Mr George Stafford, Complaints Manager at: Health Protection Agency, 61 
Colindale Avenue, London NW9 5EQ. 
 
Please note that you have the right to an independent review by the Information 
Commissioner’s Office if a complaint cannot be resolved through the HPA complaints 
procedure. The Information Commissioner’s Office can be contacted by writing to 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire 
SK9 5AF. 
 
Please contact me if you require any further information or assistance. 
 
Yours sincerely 
Leigh Kelly 
Freedom of Information Officer 
Health Protection Agency
 
