Information Request – Medical records access log

Roedd y cais yn rhannol lwyddiannus.

Dear Midlands Partnership NHS Foundation Trust,

I understand that medical records such as records held by the Doctor's
surgery that I am registered with will be held electronically. I assume
that these records will be network based with the possibility that they
can be accessed at more than one location and may not necessarily be
'stored' at the local surgery that I am registered with; my implication
being that I imagine my medical records will be stored externally and
'served over the network' from some central location.

Accordingly, if I wished to obtain a list or copy of the log file of all
the 'locations' and 'users' that have accessed my medical records
specifically, as maintained by the GP and surgery that I am registered
with since 1 January 2013, could you advise as to:

(a) Whether my assumptions in paragraph two above are correct and if so
where those electronic records in actuality are stored?

(b) If this type of data (log files pertaining to who has accessed my
files, where files were accessed from and dates and times of access) is
held?

(c) Who I should direct such a request to (request for log files) that
holds or can obtain and supply this overarching view/log of who has
accessed my records (employee name or similar), where (location) access to
the medical records originated from (e.g., surgery name or hospital name,
but not limited to these two locations) and the dates and times of any
logged accesses?

(d) What mechanisms are in place to prevent unauthorised staff (e.g.,
staff in other surgeries) from accessing my medical records?

Yours faithfully,
Mr Luce

FOI (RRE) MPFT, Midlands Partnership NHS Foundation Trust

Dear Mr. Luce,

I write to acknowledge receipt of your email in which you requested
information under the FOI Act 2000.

Your request is being considered and you will receive a response within
the statutory timescale of 20 working days, from the date of receipt, as
defined by the Freedom of Information Act 2000.

The Act defines a number of exemptions which may prevent release of the
information you have requested. There will be an assessment and if any of
the exemption categories apply then the information will not be released.
You will be informed if this is the case within 20 working days, together
with your rights of appeal.

If the information you are requesting contains reference to a third party
then they may be consulted prior to a decision being taken on whether or
not to release the information to you. You will be informed within 20
working days if this is the case.

If you have any queries or concerns, please do not hesitate to contact
me.  May l ask that you quote the above reference number on all your
correspondence.

PLEASE NOTE: As of 1^st June 2018 South Staffordshire and Shropshire
Healthcare NHS Foundation Trust has merged with Staffordshire and
Stoke-on-Trent Partnership NHS Trust to become Midlands Partnership
Foundation Trust.

Yours sincerely

 

 

Aled Evans

FOI Officer

Midlands Partnership Foundation Trust

Trust HQ, St George’s Hospital

Corporation Street

Stafford
ST16 3AG

Tel: 01785 221104 Ext 7128998

Email: [1][email address]

 

 

dangos adrannau a ddyfynnir

FOI (RRE) MPFT, Midlands Partnership NHS Foundation Trust

1 Atodiad

Dear Mr. Luce,

 

Is this request specifically about GP records (which we do not hold) or
any health record we may hold? Is this specific to your records or records
in general?

 

I shall place your request on hold until we receive the above
clarification.

 

If I can be of any assistance in the meantime please do not hesitate to
contact me

Thanks.

Kind regards

Aled Evans

Freedom Of Information Officer

Midlands Partnership Foundation Trust

Trust HQ

St George’s Hospital

Corporation Street

Stafford
ST16 3SR

Tel: 01785 221104 Extension: 7128998

Email: [1][MPFT request email]

 

[2]cid:image001.png@01D3FBF5.6CCEAE40

 

 

 

 

 

From: Evans Aled (RRE) MPFT On Behalf Of FOI (RRE) MPFT
Sent: 19 March 2019 11:11
To: Mr Luke <[FOI #562472 email]>
Subject: FOI/2407

 

Dear Mr. Luce,

I write to acknowledge receipt of your email in which you requested
information under the FOI Act 2000.

Your request is being considered and you will receive a response within
the statutory timescale of 20 working days, from the date of receipt, as
defined by the Freedom of Information Act 2000.

The Act defines a number of exemptions which may prevent release of the
information you have requested. There will be an assessment and if any of
the exemption categories apply then the information will not be released.
You will be informed if this is the case within 20 working days, together
with your rights of appeal.

If the information you are requesting contains reference to a third party
then they may be consulted prior to a decision being taken on whether or
not to release the information to you. You will be informed within 20
working days if this is the case.

If you have any queries or concerns, please do not hesitate to contact
me.  May l ask that you quote the above reference number on all your
correspondence.

PLEASE NOTE: As of 1^st June 2018 South Staffordshire and Shropshire
Healthcare NHS Foundation Trust has merged with Staffordshire and
Stoke-on-Trent Partnership NHS Trust to become Midlands Partnership
Foundation Trust.

Yours sincerely

 

 

Aled Evans

FOI Officer

Midlands Partnership Foundation Trust

Trust HQ, St George’s Hospital

Corporation Street

Stafford
ST16 3AG

Tel: 01785 221104 Ext 7128998

Email: [3][email address]

 

 

dangos adrannau a ddyfynnir

Dear Mr. Evans,

Thank you for your prompt reply and your assistance with this matter.

I would like to understand generally:
Whether access logs are kept for any data pertaining to any NHS user
What information such logs contain (especially whether location and staff identifiers are included)
If access logs exist, whether they may be requested by NHS users and if not, why this is so
What checks are in place to ensure access is legitimate (especially 'policed' checks, rather than rules/regulations)

I would also like to know specifically who to contact for an access log of my own Summary Care Record. I had assumed GP records were collected/held regionally but I am glad to hear that this is not the case.

Many thanks

FOI (RRE) MPFT, Midlands Partnership NHS Foundation Trust

Dear Mr. Luce,

Thanks for the clarification, I shall forward this to the relevant team and hope to have a response for you shortly.

Thanks.

Kind regards

Aled Evans

Freedom Of Information Officer
Midlands Partnership Foundation Trust
Trust HQ
St George’s Hospital
Corporation Street
Stafford
ST16 3SR
Tel: 01785 221104 Extension: 7128998
Email: [MPFT request email]

dangos adrannau a ddyfynnir

FOI (RRE) MPFT, Midlands Partnership NHS Foundation Trust

2 Atodiad

Dear Mr. Luke,

Further to your recent request made under the Freedom of Information Act
2000, please see detailed below the Trust’s response:

I would like to understand generally:

 

Whether access logs are kept for any data pertaining to any NHS user What
information such logs contain (especially whether location and staff
identifiers are included) If access logs exist, whether they may be
requested by NHS users and if not, why this is so

 

For Summary Care Records please see here for further information:
[1]https://digital.nhs.uk/services/summary-...

 

What checks are in place to ensure access is legitimate (especially
'policed' checks, rather than rules/regulations)

 

For Summary Care Records please see above link.

 

For Midlands Partnership NHS Foundation Trust systems user access can be
monitored via the Health Informatics Service to key systems and
Information Governance approval is required. An audit form needs to be
completed and approved and is kept with Information Governance.

 

I would also like to know specifically who to contact for an access log of
my own Summary Care Record. I had assumed GP records were collected/held
regionally but I am glad to hear that this is not the case.

 

For further information on accessing your Summary Care Record please see
here: [2]https://digital.nhs.uk/services/summary-...

 

We would be grateful if you could take a minute to fill out our Freedom of
Information Customer Satisfaction Survey (attached) and let us know about
your experience.

Please contact me in the first instance if you have any queries or
questions regarding the Trust's response.  However, if you have any
complaints about the handling of your enquiry, please contact:

Ms Lian Stibbs
Head of Information Governance and Records Access Management
Midlands Partnership Foundation Trust

Trust Headquarters St George's Hospital Corporation Street Stafford
ST16 3SR
Email: [3][email address]

You also have a right of appeal to the Information Commissioner at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545700
Website: [4]www.informationcommissioner.gov.uk

PLEASE NOTE: As of 1^st June 2018 South Staffordshire and Shropshire
Healthcare NHS Foundation Trust has merged with Staffordshire and
Stoke-on-Trent Partnership NHS Trust to become Midlands Partnership
Foundation Trust.

Yours sincerely

 

Hannah Rogers

 

FOI Officer

Midlands Partnership Foundation Trust

Trust HQ, St George’s Hospital

Corporation Street

Stafford
ST16 3AG

Tel: 01785 221104 Ext 7128278

Email: [5][email address]

[6]cid:image001.png@01D3FBF5.6CCEAE40 

 

References

Visible links
1. https://digital.nhs.uk/services/summary-...
2. https://digital.nhs.uk/services/summary-...
3. mailto:[email address]
4. http://www.informationcommissioner.gov.uk/
5. mailto:[email address]

Dear FOI (RRE) MPFT,

Many thanks for your reply.

To summarise then, it is possible to see who and when a user (staff) accessed an NHS service user's (patient) data, for key (but presumably not all) systems within the trust. But this is not actively policed.

Any NHS service user (or only staff members?) may request access logs from the Health Informatics Service with an audit form.

If I've correctly understood, would you be able to mention where an audit form can be found and where a completed form would be submitted to?

Yours sincerely,

Mr Luke