This is an HTML version of an attachment to the Freedom of Information request 'Data Loss Incidents'.


 
 
 
Data Protection Policy including Subject Access Request and 
Safe Haven Procedures 
 
Document Information
Board Library Reference: GOV_IGCM_01
Document Type: Policy and Procedure
Document Subject: Data Protection
Original Document Author: Information Governance Manager
Assured By: Trust Board
Review Cycle: 3 Years
 
Version Tracking
Version | Date | Revision Description | Editor | Approval Status
1.0 | 21/02/2005 | Approved on behalf of the Board by the IM&TSG | Information Governance Manager | Approved
1.1 | 20/11/2007 | Reviewed for accuracy and addition of Subject Access Request and Safe Haven Procedures | Information Governance Manager | Draft
1.2 | 29/01/2008 | Formatted to new Trust standard and renamed to reflect Integrated Governance Forum of origin. | Information Governance Manager | Draft
1.3 | 08/02/2008 | Incorporated Modernisation & Workforce Integrated Governance Committee comments | Information Governance Manager | Draft
1.3 | 03/03/2008 | Policy assured at Workforce and Modernisation | Information Governance Manager | Draft
1.3 | 04/03/2008 | Policy assured at Integrated Governance Committee | Information Governance Manager | Draft
1.3 | 26/03/2008 | Approved by the Board of Directors | Information Governance Manager | Approved
2.0 | 27/03/2008 | Published | Information Governance Manager | Approved
2.01 | 06/11/2009 | Complaints procedure updated | Information Governance Manager | Draft
3.00 | 6/11/2009 | Published | Information Governance Manager | Approved
3.01 | 11/11/2010 | Administrative update | Information Governance Manager | Draft
4.00 | 21/01/2011 | Reviewed by Information Governance Management Group | Executive Director of Finance and Commerce | Approved

Location: http://sharepoint/C17/BoardLibrary/Policies/
Version: 4.0
Status: Approved
Date: 21/01/2011
 

 
Table of Contents 
 
1. Introduction
2. Purpose
3. Scope
4. Roles and Responsibilities
5. Policy Statement
6. Definitions
7. Service User Information
8. Security of Staff and Service User Information
9. Sharing and Disclosure of Service User Information
10. Subject Access Requests
11. Staff Training
12. Contracts of Employment
13. Disciplinary Procedures and Enforcement
14. Standards
15. Related Policy Documents
16. Monitoring
17. References
18. Appendix “A”: Subject Access Request Procedure
19. Appendix “B”: Safe Haven Procedures
20. Appendix “C”: Fax Header Sheet
21. Appendix “D”: Safe Haven External Fax Request for Information
 
 
1. Introduction 
Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the 
provisions of a considerable number of items of legislation and regulation affecting the 
stewardship of personal data. 
The AWP Overarching Information Governance Policy defines the Trust’s mandated 
approach for compliance and effective management in each of the following six areas of 
Information Governance. 
•  Information Governance Assurance 
•  Confidentiality & Data Protection Assurance 
•  Information Security Assurance 
•  Clinical Information Assurance 
•  Secondary Use Assurance 
•  Corporate Information Assurance 
Each of these six areas has a discrete and detailed policy and associated procedures 
which collectively constitute the top level documentation of the Trust’s Information 
Governance Management System (IGMS). 
2. Purpose 
This document sets out AWP’s policy for addressing its legal obligation to comply with 
the Data Protection Act of 1998 (DPA) which enshrines citizens’ rights to the privacy 
and confidentiality of information about them that is held or processed by the Trust (in 
support of Article 8 of the Human Rights Act of 1998, the “right to respect for private and 
family life”). 
3. Scope 
This Policy applies to Personal Data (staff, service user and other data subject 
information) that is either held or processed by the Trust across all Directorates and 
Strategic Business Units. 
4.  Roles and Responsibilities 
4.1. The Chief Executive 
The Chief Executive is accountable for the Trust’s compliance with all applicable 
legislation and regulation, including those described in this policy and associated 
procedures. 
4.2. Directors of Strategic Business Units 
Service and Clinical Directors of Strategic Business Units (SBUs) are jointly and 
severally responsible for the implementation of this policy and associated 
procedures uniformly across administrative and clinical functions within their 
Strategic Business Units. 
4.3. Executive Directors 
Executive Directors are responsible for the implementation of this policy and 
associated procedures across their Directorates. 
 
4.4. The Caldicott Guardian 
The Caldicott Guardian is responsible for championing the principles of Data 
Protection and Confidentiality across the Trust. 
4.5. The Information Governance Manager 
The Information Governance Manager is responsible for the maintenance and 
review of this policy and associated procedures. 
4.6. The Data Protection Officer 
The Information Governance Manager, who is also the Trust’s Data Protection 
Officer, is responsible for: 
•  Maintaining Information Commissioner notifications 
•  Facilitating Data Protection and Confidentiality training across the Trust 
•  Co-ordinating the administration of subject access requests 
•  Acting as the initial point of contact for any data protection issues which may 
arise within the Trust 
•  Recording any Data Protection and Information Security incidents which 
constitute breaches of Trust policy 
4.7. The Information Technology Security Specialist 
The Information Technology Security Specialist is responsible for achieving 
compliance with NHS and legal standards of information technology security, 
across the organisation, with particular emphasis on technical data protection 
issues. 
4.8. Individual Staff 
All Trust staff, and those working on behalf of the Trust in any capacity, who work 
with (e.g. have access to) personal data are required to adhere to this policy and to 
follow the associated procedures where appropriate. 
4.9. Expert Advice 
Expert advice in support of this policy will be provided by the Information 
Governance Manager and the Caldicott Guardian.  
5. Policy Statement 
All Personal Data held or processed by the Trust as the Data Controller will be 
held and processed in accordance with the requirements of the Data Protection Act 
1998 (the Act). 
The “Eight Principles” of the Act are: 
Personal Information about living people must be processed fairly and lawfully, and 
must: 
1)  Only be processed in accordance with the Act (or not processed at all), 
2)  Only be processed for a recognised legal purpose, 
3)  Be adequate for, and proportionate to the purpose, 
 
4)  Be correct (accurate and up to date), 
5)  Be kept only long enough to achieve the stated purpose, 
6)  Be processed in accordance with the data subject’s rights, 
7)  Be processed and handled safely and securely, 
8)  Not be sent outside of the EEA (European Economic Area) unless that country 
ensures an adequate level of protection of the data subjects in relation to the 
processing of the data. 
 
All Personal Data held or processed by the Trust as a Data Processor will be held and 
processed in accordance with the seventh principle of the DPA, which states that 
personal data must be processed and handled safely and securely. 
 
5.1. 
Policy Principles  
The principles of this Data Protection Policy are: 
The Trust will implement appropriate organisational and technical measures to 
ensure that: 
•  Personal Data processed by the Trust is treated in accordance with the 
requirements of the Data Protection Act 1998, in order to ensure that: 
o  Data Subjects’ rights in terms of Article 8 of the Human Rights Act of 
1998, the right to “respect for private and family life”, are upheld across 
all flows of Personal Data in the Trust’s control, 
•  Planning of organisational and service activity will be undertaken in conjunction 
with a formal Privacy Impact Assessment to determine appropriate, effective 
and affordable Data Protection controls, and to implement them across the  
•  The quality and integrity of recorded Personal Data will be developed and 
maintained to ensure that it is fit for the purposes for which it was collected, 
•  Compliance with the regulatory framework will be audited, monitored and 
maintained. 
6. Definitions 
The following terms are used in the Data Protection Act 1998 and this policy, with 
specific meanings as described: 
6.1. Data 
Section 1(1) of the 1998 Data Protection Act defines ‘data’ as: 
Information which - 
a)  Is being processed by means of equipment operating automatically in 
response to instructions given for that purpose, 
b)  Is recorded with the intention that it should be processed by means of such 
equipment, 
 
c)  Is recorded as part of a relevant filing system or with the intention that it 
should form part of a relevant filing system, 
d)  Does not fall within paragraph (a), (b) or (c) but forms part of an accessible 
record, or 
e)  Is recorded information held by a public authority and does not fall within any 
of paragraphs (a) to (d). 
6.2. Relevant Filing System 
A ‘relevant filing system’ is defined in s.1(1) as: 
‘Any set of information relating to individuals to the extent that, although the 
information is not processed by means of equipment operating automatically in 
response to instructions given for that purpose, the set is structured, either by 
reference to individuals or by reference to criteria relating to individuals, in such a 
way that specific information relating to a particular individual is readily accessible.’ 
6.3. Accessible Records 
Paragraph (d) of the definition of ‘data’ includes accessible records. Section 68 of 
the Act defines accessible records as a health record, an educational record or an 
accessible public record. In the context of this policy, the terms “information” and 
“data” refer to any item of personal data about living individuals, held in “accessible 
records” including manual files, computer databases, videos and other automated 
media, such as personnel and payroll records, medical records, other manual files, 
microfiche/film, pathology results, prescriptions, photographs, x-rays, scans and 
even telephone recordings. 
6.4. Data Subject 
A ’data subject’ is defined as any individual who can be identified using the 
information or data held, i.e. the “subject” of the data, or from combinations of the 
data and other information which the data Controller has, or is likely to have in 
future. 
6.5. Personal Data 
‘Personal Data’ is defined in schedule 1(1) as: 
a)  data which relate to a living individual who can be identified — 
b)  from those data, or 
c)  from those data and other information which is in the possession of, or is 
likely to come into the possession of, the data controller. 
 
Personal Data includes: 
‘data which relate to a living individual who can be identified: 
(a) from those data, or  
(b) from those data and other information which is in the possession of, or is likely 
to come into the possession of, the data controller, and includes any expression of 
opinion about the individual and any indication of the intentions of the data 
controller or any other person in respect of the individual’. 
 
6.6. Sensitive Personal Data 
‘Sensitive Personal Data’ is defined in schedule 2 as personal data relating to any 
one or more of the following: 
•  Racial or ethnic origin 
•  Political opinions 
•  Religious or other beliefs of a similar nature 
•  Trades Union membership 
•  Physical or mental health conditions 
•  Sexual life 
•  The commission or alleged commission by the data subject of any offence 
•  Any proceedings for any offence committed or alleged to have been committed 
by the data subject, the disposal of such proceedings or the sentence of any 
court in such proceedings 
Data Controllers are forbidden from processing sensitive personal data unless one 
or more of 19 specified conditions are met. These conditions are: 
•  Explicit consent 
•  Employment law obligations 
•  Vital interests of the data subject 
•  Not-for-profit organisation existing for political, philosophical, religious or trade 
union purposes 
•  Information made public by the data subject 
•  Legal rights 
•  Public functions (administration of justice, etc.) 
•  Medical purposes 
•  Records on racial equality 
•  Unlawful activity detection 
•  Protection of the public 
•  Public interest disclosure 
•  Confidential counselling 
•  Insurance and pensions – family data 
•  Insurance and pensions – processing 
•  Religion and health – equality or opportunity 
•  Political opinions 
•  Research 
•  Police processing 
 
6.7. Data Controller 
A ‘data controller’ is a ‘person who (either alone or jointly or in common with other 
persons) determines the purpose for which and the manner in which any personal 
data are, or are to be, processed’ (s. 1(1)). 
6.8. Processing 
‘Processing’, in relation to information or data, means: 
a)  obtaining, recording or holding the information or data or carrying out any 
operation or set of operations on the information or data, including — 
b)  organisation, adaptation or alteration of the information or data, 
c) retrieval, consultation or use of the information or data, 
d)  disclosure of the information or data by transmission, dissemination or 
otherwise making available, or 
e) alignment, combination, blocking, erasure or destruction of the information or 
data. 
 
This definition of ‘processing’ is so broad as to include, for all practical purposes, 
anything that is done with information, including simply calling it up on a computer 
screen, reading a manual file, moving information over a network, email or on a 
portable memory device, and even includes recording of CCTV images and 
telephone recordings. 
6.9. Notification 
The Trust is required by the Act to ‘notify’ the Information Commissioner of all 
processing that takes place within the organisation, including each class of 
information processed, and the purpose for which it is processed. 
Any changes to the classes of information processed, or the reasons for processing 
must be registered with the Information Commissioner by the Data Protection 
Officer. 
7.  Service User Information  
All service users must be provided with information on the use and disclosure of 
confidential information about them that is held by the Trust. Staff should make sure 
that information leaflets on patient confidentiality and information disclosure are 
available in a format that is understandable to the service user, and staff should 
check, where practicable, that service users have read and understood the leaflets. 
Staff should make clear to service users, in a way that is appropriate to that 
individual, when information is recorded and under what circumstances the health 
record will be accessed. 
Staff must check that patients are aware of the choices available to them and that 
they have the right to choose whether or not to agree to information that they have 
provided in confidence being shared. Staff should communicate effectively with 
service users to ensure they understand what the implications may be if they 
choose to restrict the disclosure of certain information. 
 
Leaflets and posters for service users can be found on the leaflets page on the 
Information Governance pages of Ourspace. 
8.  Security of Staff and Service User Information 
All staff and service user information, whether it is held manually or in an automated 
system, will be kept secure in accordance with the Trust’s Records Management 
and Information Security Policies. 
9.  Sharing and Disclosure of Service User Information 
All Data Controllers wishing to participate in information sharing agreements with 
AWP will be required to sign up to the most recent version of the Information 
Sharing Principles Agreement produced by the Avon IM&T Consortium in 
conjunction with organisations in the NHS, Social Services and partner 
organisations. This agreement is to be supported by “second tier” Information 
Sharing Protocols (produced by AWP) for each flow of personal data. 
These second tier agreements will describe the data sets to be shared, the 
mechanism for sharing, and the roles of the originating and receiving Data 
Controller. To avoid confusion, they will not contain further descriptions of the Data 
Protection Act or the principles of information sharing. AWP will host a secure file 
sharing portal for managing all bulk flows of personal data between the parties 
described in the second tier information sharing protocols. AWP will not support the 
exchange of bulk transfers of personal data on other forms of media, including, for 
example, CD, DVD or paper. 
10.  Subject Access Requests  
Section seven (7) of the Act allows an individual to: 
Be informed by any data controller whether personal data of which that individual is 
the data subject are being processed by or on behalf of that data controller. 
 
And, if that is the case, to be given by the data controller a description of: 
•  The personal data of which that individual is the data subject 
•  The purposes for which they are being or are to be processed, and 
•  The recipients or classes of recipients to whom they are or may be disclosed 
•  To have communicated to him in an intelligible form: 
•  The information constituting any personal data of which that individual is the 
data subject  
•  And any information available to the data controller as to the sources of 
those data 
 
Service users can obtain this information from the Trust by making a written 
request. This is known as a ‘Subject Access Request’. The Trust’s approach to 
dealing with Subject Access Requests by service users or staff is detailed in the 
Subject Access Request Procedure, attached as Appendix A to this document. 
 
10.1. Third Party Information 
Where the Trust cannot comply with a subject access request without disclosing 
information relating to another individual who can be identified from that 
information, the Trust is not obliged to comply with the request unless - 
•  the other individual has consented to the disclosure of the information to the 
person making the request, or 
•  it is reasonable in all the circumstances to comply with the request without the 
consent of the other individual. 
10.2. Staff Information 
All staff information will be handled in accordance with the DPA in terms of its 
collection, processing, storage, retention and disposal. Any member of staff, whether 
current, past or potential (applicant), who wishes to have a copy of their information under 
the Subject Access provisions of the DPA may submit a Subject Access Request to 
the Data Protection Officer. 
11. Staff Training 
The Trust will provide appropriate training and awareness programs to ensure staff 
are aware of their responsibilities for Data Protection, Confidentiality and 
Information Security. These awareness initiatives will be included in the Trust’s 
Core Induction programme, and will be presented by the Caldicott Guardian or the 
Information Governance Manager. 
11.1. Induction Training 
The Induction Training program for Information Governance shall include: 
•  personal responsibilities 
•  confidentiality of personal information 
•  relevant Trust Policies and Procedures 
•  principles of the Data Protection Act 
•  individuals’ rights of access to information 
•  general good practice guidelines covering security and confidentiality 
•  awareness of where to seek advice and support on matters concerning Data 
Protection, Confidentiality and Information Security 
All new starters at the Trust will be required to attend mandatory Information 
Governance training as part of the Trust induction process. 
A register will be maintained of all staff attendance at induction and other training 
sessions. 
11.2. Specialist Training 
Additional specialist training such as Information Security for System Managers 
may be provided for those with job functions that include responsibility for specialist 
areas such as system or workgroup managers. 
 
11.3. Information Governance Training Tool 
All staff are encouraged to undertake the Information Governance Training modules 
that have been allocated to them within the Information Governance Training Tool.
12.  Contracts of Employment 
The Human Resources Directorate is to ensure that all staff have valid contracts of 
employment which will include specific clauses for Data Protection and 
Confidentiality. 
13.  Disciplinary Procedures and Enforcement 
Breaches of this Data Protection Policy will be addressed through the Trust’s 
Disciplinary Procedures. A copy of these procedures is available from the Board 
Policy Library on SharePoint. 
14. Standards 
This policy and related procedures or protocols will be assessed in terms of the 
standards defined in the Data Protection Act of 1998, and the Department of Health 
publication - Confidentiality: NHS Code of Practice. 
15.  Related Policy Documents 
This Policy should be read in conjunction with the following IG Policies: 
•  AWP Overarching Information Governance Policy 
•  AWP Information Security Policy 
•  AWP  Health & Social Care Records Policy 
•  AWP Records Management Policy 
•  AWP Freedom of Information Policy 
16. Monitoring 
This policy will be monitored and audited by the Information Governance Manager 
in accordance with the requirements stated in the Overarching Information 
Governance Policy. 
17. References 
17.1. References and Legal Framework 
In addition to the Data Protection Act 1998, the legislation listed below also refers to 
issues of security and/or confidentiality of Personal Data: 
17.2. Data Protection Act 1998 
17.3. Freedom of Information Act 2000 
17.4. Computer Misuse Act 1990 
17.5. Access to Health Records Act 1990 (where not superseded by the Data 
Protection Act 1998) 
 
17.6. Copyright, Designs and Patents Act 1988 (as amended by the Copyright 
(Computer Programs) Regulations 1992) 
17.7. Crime & Disorder Act 1998 
17.8. The Directive on Privacy and Electronic Communications (2002/58/EC) 
17.9. Electronic Communications Act 2000 
17.10. Regulation of Investigatory Powers Act 2000 
17.11. Lawful Business Practice Regulations 2000 
17.12. Criminal Justice & Court Services Act 2000 (where Multi Agency Public 
Protection Panels & Information exchange is set out) 
17.13. A full list of legislation can be reviewed within the NHS Information 
Governance Guidance on Legal and Professional Obligations at the 
following link: 
http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_079616

17.14.  Additionally, the NHS has mandated a number of relevant regulations 
including: 
17.15.  Connecting for Health’s Information Governance Toolkit 
17.16.  The Caldicott Report 1998 
17.17.  The International Standards Organisation Standard for Information Security 
Management, 
17.18.  Data Quality Assurance to include NHS Data Dictionary, Hospital Episode 
Statistics (HES) and Mental Health Minimum Data Set (MHMDS) 
17.19. Confidentiality: NHS Code of Practice 
17.20.  NHS Records Management: Code of Practice 
17.21.  Information Security Management: NHS Code of Practice 
17.22.  BS10012:2009 Data Protection: Specification for a Personal Information 
Management System 
17.23.  The Care Record Guarantee 
 
18. Appendix “A”: Subject Access Request Procedure 
18.1. Summary of Procedure 
Data Subjects (people about whom the Trust holds Personal Data records) are 
entitled to request to see and obtain copies of these records. 
A request from a Data Subject to a Data Controller to see such records is known as 
a Subject Access Request. 
In general, Subject Access Requests are to be processed in accordance with the 
Data Protection Act 1998, within 40 working days of receipt of the request. The 
NHS aspires to a standard of 21 working days. 
This document describes the process for dealing with Subject Access Requests, 
including what was formerly known as “Access to Health Records”. Requests for 
access to health records relating to the deceased will continue to be made under 
the Access to Health Records Act 1990. 
This procedure applies to Subject Access Requests by service users, staff or other 
Data Subjects wishing to obtain access to the data held by the Trust about them. 
18.2. Informal Access Request by a Service User 
Practitioners can share their own professional information with the service user. 
They may also withhold access to information if they believe it could lead to serious 
mental or physical harm to the service user or another person. 
They must not disclose information that identifies another person (“third party”) 
without their consent. 
If the service user asks for information to be corrected, they should refer to 
guidance on corrections in section 17.10. 
They must not disclose information recorded by another practitioner unless that 
practitioner has agreed to the disclosure. Any request for informal access that 
would involve such information should be treated as a formal access request.  The 
practitioner should assist the service user in putting their request in writing, if 
required. 
18.3. Responsibility for Processing Formal Subject Access Requests (SARs) 

18.3.1. Service User SARs 
Service Users may submit a SAR using the SAR form provided by the 
Trust. This may be submitted to any member of the Trust, but should 
ideally be submitted to a member of the clinical Team they receive care 
from. 
Staff receiving a SAR from a service user are required to do the following: 
•  Ensure that the standard Trust SAR Form is completed and that 
identification and proof of address are provided. 
•  Provide the completed SAR Form to the local Health and Social 
Care Records representative for processing. 
 
•  The local Health and Social Care Records representative is to 
acknowledge receipt of the SAR using the standard Trust letter. 
•  The local Health and Social Care Records representative is to 
follow the remaining SAR process as detailed below in section 
17.4. 
18.3.2. Subject Access Requests by Staff and others 
Staff and other Data Subjects may submit a SAR using the SAR form 
provided by the Trust. This may be submitted to any member of the Trust, 
but should ideally be submitted to a member of the Human Resources 
Directorate or the Information Governance Manager. 
Staff receiving a SAR from a service user are required to do the following: 
•  Ensure that the standard Trust SAR Form is completed and that
identification and proof of address are provided.
•  Provide the completed SAR Form to the local Human Resources
representative or the Information Governance Manager.
•  The Information Governance Manager is to acknowledge receipt
of the SAR using the standard Trust letter.
•  The Information Governance Manager is to follow the remaining
SAR process as detailed below in section 17.4.
18.4. Receipt of Requests
If a request is made via personal letter, then the Data Subject Access form and 
covering letter should be sent to the applicant for completion. Once received the 
following steps should be followed: 
•  The Acknowledgement Letter must be sent which advises the applicant that a 
fee may be payable in relation to the request. 
•  Check MARACIS or RiO as appropriate for hospital/NHS numbers and site
indicator to establish location of records.  If the site indicator does not record
the location of the records, contact the last practitioner involved in the service
user’s care.
•  The records should be retrieved from records stores or archives and MARACIS
or RiO as appropriate.  The records should be reviewed to establish if a charge
should be incurred in accordance with the charges set out in section 17.7.
•  If a charge is to be levied the standard Receipt and Return of ID and Fees 
Letter should be sent to the applicant by recorded delivery only. 
•  The consultant or other lead practitioner must be identified. 
•  The records must be sent to the consultant or lead practitioner in a safe and 
secure manner. 
•  They must include the standard Professional Scrutiny Letter and the Granting
Access to Health Records Form.  Note that, in law, only a health (not social care)
practitioner can fulfil this responsibility for health records.
•  Monitor the progress of the request, ensuring that the request is responded to 
promptly. 
 
•  All details regarding the request must be entered into the Subject Access 
Database. 
18.5. Responsibilities of the Consultant and Lead Practitioner
On receipt of the health records, the practitioner should: 
•  Identify information that should not be disclosed under either the “serious harm” 
or “third party” provisions.  Please refer to section 17.9.2. 
•  Provide an explanation of any codes or abbreviations that are likely to be 
unintelligible to the recipient. 
•  If the request is to view (not receive a copy of) the health and social care 
record, the practitioner should say who will undertake the supervised viewing in 
order for the service user to be contacted and an appointment made. 
18.6. Responsibilities of Local Health & Social Care Records Representative

On receipt of the response from the practitioner, the records clerk/manager should: 
•  Consult the Caldicott Guardian/Information Governance Manager if denying 
access is being considered. 
•  Notify the Caldicott Guardian/Information Governance Manager in writing of the 
reasons why access is being denied, with details of the withheld information. 
•  If appropriate, contact any third parties requesting permission to disclose using
the standard Third Party Consent Letter and await a response prior to
disclosure.
•  Ensure that the appropriate fee has been received prior to commencing 
photocopying. 
•  Ensure that those areas where access is not to be given are removed from the 
notes or excluded when photocopying. 
•  Make arrangements for copying or supervised viewing as appropriate. 
•  Update the Subject Access Database to reflect the current status of the 
request. 
18.7. Supervised Viewing
The supervised viewing must not take place until the charge (if applicable) has 
been received. 
A practitioner supervising a service user’s viewing of their records should answer 
any questions or refer the questions to another practitioner. 
A non-practitioner supervising a service user’s viewing of their records should not 
seek to respond to questions relating to the content of the record, but should refer 
the matter to the relevant practitioner. 
Update the Subject Access Database to reflect the current status of the request. 
18.8. Sending Records to the Service User
The records can only be sent to the service user via recorded delivery as a 
minimum, and must be marked Private and Confidential  - Addressee Only. 
 
The Subject Access Database must be updated to reflect the current status of the 
request. 
18.9. Non-disclosure 
There are three provisions for non-disclosure. 
18.9.1. Serious harm 
Access can be denied if permitting access to the information would be 
likely to cause serious harm to the physical or mental health or condition of 
the service user or any other person (which may include a practitioner).  
For social care records, this provision is strictly that disclosure would 
prejudice the carrying out of social work by causing serious harm. 
18.9.2. Third Party Information 
The overriding rule is that the Trust should supply as much information as 
can be supplied without disclosing the identity of the third party.  The 
identity is disclosed if the third party can be identified either from the 
information provided, or from that information and other information likely to 
be in the possession of the data subject.  This does not apply if the third 
party is a practitioner involved in the care of the service user or where the 
third party has given permission for the service user to see that part of the 
record which concerns them. 
18.9.3. Expectation of Disclosure 
If a request for access is made by someone other than the service user, 
such as a parent for a child, there is a further provision for non-disclosure.  
Access can be refused if the service user had provided the information in 
the expectation that it would not be disclosed to the applicant, or had 
indicated that it should not be so disclosed.  Access can also be refused if 
the information was obtained as the result of any examination or 
investigation to which the service user consented on the basis that 
information would not be so disclosed. 
Access may no longer be denied on the grounds that the records were made before 
the introduction of the relevant legislation. 
The advice of the Caldicott Guardian/Information Governance Manager should 
always be sought if denying access is being considered, including as to whether the 
service user should be informed that information has been withheld (as knowing 
that information has been withheld might itself cause serious harm). 
Where access to health and social care records is denied, the Caldicott 
Guardian/Information Governance Manager must be informed in writing with a clear 
explanation of the reasons for denying access and a description of the information 
withheld. 
18.10.  Corrections to Records 
Service users can ask for factual information to be corrected if it is inaccurate.  The 
Trust must correct information that is factually incorrect. 
 
A practitioner does not have to correct information that they believe to be accurate if 
a service user disagrees with it.  They should make a note in the relevant part of the 
record of the matters alleged to be inaccurate, and should not delete entries. 
In the event that a question of accuracy is taken to a court, the court can order that 
inaccurate information is rectified, blocked, erased or destroyed. 
18.11. Special Conditions
Once the request has been received, no amendments to or deletions from the 
record must be made that would not otherwise have been made. 
It is not necessary to comply with a request where an identical or similar request by 
the same individual has already been complied with, unless a reasonable period of 
time has elapsed.  If you wish to take advantage of this condition, you should 
consult the Caldicott Guardian. 
18.12.  Applications from People other than Data Subjects 
A number of other people are entitled to make requests for access to health and 
social care records, and certain special provisions apply.  In other respects, the 
procedure to be followed is as above. 
18.13.  People Who May Apply for Access To Health and Social Care Records 
The following people may apply for access to health and social care records: 
•  A named person who has the service user’s written permission to do so, e.g. a 
solicitor, advocate or relative 
•  A person appointed by the courts to manage the service user’s affairs. 
•  A named person acting in loco parentis for a child. 
•  A named person who has a claim arising from a deceased person’s death. 
•  The personal representative of a deceased person. 
18.14.  Confirmation of Authority 
The manager receiving the request should ensure that the appropriate written 
authority is received, such as consent from the service user or suitable legal 
documentation. 
If a request is received from a solicitor enclosing a consent form for general release 
of health and social care records, it may be appropriate to contact the solicitor 
and/or service user to seek a clearer definition of which part of the records is 
expected to be released.  Many solicitors investigating compensation claims for 
particular incidents under “no win, no fee” ask for a general consent form to be 
signed, and then seek release of all records, when the person concerned is under 
the impression that only records relevant to the incident are to be requested. 
18.15.  Claims and Compensation 
If a request for access is known to be in relation to claims or compensation, the 
Information Governance Manager must be informed that access has been 
requested, and must be consulted.  The Information Governance Manager will then 
liaise with the responsible manager in relation to the request. 
 
18.16. Standard Letters
The following standard letters are to be used by the Trust for consistency in 
responding to SARs. 
Standard letters include: 
•  Data Subject Access Application Form 
•  Acknowledgment Letter 
•  Requesting a Fee Letter 
•  Professional Scrutiny Letter 
•  Granting Access to Health Records Form
•  Disclosure of Records 
•  Non Disclosure of Records 
18.17.  Charging and Fees 
The Trust is entitled to charge for SARs as follows: 
•  Solicitors - £50.00 
•  Service Users & Staff - £10.00 Administration Fee (£10.00 + 10p per double
sided A4 sheet of photocopied notes)
•  Recorded Delivery posting costs estimated on weight of photocopying. 
•  This charge must be itemised, and must not exceed £50.00 inclusive of all of 
the above. 
Fees can be waived depending on the context of the request and the requestor’s 
circumstances. Advice should be sought from the Health & Social Care Records 
when considering waiving fees. 
18.18.  Charges for Viewing Records  
Records held entirely on computer - up to a maximum of £10 charge unless the 
records have been added to in the last 40 days, where there is no charge 
Records held manually - up to a maximum of £10 charge unless the records have 
been added to in the last 40 days, where there is no charge. 
Where the records are part held on computer and part manual - up to a maximum 
of £10 charge unless the records have been added to in the last 40 days, where 
there is no charge. 
If the service user, staff member or other Data Subject viewed their records and 
then wanted copies, the £10 maximum charge for viewing would be included in the 
maximum £50 charge for copies. This would still be classed as one access request. 
It has been agreed with the Head of the Exchequer that fees for access to records 
should be raised locally in order for the Health & Social Care Records 
Manager/Clerk to ensure payment is received prior to disclosure. 
 
18.19. Complaints 
 
Requestors who are dissatisfied with any element of the way their request is 
handled may write to the Chief Executive to request a review. 
If, following a review by the Chief Executive, the requestor remains dissatisfied, 
they may apply directly to the Office of the Information Commissioner for a decision. 
The Information Commissioner will not generally make a decision until the Trust's 
internal complaints procedure has been followed. 
 
 
19.  Appendix “B”: Safe Haven Procedures 
19.1. Introduction 
The Trust Safe Haven Procedures set out requirements for best practice when 
transmitting Personal Data, to ensure the privacy and confidentiality of information 
in transit and at the point of receipt / delivery. 
The term ‘Safe Haven’ was originally implemented to support contracting 
procedures. The Caldicott Report 1997 extended this concept to a term recognised 
throughout the NHS to describe the administrative arrangements to safeguard the 
confidential transfer of personal data between organisations or sites. 
This document will detail the procedures to be adopted when handling incoming 
and outgoing personal data by any of the following: 
•  Fax 
•  Post 
•  Email  
•  Telephone 
19.2. Objectives of the Procedure
The key objectives of this procedure are: 
•  To ensure that all personal data is handled in accordance with the Caldicott 
Principles. 
•  Justify the purpose for using personal data. 
•  Only use personal data when absolutely necessary. 
•  Only use the minimum amount of personal data necessary. 
•  Access to personal data should be on a strict need to know basis. 
•  Everyone with access to personal data must be aware of their responsibilities. 
•  Everyone must understand and comply with the law. 
•  To ensure that the legal obligations of the Data Protection Act 1998 are 
adhered to. 
•  To provide a consistent approach to the way personal data is handled 
•  To provide guidance of the correct way to handle personal data. 
19.3. Scope of this Procedure
This procedure applies to all employees of the Trust including permanent, 
temporary and contract employees, students, and volunteers, who come into 
contact with Personal Data. It applies equally to service user, staff and other Data 
Subjects. 
 
19.4. Breaches of Confidentiality
All breaches of confidentiality must be reported whether they are the result of action 
taken by the Trust or a third party. These should normally be reported to your line 
manager, the Information Governance Manager and recorded on an Adverse 
Incident Report Form. If your line manager is unavailable then report the incident to 
the Information Governance Manager.
What is personal data?
19.5. Personal Data can be any of the Items Listed Below
o  Surname
o  Forename
o  Initials
o  Address
o  Date of Birth
o  Postcode
o  Gender
o  Occupation
o  Telephone Number
o  Ethnic Group
o  NHS Number
o  National Insurance Number
o  Local Identifier (e.g. hospital number)
o  Other data (e.g. death, diagnosis)
19.6. Using Fax Communications
19.6.1. Physical Location 
As far as possible a safe-haven must be established as a clearly 
identifiable part of the organisation’s premises. Where particular healthcare 
functions are based in a number of locations, safe-haven procedures 
should apply to each location. Throughout the Trust there are a number of 
designated safe-haven areas. Senior managers must ensure safe haven 
areas are set up for sending and receiving faxes and postal information. 
Guidance can be sought from the Information Governance Manager. The 
requirement for additional fax equipment must be justified, taking into 
account the risks to personal data and the location of the machine.  Details 
of the new equipment must be reported to the Information Governance 
Manager for inclusion in the list. Further guidance on the location of fax 
machines can be sought from the Information Governance Manager. Such 
areas must be physically secured as far as possible, that is, lockable and 
access to them should be restricted to those whose work requires it. 
Restriction to the area may take the form of card access, number pad and 
lock and key.   
 
19.6.2. Outgoing Fax Communications 
When sending a fax containing personal data it should be sent to a known 
Safe Haven fax machine.  However it is appreciated that this is not always 
possible.  In these cases additional steps will need to be taken to uphold 
the security of the information. 
•  Telephone the intended recipient of the fax to let them know that
you are going to send a fax containing personal data.
•  Ask the recipient to wait by the fax machine while the fax is sent.
•  Ask the recipient to immediately acknowledge receipt of the fax.
•  Ensure that the fax cover clearly states the intended recipients’
names, does not identify the personal data and contains a
confidentiality disclaimer. The standard AWP template that
should be used by all staff is contained in the Safe Haven
Procedures at Appendix C.  A copy can be obtained from the
Information Governance Manager.
•  Double check the fax number before sending the fax.
•  Use pre-programmable numbers for regular recipients.
•  Request a report sheet to confirm the transmission was
successful.
If you receive a request to fax personal identifiable data to a new fax number
then the Safe Haven External Request Form, contained in the Safe Haven
Procedures at Appendix D, should be used to confirm the fax is indeed a
Safe Haven fax.
Do not send a fax to a destination where you know it will not be seen for
some time.  Do not leave the fax machine unattended while the information
is being transmitted.
19.6.3. Incoming faxes 
Fax machines are located in various locations throughout AWP where 
transmissions will be received by staff.  As with outgoing messages, 
incoming ones must also be subject to secure handling procedures. 
•  The intended recipient of the fax should be contacted
immediately a fax is received for them.
•  Whilst awaiting collection, the fax should be placed away
from the view of the public and other staff members.
•  If the fax is not collected the same day, it should be placed
in a sealed envelope, marked ‘confidential’ and sent to the
intended recipient.
•  Occasionally, confidential faxes will be received where the
intended recipient is not clear.  In these cases, they should
be passed to a nominated person within each location.  It
is suggested that a senior manager should assume this
responsibility.
 
19.7. Postal Communications
19.7.1. Outgoing  
Wherever possible, personal data should be sent through the internal mail 
system, delivered personally or collected in person. 
If it is necessary to send personal data via mailing services, the following 
steps should be taken: 
•  Confirm the name, department and address of the intended
recipient
•  Ensure the contents of the letter cannot be seen through the
envelope
•  Ensure the envelope is properly sealed
•  Mark the envelope ‘Private and Confidential – to be opened by
addressee only’
•  If appropriate, send the information by recorded delivery
•  If appropriate, request confirmation of receipt from the recipient
19.7.2. Incoming Post 
Incoming mail should always be opened away from public areas.  Under no 
circumstances should items addressed to an individual and marked 
‘Private and Confidential’ be opened by the staff responsible for opening 
the Trust’s post. They should be sent to the individual’s Line Manager, or
Personal Assistant as agreed between themselves.
Items marked to a department and an individual should be passed to the
Head or Manager of that department.
Items that are not marked with a name or department and are not labelled
‘Private and Confidential’ should be opened by the post staff to establish the
intended recipient.
Any unmarked items that contain personal data should be placed in a 
sealed envelope and passed to the individual with responsibility for the 
Safe Haven. 
19.8. Email Communications
19.8.1. Outgoing Personal Data 
There are a number of risks associated with sending personal data via
email which must be taken into account before deciding to use email as a
means of communication:
•  There is a risk that the email communication will not just remain
with the person, as there is the ability for it to be forwarded
to other users, as well as the risk of unauthorised disclosure.
•  There is of course the increased risk that messages could be
mistakenly transmitted to an unintended recipient.
•  Person confidentiality may be breached. This could occur not
only if the email is misdirected, but also if family and friends of
 
the person access the email from a shared computer. In addition,
confidentiality may be breached if there is access to the
clinician’s email system by third parties such as, for example,
clinical support staff.
•  Risk also arises because there is often no way of guaranteeing
that the person has picked up an email and is aware of its
content.  This is particularly significant depending on the urgency of
the information communicated.
•  In a similar context, there remains the very real risk that emails
which are sent by patients will not be considered promptly by
clinicians.  This could result in urgent clinical communication
being missed.  Likewise emergency or urgent communication
would not be distinguishable on the computer system.
Consequently there would be an onus on clinicians to ensure that
urgent emails are picked up promptly.
Consequently staff should take appropriate precautions if they intend to 
use this method of communication. This must include obtaining the 
person’s consent to communicate in this way, and including a copy of this 
consent in the relevant record.  
19.8.2. Email between staff about a Service User 
Taking into account the risks documented above, personal data can only 
be sent from an AWP email account, to an AWP email account, for 
example: 
xxxxxxxxx.xxxxxxx@xxx.xxx.xx  to xxxxxxxxx.xxxxxxx@xxx.xxx.xx   
or 
from a NHS.net email account to an NHS.net email account, for example: 
xxxx@xxx.xxx  to xxxx@xxx.xxx
Third parties, e.g. organisations that have legitimate reasons to have 
access to personal data are able to request a third party nhs.net account.   
Emails containing confidential information should be clearly marked 
‘Confidential’ and the service user or staff member name should not be 
identified in the subject line of the email. 
Advice can be obtained from the Information Governance Manager. 
19.8.3. Email Disclaimer 
The Trust does not have an approved email disclaimer nor does it 
recommend personal disclaimers are added by individuals. The use of a 
disclaimer will not offer any protection with regards to negligence either by 
the Trust or its staff.  However all staff have a legal duty to protect all 
personal data confidentially. The duty to protect personal data 
confidentially applies irrespective of the form in which the data is 
transmitted. 
 
19.8.4. Incoming Email 
Although AWP has little control over emails received within the Trust, staff 
should still remain aware of the dangers of opening messages from 
unknown or untrusted sources.  All staff are reminded that they must sign 
and adhere to the Acceptable Use Policy. 
Emails containing personal data received in error, should be forwarded on 
to the correct location, if known, as soon as possible and deleted from the 
mailbox of the original receiver.  The sender should be informed that the 
message has not reached its intended destination and has been deleted. 
19.9. Telephone Communication
Personal data should not be discussed using a ‘hands free’ capability 
unless the phone is in a single user office or car, and no other persons are 
present. 
When taking a telephone call, be aware that some types of information 
cannot be shared over the phone: 
Information requested by the Police must not be given over the telephone.  
Specific information sharing protocols are in operation and requests for 
information must be made in writing using official police paperwork. 
Requests for information made by the press or media must be forwarded to 
the Chief Executive of the Trust as documented within the Caldicott 
Guidance – Using and Sharing Service User Information. 
The following steps should be taken when personal data is requested over 
the telephone: 
•  Confirm the name of the person making the request along with
their job title, department and organisation (if applicable).
•  Establish the reason for the request.
•  Take a contact telephone number.  This should be a main
switchboard number not a mobile or direct line number.
•  If you are in any doubt of the caller’s identity, call them back
preferably via a main switchboard if possible.
•  If in doubt, check the information can be released and telephone
the caller back.
•  Provide the information only to the person making the request –
do not leave a message either with somebody else or on an
answering machine.
19.10.  Speaking to Relatives or Next of Kin 
When speaking to persons claiming to be relatives or next of kin of a 
service user, the service user should ideally speak directly to the caller, or 
staff should ask the service user what details they would like to divulge to 
the caller. 
Always: 
o  Check identity of caller and data subject’s full name. 
 
o  If in doubt, call back using a documented number. 
o  Or – allow service user to speak directly to the caller. 
o  Or – ask service user what they would like you to pass onto the caller. 
o  If unsure pass call to senior member of staff. 
19.11.  What Information Can you share with staff? 
Staff have the right to relevant information in order to support their role in caring for 
the service user. 
Check identity of the member of staff – name, department and nature of enquiry. 
If you have to give clinical information, be aware of others who may be listening. 
19.12. Providing Information to a GP Practice
Check the identity of the caller and the service user’s full name, NHS and hospital 
numbers. 
If in doubt, call back using documented GP Practice number. 
If unsure pass call to senior member of staff. 
19.13.  What information can you give to Employers? 
No information without documented consent from the service user. 
19.14.  Using the telephone to contact Service Users 
If you think you may need to contact a service user by phone, ask if you can leave 
messages and ensure that you document this in the service user’s health and social 
care records. If you need to contact the service user urgently and they are not 
available, please leave your name, telephone number and a brief message asking 
them to call you back.   
DO NOT MENTION THE HOSPITAL OR LEAVE ANY CLINICAL INFORMATION 
Unless you can guarantee that the message will be delivered to and received by the 
correct service user then do not leave a message. 
19.15.  Advice from Connecting for Health on leaving telephone messages 
Unless one has the service user’s consent to do so and can guarantee that the 
message will be delivered to and received by the correct service user, then 
confidentiality concerns suggest it is a route that should not be taken. 
Doctors who wish to provide a telephone or on-line service should consider
carefully whether such a service will serve their service user’s interests, and if
necessary, seek advice from their professional association or medical defence
society.
 
 
 


 
20.  Appendix “C”: Fax Header Sheet 
 
 
 
 
To:
Name
Address
Tel
Fax

From:
Name
Address
Tel
Fax

Facsimile Transmission
Any transmission problems call on the phone number above

Urgent / Routine / Confidential
Number of Pages
Date
 
 
 
 
 
CONFIDENTIALITY 
This facsimile transmission is strictly confidential and intended solely for the addressee.  
It may contain information, which is covered by legal, professional or other privilege.  If 
you are not the intended addressee, you must not disclose, copy or take any action in 
reliance on this facsimile and please dispose of it confidentially.  If you have received 
this facsimile in error, please notify us as soon as possible. 
 
 
Message: 
 
DO NOT MENTION ANY PERSONAL INFORMATION ON THIS COVER SHEET
 
 


 
21.  Appendix “D”: Safe Haven External Fax Request for Information 
 
 
 
To:
Name
Address
Tel
Fax

From:
Name
Address
Tel
Fax

Facsimile Transmission
Any transmission problems call on the phone number above

Urgent / Routine / Confidential
Number of Pages
Date
 
REQUEST TO RECEIVE PERSONAL DATA VIA FAX 
Trust staff to complete 
 
I/we (insert name/department etc) ________________________________________have been 
requested by (insert person and company etc_________________________________) to fax sensitive 
personal data (as defined by the Data Protection Act 1998) to fax number (insert fax number 
__________________________). 
 
In order to ensure that the information we send will be treated in accordance with the Data Protection Act
1998 and other relevant legislation, the Trust requires that the following declaration is completed prior to
commencement of the service.
 
Company/organisation to complete 
 
I confirm that fax number (insert fax number) ________________________ is designated as a Safe 
Haven, i.e. it is in an area that is physically secure, lockable, with access restricted to those whose work 
requires it. 
 
I confirm that any personal data received via the Safe Haven fax will be treated in accordance with the 
Data Protection Act 1998 principles and other relevant legislation to ensure confidentiality. 
 
I confirm that should a breach of confidentiality arise it will be reported immediately to the Information 
Governance Manager for investigation. 
 
Signature_____________________________________________________________________ 
Job Title______________________________________________________________________ 
Telephone Number______________________________________________________________ 
Date_________________________________________________________________________ 
 
 
 
