DPA infringements on patient notes and safeguarding system/s

[Name Removed] made this Freedom of Information request to Hywel Dda University Health Board.

The request was partially successful.

Dear Hywel Dda University Health Board,

The intention of this request is to enable understanding of the ways in which NHS patient notes can be accessed, or changed by NHS employees - without the permission to do so.

And what safeguards can be put in place to prevent illegal access, or medical record tampering.

The request therefore concerns this case, already in the public domain:
::

Ex-nurse fined for illegally accessing confidential records

A former nurse from Carmarthenshire who has been fined for breaching the Data Protection Act, had illegally accessed more than 3,000 confidential medical records, it has emerged.
Elaine Lewis, 63, from Llansteffan, was fined £650 by Llanelli magistrates.
She was also ordered to pay costs of £664 and a victim surcharge of £65.
Lewis had worked at Glangwili hospital and was sacked by Hywel Dda University Health Board for breaching patient confidentiality.
The records also included those of work colleagues.
The health board sent letters to all the patients involved last July after the data breach came to light.
It also referred the case to the office of the Information Commissioner's Office (ICO) which brought the prosecution.
Health board chief executive Steve Moore said: "Patient confidentiality is of paramount importance to us and since the initial incident we have put in place a series of measures to strengthen our information governance processes and procedures.
"We know that this has been a distressing case for those affected and we hope that our actions have demonstrated our ongoing commitment to ensuring that we avoid something similar from ever happening again.
"Now that the investigation is complete we will be writing again to each patient directly affected by this matter to apologise and offer further support."

http://www.bbc.co.uk/news/uk-wales-south...

:::

I would like to know-

1. What system was in place which allowed the nurse to access patient records?

2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

3. The system which replaced the one in which the records were accessed.

4. The 'series of measures' that were put in place to stop DPA breaches occurring again.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

::::

Request Title/summary within scope.

I am writing to make an open government request for all the
information to which I am entitled under the Freedom of Information
Act 2000.

Please send me original recorded information, which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.

If this request is too wide or unclear, and you require a clarification, I would be grateful if you could contact me as I understand that under the Act, you are required, as a duty, to advise and assist requesters.(Section 16 / Regulation 9).

ICO guidance:

https://ico.org.uk/media/for-organisatio...

If my request is denied in whole or in part, I ask that you justify
all deletions by reference to specific exemptions of the act.

I will also expect you to release all non-exempt material. I reserve
the right to appeal your decision to withhold any information or to
charge excessive fees.

If any of this information is already in the public domain, please
can you direct me to it, with page references and URLs if
necessary.

Please confirm or deny whether the requested information is held (Section 1(1)(a)) and consider whether information should be provided under section 1(1)(b), or whether it is subject to an exemption in Part II of the Act.

If the release of any of this information is prohibited on the
grounds of breach of confidence, I ask that you supply me with
copies of the confidentiality agreement and remind you that
information should not be treated as confidential if such an
agreement has not been signed.

I request that the response be provided to me as electronic copies, via WDTK.

The information should be immediately readable - and, as a freedom of Information request, not put in a PDF or any closed form, which some readers may not be able to access.

I understand that you are required to respond to my request within
the 20 working days after you receive this letter. I would be
grateful if you could confirm in writing that you have received
this request.

::::::::

Please consider the Decision on the provision of original documents on file, rather than newly written letters of response.
https://ico.org.uk/media/action-weve-tak...

::::

'However, if the requester expresses a preference to inspect the original documents (or copies of those documents) then we would expect the authority to provide them with a reasonable opportunity to view the originals (or copies), where practicable'.

https://ico.org.uk/media/for-organisatio...

Nb This request does not require a letter, drafted by the External Affairs department, or any other written input by reputational defence employees - and purporting to be the response to a FOIA request.

Yours faithfully,

[Name Removed]

FOI HywelDda (Hywel Dda UHB - Freedom of Information), Hywel Dda University Health Board

 

Dear Sir/Madam

Information Requested Under The Freedom Of Information Act 2000

Thank you for your recent request for the supply of information relating to Data Protection Act breaches.

Under the Act, the Health Board is required to supply the information to you within 20 working days. In terms of your request, this means that the information should be provided by 5 April 2017. If this is not possible, a further letter will be sent advising you of the progress made in satisfying your request.

Please find attached our [1]leaflet giving guidance on our procedure for managing requests for information that is covered under the Freedom of Information Act 2000.

Yours sincerely

Swyddog Rhyddid Gwybodaeth/Freedom of Information Officer

Bwrdd Iechyd Prifysgol Hywel Dda/Hywel Dda University Health Board

 

References

Visible links
1. http://www.wales.nhs.uk/sitesplus/862/op...

Dear FOI HywelDda (Hywel Dda UHB - Freedom of Information),
Non compliance with FOIA.

Yours sincerely,

[Name Removed]

Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer), Hywel Dda University Health Board

1 Attachment

Dear Sir/Madam

Please find attached the response to your request for information under the Freedom of Information Act.

Best wishes

Kathryn

 

Kathryn Thomas

Senior Corporate Information Officer/Uwch Swyddog Gwybodaeth Corfforaethol

Hywel Dda University Health Board/Bwrdd Iechyd Prifysgol Hywel Dda

Corporate Offices

Ystwyth Building/Adeilad Ystwyth

Hafan Derwen

St David's Park/Parc Dewi Sant

Job's Well Road/Fynnon Job

Carmarthen/Caerfyrddin

Carmarthenshire/Sir Gaerfyrddin

SA31 3BB

 

Rhif Ffôn / Telephone Number: 01267 239682 (WHTN 01825 4682)

E-bost: Email: [1][email address]

 

Bwrdd Iechyd Prifysgol Hywel Dda yw enw gweithredol Bwrdd Iechyd Lleol
Hywel Dda / Hywel Dda University Health Board is the operational name of
Hywel Dda Local Health Board

 

 

References

Visible links
1. mailto:[email address]

You state: ( and please note that you were asked to reply in an open form)

Dear Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer),

Dear Sir/Madam

Information Requested Under The Freedom Of Information Act 2000

Further to your request of 7 March 2017, I am now able to provide you with the information requested in regard to data protection breaches.

Your request:

I would like to know-

1. What system was in place which allowed the nurse to access patient records?

2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

3. The system which replaced the one in which the records were accessed.

4. The 'series of measures’ that were put in place to stop DPA breaches occurring again.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

Our response:

As the request received specifically relates to a data breach incident that occurred within Hywel Dda University Health Board (UHB) the response below reflects this. However, the responses to the questions may have differed slightly if the questions posed were generic.

1. The system in place in Hywel Dda University Health Board (UHB) is the Myrddin Patient Administration System (PAS). This system only allows individuals with agreed access to view an electronic hospital record, not a patient’s full medical record. The electronic hospital record provides details of hospital appointments, clinics and visits, as well as test results and some letters with access being appropriate to need.

2. Senior staff identified a concern at the end of 2015 and instigated the investigation which revealed the extent of the breach. The Health Board then followed its own disciplinary procedure. This involved collecting evidence from witnesses and reviewing the extent of the breach.

.........2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

Response: You have not specified the method.
HOW was the concern identified to senior staff?
If you are confused by the term, please provide original data.

3. The Myrddin PAS system described in point 1 above continues to be used as the Patient Administration system for the Health Board.

4. All members of staff are informed that protecting patient confidentiality is a fundamental aspect of patient care and this message is conveyed when an employee starts their employment with the Health Board, throughout their employment and each time an individual member of staff logs into the patient administration system. It is also a condition of their contract of employment.

Response -As with any organisation. This is a specific request.

Comprehensive and regular training is provided to all employees on the importance of confidentiality and data protection (and there are Information Governance and Data Protection policies, which are based on legislative requirements) are in place. Staff members who need to see electronic hospital patient records are provided with regular training in the PAS system (Myrddin CiS). Additional training is also provided, which includes detail on what constitutes both appropriate and inappropriate access to patient identifiable information. Regular staff communication updates and reminders on these issues are also conveyed to all staff.

Since January 2016, The Health Board has implemented the National Intelligent Integrated Auditing Solution (NIIAS). This system is licensed for use by all NHS Wales Health Boards and Trusts and helps monitor electronic information systems and flag up potential instances of unauthorised access to patient information, for further investigation.

5. Only employees with the appropriate approved access are able to make changes or updates to patient records. Access to systems are strictly controlled through the Health Board’s policies and procedures. Staff are aware through training and the Health Board’s policies and procedures that changes to patient records must only be carried out for legitimate purposes around the provision of patient care.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

Response: Please provide the occupations of employees, as per request.

You have provided general information, instead of the specific information requested.
Please refer to request.

I trust this provides you with the information you require. However should you be dissatisfied with the way your request has been handled by the UHB or you have other concerns, you have the right to appeal and request a review of our decision, you should write to:

​Board Secretary

As you failed to comply with the 20 day legal limit, and now provided a review, you might like to reconsider the response by reading the request more closely ....and providing a proper response to the request on the points raised.

Please note: please keep in mind that this is not a public relations exercise, it is a FOIA request, with legal constraints.

I would therefore remind you that original data is requested as an FOIA response and not a letter from public relations, or other protective reputational department. I will therefore now hold you to the letter of the request.

If you fail to respond within a week, I will forward to the ICO as a complaint.

Please respond promptly.

Yours sincerely,

[Name Removed]

Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer), Hywel Dda University Health Board

Dear Sir/Madam

Request for a review under Freedom of Information Act 2000

Thank you for your request for a review of the information provided to you in regard to data protection breaches, in particular the request therefore concerns a case, already in the public domain.

In accordance with the Health Board’s policy on Freedom of Information, I have now requested a review of the information provided to be undertaken. As per the Health Board’s policy you will be provided with a full response within the next 20 working days and will therefore receive a reply by 22 May 2017.

In the meantime, if you require any further assistance or clarification please do not hesitate to contact me.

Yours sincerely

Kathryn

 

 


[Name Removed] (Account suspended) left an annotation

What happens after I make my request?

The authority must reply to you within 20 working days. It may:

give you the information you’ve asked for; ....no
tell you it doesn’t have the information;....no
tell you that another authority holds the information or transfer the request on your behalf.. no

refuse to give you the information, and explain why; No .. no response
under the Freedom of Information Act, say that it needs more time to consider the public interest in disclosing or withholding the information, and tell you when to expect a response. This should not be later than 40 working days after the date of your request. It can only extend the time limit in certain circumstances, and it must explain why it thinks the information may be exempt;

:::

The request then went into review of the non-response - instead of being reported to ICO for non-compliance.

:::

Public Authorities cannot extend FOIA requests indefinitely by failure to respond to them.

Dear Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer),

As stated....

You have completed the review requested - after failure to follow the FOIA within 20 days.

You seem to be stating that you can complete review, after review....,and possibly the third review that as well.

As I disagree with your first review I will forward this as a complaint to the ICO.

Yours sincerely,

[Name Removed]

Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer), Hywel Dda University Health Board

I am on annual leave from 24 April 2017 until Wednesday 26 April 2017.  In
my absence please contact Sara Prosser on 01267 239688 or email
[email address]

 

Many thanks

Best wishes

Kathryn Thomas

Senior Corporate Information Officer


[Name Removed] (Account suspended) left an annotation

Complaint :

To: casework@ico.org.uk

Report a concern about how an organisation handled your information

Please only reply by email to save postal visits and the environment.

In any response please include my reference which is:

-DPA infringements on patient notes and safeguarding system/s-

Please read the whole request, including the title.

NB - ANNOTATIONS

Please note that annotations on the request do NOT form part of the correspondence and are not sent to, or received by, the Public Authority concerned.

Thank you

1. Details of the organisation your concern is about
Organisation:  
   
Hywel Dda University Health Board

Contact name:  
Kathryn Thomas

Senior Corporate Information Officer

  
Address:   

Hywel Dda University Health Board

Springfield Building

Withybush General Hospital

Fishguard Road

Haverfordwest

Pembrokeshire

Postcode
SA61 2PZ​

Telephone:  01267 239682 (WHTN 01825 4682) 
  
Email:  via WDTK
    
2. Your relationship with the organisation
     
Member of the public
3. What is your concern?
Hywel Dda University Health Board has stated that it has already provided the final response

The review is clearly labelled as :
-FOI 118 17 final response 1.doc-

It has therefore completed its review.
Even with the extra time on its final response I gave it, it has failed to comply with the terms of the request.

There is a clear public interest in finding out how and why patient information
is accessed, abused and the measures taken to stop further breaches of this
sort from happening to NHS records.

:::::

The request refers to the specific incident stated-

The request:

Dear Hywel Dda University Health Board,

The intention of this request is to enable understanding of the ways in which NHS patient notes can be accessed, or changed by NHS employees - without the permission to do so.

And what safeguards can be put in place to prevent illegal access, or medical record tampering.

The request therefore concerns this case, already in the public domain:
::

Ex-nurse fined for illegally accessing confidential records

A former nurse from Carmarthenshire who has been fined for breaching the Data Protection Act, had illegally accessed more than 3,000 confidential medical records, it has emerged.
Elaine Lewis, 63, from Llansteffan, was fined £650 by Llanelli magistrates.
She was also ordered to pay costs of £664 and a victim surcharge of £65.
Lewis had worked at Glangwili hospital and was sacked by Hywel Dda University Health Board for breaching patient confidentiality.
The records also included those of work colleagues.
The health board sent letters to all the patients involved last July after the data breach came to light.
It also referred the case to the office of the Information Commissioner's Office (ICO) which brought the prosecution.
Health board chief executive Steve Moore said: "Patient confidentiality is of paramount importance to us and since the initial incident we have put in place a series of measures to strengthen our information governance processes and procedures.
"We know that this has been a distressing case for those affected and we hope that our actions have demonstrated our ongoing commitment to ensuring that we avoid something similar from ever happening again.
"Now that the investigation is complete we will be writing again to each patient directly affected by this matter to apologise and offer further support."

http://www.bbc.co.uk/news/uk-wales-south...

:::

I would like to know-

1. What system was in place which allowed the nurse to access patient records?

2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

3. The system which replaced the one in which the records were accessed.

4. The 'series of measures' that were put in place to stop DPA breaches occurring again.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

::::

Request Title/summary within scope.

I am writing to make an open government request for all the
information to which I am entitled under the Freedom of Information
Act 2000.

Please send me original recorded information, which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.

If this request is too wide or unclear, and you require a clarification, I would be grateful if you could contact me as I understand that under the Act, you are required, as a duty, to advise and assist requesters.(Section 16 / Regulation 9).

ICO guidance:

https://ico.org.uk/media/for-organisatio...

If my request is denied in whole or in part, I ask that you justify
all deletions by reference to specific exemptions of the act.

I will also expect you to release all non-exempt material. I reserve
the right to appeal your decision to withhold any information or to
charge excessive fees.

If any of this information is already in the public domain, please
can you direct me to it, with page references and URLs if
necessary.

Please confirm or deny whether the requested information is held (Section 1(1)(a)) and consider whether information should be provided under section 1(1)(b), or whether it is subject to an exemption in Part II of the Act.

If the release of any of this information is prohibited on the
grounds of breach of confidence, I ask that you supply me with
copies of the confidentiality agreement and remind you that
information should not be treated as confidential if such an
agreement has not been signed.

I request that the response be provided to me as electronic copies, via WDTK.

I understand that you are required to respond to my request within
the 20 working days after you receive this letter. I would be
grateful if you could confirm in writing that you have received
this request.

::::::::

Please consider the Decision on the provision of original documents on file, rather than newly written letters of response.
https://ico.org.uk/media/action-weve-tak...

::::

'However, if the requester expresses a preference to inspect the original documents (or copies of those documents) then we would expect the authority to provide them with a reasonable opportunity to view the originals (or copies), where practicable'.

https://ico.org.uk/media/for-organisatio...

Nb This request does not require a letter, drafted by the External Affairs department, or any other written input by reputational defence employees - and purporting to be the response to a FOIA request.

Yours faithfully,

Jt Oakley

---

[........Nb The PA did not respond within 20 days, did not ask for a clarification or give S16 help and assistance.]

The Public Authority failed to reply within the statutory time.
I gave it extra time - instead of sending to the ICO - to review its non-response.

When it provided its stated 'final response', it did not respond to the terms of the request.
It provided a letter, which I had specifically stated I did not want.
If I had wanted a letter, I would not have requested data under FOIA.
My request is for data on file relating to the specified case.

:::::

You state: ( and please note that you were asked to reply in an open form)

Dear Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer),

Dear Sir/Madam

Information Requested Under The Freedom Of Information Act 2000

Further to your request of 7 March 2017, I am now able to provide you with the information requested in regard to data protection breaches.

Your request:

I would like to know-

1. What system was in place which allowed the nurse to access patient records?

2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

3. The system which replaced the one in which the records were accessed.

4. The 'series of measures’ that were put in place to stop DPA breaches occurring again.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

Our response:

As the request received specifically relates to a data breach incident that occurred within Hywel Dda University Health Board (UHB) the response below reflects this. However, the responses to the questions may have differed slightly if the questions posed were generic.

1. The system in place in Hywel Dda University Health Board (UHB) is the Myrddin Patient Administration System (PAS). This system only allows individuals with agreed access to view an electronic hospital record, not a patient’s full medical record. The electronic hospital record provides details of hospital appointments, clinics and visits, as well as test results and some letters with access being appropriate to need.

2. Senior staff identified a concern at the end of 2015 and instigated the investigation which revealed the extent of the breach. The Health Board then followed its own disciplinary procedure. This involved collecting evidence from witnesses and reviewing the extent of the breach.

.........2. The method of discovery of DPA breaches.
(For example: Were they reported by patients, by audit, or by inbuilt security feature?)

Response: You have not specified the method.
HOW was the concern identified to senior staff?
If you are confused by the term, please provide original data.

3. The Myrddin PAS system described in point 1 above continues to be used as the Patient Administration system for the Health Board.

4. All members of staff are informed that protecting patient confidentiality is a fundamental aspect of patient care and this message is conveyed when an employee starts their employment with the Health Board, throughout their employment and each time an individual member of staff logs into the patient administration system. It is also a condition of their contract of employment.

Response -As with any organisation. This is a specific request.

Comprehensive and regular training is provided to all employees on the importance of confidentiality and data protection (and there are Information Governance and Data Protection policies, which are based on legislative requirements) are in place. Staff members who need to see electronic hospital patient records are provided with regular training in the PAS system (Myrddin CiS). Additional training is also provided, which includes detail on what constitutes both appropriate and inappropriate access to patient identifiable information. Regular staff communication updates and reminders on these issues are also conveyed to all staff.

Since January 2016, The Health Board has implemented the National Intelligent Integrated Auditing Solution (NIIAS). This system is licensed for use by all NHS Wales Health Boards and Trusts and helps monitor electronic information systems and flag up potential instances of unauthorised access to patient information, for further investigation.

5. Only employees with the appropriate approved access are able to make changes or updates to patient records. Access to systems are strictly controlled through the Health Board’s policies and procedures. Staff are aware through training and the Health Board’s policies and procedures that changes to patient records must only be carried out for legitimate purposes around the provision of patient care.

5. The occupations of employees who can erase, or change any initial input to patients records.
(Nb this would exclude the INITIAL additions to patient records by the attending medical staff).

Response: Please provide the occupations of employees, as per request.

You have provided general information, instead of the specific information requested.
Please refer to request.

I trust this provides you with the information you require. However should you be dissatisfied with the way your request has been handled by the UHB or you have other concerns, you have the right to appeal and request a review of our decision, you should write to:

​Board Secretary

As you failed to comply with the 20 day legal limit, and now provided a review, you might like to reconsider the response by reading the request more closely ....and providing a proper response to the request on the points raised.

Please note: please keep in mind that this is not a public relations exercise, it is a FOIA request, with legal constraints.

I would therefore remind you that original data is requested as an FOIA response and not a letter from public relations, or other protective reputational department. I will therefore now hold you to the letter of the request.

If you fail to respond within a week, I will forward to the ICO as a complaint.

Please respond promptly.

Yours sincerely,

https://www.whatdotheyknow.com/request/d...

This is a request asking :
1. how patient data breaches occurred
2. and the specifics involved in
making the system secure.
Which officers gave the power to access patient records delete, or change them.

I am interested in how the NHS system of recording and protecting data
can be so easily breached.

:::
ICO guidance :
What happens after I make my request?

The authority must reply to you within 20 working days. It may:

give you the information you’ve asked for; ....no
tell you it doesn’t have the information;....no
tell you that another authority holds the information or transfer the request on your behalf.. no

refuse to give you the information, and explain why; No .. no response
under the Freedom of Information Act, say that it needs more time to consider the public interest in disclosing or withholding the information, and tell you when to expect a response.
This should not be later than 40 working days after the date of your request. It can only extend the time limit in certain circumstances, and it must explain why it thinks the information may be exempt;

:::

Via WDTK, the request then went into Review of the non-response - instead of being reported to ICO for non-compliance.

:::
Complaint -
Public Authorities cannot extend FOIA requests indefinitely by failure to respond to them.
I have given the Public Authority extensions at three stages.

It stated it had completed its final response.

Even after that, I gave it extra time to comply with the request.

It still has not responded to the request in a proper manner by providing the data on record -as specifically requested, under FOIA.

It has provided a letter. Which didn't exist at the time of request.

I specifically requested that it did not provide 'a letter'.

If I wished to receive a letter, I would have written to its public relations department.

It is data on file that I wished to read.

The Public Authority has provided no explanation of why it has ignored the terms of the request.

Since this case has been investigated, the requested on file data must exist.

---
Something else. Please give details.
     
Please send us copies of relevant documents that support your concern.

https://www.whatdotheyknow.com/request/d...

4. What have you done to raise your concern with the organisation?

https://www.whatdotheyknow.com/request/d...
     
Please send copies of any documents you have showing how you raised your concern with the organisation.
https://www.whatdotheyknow.com/request/d...

5. What did the organisation say?
https://www.whatdotheyknow.com/request/d...

I am on annual leave from 24 April 2017 until Wednesday 26 April 2017. In
my absence please contact Sara Prosser on 01267 239688 or email
[email address]

     
Please send copies of any documents you have showing the organisation’s response to your concern.
6. Reference number
FOI 118 17

Please tell us any reference number that the organisation has given you, eg account number, policy number etc.

As above.
     
7. Your details
Or, if you’re filling this in on behalf of someone else, put their details here.

Please only reply by email to save postal visits and the environment.

8. Declaration
▪ I have included all the necessary supporting evidence.
▪ I understand that the ICO may need to share the information I have provided so they can look into my concern. I have indicated any documents or information that I don’t want the ICO to share.
▪ The information I have provided is accurate, to the best of my knowledge.
▪ I understand that the ICO will electronically store the information relating to my concern including the documents I have provided and keep the electronic records for two years, or for longer if it is appropriate. The ICO will destroy the original hard copies after six months.
I agree.
9. Sending your form to us
By email
1. Fill in this form and save it to your computer.
2. Open a new email, with ‘Concern about an organisation’s handling of personal information’ in the subject line.
3. If you have all your supporting documents electronically, attach them to your email.
4. Email the completed form to casework@ico.org.uk

By post​
If you have only paper copies of any of your supporting documents, print this form and post it with all your supporting documents to:
Customer Contact
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer), Hywel Dda University Health Board

Dear Sir/Madam

 

Further to my acknowledgement of your request for a review of the
information provided to you under the Freedom of Information Act, I need
to clarify with you what information you feel is missing from the response
as this is a little unclear.  Once we receive this from you, we can
progress this appeal further.

 

Best wishes

Kathryn

 

Kathryn Thomas

Senior Corporate Information Officer/Uwch Swyddog Gwybodaeth Corfforaethol

Hywel Dda University Health Board/Bwrdd Iechyd Prifysgol Hywel Dda

Corporate Offices

Ystwyth Building/Adeilad Ystwyth

Hafan Derwen

St David's Park/Parc Dewi Sant

Job's Well Road/Fynnon Job

Carmarthen/Caerfyrddin

Carmarthenshire/Sir Gaerfyrddin

SA31 3BB

 

Rhif Ffôn / Telephone Number: 01267 239682 (WHTN 01825 4682)

E-bost: Email: [email address]

 

Bwrdd Iechyd Prifysgol Hywel Dda yw enw gweithredol Bwrdd Iechyd Lleol
Hywel Dda / Hywel Dda University Health Board is the operational name of
Hywel Dda Local Health Board

 

 

From: Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer)
Sent: 21 April 2017 13:20
To: [FOI #393890 email]
Subject: FOI/118a/17 - appeal acknowledgement

 

Dear Sir/Madam

 

Request for a review under Freedom of Information Act 2000

 

Thank you for your request for a review of the information provided to you
in regard to data protection breaches, in particular the request therefore
concerns a case, already in the public domain.

 

In accordance with the Health Board’s policy on Freedom of Information, I
have now requested a review of the information provided to be undertaken. 
As per the Health Board’s policy you will be provided with a full response
within the next 20 working days and will therefore receive a reply by 22
May 2017.

 

In the meantime, if you require any further assistance or clarification
please do not hesitate to contact me.

 

Yours sincerely

 

Kathryn

 

 


Dear Kathryn Thomas (Hywel Dda UHB - Senior Correspondence Officer),

Thank you but you:

1. Ignored my request ...past the legal 20 days
2. Gave me no S16 help, to clarify it
3. Then stated you had given a final response, so you clearly understood I'd asked for your non-response to be reviewed.
4. And did not Respond in the extra time I gave you to apply yourself to both the clarification and the terms of the original request - after your final response.

The complaint is now with the ICO - as I've run out of patience.

Yours sincerely,

[Name Removed]

[Name Removed] (Account suspended) left an annotation ()

There seems to be no choice on WDTK format to state request has Vine as a complaint to the ICO.

Bev Thorne (Hywel Dda UHB -Personal Assistant), Hywel Dda University Health Board

1 Attachment

Good Afternoon,

In respect of your recent FOI request, please find attached Hywel Dda’s
UHB response.

Kind regards

 

Bev Thorne

CP i Joanne Wilson, Ysgrifenyddes y Bwrdd/PA to Joanne Wilson, Board
Secretary

Bwrdd Iechyd Prifysgol Hywel Dda/ Hywel Dda University Health Board

Adeilad Springfield/ Springfield Block

Ysbyty Cyffredinol Llwynhelyg/ Withybush General Hospital

Heol Abergwaun/ Fishguard Road
Hwlffordd/Haverfordwest
Sir Benfro/Pembrokeshire
SA61 2PZ 

 

WHTN 01720 4644 or 01825 4644

Rhif Ffôn/ Telephone Number: 01267 239644

E-bost / mail to:  [email address]

 

 


Dear Bev Thorne (Hywel Dda UHB -Personal Assistant),

Thank you.

But, once again, you still have responded by explanatory letter - and not data - as requested by an FOIA request.

It is also in a format which cannot be readily read by all interested parties - as requested.

::

However, the main points have been covered and I appreciate your latter effort to respond to the request.

But - by not sticking to an FOIA response - and including data held instead of your own explanation, some points remain unclear on the processing of confidential records - as scoped by the request.

::::

Paper files

You state that the employees in your list can ADD to all confidential medical files - but NOT remove any information held on file.

This would, of course, include any paper files.

Could you therefore confirm that NO paper patient files are held, as your personal letter of response suggests?

Or if they do, that each written addition to a paper file has to contain the employee identifier as you state?

And that paper records cannot be removed from files.

This would even be to correct a mistake- a crossing out for instance -which would render the addition to the file unreadable.

Or files rewritten, for 'clarity' , at a later date.

:::

My request asks which officers ( job titles ) can remove data.

You state that only a judge can remove ANY data from any patient's confidential file ( including those any held on paper).

Could you please confirm that no senior management, or IT professionals have access to computer confidential patient files and have the ability to delete any information on them - without leaving an identifier trace.

Yours sincerely,

[Name Removed]

Hywel Dda University Health Board

As a result of the recent International Cyber Incident, which is affecting
the NHS, this email has been deleted and will not be sent on to the
recipient.

This has been implemented as a proactive precautionary measure.

We will review the situation on Friday 19th May 2017.

NHS Wales Informatics Service

    From: [FOI #393890 email]
    To: [email address]
    Subject: Re: Freedom on Information request

[Name Removed] (Account suspended) left an annotation ()

ICO - 24/5

Thank you for your correspondence of 25/04/17 in which you make a complaint about the above public authority’s handling of your request for information.

Your complaint has been accepted as eligible for further consideration and will be allocated to a case officer as soon as possible.

We aim to deal with complaints in chronological order and, because of the number of complaints we are required to deal with, there may be a delay in allocating your case. Where possible and appropriate your case may be accelerated. Once your case is allocated to an officer they will contact you to explain how your complaint will be progressed.

[Name Removed] (Account suspended) left an annotation ()

From the ICO.September 19

Hywel Dda Health Board have contacted me in relation to your above referenced complaint. They have identified a considerable volume of information to send to you in respect of this request, however, it is too bulky to send via its email system. The Health Board would therefore like to send it directly to your postal address. Could you confirm at your earliest opportunity whether you are happy for me to forward your postal address to the Health Board?

Asked that the information be sent by email...(or put on WDTK) as other authorities break data down into consequent email messages... including the ICO.

====

Nothing received. So far. 19/10

[Name Removed] (Account suspended) left an annotation ()

Paper copies of files have now been received at my personal address, even though I stated that they should be supplied via WDTK, or failing that, email.

Incredibly there are breaches of S40 in the paper response....which is a tad ironic - as the Hywel Dda court case involved breaches of personal data.

Dear Hywel Dda University Health Board,

Thank you.

I will destroy the personal files (S40) by mistake.

Yours faithfully,

[Name Removed]

[Name Removed] (Account suspended) left an annotation ()

And yet - after all these checks..

http://www.walesonline.co.uk/news/wales-...

It’s everywhere in the NHS, it’s just that this does something about it when it catches a nosy employee.