I’m a health and social care provider. How do I deal with a request for records from a service user or their family?
Health and social care providers will often be presented with requests for records from service users or their relatives. It is important for providers to only disclose information to those with authority to request it.
The United Kingdom General Data Protection Regulation (UK GDPR) gives individuals the right of access to their own personal data. However, this legislation only applies to living individuals. The rules after death are different.
GDPR subject access requests
When individuals make a request for their own personal data, this is a subject access request (SAR). A SAR can be made in writing or verbally and can be made on an individual’s behalf. If you receive a SAR, the usual position is that you have one month to comply.
The UK GDPR sets out several exemptions allowing organisations to withhold information; however, these need to be carefully balanced against the rights of the individual. If you receive a request, we can advise about what exemptions may apply and what you must disclose.
Failure to comply with a legitimate SAR amounts to a breach of the UK GDPR and may lead to sanctions by the Information Commissioner’s Office (ICO).
What do we need to ask for to establish authority?
When you receive a SAR, you need to confirm the identity of the individual making the request as soon as possible. There may also be capacity issues requiring careful consideration.
If the request is made by a third party, you need to request evidence that the individual has consented to the request and proof of relationship. It is not enough that someone is “next of kin”, a term commonly misinterpreted as having legal status.
Post-death records requests
The rules relating to the disclosure of a deceased service user’s records differ from those surrounding SARs. Technically, the rules after death do not extend to care records (and refer only to health records) but we recommend taking a pragmatic approach. If the deceased had an attorney whilst alive, this does not necessarily give that person rights after the service user dies.
Care providers should deal with these requests carefully as disclosure is subject to several technicalities. There may be consequences for disclosing information to someone who is not entitled to it, including claims for breach of confidence.
In the event of a request of this nature, you should contact us for advice about what documents you need to ascertain the legal authority of the requester.
What about requests under the Freedom of Information Act 2000?
This legislation does not give individuals access to their personal data and is unlikely to apply to social care providers which are not public bodies. The exception is the NHS, together with GPs and dentists, which must provide information about their NHS work.
What do you need to do?
As a provider, you should ensure you have the correct policies in place to enable staff to identify and deal with requests for information. It is also important that people know how to access their data and where to direct a request so it can be dealt with in accordance with strict time constraints.
Providers should get in touch and seek advice from our experts on receipt of any request for service user information or personal data. Alternatively, if you require advice on the data governance and compliance procedures you have in place, please get in touch and our team would be happy to help.