1. Policy Statement
Tomorrow Cardiovascular Screening Ltd views the correct and lawful handling of personal data as integral to its success and dealings with third parties and its employees.
This Policy outlines the procedure for the making and handling of Subject Access Requests (SARs) and includes the required form in Appendix A for the submission of a Subject Access Request to Tomorrow Cardiovascular Screening.
2. What do we do when we receive a subject access request?
Checking of identity
2.1 We will first check that we have enough information to be sure of your identity. Usually we will have no reason to doubt a person’s identity, for example, if we have regularly corresponded with them. However, if we have good cause to doubt your identity we can ask you to provide any evidence we reasonably need to confirm your identity. For example, we may ask you for a piece of information held in your records that we would expect you to know: a witnessed copy of your signature or proof of your address.
2.2 If the person requesting the information is a relative/representative of the individual concerned, then the relative/representative is entitled to personal data about themselves but must supply the individual’s consent for the release of their personal data. If you have been appointed to act for someone under the Mental Capacity Act 2005, you must confirm your capacity to act their behalf and explain how you are entitled to access their information. If you are the parent/guardian of a child under 16, we will need to consider whether the child can provide their consent to you acting on their behalf.
2.3 Should you make a data subject access request but you are not the data subject, you must stipulate the basis under the General Data Protection Regulation Act that you consider makes you entitled to the information.
Collation of information
2.4 We will check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this. We will gather any manual or electronically held information (including emails) and identify any information provided by a third party or which identifies a third party. This is limited to emails held for the last 2 years only.
2.5 If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed. We do not have to supply the information to you unless the other party has provided their consent or it is reasonable to do so without their consent. If the third party objects to the information being disclosed we may seek legal advice on what action we should take.
2.6 Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual (e.g. the Authority employees), and edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The GDPR legislation requires us to provide information not documents.
Issuing our response
2.7 Once any queries around the information requested have been resolved, copies of the information in a permanent form will be sent to you except where you agree, where it is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow you to view the information on screen at the Authority.
2.8 We will explain any complex terms or abbreviations contained within the information when it is shared with you. Unless specified otherwise, we will also provide a copy of any information that you have seen before.
3. Will we charge a fee?
3.1 We can charge a £10 fee (plus up to £50 for photocopying) for the processing of any Subject Access Request. If we do charge a fee we will inform you promptly of this.
4. What is the timeframe for responding to subject access requests?
We have 40 calendar days starting from when we have received all the information necessary to identify you, to identify the information requested, and any fee required, to provide you with the information or to provide an explanation about why we are unable to provide the information. In many cases, it will be possible to respond in advance of the 40 calendar day target and we will aim to do so where possible.
5. Are there any grounds we can rely on for not complying with a subject access request?
5.1 If you have made a previous subject access request we must respond if a reasonable interval has elapsed since the previous request. A reasonable interval will be determined upon the nature of the information, the time that has elapsed, and the number of changes that have occurred to the information since the last request.
5.2 The Act contains a number of exemptions to our duty to disclose personal data and we may seek legal advice if we consider that they might apply. Possible exemptions would be: information covered by legal professional privilege, information used for research, historical and statistical purposes, and confidential references given or received by the Authority.
What do we do with your data?
We will only use your personal data when the law allows us to.
We may share your data with other health bodies or organisations, but only where it is necessary to fulfil our duty to provide our services, and within all relevant laws and regulations governing the use of patient or personal data.
All data is kept on encrypted systems at Tomorrow Cardiovascular Screening Ltd.