How you can access your records

Subject access request

The Data Protection Act 2018 and Access to Health Records Act 1990 gives you a right to access the information we hold about you on our records. You can request this information by contacting the Information Governance department via information.request@candi.nhs.uk

Please complete the application form for access to health records. The Trust will need to verify your identity and may request copies of official documents in addition to your signature.

An indication of what information you are requesting to enable the Trust to locate it in an efficient manner.

• Request for access to personal information about me form
• Request for access to personal information relating to a deceased patient form
• Request for personal information about someone else
• Use of photographs

If you think any information is inaccurate or incorrect, please let us know. We do not charge for any requests for information under the Data Protection Act 2018 and we are required to comply within 30 days. Where your request cannot be met within 30 days the Trust will write to you with an explanation as to why the request cannot be met and an estimated date of when you can expect to receive your information.

Data controller

The Data controller responsible for keeping your information confidential is:

Email: information.request@candi.nhs.uk

Telephone: 0203 317 7100 

The Trusts ICO Registration Number is: Z8583439

Please consider the size and the relevance of your request. Although the Trust is obligated to consider your request for information, the resources and time spent to provide access to records can also be used to provide patient care. Focusing your request on the most relevant information or time period will help the Trust

The Information Commissioner, an independent organisation, is responsible for regulating the provisioning of personal information under the Data Protection Act 2018. If you have any questions regarding your rights of access to personal information you are free to contact the Information Commissioner, found at www.informationcommissioner.gov.uk or the Trust's Data Protection Officer or Caldicott Guardian via information.request@candi.nhs.uk.

Making a request for personal information as a third party

If you are making a request to access someone else's information, or wish to access someone's information with them being present, the process is basically the same as above. Please provide a written request to the Trust.

In the case of access to information as a third party the Trust must make a judgement of whether the subject of the information has the capacity or ability to grant consent. A clinically certified member of staff will make judgments of capacity. If in the professional clinical opinion of our staff the person does not have capacity to provide consent, access will not be given at that time, although capacity may be re-considered at a later date. Judgments of capacity will be the sole responsibility of the Trust.

Where consent is not given or cannot be given, the Trust may still be able to provide information if:

• The Trust believes or can be convinced it is in the best interest of the subject of the information, or is in the best interest of the public to release the information.
• The Trust receives, in writing, notification of a statutory "gateway" for the information to be released. Such notification needs to include justification as to why the information can be released via the "gateway" and where the description of this gateway can be found in legislation.
• The Trust receives a court order for the release of the information. In the interest of protecting the Trust and requestors, court orders will often be a preferred vehicle for disclosure.

For further information on release of patient information to third parties please contact  information.request@candi.nhs.uk

Requesting personal health information about the deceased

Information about the deceased can be requested using the Access to Health Records Act 1990. The Trust, in line with NHS directives, considers the deceased to have the same rights of confidentiality and privacy as the living. Except for the statements below, where the Access to Health Records Act does not provide guidance or frameworks the Trust will use the equivalent in the Data Protection Act or those provided in the NHS Records Code of Practice for Health and Social Care.

In order to obtain personal information about a deceased person, one needs to provide a written request (as above, using the form provide here or any other written request) as well as provide proof of the "claim" requiring the health records.

Under the Access to Health Records Act 1990 only those who may have a claim requiring access to the health records will be granted access. The Trust will consider any legitimate and justified requirement an acceptable "claim" so long as proof is given that the health records are required. Legitimate and justified requirements are more likely to be acceptable if they are legally supported or originate from authoritative organisations (e.g.: Executor of an Estate, Coroner, law courts, Social Services). In the instances of court proceedings, this will generally require a court order to request the records.

If an individual provides the Trust with consent for third parties to access their records prior to their death, the Trust will endeavour to ensure their wishes are carried out after their death. Equally if an individual had expressed a wish that their records are not accessed after their death, the Trust will endeavour to ensure their wishes are carried out. 

For further information regarding legitimate and justified requirements to access deceased health records, please contact the Information Governance Manager via information.request@candi.nhs.uk.

Requesting employee records

If you are requesting employment records from the Care Trust i.e. staff only, please contact Hr.support@candi.nhs.uk and information.request@candi.nhs.uk

Your legal rights

Under certain circumstances, you have rights under data protection laws and General Data Protection Regulation in relation to your personal data:

• Request access to your personal data (commonly known as a subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention Record management code of practice for health and social care
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party)
• Request restriction  enables you to ask us to suspend the processing of your personal data in the following scenarios in certain scenarios.

If you wish to exercise this right set out above, please contact us on Request, Information Information.Request@candi.nhs.uk