Individual Rights Policy

1. Introduction

NHS Portsmouth CCG (the CCG) is under a legal duty to comply with ‘individual’s rights’
requests under the Data Protection Legislation, in relation to personal information that it holds. It is a legal requirement that all requests for personal information held by the CCG are handled in accordance with data protection legislation.

This policy and accompanying standard operating procedure (SOP) sets out the approach
that the CCG will take in responding to these requests along with useful guidance and steps to follow when requests are received anywhere within the CCG.

2. Scope and Definitions

Scope

It is the responsibility of ALL CCG staff to respond to and help process requests under the individual rights set out in data protection legislation as soon as it is received by the CCG.

Any personal data in relation to an individual, no matter what format, where or how it is stored by the CCG falls into the scope of information that can be requested by individuals (i.e. data subjects) under the ‘Individuals Right’s contained within the Data Protection Legislation. All requests must be reviewed, without delay to see if the request can and should be complied with.

Requests received by third parties in regard to access to a data subjects personal data (e.g. the Police or Home Office) should be handled using the process described within the Standard Operating Procedure.

Definitions

Commercially confidential Data/Information
Business/Commercial information, including that subject to statutory or regulatory obligations, which may be damaging to the CCG or a commercial partner if improperly accessed or shared. Also as defined in the Freedom of Information Act 2000 and the Environmental Information Regulations.

Controller
A controller determines the purposes and means of processing personal data. Previously known as Data Controller but re-defined under the GDPR.

Personal Confidential Data
Personal and Special Categories of Personal Data owed a duty of confidentiality (under the common law). This term describes personal information about identified or identifiable individuals, which should be kept private or secret. The definition includes dead as well as living people and ‘confidential’ includes information ‘given in confidence’ and ‘that which is owed a duty of confidence’. The term is used in the Caldicott 2 Review: Information: to share or not to share (published March 2013).

Personal Data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processor
A processor is responsible for processing personal data on behalf of a controller. Previously known as Data Processor but re-defined under the GDPR.

Special Categories’ of Personal Data
‘Special Categories’ of Personal Data is different from Personal Data and consists of information relating to:

The racial or ethnic origin of the data subject
Their political opinions
Their religious beliefs or other beliefs of a similar nature
Whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1998
Genetic data
Biometric data for the purpose of uniquely identifying a natural person
Their physical or mental health or condition
Their sexual life

Abbreviation	Meaning
CCG	Clinical Commissioning Group
CSU	Commissioning Support Unit
DC	Data Custodian
DPA	Data Processing Agreement
DPA 2018	Data Protection Act 2018
DPO/DDPO	Data Protection Officer/Deputy Data Protection Officer
FPN	Fair Processing Notification (privacy notice)
GDPR	General Data Protection Regulations
IAO	Information Asset Owner
ICO	Information Commissioners Office
IG	Information Governance
IT	Information Technology
SCW	South, Central and West CSU
SIRO	Senior Information Risk Owner

3. Details of the policy and compliance with the data protection legislation

3.1 ACKNOWLEDGING INDIVIDUAL RIGHTS

The General Data Protection Regulation (GDPR) provides rights for individuals which fall into 2 distinct categories. Firstly, where an individual wants to know what (or why) data the CCG is processing about them and/or have access /a copy of that data.

Secondly where an individual wants the CCG to make changes to what or how the CCG is processing their personal data, or for the CCG to pass on their personal data to another party. In these requests, the individual is not requesting access to, or a copy of the data itself:

An individual or their representative can exercise several data subject rights to the CCG. These do not confer automatic agreement to the request but will be duly considered by the CCG – the Appendix and SOP contains more in depth detail regarding each of the rights.

These rights include but are not limited to the following:-

obtain from the CCG confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, request access to the personal data (a Subject Access Request/Right of Access)
obtain from the CCG without undue delay the rectification of inaccurate or incomplete personal data processed by the CCG concerning him or her (Right to Rectification )
obtain from the CCG the erasure of personal data concerning him or her in certain circumstances (Right to Erasure)
obtain from the CCG restriction of processing of personal data concerning him or her in certain circumstances (Right to Restriction)
receive the personal data concerning him or her, which he or she has provided to the CCG, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller in certain circumstances (Right to Data Portability)
object to processing of an individual’s personal data in certain circumstances (Right to Object)
not be subject to a decision based solely on automated processing by the CCG (Rights related to automated decision making including profiling)

It should be noted that there are exemptions to some of these rights and whilst the CCG must acknowledge the request, there may be legal grounds for not complying with it. Detailed guidance can be found in the SOP.

3.2 RECOGNISING AN INDIVIDUAL’S RIGHTS REQUEST

A request can be made verbally or in writing.
It can also be made to any part of the organisation and does not have to be to a specific person or contact point.
A request does not need to mention the phrase containing the right being exercised or the relevant GDPR Article to be a valid request. As long as the individual has clearly described their request; this is valid. We will check with the requester that we have understood their request and request any identification/authorisation (if required).
We will record the details of all requests we receive.

The format that an Individual’s Rights request is received may differ from request to request. In essence, if an individual writes to the CCG or speaks to the CCG and asks for access, changes or objections of any kind to the personal data the CCG is processing about them (whether perceived or actually processing their data) it should be considered and handled where appropriate as an Individual’s Rights request.

CCG Staff can submit a request for access to their personal data verbally or in writing to the HR People Centre via telephone on 023 9283 4591 or email ccghr@portsmouthcc.gov.uk.

Members of the public who would like to exercise their individual rights under the GDPR can submit their requests to:

NHS Portsmouth CCG
CCG headquarters
4th Floor, 1 Guildhall Square
Portsmouth
PO1 2GJ

or email: pccg.enquiries@nhs.net

3.3 REFUSING A REQUEST

If the CCG considers that a request is ‘manifestly unfounded’ or excessive we can:

request a “reasonable fee” to deal with the request; or
refuse to deal with the request

In either case we will need to justify the decision.

3.4 CHARGING A FEE

Individuals rights request are free of charge however the CCG may in some circumstances be able to charge a fee such as for repetitive requests.
We should base the reasonable fee on the administrative costs of complying with the request.
If we decide to charge a fee we should contact the individual promptly and inform them.
We do not need to comply with the request until we have received the fee.

3.5 INFORMATION FOR REQUESTORS

The CCG must inform the individual without undue delay and within one month of receipt of the request:

If the CCG are not taking action:

the reasons we are not taking action;
their right to make a complaint to the ICO;
their ability to seek to enforce a right through a judicial remedy

If we are requesting further information:

if we are requesting a reasonable fee or
need additional information to identify the individual
we need to extend the response time

We are actioning the request:

Respond to the request

3.6 CALCULATING RESPONSE TIME

Under the Data Protection Legislation the CCG has one Calendar month to respond to any request. In order to provide clarity to staff in the organisation, an operational decision has been taken to adopt a 28 day response time in line with the Information Commissioners Office suggestion of ‘For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month’ see ICO Individual Rights Guidance for further details.

The CCG will calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding date 28 days from that point.

3.7 EXTENDING THE RESPONSE TIME

We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. We will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.

However, it is the ICO’s view that it is unlikely to be reasonable to extend the time limit if:

it is manifestly unfounded or excessive;
an exemption applies; or
you are requesting proof of identity before considering the request

3.8 VERIFYING IDENTITY

If the CCG has doubts about the identity of the person making the request we can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. We will take into account what data we hold, the nature of the data, and what we are using it for.

We will let the individual know without undue delay that we need more information from them to confirm their identity. We do not need to comply with the request until we have received the additional information.

4. Roles and Responsibilities

CCG Accountable Officer
It is the role of the CCG Executive Management Team to define CCG policy in respect of Information Governance, taking into account legislative and NHS requirements. The Accountable Officer is also responsible for ensuring that sufficient resources are provided to support the requirements of the policy.

Audit Committee
The Audit Committee is responsible for overseeing day to day Information Governance issues; developing and maintaining policies, standards, procedures and guidance; coordinating Information Governance in the CCG and raising awareness of Information Governance.

Information Asset Owners
Information Asset Owners (IAO’s) are responsible for ensuring that Individual Rights requests are processed and responded to in line with Data Protection Legislation.

Data Custodians
Data Custodians (DC’s) are responsible for processing Individual Rights requests within their own service area and ensuring that they are responded to in line with Data Protection Legislation.

CCG Data Protection Officer and the IG team
The CCG Data Protection Officer will provide advice and guidance in complex or disputed situations or decisions where required.

CCG Service Leads
Service Leads are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. Part of this obligation is to ensure that all staff are trained and made aware of their obligations under this policy.

CCG Staff
All staff, whether permanent, temporary, contracted, or contractors are responsible for ensuring that they are aware of and comply with the obligations under this policy.

5. Training

All staff are required to complete training using the NHS Data Security Awareness Level 1 modules provided by NHS Digital via the e-LfH platform or approved face to face training (if offered). Bespoke training on Individual’s Rights will be provided to relevant teams and staff by the SCW IG team where this is included in the relevant service level agreement.

6. Public sector equality duty- equality impact assessment

An Equality Impact Analysis (EIA) has been completed. No adverse impact or other significant issues were found. A copy of the EIA is attached at Appendix B.

7. Monitoring compliance and effectiveness

The application of this policy and the accompanying standard operating procedures will be monitored by the CCG through quarterly updates to the Audit Committee. Requests for anonymised details on individual’s Rights Requests will be requested from each department’s IAO and Data Custodian/Information Asset Administrator.

8. Review

This document may be reviewed at any time at the request of either staff or management, or in response to new legislation or guidance, but will automatically be reviewed every year.

9. References and associated documents

Legislation

All staff are required to comply with Data Protection Legislation. This includes

the General Data Protection Regulation (GDPR),
the Data Protection Act (DPA) 2018,
the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time

In addition, consideration will also be given to all applicable Law concerning privacy confidentiality, the processing and sharing of personal data including

the Human Rights Act 1998,
the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,
the common law duty of confidentiality and
the Privacy and Electronic Communications (EC Directive) Regulations

Consideration must also be given to the

Electronic Communications Act 2000
Freedom of Information Act 2000
Other relevant Health and Social Care Acts
Access to Health Records Act 1990

Guidance

CCG Standard Operating Procedures – INDIVIDUALS RIGHTS UNDER THE DATA PROTECTION LEGISLATION AND ACCESS TO HEALTH RECORDS ACT
ICO Guidance
NHS Digital looking after your information
Dept. of Health and Social Care 2017/18 Data Security and Protection Requirements
NHS England Confidentiality Policy
Records management: Code of Practice for Health & Social care
Confidentiality: NHS Code of Practice – Publications – Inside Government – GOV.UK
Confidentiality: NHS Code of Practice – supplementary guidance
GMC guidance for managing and protecting personal information
NHS Choices Your Health and Care Records

Appendix A: the individual rights in more detail

THE RIGHT TO BE INFORMED (GDPR ARTICLES 12, 13 AND 14)

The CCG must provide individuals with information including (but not limited to):

Our purposes for processing personal data,
Our retention periods for that personal data, and
who it will be shared with

This is called ‘privacy information’ or ‘Fair Processing Information’ and we must provide privacy information to individuals at the time we collect personal data from them. If we obtain personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

How and what information should be provided
The information we provide to people must be

concise,
transparent,
intelligible,
easily accessible, and
it must use clear and plain language

We put our Fair Processing Notice on our website.

We must regularly review, and where necessary, update our privacy information. We must bring any new uses of an individual’s personal data to their attention before we start the processing.

THE RIGHT OF ACCESS BY THE DATA SUBJECT (SUBJECT ACCESS REQUEST – GDPR ARTICLE 15)

What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information.

What is an individual entitled to?
Individuals have the right to obtain the following from the CCG:

confirmation that we are processing their personal data;
a copy of their personal data; and
other supplementary information such as
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipient we disclose personal data to;
- retention period for storing personal data or, where this is not possible, our criteria for determining how long we will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
  information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards we provide if we transfer personal data to a third country or international organisation

Much of this supplementary information is provided in our privacy notice.

What about requests made on behalf of others?
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney if the individual lacks mental capacity.

What about the records of deceased individuals?
The Data Protection Legislation only relates to living individuals. However requests for access to personal data relating to deceased individuals can also be made under another piece of legislation – the Access to Health Records Act (AHRA) 1990. The same rules apply regarding ‘fees’ etc. under the GDPR; however requests under the AHRA must be completed with 40 calendar days instead of 1 calendar month. The request must still be logged and actioned without undue delay.

THE RIGHT TO RECTIFICATION (GDPR ARTICLE 16 AND 19)

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

This right has close links to the accuracy principle of the GDPR (Article 5(1) (d)). However, although we may have already taken steps to ensure that the personal data was accurate when we obtained it; this right imposes a specific obligation to reconsider the accuracy upon request.

What do we need to do?
If we receive a request for rectification we should take reasonable steps to check that the data is accurate and to rectify the data if necessary. We should take into account the arguments and evidence provided by the individual.

THE RIGHT TO ERASURE (GDPR ARTICLE 17 AND 19)

Individuals have the right to have their personal data erased if:

the personal data is no longer necessary for the purpose which we originally collected or processed it for;
we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
we are processing the personal data for direct marketing purposes and the individual objects to that processing;
we have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
we have to do it to comply with a legal obligation; or
we have processed the personal data to offer information society services to a child

There is an emphasis on the right to have personal data erased if the request relates to data collected from children. This reflects the enhanced protection of children’s information, especially in online environments, under the GDPR. For further details about the right to erasure and children’s personal data please read the ICO guidance on children’s privacy.

RIGHT TO RESTRICT PROCESSING (GDPR ARTICLE 18 AND 19)

Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, we are permitted to store the personal data, but not use it.

This right has close links to the right to rectification (Article 16) and the right to object (Article 21).

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information we hold or how we have processed their data. In most cases we will not be required to restrict an individual’s personal data indefinitely, but we will need to have the restriction in place for a certain period of time.

THE RIGHT TO DATA PORTABILITY (GDPR ARTICLE 20)

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Some organisations in the UK already offer data portability through the midata and similar initiatives which allow individuals to view access and use their personal consumption and transaction data in a way that is portable and safe. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

THE RIGHT TO OBJECT (GDPR ARTICLE 21)

An individual has the right to object to

processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
direct marketing (including profiling); and
processing for purposes of scientific/historical research and statistics

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION MAKING AND PROFILING (GDPR ARTICLE 22)

The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if we are carrying out solely automated decision-making that has legal or similarly significant effects on them. The processing is defined as follows:

Automated individual decision-making (making a decision solely by automated means without any human involvement).

Examples include an online decision to award a loan; or a recruitment aptitude test which uses pre-programmed algorithms and criteria. Automated individual decision-making does not have to involve profiling, although it often will do.

Profiling (automated processing of personal data to evaluate certain things about an individual) and includes any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Appendix B: Equality Impact Assessment

wdt_ID	1.	What is it about?

wdt_ID	2.	Who is using it?

wdt_ID	3.	Impact

wdt_ID	4.	So what (outcome of this EIA)?

Version Number: 1.1
Status: Final
Issue/approval date: 19/08/19
Next review date: 1/04/21

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-193552407-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

On this page

Scope

Definitions

Legislation

Guidance