The GDPR and the Data Protection Act 2018 (both referred to in this document as the Data Protection legislation) give individuals (data subjects) certain rights regarding information held about them (personal data). The Data Protection legislation also places obligations on those who process personal data (data controllers).
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Anyone processing personal data must also comply with the data protection principles set out in the Data Protection legislation.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Data Protection legislation sets out the right of a data subject to access personal data held about them. However, this right of access is subject to a number of exemptions that are set out in the Data Protection Act 2018.
The ICO’s website contains further information on the Data Protection legislation and the right of access.
The personal data recorded on this form will be used only to enable us to deal with your request and for no other purpose. NHS Resolution’s privacy notice can be found on this website.
Making a request
This form may be used if you wish to make a subject access request under the Data Protection legislation to NHS Resolution for personal information that you believe we may hold about you.
A data controller is not obliged to comply with a request unless it is supplied with such information as it may reasonably require in order to satisfy itself as to the identity of the person making the request and to locate the information which that person seeks. Accordingly, while you may have already made a request to us by other means, we may still require you to supply us with additional information (as set out in this form).
If you are requesting information on behalf of the data subject, you will need the data subject to sign the authority for you to act on their behalf in Section C and the declaration in Section E.
There is no fee for processing a subject access request under the Data Protection legislation.
Unless NHS Resolution has indicated otherwise, you should also provide the following identity documentation:
- a copy of either your passport or driving licence (photo ID);
- a copy of one utility bill showing your current residential address.
Submitting the request
Please send the completed form and copy identity documentation to FOI@resolution.nhs.uk.
How will we process your request?
We will verify and shred your proof of identity documentation. We will aim to acknowledge receipt of your request within two working days. We may ask you to clarify the request where its terms are not clear to us or where we need additional information in order to search for the requested information.
Upon our receipt of a valid request, we will arrange for searches to be carried out for the requested personal information.
We may subsequently ask you whether you require copies of particular communications which we suppose may already be in your possession (e.g. correspondence previously sent to you by us or by other parties).
Where the personal information requested by you is contained in records of communications with third parties (e.g. an employer or contracting body, a regulator, or a public authority), we will normally seek the views of each such third party on the issue of disclosure. We do this to inform our decision-making as to whether the disclosure of certain information (e.g. the personal information of staff members of the third party) would be lawful.
We will send the response to you securely by email, or if you wish to receive it by post, we will send it to your residential address or to the business address of your representative by recorded delivery.
There is a one calendar month timeframe for responding to subject access requests. We will endeavour to respond to your request within one calendar month of receipt of a valid request.