In this section
Data Protection and GDPR
The General Data Protection Regulation 2018 gives patients the right to apply for access to their medical records (these are known as subject access requests).
If you wish to view your records or have copies supplied, you can apply either by writing, email, or telephone or by downloading the application form from here.
To access records from York Hospital
Subject Access Team
Health Records Department
To access records from Scarborough, Bridlington and Malton hospitals
Subject Access Team
Medical Records Department
(01723) 342369 / (01723) 342088
Access to case notes for deceased patients
If you wish to access medical records for a patient who is deceased then these applications are made under the terms of the Access to Health Records Act 1990. You can apply either by writing, email or telephone to the same Subject Access Team as outlined above. Alternatively, you can download the application form from here.
Can access be refused?
There are sometimes circumstances when access can be refused:
- Where disclosing the personal data would reveal information which relates to and identifies another person, unless that person has consented to the disclosure
- Where permitting access to the data would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person
- Where the request for access is made by another on behalf of the data subject, such as a parent or child, access can be refused if the data subject had either provided the information in the expectation it would not be disclosed to the applicant, or had indicated it should not be disclosed. Equally, if the data was obtained as a result of any examination or investigation to which the data subject was subject to, and consented to, on the basis that the information would not be disclosed.
What charges are made?
Under the General Data Protection Regulation 2018 no charges will be made unless requests are excessive or additional copies are required.
How long will my application take?
Once we have received your completed application, we will process this, usually within the prescribed timescale of 30 calendar days. In exceptional circumstances the request can sometimes take longer, however, in this instance we would contact you to advise you accordingly.
Our Subject Access teams are happy to help if you have any problems or queries in respect of making an application.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals.
To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to do a DPIA for any other major project which requires the processing of personal data, sometimes it is a mandatory data protection requirement.
The DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
At York Teaching Hospitals NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.
Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of Covid-19. Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure. This will remain in force until at least 30th September 2020.
For additional information, please see our Covid-19 and your information: Supplementary privacy notice on Covid-19 for patients.
If you would like a copy of a Data Privacy Impact Assessment please contact the Information Governance Team on (01904) 726201 or by email at: InformationGovernanceTeam@York.nhs.uk
- Control of Patient Information notice
- Data Protection
- Freedom of Information Policy
- Privacy notice
- Covid-19 and your information: Supplementary privacy notice on Covid-19 for patients
- Children privacy notice
- Foundation Trust Members Privacy notice
- Integrated privacy notice
- LLP Estates and Facilities privacy notice
- Occupational Health privacy notice
- Volunteers privacy notice