
Data Protection and GDPR

The General Data Protection Regulation 2018 gives patients the right to apply for access to their medical records (these are known as subject access requests).

If you wish to view your records or have copies supplied, you can apply either by writing, email, or telephone or by downloading the application form from here.


To access records from York Hospital

Subject Access Team
Health Records Department
York Hospital
Wigginton Road
York
YO31 8HE

(01904) 725680
subjectaccessrequests@york.nhs.uk


To access records from Scarborough, Bridlington and Malton hospitals

Subject Access Team
Medical Records Department
Scarborough Hospital
Woodlands Drive
Scarborough
YO12 6QL

(01723) 342369 / (01723) 342088
sghsubjectaccessrequests@york.nhs.uk


Access to case notes for deceased patients

If you wish to access medical records for a patient who is deceased then these applications are made under the terms of the Access to Health Records Act 1990.  You can apply either by writing, email or telephone to the same Subject Access Team as outlined above.  Alternatively, you can download the application form from here.


Can access be refused?

There are sometimes circumstances when access can be refused:

  • Where disclosing the personal data would reveal information which relates to and identifies another person, unless that person has consented to the disclosure
  • Where permitting access to the data would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person
  • Where the request for access is made by another on behalf of the data subject, such as a parent or child, access can be refused if the data subject had either provided the information in the expectation it would not be disclosed to the applicant, or had indicated it should not be disclosed. Equally, access can be refused if the data was obtained as a result of any examination or investigation to which the data subject was subject, and to which they consented, on the basis that the information would not be disclosed.

What charges are made?

Under the General Data Protection Regulation 2018 no charges will be made unless requests are excessive or additional copies are required.


How long will my application take?

Once we have received your completed application, we will process this, usually within the prescribed timescale of 30 calendar days. In exceptional circumstances the request can sometimes take longer; in this instance we would contact you to advise you accordingly.

Our Subject Access teams are happy to help if you have any problems or queries in respect of making an application.


Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project, especially for processing that is likely to result in a high risk to individuals.

To assess the level of risk, both the likelihood and the severity of any impact on individuals must be considered. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is also good practice to do a DPIA for any other major project which requires the processing of personal data; sometimes it is a mandatory data protection requirement.

The DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

At York Teaching Hospitals NHS Foundation Trust we work closely with suppliers and colleagues across the Trust to ensure that this GDPR obligation is carried out, recorded and regularly reviewed.


COPI Notice

Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002

The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of Covid-19. Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure. This will remain in force until at least 30th September 2020.

For additional information, please see our Covid-19 and your information: Supplementary privacy notice on Covid-19 for patients.


If you would like a copy of a Data Privacy Impact Assessment please contact the Information Governance Team on (01904) 726201 or by email at: InformationGovernanceTeam@York.nhs.uk

For answers to frequently asked questions about all aspects of access to medical records, you can visit the Information Commissioner's website.


Coronavirus - useful information

The latest health information about Coronavirus can be found at www.gov.uk/coronavirus.

Information and updates about our services can be found on this website here.

From Monday 15 June 2020, visitors and outpatients coming into our hospitals will be asked to wear a face covering at all times, to help us reduce the spread of Covid-19.  A face covering can be as simple as a scarf or bandana that ties behind the head.  It should cover your mouth and nose while allowing you to breathe comfortably.  For more information click here