1. Policy Statement
The Manchester Vein Clinic views the correct and lawful handling of personal data as integral to its success and dealings with third parties and its employees.
This Policy outlines the procedure for the making and handling of Subject Access Requests (SARs) and includes the required form in Appendix A for the submission of a Subject Access Request to IVS.
2. What do we do when we receive a subject access request?
Checking of identity
2.1 We will first check that we have enough information to be sure of your identity.
Often we will have no reason to doubt a person’s identity, for example, if we
have regularly corresponded with them. However, if we have good cause to
doubt your identity we can ask you to provide any evidence we reasonably need
to confirm your identity. For example, we may ask you for a piece of
information held in your records that we would expect you to know: a witnessed
copy of your signature or proof of your address.
2.2 If the person requesting the information is a relative/representative of the
individual concerned, then the relative/representative is entitled to personal data
about themselves but must supply the individual’s consent for the release of
their personal data. If you have been appointed to act for someone under the
Mental Capacity Act 2005, you must confirm your capacity to act on their behalf
and explain how you are entitled to access their information. If you are the
parent/guardian of a child under 16, we will need to consider whether the child
can provide their consent to you acting on their behalf.
2.3 Should you make a data subject access request but you are not the data
subject, you must stipulate the basis under the General Data Protection Regulation Act that you consider makes you entitled to the information.
Collation of information
2.4 We will check that we have enough information to find the records you
requested. If we feel we need more information, then we will promptly ask you
for this. We will gather any manual or electronically held information (including
emails) and identify any information provided by a third party or which identifies
a third party. This is limited to emails held for the last 2 years only.
2.5 If we have identified information that relates to third parties, we will write to them
asking whether there is any reason why this information should not be
disclosed. We do not have to supply the information to you unless the other
party has provided their consent or it is reasonable to do so without their
consent. If the third party objects to the information being disclosed we may
seek legal advice on what action we should take.
2.6 Before sharing any information that relates to third parties, we will where
possible anonymise information that identifies third parties not already known to
the individual (e.g. the Authority employees), and edit information that might
affect another party’s privacy. We may also summarise information rather than
provide a copy of the whole document. The GDPR legislation requires us to provide
information not documents.
Issuing our response
2.7 Once any queries around the information requested have been resolved, copies
of the information in a permanent form will be sent to you except where you
agree, where it is impossible, or where it would involve undue effort. In these
cases, an alternative would be to allow you to view the information on screen at
6.8 We will explain any complex terms or abbreviations contained within the
information when it is shared with you. Unless specified otherwise, we will also
provide a copy of any information that you have seen before.
3. Will we charge a fee?
3.1 We can charge a £10 fee (plus up to £50 for photocopying) for the processing of any Subject Access Request. If we do charge a fee we will inform you promptly of this.
4. What is the timeframe for responding to subject access requests?
We have 40 calendar days starting from when we have received all the
information necessary to identify you, to identify the information requested, and
any fee required, to provide you with the information or to provide an
explanation about why we are unable to provide the information. In many cases,
it will be possible to respond in advance of the 40 calendar day target and we
will aim to do so where possible.
5. Are there any grounds we can rely on for not complying with a subject
5.1 If you have made a previous subject access request we must respond if a
reasonable interval has elapsed since the previous request. A reasonable
interval will be determined upon the nature of the information, the time that has
elapsed, and the number of changes that have occurred to the information since
the last request.
5.2 The Act contains a number of exemptions to our duty to disclose personal data
and we may seek legal advice if we consider that they might apply. Possible
exemptions would be: information covered by legal professional privilege,
information used for research, historical and statistical purposes, and
confidential references given or received by the Authority.
What do we do with your data?
All data is kept on encrypted systems at the Manchester Vein Clinic.
At the Manchester Vein Clinic we take pictures of the treatment area using an encrypted iPad so we can compare your treatment area after you have had the procedure if you require a review with a consultant or clinical vascular practitioner.
On occasion we may use photos of treatment areas only for promotional content; however, on arrival you have the option to opt out of images being used for promotional marketing when completing our consultation form.
We will never use a patient image without permission.