Would really welcome opinions/views please?
We receive numerous subject access requests from claims handling companies who are not registered with the Solicitor's Regulation Authority or with the Claims Regulation Service (https://www.claimsregulation.gov.uk/search.aspx). These contain consent – which, frankly, anyone could have signed – and often relate to patients who were discharged some time ago. In accordance with section 7(3) of the Data Protection Act, which permits us to satisfy ourselves that the requester is entitled to the records, our acknowledgement/response contains the following wording:
(please give us a tenner and)
Proof of identity for the patient (copy of driving licence, passport or birth certificate) OR headed correspondence containing your SRA registration number or Claims Management Company Authorisation number OR a letter from SRA registered solicitor who appointed you in this matter, confirming your appointment to manage this specific request on the Solicitor’s behalf.
The response is usually just a cheque, then an increasingly aggressive series of ‘chaser’ telephone calls where we explain that as data controllers, we do have a duty to ensure that we are releasing health records with proper authority, reiterating the above request, etc. This takes the caller off script, as we get nowhere. We’ve stopped sending chaser letters as these don’t have any effect: the claims handling computer systems can’t handle them.
I’m proposing changing the wording to
(please give us a tenner and)
Please forward the fee of £10.00 for electronic records. By sending us this fee, you are confirming that you have valid authority to obtain these records from us, and that no liability for a breach of confidentiality is attached to Nottingham CityCare Partnership for disclosure of these records to you in exact accordance with your request. Alternatively, in accordance with section 7(3)(a) of the Data Protection Act, please forward proof etc (as current version).
I’m well aware that the above still doesn’t give us a leg to stand on, it might make them pay attention? If it ever did come to an ICO investigation, I have evidence in spades to demonstrate that we have repeatedly tried to implement a checking process and that the organisations concerned have not co-operated, so we’re now avoiding detriment to service users caused by delays to their request. Basically, it’s a balance of risk – patients complaining because we are holding up claims, time-consuming (and sometimes rude) claims handler calls vs potential ICO penalty.
In the meantime, I’ve reinforced to my poor admin support that rude callers must be referred to me – I’m responsible for policy, so if companies don’t like it, I’ll take the flak. To cheer me up, I’ve also flagged the three most frequent correspondents to the regulator.
What does everyone else do in relation to these checks? I find it hard to believe that “no-one else” asks these claims handlers for proof as often claimed …
Thanks and regards
Sandre
Sandre Jones
Information Governance Lead
Nottingham Citycare
T: 0115 883 9534
Nottingham CityCare Partnership CIC is registered as a company limited by guarantee.
Company Registration Number: 07548602
Registered address: 1 Standard Court, Park Row, Nottingham, NG1 6GN
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html