Skip to content

NHS Derby and Derbyshire Integrated Care Board

Subject Access Request Policy


1.          The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information.

2.          This policy explains how the public can make a subject access request to the ICB by the submission of a written request either by post or email.

3.          This policy provides an outline of the requirement for ICB staff to ensure the provision of comprehensive, appraised, appropriately redacted and accurate information in response to subject access requests and in line with Data Protection Act 2018.




NHS Derby and Derbyshire Integrated Care Board Subject Access Request Policy


NHS Derby and Derbyshire Integrated Care Board Subject

Access Request Procedure

Description of Amendment(s):

Version 0.1 – Initial Draft

Version 1.0 – final (approved)

Financial Implications:

Not Applicable

Policy Area:

Corporate Delivery

Version No:

Version 1.0


Emma Holt, Information Governance Officer

Approved by:

Audit & Governance Committee, 8th February 2024

Effective Date:

February 2024

Review Date:

January 2026

List of referenced policies

IG01: Information Governance Framework Policy

Key Words section (metadata for search facility online)

Individual rights

Subject access

Data Protection Act

Personal information


Reference Number


Target Audience

ICB approved policies apply to all employees, contractors, volunteers, and others working with the ICB in any capacity. Compliance with ICB policy is a formal contractual requirement and failure to comply with the policy, including any arrangements which are put in place under it, will be investigated and may lead to disciplinary action being taken.








  1. Introduction. 4
  2. Purpose. 4
  3. Scope. 4

3.2…….. Definitions. 4

  1. Roles and Responsibilities. 5

4.2…….. All Staff 5

4.3…….. Information Governance Team.. 6

4.4…….. Information Asset Owners. 6

  1. How to make a Subject Access Request 6
  2. Responding to a Subject Access Request 7

6.3…….. Searching for personal data. 8

6.4…….. Amending data that is the subject of a request 8

6.5…….. Review of the information. 8

6.6…….. Exemptions. 9

6.7…….. Response. 9

6.8…….. Sending the response. 10

  1. Complaints about the Subject Access Request Response. 10
  2. Monitoring Compliance and Effectiveness of the Policy. 10
  3. Equality Statement 10
  4. Due Regard. 11
  1. Introduction

    • This policy applies to NHS Derby and Derbyshire Integrated Care Board, subsequently referred to in this document as the ICB.
    • Data protection legislation sets out that data subjects should have the right of access to their own personal data. This policy sets out how the ICB seeks to enable data subjects to exercise their right of access in accordance with the requirements in the Data Protection Act 2018.
  2. Purpose

    • This policy explains how the public can make a subject access request (SAR) to the ICB by the submission of a written request either by post or email.
    • This policy provides an outline of the requirement for ICB staff to ensure the provision of comprehensive, appraised, appropriately redacted and accurate information in response to SARs and in line with Data Protection Act 2018.
    • This policy explains to staff what the legal requirements are for the ICB to respond to requests and what the legal right of individuals are under Data Protection Act 2018.
    • This policy applies equally to personal data, and special categories of personal data, that may be used to administer the provision of healthcare services, to inform research or to manage and administer the ICB workforce, and all other business functions of the ICB.
  3. Scope

This policy applies to all SARs received by the ICB.

  1. Definitions

“Data Controller”

means the person or the organisation that collects personal data and decides on how to use, store or distribute that data;

“Data Processor”

means any person or organisation (other than an employee of the data controller) that processes personal data on behalf of the data controller;

“Data Protection Act 2018”

governs the processing of Personal Data. The legislation requires that personal data including special categories of personal data, which are regarded as more sensitive, must be processed by Data Controllers in accordance with the Act, which incorporates the data protection principles set out in the General Data Protection Regulations;

“Data Subject” or “Natural Person”

means an individual who is the subject of the personal data;

“Personal Data”

means any information held about an individual who can be identified from that information. For example, name, address, postcode, NHS number etc. Any personal data must be treated as confidential;


operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Special Category Data”

means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited;

“Subject Access Request”

is a request made verbally or in writing, by or on behalf of an individual, to access and receive a copy of their personal data.

  1. Roles and Responsibilities

    • This policy applies to all staff, or those working on behalf, or representing the ICB in the management of all personal data that is collected, stored, processed, and destroyed by the ICB.
    • All Staff
      • All Derby and Derbyshire ICB staff are expected to:
        • have knowledge of this policy and adhere to the Data Protection Act 2018 and Caldicott Principles, in accordance with their employment contract clauses and data security and protection training;
        • send any requests for personal information to the Information Governance Team; and
        • co-operate with and assist the Information Governance Team to coordinate responses to SARs within the one month deadline.
      • All staff should be aware that due to the timescales involved in dealing with requests for information, it is sometimes necessary during prolonged staff absence to access individual accounts such as email to carry out searches and retrieve the required information.
      • Under no circumstances should staff delete any person identifiable information after receiving a SAR.
      • Staff have the same rights under the Data Protection Act as any member of the public and are therefore entitled to make a SAR for their own information.
    • Information Governance Team
      • The ICB’s Information Governance Team:
        • act as the central point for receipt and management of SARs;
        • ensure the identity of the requester is appropriate to the request, taking account of any ongoing relationship between the ICB and the individual;
        • ensure that where requests are made on behalf of data subjects that the appropriate checks are made regarding identity, consent and addresses for responses;
        • acknowledge receipt of the request and inform the requester when a response can be expected;
        • ensure relevant teams are contacted to undertake timely, robust and comprehensive searches;
        • ensure the collation of all information provided by staff in all formats in a timely manner;
        • review the content of all information provided by staff to ensure appropriate content and removal of duplication where necessary;
        • ensure the application of exemptions where necessary, i.e. removal of third‑party personal information, legal privilege information, and information with the potential to cause harm; and
        • ensure the provision of a response to the requester in a requested format or method of provision.
      • Information Asset Owners

The IAO of the area of work concerned will perform a thorough search for information when requested by the Information Governance Team and provide it within the timescale set out in that request.

  1. How to make a Subject Access Request

    • Before releasing personal data to an individual, the ICB requires:
  • valid identification in the form of a driving licence, passport etc. if you are making the request for yourself;
  • written authority from the data subject and/or a valid Power of Attorney if you are making the request on behalf of someone else;
  • the Data Subject’s full name;
  • the Requester’s contact details (address, email etc.);
  • the Data Subject’s date of birth (if relevant – e.g., for medical records);
  • any information used by the ICB to identify the Data Subject (such as account numbers, reference numbers, NHS number etc.);
  • clear and specific details about what is being requested; and/or
  • any further details that will help identify what the Requester wants (such as dates, names, file numbers etc.).
    • Requests for information should be made in writing or email and sent to the Information Governance Team:


Address: NHS Derby and Derbyshire ICB Information Governance Team, Scarsdale Nightingale Close, Off Newbold Road, Chesterfield S41 7PF

  • When the ICB acknowledges your request, we will inform you of the date a response can be expected. If the ICB holds the data requested and it is not legally exempt from disclosure the information must be supplied within one month of receipt of the request.
  • In very exceptional circumstances the ICB may need extra time to consider your request and have the right to extend by an extra two months. If this is the case, you will be informed within the first month.
  • The ICB will advise if we do not hold your personal information but will normally provide copies of any information requested.
  • When the ICB receives a request from a legal representative/advocate or someone acting on behalf of the data subject, consent will be required. This must be a hard copy signature explicitly consenting to the release of the data subject information indicated in the request. The data subject must make it clear where the response should be sent. However, the ICB may request additional documented proof of identity and confirmation of the request from the data subject.
  1. Responding to a Subject Access Request

    • The ICB has one month from the date of receiving the request and the validation of identity to:
  • gather information from all work areas;
  • collate the information gathered;
  • appraise and apply any legal exemptions;
  • remove duplication where necessary; and
  • redact and respond.
    • All requests for personal information, regardless of the format or method of requests, received into the ICB must be sent to the Information Governance Team immediately so that this process can begin.
    • Searching for personal data
      • The Information Governance Team will ask the relevant ICB services to undertake a reasonable and proportionate search for the personal data requested.
      • A record of the search parameters and strategy used must be clearly recorded for each case, as advised by the ICB.
    • Amending data that is the subject of a request
      • It is a criminal offence for staff to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure to a person who has made a SAR unless:
        • the data would have been amended in any event; and/or
        • it is reasonably believed that the individual is not entitled to receive the requested information.
      • Accordingly, where any normal or routine amendment or deletion of data is proposed following receipt of a SAR, this should be discussed in the first instance with the Information Governance Team.
      • The ICB will aim to provide data held at the time the SAR was received. However, in some cases routine use of the data may result in it being amended while the request is being dealt with. The ICB may therefore supply the information held as at the date of the response, even if this is different to that held when the request was received.
    • Review of the information
      • Once the relevant information has been located, the Information Governance Team, in conjunction with an agreed ICB service lead, will review the data prior to disclosure and will determine whether any exemptions apply.
      • The subject access right is to information, i.e., personal data, and not to documentation. Accordingly, the team may extract the requester’s personal data from documentation or redact information which is not the requester’s personal data when preparing a response. Where appropriate, the team may provide relevant contextual information to assist the applicant, as advised by the ICB.
      • For complex requests, the ICB nominated lead and the appropriate ICB service lead will review the information prior to disclosure. In the most sensitive cases, further escalation and review may be necessary.
    • Exemptions
      • The ICB may be exempt from complying, in full or in part, with a SAR if:
        • the information sought is mixed data and there is not the consent of the other data subject to release the information, and it is not reasonable in the circumstances to disclose the data;
        • the disclosure would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders;
        • the disclosure would prejudice the ICB regulatory functions, or the functions of another regulator;
        • the information contains legally privileged personal data;
        • disclosure would be likely to prejudice the ICB negotiations with the data subject.
      • Some personal data that the ICB holds will be ‘mixed’ data relating to the requester and a third party. For example, records obtained during a Continuing Health Care services assessment may contain data belonging both to the author of the statement and the data subject. The Information Governance Team, together with the relevant services lead will assess whether it is appropriate to seek consent in these cases before deciding whether to apply an exemption.
    • Response
      • Where the ICB holds data about a data subject, the response will contain the following information:
        • the purpose of the processing;
        • the categories of the personal data concerned;
        • the recipients or categories of recipient to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
        • where possible, the expected period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
        • the data subject’s right to have inaccurate personal data rectified or erased and to request restriction or object to the processing of personal data;
        • the right to lodge a complaint with the Information Commissioner’s Office (ICO);
        • where the personal data is not collected from the data subject, any available information as to their source;
        • in cases of automated decision-making, including profiling, information about the reasons for the decision-making or profiling, as well as the expected consequences of such processing for the data subject;
        • in the case of transfer of the data subject’s personal data to a third country or an international organisation, the appropriate safeguards that we arranged in relation to the transfer;
        • an explanation of whether and why any exemptions have been applied to the personal data we hold.
      • Sending the response
        • Should requesters of information require a response to be provided in a particular language, format or method, including easy read format, then this need will be met by the ICB wherever possible.
        • Information is typically provided in a printed copy when responding by post and PDF document when responding by email. When an email response is provided, where the recipient’s email address does not conform to the secure email standard (DCB1596) the response will be sent through the Egress portal.
  1. Complaints about the Subject Access Request Response

    • The ICB will, where appropriate, review responses that applicants are not happy with, to resolve any complaint or dispute in a proportionate manner. Complaints about responses should be sent to the Information Governance Team in the first instance.
    • If you think personal information is missing or has not been provided, you should clearly list, in writing, what other information you think the ICB holds. This will help with a review of records.
    • In the event that a complaint resolution regarding a SAR cannot be reached internally, the Information Commissioners Office (ICO) has a general duty to investigate complaints from members of the public who believe that an organisation has failed to respond correctly to a request for information. You can make a complaint to the ICO in writing to:

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 Fax: 01625 524510

  1. Monitoring Compliance and Effectiveness of the Policy

Compliance with this policy will be monitored through the Information Governance Assurance Forum (IGAF). SARs will be logged and reported to IGAF in anonymised or statistical format.

  1. Equality Statement

    • The ICB aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no one receives less favourable treatment due to their protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.
    • In carrying out its function, the ICB must have due regard to the PSED. This applies to all activities for which the ICB is responsible, including policy development, review and implementation.
  2. Due Regard

This policy has been reviewed in relation to having due regard to the PSED of the Equality Act 2010 to eliminate discrimination; harassment; victimisation; to advance equality of opportunity; and foster good relations between the protected grou

Last Updated: Friday 23rd February 2024 - 11:30:am

Subscribe to our Newsletter

Joined Up Care Derbyshire produces a bi-monthly newsletter which provides important updates on health and care developments around the city and county.

Previous copies of the newsletter can be found on our website.

If you would like to receive this newsletter, please visit our newsletter page to sign up.