Data Subjects’ Rights Policy

This is the approved Data Subjects’ Rights Policy for the NHS Counter Fraud Authority.

Introduction

Guidance from the Information Commissioner’s Office (ICO) advocates that organisations should have a policy in place to ensure that the receipt of a ‘rights request’ (whether made verbally or in writing) is recorded and responded to without undue delay. The guidance also highlights the importance of knowing the circumstances in which the time for responding to a request can be extended, and of ensuring that organisations have appropriate methods and processes in place to erase, suppress or otherwise cease processing personal data.

The purpose of this policy is to outline how the NHS Counter Fraud Authority (NHSCFA) will respond to rights requests in relation to its processing of personal data.

Under the General Data Protection Regulation (GDPR), individuals have a number of enhanced rights relating to the way in which the NHSCFA (the “data controller”) may handle their personal data.

These rights are detailed below. Whether a particular right applies will depend on the NHSCFA’s purpose and its lawful basis for processing the personal information.

The right to be informed

This right covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about what the NHSCFA does with their personal data. Articles 13 and 14 specify what individuals have the right to be informed about and that information is detailed in the ‘privacy notice’ on our website.

Where the NHSCFA shares personal data with another organisation we will tell you who we are giving your information to unless we are relying on an exception or an exemption. We will do this by either naming the organisation or the categories that they fall within (e.g. crime and prevention/policing).

The right of access

This right is commonly referred to as the ‘subject access’ right and gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why the NHSCFA is using their data and to check that we are doing so lawfully.

In addition to providing a copy of the individual’s personal data (where appropriate), the NHSCFA must also provide the individual with the following information:

  • the purposes of its processing
  • the categories of personal data concerned
  • the recipients or categories of recipient we disclose the personal data to
  • our retention period for storing the personal data or, where this is not possible, our criteria for determining how long we will store it
  • the existence of their right to request rectification, erasure or restriction or to object to such processing
  • the right to lodge a complaint with the ICO or another supervisory authority
  • information about the source of the data, where it was not obtained directly from the individual
  • the existence of automated decision-making (including profiling); and
  • the safeguards we provide if we were to transfer personal data to a third country or international organisation.

Much of this information is provided within the NHSCFA’s privacy notice.

The right to rectification

Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed, but this will depend on the purposes of the NHSCFA’s processing.

Where the NHSCFA receives a request for rectification it will take reasonable steps to satisfy itself that the data is accurate and to rectify the data if necessary. We will take into account the arguments and evidence provided by the individual. What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for.

The right to erasure

Under Article 17 individuals have the right to have personal data erased, also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose for which it was originally collected or processed
  • we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
  • we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing
  • the organisation is processing the personal data for direct marketing purposes and the individual objects to that processing (NHSCFA does not process any personal data for direct marketing purposes)
  • the organisation has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle)
  • the organisation has to comply with a legal obligation

The right to erasure does not apply if processing is necessary for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific and historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims

The right to restrict processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that the NHSCFA uses their data; it is an alternative to requesting the erasure of the data.

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information the NHSCFA holds or how we have processed their data. In most cases NHSCFA will not be required to restrict an individual’s personal data indefinitely, but we will need to have the restriction in place for a certain period of time.

Individuals have the right to request NHSCFA restrict the processing of their personal data in the following circumstances:

  • the individual contests the accuracy of their personal data and we are verifying the accuracy of the data
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the 1st principle of the GDPR) and the individual opposes erasure and requests restriction instead
  • NHSCFA no longer needs the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; or
  • the individual has objected to our processing their data under Article 21(1), and we are considering whether our legitimate grounds override those of the individual.

The NHSCFA will automatically restrict the processing of personal data while it is considering its accuracy or the legitimate grounds for processing the personal data in question.

The right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a data controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

The right to data portability only applies when:

  • the lawful basis for processing this information is consent or for the performance of a contract; and
  • the organisation is carrying out the processing by automated means (i.e. excluding paper files).

Information is only within the scope of the right to data portability if it is the personal data that the individual provided to the controller.

The right to object

Direct Marketing

Individuals have the absolute right to object to the processing of their personal data where it is undertaken for direct marketing purposes. The NHSCFA does not process any personal data for direct marketing purposes.

Public Task

Individuals have a qualified right to object to processing carried out for:

  • a public task or in the public interest
  • the exercise of official authority vested in the organisation; or
  • the organisation’s legitimate interests (or those of a third party)

In these circumstances there is no absolute right to object to processing and the processing may continue if:

  • the NHSCFA can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

When deciding whether compelling legitimate grounds exist that override the interests of an individual, the NHSCFA will consider the reasons why the individual has objected to the processing of their data. In making a decision, the NHSCFA will demonstrate that it has balanced the individual’s interests, rights and freedoms against its own compelling legitimate grounds.

Where the NHSCFA is satisfied that it does not need to stop processing the requester’s personal data, it will inform the individual in writing. An explanation of the decision will be provided and the individual will be informed of their right to make a complaint to the ICO (or another supervisory authority) and their ability to seek to enforce their right through a judicial remedy.

Research

Article 21(6) states:

‘Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest’.

Where the NHSCFA is relying upon the public task lawful basis, and an objection to processing is received, the NHSCFA will consider the objection together with the additional steps outlined below.

If the NHSCFA intends to refuse an objection on the basis that it is carrying out research or statistical work solely for the performance of a public task carried out in the public interest, it will also be made clear in the organisation’s privacy notice that it is only carrying out the processing on that basis.

Where an objection is received NHSCFA may still be able to continue processing the personal data, if it can demonstrate that it has a compelling legitimate reason or the processing is necessary for legal claims.

Where NHSCFA is satisfied that it does not need to stop processing the personal data, the NHSCFA will inform the individual. An explanation of the organisation’s decision will be provided and the individual will be informed of their right to make a complaint to the ICO (or another supervisory authority) and their ability to seek to enforce their right through a judicial remedy.

Making a rights request

The GDPR does not specify how a valid rights request has to be made, so requests can be made verbally or in writing. Furthermore, a request does not have to be made to a specific person or contact point.

Requesters do not have to refer specifically to the right being exercised or to the relevant GDPR Article, as long as sufficient information is provided to identify the right being exercised and the reasons required to support the request are submitted.

Where an individual wants to make a rights request to the NHSCFA in respect of the organisation’s processing of their personal data, the individual must:

  • Provide sufficient information to confirm their identity (individuals may be asked to provide further information to help confirm this)
  • Provide sufficient information to enable the right being exercised to be identified, supported by the relevant required reasons based upon the individual’s particular situation
  • Where a request is detailed or complex, the individual may be asked to submit their request in writing to ensure that it is properly understood, recorded and actioned (where appropriate)
  • Provide appropriate correspondence details (postal address or valid email address) to enable a written response to be provided.

Is a fee payable?

In most cases NHSCFA will not charge a fee for a rights request.

There may be instances where a request is considered by the NHSCFA to be manifestly unfounded or excessive. In these instances the NHSCFA is permitted to charge a “reasonable fee” for the administrative costs of complying with a request.

Complying with a request

Where the NHSCFA receives a rights request and it has no identifiable grounds for refusing it, the NHSCFA will action the individual’s request as appropriate.

Refusal to comply with request

The NHSCFA will inform the individual without undue delay and within one month of receipt of the request, where it is unable to action it.

The individual will be informed of:

  • the reasons NHSCFA cannot undertake the requested action
  • their right to make a complaint to the ICO (or another supervisory authority); and
  • their ability to seek to enforce this right through a judicial remedy.

Can we refuse to comply for other reasons?

The NHSCFA may refuse to comply with a rights request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If it is considered that a rights request is manifestly unfounded or excessive the NHSCFA can:

  • request a "reasonable fee" to deal with it; or
  • refuse to deal with it.

In either case the NHSCFA will provide a written reason for its decision.

Time for complying

A rights request must be acted upon without undue delay and at the latest within one month of receipt by NHSCFA.

The time period is calculated from the day after NHSCFA receives the request (irrespective of whether the ‘day after’ is a working day or not), until the corresponding calendar date in the next month. If the corresponding date falls on a weekend or a public holiday, the date to respond will be the next working day.

Can the time for a response be extended?

The time for NHSCFA to respond to a rights request can be extended by a further two months if the request is complex or a number of requests have been received from an individual. Where an extension of time is required the individual will be informed within one month of receipt of their request, with an explanation why an extension is necessary.

Confirming the identity of the requester

If NHSCFA has any doubts about the identity of the individual making the rights request, we will request additional identity information and/or confirmation of authority where made by a representative. NHSCFA will only request the information necessary to confirm the identity of the requester, having regard to the data that it holds and what it is being used for.

If more information is needed from an individual to confirm their identity before responding to their request, they will be informed of this by the NHSCFA as soon as possible. The period for responding to the request will then begin once the NHSCFA receives the additional requested information.