Data Subjects’ Rights Policy
This is the approved Data Subjects’ Rights Policy for the NHS Counter Fraud Authority.
Guidance from the Information Commissioner’s Office advocates that organisations should have a policy in place, to ensure the receipt of a ‘rights request’ (whether verbally or in writing), is recorded and responded to without undue delay. Highlighting the importance of being aware of the circumstances and when the time for responding to a request can be extended and to ensure that organisations have appropriate methods and processes in place to erase, suppress or otherwise cease processing personal data.
The purpose of this policy is to outline how the NHS Counter Fraud Authority (NHSCFA), will respond to rights requests in relation to the processing of personal data.
Under the General Data Protection Regulation (GDPR), individuals have a number of enhanced rights relating to the way in which the NHSCFA (the “data controller”) may handle their personal data.
These rights are detailed below. Whether a particular right applies will depend on the NHSCFA’s purpose and its lawful basis for processing the personal information.
This right covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about what the NHSCFA does with their personal data. Articles 13 and 14 specify what individuals have the right to be informed about and that information is detailed in the ‘privacy notice’ on our website.
Where the NHSCFA shares personal data with another organisation we will tell you who we are giving your information to unless we are relying on an exception or an exemption. We will do this by either naming the organisation or the categories that they fall within (e.g. crime and prevention/policing).
This right is commonly referred to as the ‘subject access’ right and gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why the NHSCFA is using their data and to check that we are doing so lawfully.
In addition to providing a copy of the individuals’ personal data (where appropriate), the NHSCFA must also provide individuals with the following information:
Much of this information is provided within the NHSCFA’s privacy notice.
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed, but this will depend on the purposes of the NHSCFA’s processing.
Where the NHSCFA receives a request for rectification it will take reasonable steps to satisfy itself that the data is accurate and to rectify the data if necessary. We will take into account the arguments and evidence provided by the individual. What steps are reasonable will depend in particular, on the nature of the personal data and what it will be used for.
Under Article 17 individuals have the right to have personal data erased, also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Individuals have the right to have their personal data erased if:
The right to erasure does not apply if processing is necessary for one of the following reasons:
Under Article 18 GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that NHSCFA uses their data and is an alternative to requesting the erasure of data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information the NHSCFA holds or how we have processed their data. In most cases NHSCFA will not be required to restrict an individual’s personal data indefinitely, but we will need to have the restriction in place for a certain period of time.
Individuals have the right to request NHSCFA restrict the processing of their personal data in the following circumstances:
The NHSCFA will automatically restrict the processing of personal data while it is considering its accuracy or the legitimate grounds for processing the personal data in question.
The right to data portability gives individuals the right to receive personal data they have provided to a data controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
The right to data portability only applies when:
Information is only within the scope of the right to data portability if it is the personal data that the individual provided to the controller.
Individuals have the absolute right to object to the processing of their personal data where it is undertaken for direct marketing purposes. The NHSCFA does not process any personal data for direct marketing purposes.
Individuals have a qualified right to object to processing carried out for:
In these circumstances there is no absolute right to object to processing and the processing may continue if:
When deciding whether compelling, legitimate grounds exist that overrides the interests of an individual, the NHSCFA will consider the reasons why an individual has objected to the processing of their data. In making a decision, the NHSCFA will demonstrate that it has balanced the individual’s interests, rights and freedoms against its own compelling, legitimate grounds.
Where the NHSCFA is satisfied that it does not need to stop processing the requester’s personal data, it will inform the individual in writing. An explanation of the decision will be provided and the individual will be informed of their right to make a complaint to the ICO (or another supervisory authority) and their ability to seek to enforce their right through a judicial remedy.
Article 21(4) states:
‘Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her personal situation, shall have the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest’.
Where the NHSCFA is relying upon the public task lawful basis, and an objection to processing is received, the NHSCFA will consider the objection together with the additional steps outlined below.
If the NHSCFA intends to refuse an objection on the basis that it is carrying out research or statistical work solely for the performance of a public task carried out in the public interest, it will also be made clear in the organisation’s privacy notice that it is only carrying out the processing on that basis.
Where an objection is received NHSCFA may still be able to continue processing the personal data, if it can demonstrate that it has a compelling legitimate reason or the processing is necessary for legal claims.
Where NHSCFA is satisfied that it does not need to stop processing the personal data, the NHSCFA will inform the individual. An explanation of the organisation’s decision will be provided and the individual will be informed of their right to make a complaint to the ICO (or another supervisory authority) and their ability to seek to enforce their right through a judicial remedy.
The GDPR does not specify how valid right requests have to be made and therefore they can be made verbally or in writing. Furthermore, a request does not have to be made to a specific person or contact point.
Requesters do not have to include specific reference to the right being exercised or the relevant GDPR Article, so as long as sufficient information is provided to enable the right being exercised to be identified and the required reasons to support the request is submitted.
Where an individual wants to make a rights request to the NHSCFA in respect of the organisation’s processing of their personal data, the individual must:
In most cases NHSCFA will not charge a fee for a rights request.
There may be instances where a request is considered by the NHSCFA to be manifestly unfounded or excessive. In these instances the NHSCFA is permitted to charge a “reasonable fee” for the administrative costs of complying with a request.
Where the NHSCFA receives a rights request and it has no identifiable grounds for refusing it, the NHSCFA will action the individual’s request as appropriate.
The NHSCFA will inform the individual without undue delay and within one month of receipt of the request, where it is unable to action it.
The individual will be informed of:
The NHSCFA may refuse to comply with a rights request if is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If it is considered that a rights request is manifestly unfounded or excessive the NHSCFA can:
In either case the NHSCFA will provide a written reason for its decision.
A rights request must be acted upon without undue delay and at the latest within one month of receipt by NHSCFA.
The time period is calculated from the day after NHSCFA receives the request (irrespective of whether the ‘day after’ is a working day or not), until the corresponding calendar date in the next month. If the corresponding date falls on a weekend or a public holiday, the date to respond will be the next working day.
The time for NHSCFA to respond to a rights request can be extended by a further two months if the request is complex or a number of requests have been received from an individual. Where an extension of time is required the individual will be informed within one month of receipt of their request, with an explanation why an extension is necessary.
If NHSCFA has any doubts about the identity of the individual making the rights request, we will request additional identity information and/or confirmation of authority where made by a representative. NHSCFA will only request the information necessary to confirm the identity of the requester, having regard to the data that it holds and what it is being used for.
If more information is needed from an individual to confirm their identity before responding to their request, they will be informed of this by the NHSCFA as soon as possible. The period for responding to the request will then begin once the NHSCFA receives the additional requested information.
Was this page helpful?
Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.