Guidance on Dealing with DPA Requests (Excluding SAR)

This is the formal policy for dealing with requests under the Data Protection Act that are not SARs.

Published: 1 May 2024

Version: 4.0

1. Introduction

1.1 Organisations that have a crime prevention, law enforcement or tax collection function may seek to request personal information held by the NHS Counter Fraud Authority (NHSCFA), to prevent or detect a crime, apprehend or prosecute an offender or for taxation/benefit purposes. Under the Data Protection Act 2018 these organisations can submit a Schedule 2: Part 1, Section 2 request for the disclosure of personal information.

1.2 NHSCFA may be able to release this information by applying the relevant Schedule 2: Part 1 exemption under the 2018 Act. There is no obligation on the NHSCFA to release information even if the exemption applies, as the NHSCFA may decide that it should not release any of the requested information. The exemption is not an automatic or a blanket exemption and must be applied on a case-by-case basis.

1.3 Where a Business Unit has genuine concerns about releasing any personal information (because for example it considers that it has other legal responsibilities, such as the information being confidential), then the matter should be referred to the Information Governance (IG) Team. The IG team may in certain circumstances inform the requesting party that it will need to obtain a court order requiring the release of the information.

Note:

While this guidance document focuses on the exemption for the prevention or detection of crime, apprehension or prosecution of an offender or for tax/benefit purposes as an example, the same process and considerations outlined below will be applicable where another exemption is cited and applied.

This guidance ONLY applies to requests for person identifiable information; any requests for non-personal data should be referred to the IG team.

2. What is a Schedule 2: Part 1 request?

2.1 These requests are not Subject Access Requests (SAR) but are classed as ‘third party’ requests for disclosure. Where a relevant exemption applies under the Data Protection Act 2018, such requests will be exempt from the rights afforded to a data subject under the General Data Protection Regulations (GDPR) 2016.

2.2 Although these requests are not SARs, in order to maintain a good audit trail and to ensure that all disclosures are properly recorded with reasons given for any disclosure, all requests received by business units should be logged and retained (see the example at Appendix 1). These requests should be dealt with by the relevant business units as part of their ‘business as usual’ function and do not need to be logged by the IG Team.

2.3 Where a request involves the regular disclosure of substantial information, for example more than what would normally be disclosed within ‘business as usual’ requests, it should be referred to the IG Team for consideration, ideally as part of a formal Information Sharing Agreement (ISA). Further advice can be sought from the IG Team.

3. Considerations

3.1 For every Schedule 2: Part 1 request for the disclosure of personal information, the following (non-exhaustive) matters should be considered:

  • Are you satisfied the requester is who they say they are (remember, only written requests for disclosure are to be considered)?
  • Is it clear the request for information is in respect of the cited exemption (e.g. for the prevention or detection of crime or apprehension or prosecution of an offender)?
  • If the requested information is not disclosed, will this significantly harm any attempt by the requesting party in achieving their objective (e.g. there is a risk that the investigation will/may be impeded)?
  • Is further information required from the requester to satisfy you that the cited exemption applies?

4. Am I required to release the information?

4.1 While we would like to assist third party requesters wherever possible, for example in the detection and prevention of crime or the apprehension or prosecution of offenders, the need to be satisfied that it is appropriate to release the information under the exemption will always be paramount.

4.2 Where there are genuine concerns about the release of personal information (for example you think we have other legal obligations such as the information being confidential), then the matter should be referred to the IG Team. The IG team may in certain circumstances advise the requesting party that it will need to seek a court order requiring the release of the information.

4.3 Should a court decide we are required to disclose the information, we would not be in breach of the Data Protection Act 2018 by obeying the order to disclose.

5. General requests

5.1 On occasions, business units may receive requests for the disclosure of personal information from professional and/or regulatory bodies that possess their own statutory powers to request the disclosure of information.

5.2 Assistance with such requests can be sought from the IG Team upon completion of the ‘Request for Assistance’ template at Appendix 2. Once the form is completed it should be forwarded to the Information Governance Officer, Helen Moore.

6. Further information

6.1 If you require more information about this process or disclosure advice generally, please contact the IG Team.
