CH173-Accessing Records of a Deceased Person Policy
{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Records of a Deceased Person Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} handles requests for access to the records of deceased individuals in a lawful, sensitive, and transparent manner. This policy supports compliance with the Access to Health Records Act 1990, UK GDPR, Data Protection Act 2018, and relevant sections of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, particularly Regulation 17 (Good Governance) and Regulation 10 (Dignity and Respect). It aims to protect the confidentiality of the deceased while enabling appropriate access in line with legal and ethical obligations.
2. Scope
This policy applies to all staff involved in handling personal data, including care records, correspondence, assessments, and any related documentation about individuals who were supported by {{org_field_name}} and who have since passed away. It applies to all formats of records including electronic, handwritten, and archived documents. The policy also covers how we respond to access requests made by relatives, legal representatives, healthcare professionals, or authorities with a legitimate interest.
3. Related Policies
This policy should be read alongside:
- CH04 – Good Governance Policy
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CH14 – Receiving and Acting on Complaints Policy
- CH34 – Confidentiality and Data Protection (GDPR)-Service User Policy
- CH35 – Duty of Candour Policy
- CH36 – Initial Assessment and Care Planning Policy
4. Policy Details
4.1 Legal Framework and Responsibilities
Under the Access to Health Records Act 1990, the personal representative of the deceased (usually the executor of the will or administrator of the estate) and anyone who may have a claim arising from the person’s death has the legal right to request access to relevant health records. This applies only to records created since 1 November 1991. The Data Protection Act 2018 does not apply to deceased individuals, but the duty of confidentiality remains. Requests must be handled sensitively and with due regard to privacy, ethics, and legal obligations.
4.2 How Requests Are Made
Requests must be made in writing and submitted to the Registered Manager {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}} or the Data Protection Officer {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}. The requester must provide evidence of their identity and their legal right to access the information, such as a grant of probate, letters of administration, or proof of a claim. Verbal requests will not be acted upon until a written application and proof of entitlement are provided.
4.3 Assessing the Validity of Requests
On receiving a request, the Registered Manager and Data Protection Officer review:
- The identity and entitlement of the applicant
- Whether the information requested is relevant and proportionate
- Any known wishes of the deceased regarding confidentiality
- Whether disclosure would cause serious harm to the mental or physical health of any third party If concerns arise, legal advice will be sought before proceeding. In some cases, access may be limited or denied if it conflicts with the deceased’s wishes or legal exemptions apply.
4.4 Processing and Responding to Requests
Once the request is validated, we respond within 21 days (or up to 40 days where appropriate). Copies of records are provided in a secure format either electronically or by secure post. Access to original records is only permitted on-site and under supervision. The response includes only the relevant parts of the record and excludes information about third parties unless consent is obtained or it is reasonable to disclose.
4.5 Safeguarding Confidentiality
Even after death, the duty of confidentiality continues. Staff must ensure that information is not disclosed beyond the scope of the request or to unauthorised parties. The care and dignity of the deceased person are upheld by limiting access to what is necessary and lawful. Any breach of confidentiality will be reported and investigated under our governance and safeguarding procedures.
4.6 Storage, Retention, and Disposal of Records
Records of deceased individuals are stored securely for a minimum of eight years in accordance with NHS records management guidance. After this period, records are disposed of using approved confidential waste services. Any access requests received during the retention period are documented and logged. Archived records are reviewed annually to determine eligibility for secure destruction or continued retention.
4.7 Staff Training and Awareness
All staff involved in handling records are trained in data protection, confidentiality, and information governance. They are made aware of the special considerations required when dealing with the records of deceased individuals. Refresher training is provided annually or following changes in legislation or policy. Staff must escalate any uncertain or complex requests to the Data Protection Officer.
4.8 Monitoring and Governance
The Registered Manager and Data Protection Officer maintain a log of all requests and monitor compliance with this policy. Any refusals, complaints, or breaches are investigated and reported in line with our governance framework. Learning from these cases informs staff training and continuous improvement.
5. Policy Review
This policy is reviewed annually, or sooner if there are legislative updates, changes in CQC expectations, or significant data protection developments. The review is conducted by the Data Protection Officer and approved by the Registered Manager. Updates are communicated to staff through training and internal communications, and staff understanding is checked during supervision.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.