Obtain blood results
| Authority | Manx Care |
|---|---|
| Date received | 2025-09-26 |
| Outcome | All information sent |
| Outcome date | 2025-10-23 |
| Case ID | 4959837 |
Summary
The requester asked for Manx Care's written policy regarding individual access to their own test results. The authority responded by releasing the full 'Data Protection Policy' (Version 1.8) and confirmed all information was sent.
Key Facts
- The request was received on 26 September 2025 and concluded on 20 October 2025.
- Manx Care released 21 pages of information across 2 documents.
- The disclosed document is the 'Data Protection Policy' Version 1.8, effective from September 2022.
- The policy was ratified by the Executive Management Committee on 9 December 2022.
- The policy supersedes the previous 'Data Protection and Confidentiality Policy' and 'Breach Notification Policy and Procedure'.
- The requester has the right to an internal review or appeal to the Information Commissioner if dissatisfied.
Data Disclosed
- 4959837
- 2025-09-26
- 2025-10-23
- 21
- 2
- 1.8
- Sept 2022
- October 2024
- 9 Dec 22
- 27 Sept 2022
- 30 Sept 2022
- 11 Sept 2023
- 0.5
- 1.7
- Page 2 of 19
Original Request
A copy of Manx Care's written policy covering an individual's access to their own test results when requested by the individual
Data Tables (8)
| Author | ||
|---|---|---|
| Owner | ||
| Version Number | 1.8 | |
| Document effective from | Sept 2022 | |
| Next review due | October 2024 | |
| Intended audience | Manx Care All Staff and partner agencies | |
| Superseded documents | • Data Protection and Confidentiality Policy • Breach Notification Policy and Procedure | |
| Stakeholders consulted prior to implementation | Information Governance Advisory Board | |
| Ratified by Date: | Executive Management Committee 9 Dec 22 | |
| Previous Reviews: | Annual Review Sept 2023 DHSC Sept 2022 | |
| Changes made during last review | clarification of special category data |
| VERSION | VERSION | DATE | DATE | REVISION AUTHOR | REVISION AUTHOR | SUMMARY OF CHANGES | SUMMARY OF CHANGES |
| 0.5 | 27 Sept 2022 | Complete re-write and split of Data Protection & Confidentiality Policy into two separate policies and one procedure on advice from DHSC; i.e. a. Data Protection Policy (now ver 1.7); b. Confidentiality Policy; c. Breach Notification Procedure. | |
|---|---|---|---|
| 1.7 | 30 Sept 2022 | Initial version sent out to NCQG for consultation. Corrected version to 1.7 plus made other minor amendments in policy following comments from NCQC. | |
| 1.8 | 11 Sept 2023 | Clarification of special category data |
| NAME | TITLE |
| NAME | POSITION | SIGNATURE | DATE |
| DATA SUBJECT REQUEST | TIMESCALE |
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
|---|---|
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |
Full Response Text
Manx Care Noble’s Hospital, Strang Braddan, Isle of Man IM4 4R (01624) 650 000
Our ref: 4959837 20 October 2025
Dear
We write further to your request, received 26 September 2025, which states:
"A copy of Manx Care's written policy covering an individual's access to their own test results when requested by the individual"
Response
Enclosed is a copy of the information that is being released to you.
Please quote the reference number 4959837 in any future communications.
Your right to request a review
If you are unhappy with this response to your freedom of information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post.
An electronic version of our complaint form can be found by going to our website at https://services.gov.im/freedom-of-information/Review . If you would like a paper version of our complaint form to be sent to you by post, please contact me and I will be happy to arrange for this. Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded.
If you are not satisfied with the result of the review, you then have the right to appeal
to the Information Commissioner for a decision on;
1. Whether we have responded to your request for information in accordance with
Part 2 of the Freedom of Information Act 2015; or
2. Whether we are justified in refusing to give you the information requested.
In response to an application for review, the Information Commissioner may, at any
time, attempt to resolve a matter by negotiation, conciliation, mediation or another
form of alternative dispute resolution and will have regard to any outcome of this in
making any subsequent decision.
More detailed information on your right to a review can be found on the Information Commissioner’s website at www.inforights.im. Should you have any queries concerning this letter, please do not hesitate to contact me. Further information about freedom of information requests can be found at www.gov.im/foi.
I will now close your request as of this date.
Yours faithfully
Data Protection Policy
Author
Owner
Version Number
1.8
Document effective from
Sept 2022
Next review due
October 2024
Intended audience
Manx Care All Staff and partner agencies
Superseded documents
•
Data Protection and Confidentiality Policy
•
Breach Notification Policy and Procedure
Stakeholders consulted prior to
implementation
Information Governance Advisory Board
Ratified by
Date:
Executive Management Committee
9 Dec 22
Previous Reviews:
Annual Review Sept 2023 DHSC
Sept 2022
Changes made during last review
clarification of special category data
Revision history
VERSION DATE
REVISION AUTHOR
SUMMARY OF CHANGES
Manx Care Data Protection Policy
Manx Care Data Protection Policy Ver 1.8.docx
Page 2 of 19
0.5
27 Sept
2022
Complete re-write and split of Data Protection &
Confidentiality Policy into two separate policies and one
procedure on advice from DHSC; i.e.
a. Data Protection Policy (now ver 1.7);
b. Confidentiality Policy;
c.
Breach Notification Procedure.
1.7
30 Sept
2022
Initial version sent out to NCQG for consultation.
Corrected version to 1.7 plus made other minor
amendments in policy following comments from NCQC.
1.8
11 Sept
2023
Clarification of special category data
Distribution
NAME
TITLE
Approval
NAME
POSITION
SIGNATURE
DATE
Contents
1 Introduction ................................................................................................................. 5
2 Purpose and Scope ....................................................................................................... 6
2.1 Purpose ............................................................................................................................ 6
2.2 Scope ................................................................................................................................ 6
2.3 Personal information relating to others ............................................................................. 6
2.4 Implications for non-compliance ........................................................................................ 6
3 Data Protection Policy .................................................................................................. 6
3.1 The Applied General Data Protection Regulation ................................................................ 6
3.2 Definitions ........................................................................................................................ 7
3.2.1 Personal data ...................................................................................................................................... 7
3.2.2 Processing ............................................................................................................................................ 7
3.2.3 Processor .............................................................................................................................................. 7
Manx Care Data Protection Policy
Manx Care Data Protection Policy Ver 1.8.docx
Page 3 of 19
3.2.4 Personal data breach ........................................................................................................................... 7
3.2.5 Processing of special categories of personal data .............................................................................. 7
3.2.6 Controller ............................................................................................................................................ 8
3.2.7 Consent ............................................................................................................................................... 8
3.3 Principles relating to processing of personal data ............................................................... 8
3.4 Rights of the individual ...................................................................................................... 9
3.5 Lawfulness of processing ................................................................................................. 11
3.5.1 Consent ............................................................................................................................................. 11
3.5.2 Contract ............................................................................................................................................ 11
3.5.3 Legal obligation ................................................................................................................................ 11
3.5.4 Vital interests ................................................................................................................................... 11
3.5.5 Public task ......................................................................................................................................... 11
3.5.6 Legitimate interests.......................................................................................................................... 11
3.6 Special Category Data ...................................................................................................... 12
3.7 Principles relating to processing of personal data ............................................................. 12
3.7.1 Lawfully and fairly ............................................................................................................................. 12
3.7.2 Purpose limitation .............................................................................................................................. 12
3.7.3 Data minimisation .............................................................................................................................. 12
3.7.4 Accuracy ............................................................................................................................................. 13
3.7.5 Storage limitation .............................................................................................................................. 13
3.7.6 Personal Integrity and confidentiality (security) ............................................................................... 13
3.7.7 Accountability ................................................................................................................................... 13
3.8 Privacy by design ............................................................................................................. 13
3.9 Contracts involving the processing of personal data ......................................................... 14
3.9.1 Subject matter and duration of processing ....................................................................................... 14
3.9.2 Obligations and rights of the controller ............................................................................................. 14
3.9.3 Documented instructions .................................................................................................................. 14
3.9.4 Confidentiality ................................................................................................................................... 14
3.9.5 Security ............................................................................................................................................. 14
3.9.6 Sub-processing ................................................................................................................................... 14
3.9.7 Assistance ........................................................................................................................................... 15
3.9.8 End of contract ................................................................................................................................... 15
3.9.9 Evidence of compliance .................................................................................................................... 15
3.10 International transfers of personal data ......................................................................... 16
3.11 Data Protection Officer .................................................................................................. 16
3.12 Breach Notification of Personal Data .............................................................................. 16
3.13 Addressing compliance to the Applied GDPR .................................................................. 18
4 Distribution and Implementation ................................................................................ 18
4.1 Distribution Plan ............................................................................................................. 18
4.2 Training Plan ................................................................................................................... 19
5 Monitoring ................................................................................................................. 19
6 Equality Impact Assessment ........................................................................................ 19
Manx Care Data Protection Policy
Manx Care Data Protection Policy Ver 1.8.docx
Page 4 of 19
Tables
Table 1: Timescales for data subject requests ............................................................................. 10
Manx Care Data Protection Policy
Manx Care Data Protection Policy Ver 1.8.docx
Page 5 of 19
1 Introduction
In conduct of its everyday operations in the delivery of health and care services, Manx Care
makes use of a variety of data about identifiable individuals, including data about:
•
Current, past and prospective employees;
•
Patients,
•
Service Users;
•
Other stakeholders
In collecting and using this data, the organisation is subject to a variety of legislation
controlling how such activities may be carried out and the safeguards that must be put in
place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps
Manx Care is taking to ensure that it complies with it.
This policy applies to all systems, people and processes that constitute the organisation’s
information systems, including board members, directors, staff, suppliers and other third
parties who have access to Manx Care systems.
The following policies and procedures are relevant to this document:
Data Breach Notification Procedure
Data Protection Impact Assessment Procedure
Data Protection Policy
Confidentiality Policy
Bring your own device Policy
Data Storage and Transmission Policy
Email Policy and related procedures
Information Security Policy
Information and Records Management Policy
Information and Records Retention Policy
Manx Care Data Protection Policy
Manx Care Data Protection Policy Ver 1.8.docx
Page 6 of 19
2 Purpose and Scope
2.1 Purpose
The purpose of this policy and associated procedures is to support staff by describing Manx
Care’s commitment to, and principles for, ensuring that personal data and special categories
of data are processed in a lawful and appropriate manner.
2.2 Scope
The scope of this policy and associated procedures cover the processing of personal data
and special categories of data, however held, relating to:
•
Patient/client/service user information;
•
Staff information;
•
Other stakeholders e.g. members of the public.
2.3 Personal information relating to others.
The policy and associated procedures apply to everyone working or acting on behalf of
Manx Care including all permanent and temporary staff, contractors, students, volunteers
and researchers. Any individual who has authorised access to personal data and special
categories of data will be expected to have read and to comply with this policy.
2.4 Implications for non-compliance
Manx Care aims to support all its staff in adhering to good working practices. Inevitably
failure to comply with the requirements of the Data protection legislation may result in
Manx Care facing prosecution, including enforcement action and financial penalty against it.
Of most significant impact will be the loss of public confidence in Manx Care’s ability to
protect confidential data.
3 Data Protection Policy
3.1 The Applied General Data Protection Regulation
The Applied General Data Protection Regulation (Applied GDPR)
[Response truncated — full text is 42,629 characters]