Subject Access Requests (SAR)
The Data Protection Act (DPA), the General Data Protection Regulations (GDPR) gives every living individual (or authorised representative ) the right to apply for access to their personal information and for deceased individuals, the Access to Health Records Act 1990.
Who can make an access request?
An application for access to personal data may be made to the Practice by any of the following:
- an individual
- a person authorised by the individual in writing to make the application on an individual’s behalf e.g. solicitor, family member, carer
- a person having parental responsibility for the individual where he/she is a child.
- a person appointed by a court to manage the affairs of an individual who is deemed incompetent
- individuals who hold a health and welfare Lasting Power of Attorney
- where the individual has died, the personal representative and any person who may have a claim arising out of the individual’s death (the executor of the deceased’s will; someone who has been appointed as an Administrator of the Estate by the Courts; someone who has the written consent of either of the above to be given access, someone who is in the process of challenging the deceased’s will)
The Police may, on occasion, request access to personal data of individuals. Whilst there is an exemption in the Data Protection Act which permits the Practice to disclose information to support the prevention and detection of crime, the Police have no automatic right to access; however they can obtain a Court Order.
A patient can authorise their solicitor or another third party to make a SAR. As long as the solicitor has provided the patient’s written consent to authorise access to the records, the SAR process should be followed as usual.
Insurance companies however do not have the same privileges to access patient records – the ICO has said that insurance companies using SARs to obtain full medical records is an abuse of the process (the DPA 2018 still says that information must be adequate, relevant and not excessive in relation to the purpose the data is processed).
It is a criminal offence to make a SAR to access information about individuals’ convictions and cautions – the law sets out various levels of fines, and a clause in the DPA 2018 will soon be enacted to extend this to cover medical records. If you suspect that a SAR from an insurer is not relevant or excessive then it should be reported to the ICO and the Association of British Insurers.
Individuals wishing to exercise their right of access should:
- Make a written application to the Practice holding the records, including via email
- Provide such further information as the Practice may require to sufficiently identify the individual
An individual may also raise a request using a subject access request form, however this is not mandatory.
Fees and Response Time
Under GDPR the Practice must provide information free of charge. However, we can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative cost of providing the information only.
If the request involves creating a medical report or interpreting the information in an existing medical record or report, then this would be a request under the Access to Medical Reports Act (AMRA). Unlike a Subject Access Request, these requests will require new material to be created. This would mean that a fee is payable in such circumstances.
The request must be complied with without delay and at least within one calendar month of receipt of the request. This period can be extended for a further two months where requests are complex or numerous, however the Practice must inform the individual within one month of receipt of the request and explain why the extension is necessary.
The Release Stage
The format of the released information must comply with the requester’s wishes. Where no specific format is requested, the Practice should provide the information in the same manner as the original request. For example, requests received via email can be satisfied via email.
Once the records have been collated, redacted where applicable and signed off by the Caldicott Lead, they should be sent to the requester. On no account must the original record be released.
If sending the information via email, the Practice will:
- Check that the individual wishes to receive the information via email.
- Check the email address, and send an email to the address requesting confirmation of receipt, in order to verify the address.
- If in doubt about the recipient email address, the practice will not send the information via email.
- Test that the individual can receive, and access, a test email and attachment via NHSmail’s [Secure] encryption service. The individual will need to register to access the information via Trend Micro upon receipt.
- Usually send the information via a secure email from NHSmail, using [Secure] at the start of the subject line, and request the receiver acknowledges receipt.
- Depending on the volume of data to be sent, the information may need to be split across multiple [Secure] emails, due to the maximum attachment files size. The individual should be made aware of this where this is the case.
Confidential information will not be sent by email unless:
- the email address of the recipient is absolutely verified, and
- the information is sent securely
- policy stipulations (unless the patient clearly expresses a preference to receive unencrypted information in this way)If sent by post:
If sent by post:
- the record should be sent to a named individual
- by recorded delivery
- marked “private and confidential”
- “for addressee only”
- and the Practice details should be written on the reverse of the envelope.Confidential medical records should not be sent by fax.
Confidential medical records should not be sent by fax.
Proof of identity / Evidence - Before the practice can release any information we will need to verify proof of ID of the Data Subject and/or the Data Subjects representative and supporting documentation as per the list in the table below
|Type Of Applicant||Type Of Documentation|
|A||An individual (the data subject) applying for his/her own records||
One copy of identity required ,e.g. copy of birth certificate, passport, driving licence,
one copy of a utility bill or medical card, bank statement
|B||Someone applying on behalf of an individual (Representative)||
One item showing proof of the patient’s identity
one item showing proof of the representative’s identity (see examples in ‘A’ above)
|C||Person with parental responsibility applying on behalf of a child||
Copy of birth certificate of child
copy of correspondence addressed to person with parental responsibility relating to the patient
|D||Power of Attorney/Agent applying on behalf of an individual||
Copy of a court order authorising Power of Attorney/Agent
proof of the patient’s identity (see examples in ‘A’ above)
Access may be denied or restricted where:
- The record contains information which relates to or identifies a third party that is not a care professional and has not consented to the disclosure. If possible, the individual should be provided with access to that part of the record which does not contain the third party information
- Access to all or part of the record will prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental well-being of the individual or any other person is likely. If possible the individual should be provided with access to that part of the record that does not post the risk of serious harm
- Access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person. If possible the individual should be provided with access to that part of the record that does not pose the risk of serious harm
- If an assessment identifies that to comply with a SAR would involve disproportionate effort under section 8(2)(a) of the Data Protection ActComplaints and Appeals
Complaints and Appeals
The applicant has the right to appeal against the decision of the Practice to refuse access to their information. This appeal should be made to
Dr Claire Cochrane-Dyet
Data Protection Officer
Thornhills Medical Practice
Larkfield Health Centre
Kent. ME20 6Q
If an applicant is unhappy with the outcome of their access request, the following complaints channels should be offered:
- Meet with the applicant to resolve the complaint locally
- Advise a patient to make a complaint through the complaint’s process
If individuals remain unhappy with the Practice response, they have the right to appeal to the Information Commissioner’s Office:
Information Commissioner’s Office
Telephone: 0303 123 1113