The UK General Data Protection Regulation (UK GDPR) gives individuals the right of access to their personal data from any person or organisation that holds information about them. This right is commonly exercised through a ‘subject access request’ (SAR).
What you need to know from a digital primary care perspective
A patient may ask you for the information you hold about them. The request can be made in writing, by email or verbally. It can be submitted to any part of the organisation and does not have to be directed to a specific person.
Providing patients with online access to their GP record will empower them to access their record themselves. It should, therefore, reduce the number of SARs you receive. If you have other forms of records about the patient that are not held in a digital format, SARs will also apply to those records as well.
It is important to remember there may be other parts of the clinical record that are not visible through online access methods (for example, audit trails or internal messages passed between members of the team that relate to a patient’s record). There may also be e-mail communication held elsewhere within the practice that will also fall under the remit of a SAR if these records identify the patient. For example, an internal email from a receptionist to a nurse about a missed appointment would be subject to a SAR if the content identifies the patient.
What you need to do
Standard forms can make it easier for you to recognise a SAR and for individuals to include all the details you might need to locate their information. The UK General Data Protection Regulation recommends that organisations provide ways for individuals to make requests electronically. You could, therefore, consider designing a subject access request form that encourages individuals to complete and submit to you electronically. It is not, however, compulsory for individuals to use such a form.
If your practice receives a SAR, it should be dealt with promptly. Your organisation has one calendar month to respond from the date of the request.
You will need to confirm the identity of the requestor. If the request is made by someone else on behalf of the patient, you will need to check the identity of the requestor, and that they have suitable authority to act on behalf of the patient (such as consent from the patient or having lasting power of attorney for the patient).
Exemptions from disclosure
You will then need to review the requested information to ensure that it does not include any information that is exempt from disclosure. Information may be withheld from the requestor when:
- you believe that disclosure of the information is likely to cause serious physical or mental harm to the individual or another person
- the records contain information that is related to a third party (see below)
- the record contains medically harmful information – such as a terminal diagnosis the patient does not yet know
There is more information about these issues and others, like coercion, and safeguarding, in the other articles in this series.
Third-party information is information that has not come directly from the patient themselves or those treating them. An example is a daughter expressing concern about her mother’s alcohol intake.
If a record contains information that relates to a third party who has not given their consent for disclosure, it may be reasonable not to disclose that information if you believe the duty of confidentiality you owe to the third party outweighs the individual’s right of access. In these circumstances you would need to redact the third-party information. You should inform the requestor if you have redacted information from a record and give the reason for the redaction. It is also good practice to record any reasons for withholding such information from disclosure.
The names and roles of health and care professionals who have been involved in providing care to the patient would typically be disclosed under a SAR.
You do not have to provide a person with a copy of their health and care records if you believe their subject access request is ‘manifestly unfounded or excessive’.
Subject access requests that fall into this category are likely to be one of the following:
- repetitive (for example, regular requests for copies of records especially where there has been little or no change to the record since the previous request)
- aimed at disrupting your organisation
- targeted against an individual
Decisions about whether a SAR falls into this category must be taken on a case-by-case basis and you should be able to justify your decision with evidence. Guidance from the Information Commissioner’s Office (ICO) on manifestly unfounded and excessive requests is available.
Practices may charge a fee when there are excessive requests. The ICO provides more guidance when a fee may be charged.
It is a legal requirement of the UK GDPR for an organisation to respond to a SAR. Failure to comply with a legitimate SAR request results in a risk of breaching the UK GDPR and a potential sanction by the ICO.
SARs and Freedom of Information (FOI) requests are different:
- SARs relate to personal data held by an organisation
- FOIs relate to non-personal information held by the organisation
If a person mistakenly asks for a copy of their record under the FOI, contact them and clarify their request and confirm what they want a copy of. It unacceptable to not respond to a SAR just because the person asked for it under the wrong access legislation.
SARs relating to children
Parents or legal guardians of children can submit a request for the child’s record, and these should be treated as a valid request, and processed accordingly (along with parental identity checks). If a child is deemed to have capacity to deal with their affairs, then a parent or legal guardian cannot submit a request on their behalf, unless the child consents. There is an article on online access by children and young people in this series.
SARs from individuals with powers of attorney
A person with a lasting power of attorney (LPA) for health and welfare has been appointed by a court to manage their affairs of an individual when they no longer have capacity to do so themselves. A SAR can, however, only be submitted by the data subject (the patient) or by a person authorised by them to make a SAR on their behalf.
It is generally appropriate to comply with a SAR request submitted by a person who holds LPA. They effectively become the person they are acting on behalf of. As with all SAR requests, proof of identity checks need to be carried out, and records redacted where legally allowed.
Related GPG content
- Registering patients for online services
- Identity (ID) verification
- Safeguarding – to follow