What is a Subject Access Request?
A request for copies of the information about you held by us. Once received we aim to complete this request within 30 days.
A request for access to health records in accordance with the GDPR can be made in writing to the Practice by completion of the form available by clikcing here or by emailing CPICB.georgeclaresurgeryadmin@nhs.net.
All requests should be documented. The documented request should then be passed on to either the Practice Manager or the Information Governance lead. Requests must be recorded in the Subject Access Request Register.
A request does not have to include the phrase “subject access request” or “Article 15 of the GDPR” or “data protection” or “right of access”.
The requester should provide enough proof to satisfy the Practice of their identity (and the Practice is entitled to verify their identity using “reasonable means”). The Practice must only request information that is necessary to confirm who they are. The Practice should request any identity verification as soon as possible after the request has been received.
The default assumption when a requester asks for “a copy of their GP record” is that the information requested by the individual is the entire GP record. However, the Practice may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR permits the Practice to ask the individual to specify the information the request relates to (Recital 63) where the Practice is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely).
A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Practice.
Secure Online Records Access
The Practice can offer, if appropriate, for a requester to be enabled to securely access their full GP electronic record online. This would then allow them to access all information that they might be seeking. Access should follow identify verification, and a review of the record.
Recital 63 of the GDPR states:
“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
Patients Living Abroad
For former patients living outside of the UK and whom once had treatment for their stay here, under GDPR they still have the same rights to apply for access to their UK health records. Such a request should be dealt with as someone making an access request from within the UK.
Patient Representatives
A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.
The Practice must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (Legal Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health.
The Practice is entitled to send the information requested directly to the patient if we think that the patient may not understand what information would be disclosed to a third party who has made a request on their behalf.
A next of kin has no rights of access to medical record, unless they have Power of Attorney.
Court Representatives
A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
Children
No matter their age, it is the child who has the right of access to their information.
Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
When considering borderline cases, The Practice should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
A person with parental responsibility is either:
- the birth mother, or
- the birth father (if married to the mother at the time of child’s birth or subsequently) or,
- an individual given parental responsibility by a court
(This is not an exhaustive list but contains the most common circumstances).
If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.
If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, their mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.
In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.
Notification of Requests
The Practice will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to.
Fees
The Practice must provide a copy of the information free of charge.
However, the practice may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.