4th Nov 2019
DATE OF NEXT REVIEW:
What is Subject Access?
Individuals have the right to request and receive a copy of the information that is held about them. This is known as a subject access request. This right of subject access means that patients can make a request under the Data Protection Act and GDPR to any organisation processing their personal data. The Act calls these organisations ‘data controllers’. Individuals can ask the organisation that is holding, using or sharing the personal information, to supply them with copies of both paper and computer records and related information held about them. This is a ‘subject access request’ (SAR).
What if the request is about a child?
Even if a child is too young to understand about a SAR their personal data does not belong to anyone else.
Before responding the Practice will consider whether the child is mature enough to understand their rights. If the Practice is confident that the child can understand then the Practice must respond to the child rather than a parent or guardian. The Practice should consider:-
- The child’s level of maturity and ability to make decisions
- Nature of the personal data
- Any court orders
- Duty of confidence owed to the child
- The consequences of providing a parent or guardian with this information
- The detriment if an SAR is not provided
- Views of the child for disclosing information to a parent or guardian
Can a SAR be made on behalf of others?
If the Practice is satisfied that the third party making a request is entitled to act on behalf of the individual then yes. Evidence for proof of entitlement might be a written authority to make the request or it could be a more general power of attorney.
A 3rd party including legal representatives can ask for a patient record on behalf of the patient and the Practice cannot charge for this, however the Practice must ensure that appropriate consent is in place before releasing the information.
What information is an individual entitled to?
Subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, subject access goes further than this and an individual is entitled to be:
- Told whether any personal data is being processed (including where there is no information held)
- Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people
- Given a copy of the personal data
- Given details of the source of the data (where available)
Is any information exempt from subject access?
Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a SAR. Information may be exempt because of its nature or because of the effect its disclosure is likely to have.
Beyond the ‘excessive or unfounded’ clause the Practice can also refuse to provide data where the patient already has the information. Other relevant exceptions include where:
- It would involve a disproportionate effort (eg, letters from the 1960s that are no longer relevant)
- It would disclose comments about a third party to the patient (except for others involved in their care)
- It could result in harm to the patient or anyone else
- The information is subject to a court order or is privileged, or subject to fertilisation or adoption legislation.
Is there any more detailed information & How do I make a SAR request?
Please see the full SAR policy under the “Downloads” section at the top of this page. This document will also furnish you with template letters to help you make a request.