Subject Access Requests
The General Data Protection Regulation (GDPR), which was implemented in the UK through the Data Protection Act 2018, gives individuals the right of access to their personal data from any health and care organisation that holds records on them.
This right is commonly referred to as ‘subject access’. This guidance is intended to help you understand what a Subject Access Request (SAR) is. There are also common questions relating to SARs.
During the COVID-19 period the Information Commissioner’s Office (ICO) recognises that organisations may not be able to respond within the usual timeframes. You can read more about this in the COVID-19 FAQs.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
A SAR is a request that can be made in writing, by email or verbally asking for access to the personal information a company or organisation holds on you. This is a legal right that any individual in the UK is entitled to exercise at any point for free.
You can ask someone else to submit a subject access request for you, for example, a solicitor or family member acting on your behalf. You may be asked to provide confirmation that you have asked them to do this.
Whilst a SAR gives you the right to obtain a copy of your personal data, it should be noted that there are other ways to obtain your health and care records. The NHS is seeking to empower people and transform their experience of health and care by giving them the ability to access, manage and contribute to digital tools, information and services - for example, most patients can now request access to their GP record online, including via the NHS App.
Can children make a request?
All patients and service users have a right to access their own health and care records, including children. A child with competency (meaning they are considered mature enough to understand the situation) can exercise their own subject access rights. If they are not deemed competent, a person with parental responsibility may be permitted to exercise the child’s right to make a SAR on their behalf if it is evident that they are acting in the child’s best interest.
Guidance for healthcare workers
As a health and care professional, or someone supporting the health and care of patients and service users, you need to know that patients have the right to access their records and who in your organisation is responsible for responding to these subject access requests.
Your organisation has one month to action and respond to a SAR, so you need to forward the request to the appropriate person or team as quickly as possible. If you are involved in responding to a request, see the section for information governance (IG) professionals for further information.
Guidance for IG professionals
These key points will support you in meeting the requirements of the GDPR:
- Review your SAR procedures.
- Be aware of reduced timescales to action a SAR. You now have one month from the receipt of the request. For example, a request received on 3 September must have been responded to by 3 October.
- Enable your patients and service users to access their records online, rather than providing photocopies.
- If you need to communicate your refusal to a SAR to the patient and service user, you should provide information about their rights to complain to the Information Commissioner’s Office (ICO).
Failure to comply with a legitimate SAR risks breaching the GDPR and a potential sanction by the ICO. The maximum fine that can be issued by the ICO is 4% of global turnover or 20 million euros (or the equivalent in sterling).
Article 15 of the GDPR sets out the information which individuals have the right to be provided with. This includes:
- what personal data is being processed
- the purposes for which the personal data is being processed
- who holds the personal data and where it has been disclosed
- how long the data will be retained for.
Your organisation should make available to your patients and service users, in its privacy notice, information about rights under Article 15 of the GDPR and how they can be exercised.
A SAR must come from the individual themselves or a person acting on their behalf (also see section on children). It must also be accompanied by sufficient information to enable you to verify the identity of the individual and then locate their personal data.
Confirming identification is important as it helps to stop organisations from inadvertently disclosing personal data, either accidentally or as the result of deliberate fraudulent action by a third party. If the SAR has been submitted by a third party or agent on behalf of an individual, there should be evidence that the individual has consented to this.
If the information provided by the individual in their request is insufficient to confirm their identity, you can ask them for more information. For example, you may need to request information such as:
- proof of identification - for example, driving licence, passport, birth or marriage certificate
- proof of relationship/authority (for example, requesting information about a child or by an agent). Note that where a person is requesting information about a child you must make reasonable efforts to verify that a person does, in fact, hold parental responsibility for that child.
There are several exemptions that are set out under the Data Protection Act 2018 which allow information to be withheld from the individual that has made the request. Some of the current exemptions include the following:
- you believe that disclosure of the information is likely to cause serious physical or mental harm to the individual or another person
- confidential references provided by an employer in support of a person’s application for employment are exempt from SARs
- employers do not have to disclose information which relates to legal advice or legal proceedings as this is covered by legal professional privilege
- personal data which relates to management information such as management forecasting.
In addition, you do not have to provide a person with a copy of their health and care records if you believe their subject access request is “manifestly unfounded or excessive”. Alternatively, should you choose to respond, you may charge a reasonable fee for doing so. Subject access requests that fall into this category are likely to be repetitive (for example, regular requests for copies of records, especially where there has been little or no change to the record since the previous request), aimed at disrupting your organisation, or targeted against an individual. Decisions about whether a SAR falls into this category must be taken on a case-by-case basis and you should be able to justify your decision with evidence. ICO guidance on manifestly unfounded and excessive requests is available.
Subject Access Requests (SARs) and children
A child can exercise their own data protection rights so long as they are deemed competent to do so. Generally, children aged 13 and over are considered competent to make a SAR unless there is information to suggest otherwise. If the child (of any age) does not have sufficient understanding to exercise their rights themselves, you may allow a person with parental responsibility to exercise the child’s right to make a SAR.
If a SAR is made on behalf of a child who is deemed to lack capacity to act on their own behalf, information may be sent to a person with parental responsibility. However, this is not a decision that should be made automatically. In all cases the best interests of the child should be considered. It is possible to restrict information going to a parent where it is not considered to be in the best interests of the child, for example, where there are “do not disclose” notes on the child's record.
In most cases your organisation cannot charge an administration fee for responding to a SAR, though “reasonable” fees can still be charged for manifestly unfounded, repeated requests or excessive requests. See the Exemptions section.
Third party Subject Access Requests
Individuals can authorise third parties (for example, solicitors) to make a SAR on their behalf. Health and care providers releasing information to solicitors acting for their patients and service users should ensure they have the individual’s written consent.
There are very few circumstances when a health and social care provider will be able to lawfully decline such requests as the request should be treated as if it came directly from the individual. You should also be aware that failure to respond appropriately to a legitimate SAR from a third party may lead some (for example, solicitors) to make an application to the local court for pre-action disclosure resulting in costs (between £800 and £1,200) payable to the third party.
It is important to draw a distinction between SARs (made by someone acting on the patient’s behalf) and requests made under the Access to Medical Reports Act (AMRA). Requests under the AMRA are made by a third party who is not necessarily acting on the patient’s behalf - for example, an insurance company. If the request from the solicitor is for a copy of the patient and service user’s health record (or extracts of the record) it is deemed to be a SAR. If the request is asking for a report to be written, or it is asking for an interpretation of information within the record, this request would go beyond a SAR. It is likely that such requests will fall under the AMRA framework for which fees can be charged.
Third party data
If the individual’s record contains information that relates to a third party who has not given their consent for disclosure, it may be reasonable not to disclose that information if you believe the duty of confidentiality you owe to the third party outweighs the individual’s right of access. You may need to consider redacting it, and you should record your reasons for withholding such information from disclosure. This does not apply to health or social care professionals who have been involved in providing direct care to the patient or service user; their information is not withheld on this basis.
Integrated care records
For integrated care records (where an individual's records are connected from across the health and care system) all organisations must have policies and procedures in place to ensure the appropriate management of SARs. There also needs to be a process in place to ensure that SARs are responded to, which should be detailed in the joint controller arrangement. An example of a process which has worked well in some areas is the establishment of an information sharing group which leads on the request. Each contributing organisation would be asked to send their redacted data to the information sharing group, which would respond to the individual. It must be made clear to individuals that this is the process, because some individuals may not want information sent outside the organisation that holds it. In such cases the ‘holding’ organisation should deal with the request on an exclusive basis.