Subject Access Requests FAQs
This page answers some of the common questions relating to Subject Access Requests (SARs) and supplements the existing SARs guidance.
Should a health and care professional review the response to the SAR before it is sent to the individual?
This will depend on the case. It is important that potentially harmful information, such as a terminal diagnosis that has not yet been communicated to the individual or information that might identify a third party, is not released.
An administrator may carry out an initial check for potentially harmful information. Where the administrator is unsure or identifies information that may lead to significant harm or distress, either to the individual or a third party, a health and care professional should review the response. The health and care professional can then decide whether that information should be released via a SAR.
How should I handle third party information found in a record that has been requested under SAR provisions?
The Information Commissioner's Office (ICO) has provided full guidance on requests that involve information about other individuals, such as a family member. This includes a three-step process:
Step one - Does the request require disclosing information that identifies another individual?
For example, consider whether it is possible to comply with the request while withholding or redacting the information that identifies the other person.
Step two - Has the other individual provided consent?
It is good practice to contact the third party and ask whether they are content for the information to be disclosed. If they are, you can disclose it. If not, it should be redacted from the SAR response.
When trying to find the contact details of a third party, staff should restrict themselves to information that is readily available to them in relation to the SAR, for example, the information that has been collected in relation to the SAR and publicly available information. They should not trawl through other health and care records.
Step three - Is it reasonable to disclose without consent?
Where a duty of confidence exists it is usually reasonable to withhold third-party information unless you have the third party’s consent to disclose it.
Does a requester need to be informed that information has been redacted?
Information may need to be redacted if:
- the release may cause serious harm or distress to the requester or another person
- it identifies a third party
It is good practice to inform the requester that information has been redacted. If the requester subsequently asks to see the redacted information, you should refuse, because it is exempt from disclosure under data protection legislation.
If it is the professional judgement of a health and care professional to withhold harmful clinical information and informing the requester of this decision might cause serious harm to the requester or a third party, then the requester should not be informed about this decision.
In all cases, where information is withheld from being released under SAR provisions, the organisation must justify and document the decision to withhold that piece of information in case it is challenged at a future time.
How should we deal with a SAR that specifically asks for information contained in emails when there may be hundreds?
A SAR covers all personal data relating to the requester, so you will need to find all emails that contain information relating to them. In deciding whether information in an email relates to the requester and should be disclosed in response to the SAR, you should consider:
- the content of the information
- the purpose or purposes for which you are processing it
- the likely impact or effect the information could have on the individual
Once you have established the emails contain personal data about the requester, they should be treated in the same way as other forms of information held by your organisation about that person. This includes reviewing and redacting third party information.
An email search may return so many relevant emails that it is not possible to comply with the request within the one month time limit. In this case you may contact the requester and ask whether they would like to narrow the scope of the request, for example to emails between particular dates, people or subjects. If the requester agrees, you can filter the results down to those that are relevant and action those accordingly.
If the requester does not wish to narrow the scope, you will still need to comply unless an exemption applies. However, you can advise them that complying with the request may take longer than the one month response time and explain why. Data protection legislation allows the time limit to be extended by up to two further months where a request is complex or numerous, but you must tell the requester within the first month that you are doing so and why. A proportionate effort should be made to comply with a request involving a large number of emails, for example by prioritising the emails with the most relevant content. In all cases, keep the requester informed of the situation so that alternative actions can be taken if necessary.
When is it reasonable to turn down a SAR?
A SAR can reasonably be turned down in the following circumstances:
- The request is manifestly unfounded or excessive (sometimes described as vexatious). This is decided by the organisation receiving the request, which must be able to justify the decision. An example may be a person submitting the same request every day for a week: the first request would be valid, but the subsequent ones could be turned down as excessive.
- A SAR is submitted covering the same timeframe as one the person has recently had completed. You would still need to action any information created between the completion of the last SAR and the date the new one is received.
- You do not hold the information. You cannot provide what you do not hold; for example, a patient may submit a SAR to a hospital with a similar name to yours, or be mistaken about where they received treatment.
- You do not have evidence of consent from the person the SAR relates to, for example, a third party requests the records on behalf of the person, but does not include a signed consent form from the person.
- The requester cannot suitably prove their identity. You must be satisfied that the request comes from the person the SAR relates to, and not from someone pretending to be that person in order to unlawfully obtain their personal data.
Can we release a SAR to someone holding a lasting Power of Attorney (LPA) for health and welfare?
A person holding a lasting power of attorney (LPA) for health and welfare has been appointed by the individual to make decisions on their behalf once they no longer have the capacity to make those decisions themselves. A SAR can only be exercised by the data subject or by a person authorised by the data subject to make a SAR on their behalf. Where the individual has lost capacity and the LPA is registered and in force, the attorney can be treated as authorised to make a SAR on the individual's behalf, and it is generally appropriate to comply. While the individual still has capacity, a health and welfare LPA cannot be used, and the request needs the individual's own authorisation.
Can a SAR be submitted by someone on behalf of an individual who has lost capacity but doesn’t have an LPA in place?
If the data subject is no longer able to provide authorisation, for example because they have lost the mental capacity to make these decisions, you must decide whether the provisions of the Mental Capacity Act 2005 allow you to disclose the individual's record. It is generally appropriate to comply with a SAR made on the individual's behalf by a person with an LPA. However, you may also allow a person without an LPA to make a SAR if they can provide evidence that they are acting in the individual's best interests, for example to support benefit claims or social care provision.
Can a charge be made for a request to access records when the request comes from a third party, for example, a solicitor acting on behalf of the individual?
No. A SAR must normally be answered free of charge, and third parties are able to make a SAR where they are acting on behalf of an individual and their interests are aligned, for example a solicitor pursuing a personal injury claim on behalf of their client. Third parties will need to provide evidence that they have the authority to act on the individual's behalf.
Where the interests of the third party are not aligned with those of the individual, for example an insurance company assessing a claim, a SAR is not an appropriate route to access the information.
Should the names of admin staff working in health and care organisations be disclosed in a SAR?
Health and care staff with a range of responsibilities, including clinical, management or administrative, will have access to patients and service users’ records as part of their job role. Your organisation has a duty to be transparent about this. In addition, IT systems used by health and care organisations should record information about who has accessed a health and care record, when they accessed the record and whether they viewed the record or changed its content. Individuals have the right to seek access to this information.
Information that may identify staff who have viewed or contributed to a health or care record is not generally exempt from disclosure should an individual request it - irrespective of the staff member's role within your organisation.
However, there may be circumstances in which withholding the identity of a staff member is justified. Usually this will apply to non-clinical staff, and there should be reason to believe that disclosing their details might result in them suffering serious harm. An example is a receptionist who reports an individual's threatening behaviour to a clinician, who then records this information in the patient's record. It would be reasonable to withhold the receptionist's details, but not the clinician's, from any subsequent subject access request.