Subject Access Request Policy and Protocol

Subject Access Requests - Following Implementation of GDPR (from 25 May 2018)

On 25 May 2018 the current UK Data Protection Act 1998 (DPA 1998) will be fully replaced by the General Data Protection Regulation (2016/679).

As with the DPA 1998, these new regulations give living individuals the right to request access to personal data held on them by the Trust. This is known as a Subject Access Request (SAR). The person about whom the data is held is known as the Data Subject; in many cases this will be the patient, but it could be a staff member, a contractor or a contact.

Requests must be in writing; this includes letter, e-mail or in person. The requester will be asked to complete a Subject Access Request form and to provide appropriate identification both on submission of the form and on collection of the personal data.

Requesters must either be the data subject, OR have the written permission of the data subject, OR have legal responsibility for managing the subject’s affairs, in order to access personal information about that person. It is the requester’s responsibility to satisfy the Trust of their legal authority to act on behalf of the data subject.

We also must be satisfied of the identity of the requester before we can provide any personal information.

New Requirements for Subject Access

From 25 May 2018 some new requirements were introduced affecting the handling of subject access requests. These are listed below:

What do we need to provide to a requester?

As well as being provided with confirmation that their personal data is being processed and a copy of the personal data they have asked for (subject to any exemptions), individuals will have the right to be provided with additional information, which largely corresponds to the information to be provided in a privacy notice:

  • Source of the data.
  • Recipients, including details of international transfers.
  • Retention period for the data.
  • How to amend inaccurate data.
  • How to complain to the Information Commissioner’s Office (internal review will usually need to be satisfied first).


This policy provides a process for the management of subject access requests (SARs) for personal information (for living individuals) under the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), and (for deceased individuals) under the Access to Health Records Act 1990.  It defines a process for meeting legislative requirements and ensuring effective and consistent management of such requests.

This policy does not cover requests for medical reports or for copies of medical records requested under the Access to Medical Reports Act 1998 (AMRAs) usually for insurance and claims purposes.

Under the DPA, subject to certain conditions, an individual is entitled to be:

  • Told whether any personal data is being processed;
  • Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people; and
  • Given a copy of the information comprising the data; and given details of the source of the data (where this is available)

Personal data held by the practice may be:

  • Personnel/staff records relating to a member of staff present, past or prospective
  • Health records consisting of information about the physical or mental health of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.

Access encompasses the following rights:

  • To obtain a copy of the record in permanent form
  • To have information provided in an intelligible format (and explained where necessary)

The DPA also gives subjects who now reside outside the UK the right to apply for access to their former UK health and employment records:

  • Employees are legally entitled to request their personal records and may take them outside of the UK at their own discretion
  • Original health records must not be given to people to take outside the UK.  A GP or community health professional may be prepared to provide the patient with a summary of treatment; alternatively the patient may make a request for access in the usual way.

Individuals’ rights regarding the sharing of their personal information are supported by the Care Record Guarantees, which set out high-level commitments for protecting and safeguarding service user information, particularly in regard to rights of access to their own information, how information will be shared (both within and outside the practice) and how decisions on sharing information will be made.

Who can make an Access Request?

This policy applies to any request by a patient or member of staff for access to their personal information held by the practice as a Subject Access Request.

This non-contractual policy applies to all staff employed by the partners at St Paul’s Medical Centre.  Failure to adhere to the standards outlined herein could lead to disciplinary action.

An application for access to personal data may be made by any of the following:

  • An individual
  • A person authorised by the individual in writing to make the application on their behalf e.g. solicitor, family member or carer
  • A person appointed by a court to manage the affairs of an individual who is deemed incompetent
  • Individuals who hold a health and welfare Lasting Power of Attorney

Where the individual has died, the patient’s personal representative (the executor of the deceased’s will; someone who has been appointed as an administrator of the estate by the courts; or someone who has the written consent of either of the above to be given access) and any person who may have a claim arising out of the patient’s death can make a subject access request to the practice.  Moreover, where the deceased made a Subject Access Request prior to their death, this should continue to be actioned under GDPR.

Requests for copies of paper medical records of deceased patients that have been returned to PCSE and are no longer available to the practice can be made by a personal representative by contacting Primary Care Support England – 03330 142884.

Where a request is made by someone with no legal rights to access, they should be advised to contact a solicitor.

Police do not have an automatic right of access to a patient’s medical or personal information unless they have a Court Order.  The information can be disclosed to support the prevention and detection of a serious crime, but this decision must be made by a GP partner or manager.

Serious crime includes murder, manslaughter, rape, treason, kidnapping, child abuse, other serious harm to an individual, security of the state or to public order, and crimes that involve substantial financial gain or loss.  Theft, fraud and damage to property are NOT usually sufficient cause to disclose confidential information.  Serious harm includes child abuse, neglect, assault, road traffic accident and spread of potentially life-threatening infectious disease.

This clause also relates to copies of CCTV footage from cameras within the building, which must not be supplied to the police except under the circumstances outlined above.  Footage from public areas such as the car park can be supplied to the police.

Parental responsibility for a child is defined in the Children Act 1989 as ‘all the rights, duties, powers, responsibilities and authority, which by law a parent of a child has in relation to a child and his property’.  Responsibilities would include safeguarding and promoting a child’s health, development and welfare, including, if relevant, their employment records.  Included in the parental rights which would fulfil the parental responsibilities above are:

  • Having the child live with the person with responsibility or having a say in where the child lives
  • Having a personal relationship and regular contact with the child if the child is not living with him/her
  • Controlling, guiding and directing the child’s upbringing

Foster parents are not ordinarily awarded parental responsibility for a child.  It is more likely that this rests with the child’s social worker and appropriate evidence of identity should be sought in the usual way.

The law regards young people aged 16 or 17 to be adults for the purposes of consent to employment or treatment and the right to confidentiality.  Therefore if a 16-year-old wishes their information to be kept confidential, this wish must be respected.

Children aged under 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected.  Where a child is considered capable of making decisions about medical treatment, their consent must be sought before a person with parental responsibility may be given access.  Consent will usually be required from any child aged 13+ before information can be disclosed to a parent, guardian or third party.

Where in the view of the appropriate professional the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient’s best interests.

The identity and consent of the applicant must always be established.

The applicant does not have to give a reason for applying for access.

The practice is a Data Controller and can only provide information held by the organisation.  Other data controllers must be applied to directly; the practice will not transfer requests from one organisation to another.


Patients wishing to exercise their right of access should inform a member of staff personally, by telephone, by email, by post, or (preferably) by completing the Access to Health Records Request form.

Where the Access to Health Records Request form has not been used, the information required on the form will need to be elicited from the patient and filled in by the member of staff.

Current, past or prospective employees should inform Julie Holford, Practice Manager using the relevant Subject Access Request form.

The practice as ‘data controller’ is responsible for ascertaining the purpose of the request and the manner in which the information is supplied.

A simple request by a patient for either vaccination history or a list of current medications can be processed by any member of the team.  Full details of the request and the stages of processing need to be completed on the request form and the information checked by a second person before being handed to the patient.  The usual ID and eligibility checks must be made.  If the patient is not collecting there and then, place the request form with the prepared information in the concertina file and make sure the collection details are noted on the form when the patient collects.  The form can then be put in the hospital letters tray.

All other patient requests must be passed to Sheila Kirkham (put in her tray).  Requests from current or former staff must be passed to Julie Holford.

Fees and response time

The practice must provide information free of charge unless it is manifestly unfounded, excessive, can easily be obtained through Patient Access or is repetitive (i.e. has been provided before).

The fee must be based on the administrative cost of providing the information only.

The request must be complied with without delay and within 28 days of receipt of the request.  We can extend the period by a further 2 months where requests are complex or numerous; however, we must inform the individual of any delay within 28 days, along with an explanation.

The release stages

Consent/eligibility for the request must be checked before preparing the information.  Particular care must be taken when the request is from a third party or in respect of a child.  Informed consent must be sought for any patient aged 13 or more unless the patient lacks capacity under the Mental Health Act or is not deemed to be competent to make the decision if aged under 16, in which case a ‘best interests’ decision will need to be made.

A reason for denying or restricting access does not need to be given but the applicant should be directed through the appropriate complaint channels.

Further guidance must be sought if the request is vague, to avoid disclosing information that is not relevant or not required by the requester.

The record must be collated, redacted where applicable and signed off by a GP partner or manager before being prepared for release.  On no account may the original record be released.

Where possible iGPR will be used to produce and collate the information available on EMIS and Docman.  Lloyd George records must be pruned of expired information in line with defined retention periods (see Summarising Policy) before being photocopied.

Where information is not readily intelligible, an explanation (e.g. of abbreviations or terminology) must be given.

The format of the released information must comply with the requester’s wishes wherever possible. If no specific format is requested, we can provide the information in the same manner as the original request e.g. by email (preferred format).

Information can be emailed to the email address provided, as long as it is encrypted.  First email the requester instructions on how to open encrypted information, then send the relevant documents by secure email by putting [secure] in the subject line.

Where the information is provided in paper form, it must be collected from the surgery by the individual or his/her representative, provided we have been notified by the requester in advance of who the representative is.  In either case, proof of identity will need to be shown before the records can be released.

Ensure that the date the information is emailed or collected has been completed on the request form before sending this for scanning.

If it is agreed that the subject or their representative may directly inspect the record, a health professional must supervise the access (manager for employee requests).  The supervisor must not comment or advise on the content of a medical record if they are not a healthcare professional.


Access may be denied or restricted where:

  • The record contains information which relates to or identifies a third party who is not a care professional and has not consented to the disclosure.
  • Access to all or part of the record will prejudice the carrying out of social work because serious harm to the physical or mental well-being of the individual or any other person is likely.
  • Access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person.
  • An assessment identifies that complying with a Subject Access Request would involve disproportionate effort under section 8(2)(a) of the Data Protection Act.

Where possible the individual should be provided with that part of the record that does not form one of the above restrictions.

There is no requirement to disclose to the applicant the fact that certain information may have been withheld.

Where the information is to be withheld on the basis of disproportionate effort, the practice will engage with the applicant, having an open conversation about the information they require.  It may be appropriate to have the applicant view the records in practice and select the elements that they require a copy of.

Complaints and appeals

The applicant has the right to appeal against a practice decision to refuse access to their information.  This appeal should be made to Tracey Swift, Patient Services Lead (patients) or Anne Bagot-Moore (staff).

If an applicant is unhappy with the outcome of their access request, the usual complaints (patients) or grievance (staff) procedure should be applied.

Monitoring and review

The Caldicott Lead (Dr C W Scott) has executive responsibility for Subject Access Requests.

All staff will receive training on how to recognise and manage a Subject Access Request.

The Practice Business Manager monitors all Subject Access Requests to ensure the correct process has been followed, and monitors any appeals/complaints relating to Subject Access Requests.

Equality impact

In applying this policy the practice will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity and provide for good relations between people of diverse groups, in particular on the grounds of the characteristics protected by the Equality Act 2010 (see Equal Opportunities Policy) in addition to offending background, trade union membership or any other personal characteristic.


Where an Access to Health Records Request has been completed in respect of a patient, the completed request form must be placed in the hospital letters drawer for scanning/attaching to the medical record as a problem heading under Health Administration using one of the following read codes:

  • 8MA (SNOMED 647551000000110) – Patient requests copy of medical record (free text in if patient representative)
  • 9ER8 (SNOMED 2159182015) – Patient record requested by solicitor
  • 9l8 (SNOMED 2129781000000118) – Copy of clinical record requested by insurance company

The date the information has been supplied must also be recorded using the appropriate code:

  • 9lA (SNOMED 2129861000000118) – Copy of clinical record given to patient (if collected from surgery)
  • 9lB (SNOMED 2129901000000113) – Copy of clinical record sent to patient (if emailed)
  • 9lC (SNOMED 2129941000000111) – Copy of clinical record sent to solicitor
  • 9l9 (SNOMED 2129821000000114) – Copy of clinical record sent to insurance company

The scanned form must then be returned to a member of the Administration Team for filing in the SARS folder.

Details of requests from staff and dates of information supplied will be recorded securely in the employment record for current and previous staff and in the recruitment folder for prospective employees and will therefore be held until those records are destroyed.