Subject Access Request Policy

 

UK GDPR Right of Access

1. Document Control

1.1 Confidentiality Notice
This document and the information contained therein is the property of Lakeside Healthcare.

This document contains information that is privileged, confidential or otherwise protected  from disclosure. It must not be used by, or its contents reproduced or otherwise copied or disclosed without the prior consent in writing from Lakeside Healthcare.

1.2 Document Details

  • Classification: Confidential
  • Document Reference: POL-GEN-SAR-V1.4
  • Current Version Number: V1.4
  • Author and Role: Policy Support Specialist
  • Owner & Role Operations Director
  • Approver & Role: Medical Director 
  • Organisation: Lakeside Healthcare
  • Date Approved: April 2024
  • Date to be Reviewed: April 2026

1.3 Document Revision and Approval History

Version Date Created By Approved By Comments
V0.1 May 2018 Policy Support 
Specialist		   Policy & Forms created in-line 
with the new GDPR 
guidelines
V1.0 July 2018 Policy Support 
Specialist		 Chief Operating 
Officer		 Approved & published
V1.1 August 2019 Corporate 
Management Assistant		   Reviewed & amended:
– Removed names,
V1.2 November 2019 Corporate 
Management Assistant		   Reviewed & amended:
– Associated documents 
moved to references 
section.
V1.3 April 2021 Corporate 
Management Assistant		 COO Updated document details.
V1.4 January 2024  Medical Director Medical Directors Update and review of policy:
  • LHG updated to LH.
  • Updated document  details.
  • Updated to UK GDPR  references and resources.
  • Clarity on disclosure of records within 1 calendar month
  • Flag to PM is not done within 1m and MDs if SARs not completed in an extended timeframe.
  • Added information relating to SARs for deceased patients.
 

2. Introduction

The UK General Data Protection Regulation (UK GDPR) clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing and understand how and why Lakeside Healthcare is using their data. 

Under the UK GDPR, individuals have the right to obtain: 

  • Confirmation that their data is being processed,
  • Access to their personal data (and only theirs),
  • Other supplementary information – this largely corresponds to the information that has been provided in the privacy notice

ICO: Right To Access

An application for access to health records may be made in any of the circumstances  explained below. This policy does not apply to requests to access records of deceased  patients, as the UK GDPR does not apply to the data of deceased patients

 

3. Purpose

The purpose of this policy and protocol is to provide clear and concise guidelines to LH staff on Subject Access Requests.Lakeside Healthcare (LH) therefore will:

  • Ensure all staff are familiar with this policy and that its purpose and principles are well  understood and that the associated procedures are rigorously applied,
  • Regard breaches of this policy as misconduct and could lead to disciplinary proceedings.

All Employees are under a duty to comply with these rules. Failure to do so will result in  disciplinary action being taken.

This policy and procedure replaces all previous policies and procedures relating to Subject Access Requests.

 

4. Scope

This policy applies to all clinicians, employees, partners and executives. It also applies to other people who work at LH e.g. locum GPs, non-employed nursing staff, students, volunteers, temporary staff and contractors. 

LH will ensure that, if relevant to the job role, staff will understand the Subject Access  Request Policy, and that partners, supervisors, managers and employees will be trained to enable them to apply the principles of this Policy within their roles and provide advice and guidance. 

The Subject Access Request Policy forms part of LH Induction Programme for new and  transferred Employees, where this is relevant to the job role.

 

5. Implementation

5.1 Patient Requests 
A request for access to health records in accordance with the UK GDPR can be made in  writing, by email or verbally, to any member of staff, please speak to your practice.

Requests for access can be made verbally, or in writing, to any member of LH staff. A form to record verbal requests, made either face-to-face or by phone can be requested from your practice. 

All requests should be documented. The documented request should then be passed on to either the Administration Team or the Information Governance lead. A list of the Information Governance Leads for LH on Radar.

A request does not have to include the phrase "subject access request" or "Article 15 of the GDPR" or "data protection" or "right of access". 

The requester should provide enough proof to satisfy LH of their identity (and LH is entitled to verify their identity using "reasonable means"). LH must only request information that is necessary to confirm who they are. LH should request any identity verification as soon as possible after the request has been received.

The default assumption when a requester asks for "a copy of their GP record" is that the  information requested by the individual is the entire GP record. However, LH may check with  the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR permits LH to ask the individual to specify the information the request relates to (Recital 63) where LH is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely). 

Recital 63 of the GDPR states: 
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data." 

A patient is under no obligation to provide a reason for the request, even if asked by LH.

5.2 Secure Online Records Access 
LH can offer, if appropriate, for a requester to be enabled to securely access online their  Summary Care Record (SCR), their Detailed Coded Record or their Full Medical Record. This would then allow them to access the information that they might be seeking. Access should follow identify verification and a review of the record. 

5.3 Patients Living Abroad 
For former patients living outside of the UK and whom once had treatment for their stay  here, under GDPR they still have the same rights to apply for access to their UK health  records. Such a request should be dealt with as someone making an access request from  within the UK. 

5.4 Patient Representatives 
A patient can give written authorisation for a person (for example a solicitor or relative) to  make an application on their behalf. 

A patient's representative (e.g. solicitor or authorised person), is under no obligation to  provide a reason for the request, even if asked by LH.

LH must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party's responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (Legal Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health. 

LH is entitled to send the information requested directly to the patient if we think that the  patient may not understand what information would be disclosed to a third party who has  made a request on their behalf. 

A next of kin has no rights of access to medical record, unless they have Health & Welfare  Power of Attorney.

A form for a Subject Access Request on behalf of an individual can be requested from your surgery.

5.5 Court Representatives 
A person appointed by the Court to manage the affairs of a patient who is incapable of  managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to a third party. 

5.6 Children 
No matter their age, it is the child who has the right of access to their information. 

Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child's rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. 

What matters is that the child can understand (in broad terms) what it means to make a  subject access request and how to interpret the information they receive as a result of doing so. 

When considering borderline cases, LH take into account, among other things: 

  • The child's level of maturity and their ability to make decisions like this.
  • The nature of the personal data.
  • Any court orders relating to parental access or responsibility that may apply (you should contact your local Caldecott Guardian for further advice if required).
  • Any duty of confidence owed to the child or young person.
  • Any consequences of allowing those with parental responsibility access to the child's or young person's information. This is particularly important if there have been allegations of abuse or ill treatment.
  • Any detriment to the child or young person if individuals with parental responsibility cannot access this information.
  • Any views the child or young person has on whether their parents should have access to information about them. 

A person with parental responsibility is either: 

  • The birth mother.
  • The birth father (if married to the mother at the time of child's birth or subsequently or named on the birth certificate).
  • An individual given parental responsibility by a court.

(This is not an exhaustive list but contains the most common circumstances)

If the appropriate health professional considers that a child patient is Gillick competent (i.e.has sufficient maturity and understanding to make decisions about disclosure of their  records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility. 

If the child is not Gillick competent and there is more than one person with parental  responsibility, each may independently exercise their right of access. Technically, if a child  lives with, for example, their mother and the father applies for access to the child's records, there is no "obligation" to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so. 

In all circumstances good practice dictates that a Gillick competent child should be  encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.

5.7 Deceased patient 

There is an ethical obligation to respect a patient's confidentiality after death and access to deceased patients' health records is governed by the Access to Health Records Act 1990.

Under the terms of the Act, someone will only be entitled to access a deceased person's  health records if they are either:

  • a personal representative (the executor or administrator of the deceased person's estate)
  • someone who has a claim resulting from the death (this could be a relative or another person)

Access to a deceased person's health records may not be granted if the patient requested  confidentiality whilst they were alive. No information can be revealed if the patient requested non-disclosure.

5.8 Notification of Requests 
Each site will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to. 

5.9 Fees
LH must provide a copy of the information free of charge, including not charging for postage costs.

However, LH may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the  information. 

LH may also charge a reasonable fee if the request is manifestly unfounded or excessive. The fee must be based on the administrative cost of providing the information. 

5.10 Manifestly Unfounded or Excessive Requests
Where requests are manifestly unfounded or excessive, in particular because they are  repetitive, LH can: 

  • Charge a reasonable fee taking into account the administrative costs of providing the information
  • Refuse to respond.

Where LH refuses to respond to a request, LH must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay, and at the latest within one month.

5.11 Requirement to Consult an Appropriate Health Professional
It is LH's responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before LH discloses or provides copies of medical records, the records must be checked, and the release must be documented and authorised.

It is the responsibility of LH to ensure that the information to be released: 

  • Does not disclose anything that identifies any other data subject. The only exception to this is the identity of people involved in the care of the individual requester, such as community staff or hospital specialists.
  • Does not disclose anything that is likely to result in harm to the data subject or anyone else.
  • Does not disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation.

5.12 Grounds for Refusing Disclosure of Health Records
LH should refuse to disclose all or part of the health record if the Health Professional is of the view that: 

  • Disclosure would be likely to cause serious harm to the physical or mental health of the  patient or any other person.
  • The records refer to another individual who can be identified from that information (apart from a health professional). This is unless:
  1. That other individual's consent is obtained,
  2. The records can be anonymised, 
  3. It is reasonable in all the circumstances to comply with the request without that  individual's consent, taking into account any duty of confidentiality owed to the third party.
  • The request is being made for a child's records by someone with parental responsibility or for an incapacitated person's record by someone with power to manage their affairs, and: 
  1. The information was given by the patient in the expectation that it would not be disclosed to the person making the request.
  2. The patient has expressly indicated it should not be disclosed to that person.

For the avoidance of doubt, we cannot refuse to provide access to personal data about an  individual simply because we obtained that data from a third party. 

5.13 Access to Medical Records Act 
LH will not provide information under a Subject Access Request made on behalf of a patient by a solicitor, insurance agency or employer, and where it is clear that such a request should be made under the Access to Medical Records Act. This would refer to reports for employment (proposed or actual) and insurance purposes (any "insurance contract" so covering accident claims, insured negligence, or anything covered by an insurance contract that requires a medical report to support an actual or potential insured claim

If necessary, or unsure, LH will seek clarification from both the requester and the patient  concerned. 

A Subject Access Request Insurance Request Letter to Patients is to be used to contact the patient to ensure they understand what they are requesting, or what is being  requested on their behalf, i.e. a whole medical record, as opposed to a more defined report.

The requester should be informed in writing that LH is seeking further clarification from the patient and this may cause a delay.

5.14 Informing of the decision not to disclose 
If a decision is taken that the record should not be disclosed, a letter must be emailed to them securely or sent by recorded delivery to the patient or their representative stating the grounds for refusing disclosure. 

The letter must inform the patient or representative without undue delay and within one  month of receipt of the request, and will state:

  • The reasons you are not taking action.
  • Their right to make a complaint to LH.
  • Their right to make a complaint to the ICO or another supervisory authority.
  • Their ability to seek to enforce this right through a judicial remedy

5.15 Disclosure of the Record
Information must be provided without delay and at the latest within one calendar month. This is calculated from the day after the request is received, which will be day one, even if this is a non-working day.

The period for responding to the request begins at receipt of the request, or: 

  • When LH receives any additional information required to confirm the identity of the requester 
  • When LH receives any additional information requested (and required) to clarify the request 

In addition to the information requested, LH Privacy Notice will also be provided to the  individual.

When the information is provided by LH, this is for personal use only. The security and  confidentiality of the records becomes the responsibility of the requestor and LH cannot be held responsible for any onward transmission or distribution.

If a request is made verbally, for example within a GP consultation, then the GP should pass this request to the Administrative Team or ask the patient to contact the Administration directly via the Reception Team. Only if it is appropriate and possible within the consultation and, no additional ID verification is required – should the GP provide the requested information immediately, in which case the GP must make the Administration team aware of the request so that the Verbal Subject Access Request can be recorded on the Subject Access Request Register

LH will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, LH must inform the individual within one month of the receipt of the request and explain why the extension is necessary. The PM must be made aware of any requests that may exceed the given 1 calendar month time frame.

If sites are unable to meet the extended timeframe of requests due to complexity of the SARS this should be flagged to the Medical Directors within LH.

Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be left for the patient or their representative to collect in person, emailed to them securely or sent via recorded delivery. 

If the information requested is handed directly to the patient, then verifiable identification  must be confirmed at the time of collection. 

It should be assumed that if an individual makes a request electronically (i.e. by email), LH should provide the information in a commonly used electronic format (e.g. as .pdf or .doc)  and provide it to the requester by email.

If sending the information via email, LH will: 

  • Check that the individual wishes to receive the information via email.
  • Check the email address, send an email to the address requesting confirmation of receipt, in order to verify the address and test that the individual can receive, and access, a test email and attachment via NHSmail's [Secure] encryption service. 
  • If in doubt about the recipient email address, LH will not send the information via email.
  • Depending on the volume of data to be sent, the information may need to be split across multiple [Secure] emails, due to the maximum attachment files size. The individual should be made aware of this where this is the case.

Collection In Person 
Patients and representatives should be encouraged to collect SARs in person.

  • Whilst awaiting collection, information should be stored securely and clearly addressed with patient's name, date of birth and address.
  • "Office use only" checklist should be attached to the front and completed (including 
    ID check) up on collection, refer to Subject Access Request Information 
    Being Collected in Person
  • The checklist then will be scanned onto the patient's record to enable auditing of 
    multiple requests and the original shredded

Email
Confidential information will not be sent by email unless:

  • The email address of the recipient is absolutely verified, and 
  • The information is sent securely as described above
  • The patient clearly expresses a preference to receive unencrypted information in this way

Post
If sent by post:

  • The record should be sent to a named individual.
  • By recorded delivery
  • Marked "private and confidential".
  • "For addressee only" 
  • LH details should be on the reverse of the envelope

Fax
Information or reports must not be sent by fax, under any circumstances as this is not a  secure format.

5.16 Filing and Retention of Subject Access Requests
The log and all documentation relating to a particular request should be kept and retained for  a period of three years or six years if there has been a subsequent appeal. 

All SAR request forms should be scanned to the patient's record to enable auditing of  multiple requests and originals must be shredded. 

A copy of the disclosure letter which sets out the outcome of the request, must be retained on the data subjects record, for example, medical record, personnel file, as a record of what was disclosed/withheld. 

 

6. Definitions

  • LH – Lakeside Healthcare, The Group, The Practice
  • Practice Manager – Hub Manager, Operations Manager, Practice Manager, Patient  services
  • Information Commissioners Office (ICO) – role is to uphold information rights in the public interest.
  • General Data Protection Regulation (GDPR) – is a legal framework that sets guidelines for the collection and processing of personal information of individuals. 
  • Data Controller – The organisation (or person) that determines the purposes for which and the way any personal data about individuals is processed. 
  • Data Subject – Is a living individual (not an organisation) who is the subject of the personal data. 
  • Caldicott Guardian/Information Governance Lead – The person responsible for ensuring that the organisation is compliant with the confidentiality requirements of the Data Protection Act 1998. 
  • Subject Access Request (SAR) – Is any request made by an individual or an individual's representative for information held by LH about that individual
 

7. Additional resources, FAQs & References

Resources

Associated Documents

  • Grievance Policy,
  • Disciplinary Policy,
  • Equality & Diversity Policy,
  • Data Protection & Security Policy,
  • Confidentiality Policy,
  • Privacy Notice

We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. You can find out more and set your own preferences here.