In accordance with Article 15 of the UK GDPR, individuals have the right to access their data and any supplementary information held by this organisation. Subject Access Requests (SARs) are predominantly used for access to, and the provision of, copies of medical records. This type of request need not always be in writing (e.g., letter, e-mail) although this is preferable to enable auditing of the process.  (Please contact our Reception staff for more information)

The ICO states, “An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data”. Data subjects can authorise third party access, e.g., for solicitors and insurers, under the UK GDPR.

 To request a SAR, you must be: 

●        The data subject OR

●        Have the written permission of the data subject OR

●        Have legal responsibility for managing the subject's affairs to access personal information about that person, such as a lasting power of attorney (LPA)

 It is the requester’s responsibility to satisfy this organisation of their legal authority to act on behalf of the data subject. The organisation must be satisfied of the identity of the requester before they can provide any personal information (Photo ID being the preferred form).

 Requests may be received from the following:

●        Competent patients – May apply for access to their own records or authorise third party access to their records

●        Children and young people – May also apply in the same manner as other competent patients. This organisation will not automatically presume a child or young person has capacity under the age of 16. However, those aged 13 or over are expected to have the capacity to consent to medical information being disclosed. This reflects the information given in the UK GDPR.

●        Parents – May apply to access their child’s health record providing this is not in contradiction of the wishes of the competent child. 

●        Individuals with a responsibility for adults who lack capacity – Are not automatically entitled to access the individual’s health records. This organisation will ensure that the patient’s capacity is judged in relation to the particular decisions being made. Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act 2005 in England and Wales and the Adults with Incapacity Act in Scotland.

●        Next of kin – Have no rights of access to health records 

●        Police – In all cases, the organisation can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statutes (e.g., Road Traffic Act 2006).

Nevertheless, health professionals have power under the Data Protection Act 2018 and the Crime Disorder Act 1998 to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary: 

o   To protect the patient or another person’s vital interests, or 

o   For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g., when the seriousness of the crime means there is a pressing social need for disclosure) 

Only information that is strictly relevant to a specific police investigation will be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. 

●        Court representatives – A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied when the responsible clinician is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant. 

●        Patient representatives/solicitors – A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf for copies of their medical records. This organisation may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. It is important to stress that under a SAR, all health records are provided unless a specific time period is stated and patients should be mindful of giving access to this level of health data. 

Solicitors who are acting in civil litigation cases for patients should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society. If a consent form from the patient is not received with the application form then no information will be provided until this has been received. 

      This organisation will contact the patient to explain the extent of disclosure sought by the third party, and will then discuss whether they wish their record is sent directly to the requesting organisation or to be provided to them (the patient) as opposed to the insurer. This will allow the patient an to review their record and decide whether they are content to share the information with the insurance company.