GPs and Subject Access Requests in a post-GDPR World
The ICO has published guidance for GPs and how to respond to subject access requests.
The fundamentals of the right of access have not really changed with the introduction of the GDPR and DPA 2018, but the fact that GPs are no longer entitled to charge a fee, even although it was in most cases a maximum of £10, seems to have increased the number of people exercising their right. According to recent guidance published by the ICO, medical practices have reported a significant rise in SARs since May last year.
The guidance provides some practical tips on how to deal with SARs taking into account that the request is ‘purpose blind’ but recognising that requests for copies of medical records can be administratively burdensome.
- Can you offer patients online access to their health records? This is an area where Government and the ICO are working together to explore new ways for people to access their information.
- You can provide the response electronically, subject to appropriate security safeguards such as encryption and you are only required to provide paper copies if asked to do so and if the request is reasonable.
- The ICO states that you can ask the patient to clarify their request if you hold a large amount of information. However, if the patient asks for all of their personal data, they are entitled to that.
- You cannot charge for providing the first copy of the information, but you can charge for additional copies.
GPs often receive requests for medical records through solicitors. As long as the request is accompanied by a clear mandate from the patient about that specific request, then it should be treated in the same way as if it was made by the patient.
However, it is worth noting that solicitors should only request the data that they need for their specific purpose and that will not always be the entire medical history of a client. If you think that more information is being requested than is necessary then the ICO states that you can check that the patient is aware of the full extent of the request. The ICO goes on to say that if you continue to have genuine concerns about providing excessive information, then you can provide the data directly to the patient.
This is not an approach that they endorse on every occasion but the BMA has also issued Guidance in relation to Access to Health Records where more tips can be found.