Subject Access Requests – The Headlines for GP Practices
Date: 28/01/2020 | Data Protection & Information Law, Healthcare, Regulatory Law
Following the introduction of the GDPR, it became easier for individuals to exercise the right to access their personal data: no fees; no requirement for the request to be in writing; and shorter time limits. The attention that surrounded the introduction of the new law also meant individuals became more aware of their rights.
So needless to say, the number of requests increased significantly, with the BMA reporting last December that subject access requests to GP practices were up by more than 30 per cent since the introduction of GDPR.
The BMA also found that the majority of requests did not come directly from the individual patients but from an organisation working on behalf of the individual, commonly solicitors. This increases the burden on GP practices, which have no way to recoup the costs.
The ICO has produced a draft Code of Practice in relation to this issue but this document aims to provide some practical tips to allow medical practices to deal with requests.
- You should always acknowledge a request as soon as practically possible. If you require a request to be clarified, speak to the requester to try and work out what information they really require. If they want all their personal data, then you have to provide it, but in our experience it can be helpful to have a conversation with the individual to narrow down the request.
- You have one month to respond. In practice this means if you receive a request on 1 December you should provide the information by 1 January. As 1 and 2 January are public holidays in Scotland, you would have until 3 January to respond. You can extend this by two more months if the request is complex, but you should advise the individual that you are doing this, and why, within one month.
- You do not always require to ask the individual to prove their identity. You should only do this if you have a reasonable doubt that the person making the request is the person they claim to be.
- The patient is only entitled to their own personal data and not the data of third parties – which includes their spouse and children once they reach the age of 12 – unless they have provided consent or it is reasonable to disclose the information about the third party without consent. So, for example, you would not usually redact the name of the doctor who saw the patient, as the patient will already know this.
- Solicitors can make requests on behalf of a client but should always provide written consent from the client covering the information that is being sought and who it will be shared with as part of the legal proceedings. If you have any doubts about, for example, the extent of the request, you should check with the patient directly. You should not send the original medical records in response to a SAR.
- If the request has been made electronically, then the data should normally be provided in an electronic format. The BMA advises that individuals should be told about the risks of interception if the medical records are sent via email, and that their consent to this should be documented. For requests not made electronically, a paper format should usually be fine unless the patient requests otherwise.
- You can refuse to comply with the request, or charge a fee, if it is manifestly unfounded or excessive. These terms have not been legally determined yet, but the ICO guidance refers to repeated requests, requests where there is evidence that the request is being made to disrupt the business, or requests where the requester is making completely unsubstantiated allegations against the practice. Even then, the conduct would have to be quite extreme.
- In Scotland children are deemed to have the capacity to provide consent to data processing at the age of 12, and at that stage they can also exercise data protection rights on their own behalf. However, anyone with parental responsibility can exercise the right to access medical records on behalf of children up to the age of 16 in Scotland if this is not contrary to the child’s best interests or the child’s wishes.
- A parent with parental rights who no longer lives with a child is allowed to access the child’s medical records, and there is no requirement to advise the other parent of this request.
- If you believe that disclosure of the information could cause serious physical or mental harm to the patient or a third party, then the data should not be disclosed. This will be quite rare, and the harm must go beyond causing upset.
Some SARs can be complex to deal with. If the requester is not happy with how an organisation has responded, they can complain to the ICO, which can investigate the matter, ask for lengthy explanations about what has been done and ultimately take formal enforcement action if it believes that data protection law has been breached. An individual can also ask a court to rule on the matter and to order disclosure of the information.
Getting the response right in the first place can prevent complaints to the ICO and the courts, which end up costing a lot more in time, money and emotional energy.
For further information about handling SARs, contact Laura Irvine, Head of Regulatory Law and data protection expert.