We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. Cookie policy.
Cookie settings.
Functional Cookies
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Subject Access Request
Introduction
In accordance with the UK General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by Holbrooks Health Team. This is commonly known as a subject access request (SAR). Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
Right to access
Holbrooks Health team has mechanisms in place informing patients of their right to access the information held about them, which include the fee and how long it will take for a DSAR process to be completed.
With effect from April 2016, NHS practices are, as part of their contractual obligation, to provide patients with access to coded information held within their health records. Such information includes:
- Demographics
- Allergies
- Immunisations
- Medication
- Results
- Procedures
- Values
- Problems/diagnoses
- Other (ethnicity, QOF etc.)
NHS England have published an information leaflet Patient Online which provides further detailed information about this obligation and how patients can access their health record online.
There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.
Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally; any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.
Requests
Requests may be received from the following:
Competent patients may apply for access to their own records or authorise third-party access to their records.
Children and young people may also apply in the same manner as other competent patients and Holbrooks Health team will not automatically presume a child or young person has capacity under the age of 16. However, those aged 12 or over are expected to have the capacity to consent to medical information being disclosed.
Parents may apply to access their child’s health record so long as it is not in contradiction to the wishes of the competent child.
Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. Holbrooks Health team will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any considerations to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.
Next of kin have no rights of access to health records.
Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at Holbrooks Health team may disclose relevant information to the police if the patient has consented or if there is overriding public interest.
Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. Holbrooks Health team will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient.
Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990. Under the terms of this Act, Holbrooks Health team will only grant access if you are either:
- a personal representative (executor of the deceased person’s estate), or
- someone who has a claim resulting from the death
The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage.
Holbrooks Health team can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.
In the cases of any third-party requests, Holbrooks Health team will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.
In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, Holbrooks Health team will adhere to the guidance provided in the GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.
Under The Data Protection (Subject Access Modification) (Health) Order 2000, Holbrooks Health team will ensure that an appropriate healthcare professional manages all access matters. At Holbrooks Health team there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.
Furthermore, to maintain GDPR compliance, the data controller at Holbrooks Health team will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at Holbrooks Health team will ensure that the processing of personal data is lawful and at least one of the following applies:
- The data subject has given consent to the processing of his/her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or another natural person
Procedure for access
An Subject Access Request form must be completed and passed to the data controller; all SARs should be processed free of charge unless they are either complex, repetitive or unfounded (see GDPR Policy). The GDPR states that data subjects should be able to make access requests via email. Holbrooks Health team is compliant with this and data subjects can complete an e-access form and submit the form via email.
Once the SAR form is submitted, Holbrooks Health Team will aim to process the request within 28 days; however, this may not always be possible. The maximum time permitted to process SARs is one calendar month.
Individuals will have to verify their ID at Holbrooks Health Team and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Subject Access Request (SAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.
Summary
Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns with Shweta Joshi.