What is a subject access request (SAR)?
The General Data Protection Regulation (GDPR), which was implemented in the UK through the Data Protection Act 2018, gives individuals the right of access to their personal data from any health and care organisation that holds records on them.
A SAR is a request that can be made in writing, by email or verbally asking for access to the personal information a company or organisation holds on you. This is a legal right that any individual in the UK is entitled to exercise at any point for free.
Whilst a SAR gives you the right to obtain a copy of your personal data, it should be noted that there are other ways to obtain your health and care records. The NHS is seeking to empower people and transform their experience of health and care by giving them the ability to access, manage and contribute to digital tools, information and services – for example, most patients can now request access to their GP record online, including via the NHS App.
Your GP surgery does not hold medical records in the same format as a hospital setting. If you want to see copies of these medical records, you should ask your health setting that provided your care or treatment in secondary care.
If you require a more specific letter with regards to certain diagnosis and treatments, these requests come under the remit of our Private Services and are not covered by a simple SAR request; these services are not covered under our contract with the NHS and therefore attract charges. These charges are required to be paid up front upon receipt of your request; our reception team will advise at the time your request is made. Please click here for more information about our private services and fees.
How to request a subject access request
Please complete the form embedded at the bottom of this webpage or by dowloading this form: Patient Access to Medical Records Request Form and returning it too: firstname.lastname@example.org. These requests can take up to 28 days to process.
Once completed, our administration team will be in touch with you to confirm your request has been processed and is ready for collection. Please do not attend the surgery to enquire about these records until you have been contacted.
We require proof of your identity before we can disclose and share out this personal data. Confirming identification is important as it helps to stop organisations from inadvertently disclosing personal data, either accidentally or as the result of deliberate fraudulent action by a third party. If the SAR has been submitted by a third party or agent on behalf of an individual, there should be evidence that the individual has consented to this.
Subject Access Requests (SARs) and children
A child can exercise their own data protection rights so long as they are deemed competent to do so. Generally, children aged 13 and over, are considered competent to make a SAR unless there is information to suggest otherwise. If the child (of any age) does not have sufficient understanding to exercise their rights themselves, you may allow a person with parental responsibility to exercise the child’s right to make a SAR.
If a SAR is made on behalf of a child who is deemed to lack capacity to act on their own behalf, information may be sent to a person with parental responsibility. However, this is not a decision that should be made automatically. In all cases the best interests of the child should be considered. It is possible to restrict information going to a parent where it is not considered to be in the best interests of the child, for example, where there are “do not disclose” notes on the child’s record.
In most cases your organisation cannot charge an administration fee for responding to a SAR, though “reasonable” fees can still be charged for manifestly unfounded, repeated requests or excessive requests.
Third party Subject Access Requests
Individuals can authorise third parties (for example, solicitors) to make a SAR on their behalf. Health and care providers releasing information to solicitors acting for their patients and service users should ensure they have the individual’s written consent.
It is important to draw a distinction between SARs (made by someone acting on the patient’s behalf) and requests made under the Access to Medical Reports Act (AMRA). Requests under the AMRA are made by a third party who is not necessarily acting on the patient’s behalf – for example, an insurance company. If the request from the solicitor is for a copy of the patient and service user’s health record (or extracts of the record) it is deemed to be a SAR. If the request is asking for a report to be written, or it is asking for an interpretation of information within the record, this request would go beyond a SAR. It is likely that such requests will fall under the AMRA framework for which fees can be charged.