1. Introduction
The purpose of this document is to set out the process and responsibilities for dealing with patient requests for personal information within BrisDoc, in line with data protection legislation (the Data Protection Act 2018 and the UK GDPR).
1.1 Related Documents
- BrisDoc Website (About/Privacy Notice)
2. Background
Under the Data Protection Act 2018 (DPA 2018) and the UK GDPR, individuals have the right to obtain:
- confirmation that their data is being processed
- access to their personal data (and only theirs)
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
https://ico.org.uk/global/privacy-notice/your-data-protection-rights/
The DPA 2018 clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing and understand how and why the practice is using their data.
An application for access to health records may be made in any of the circumstances explained below. This policy does not apply to requests to access the records of deceased patients, as the DPA 2018 does not apply to the data of deceased patients; such requests are governed by the Access to Health Records Act 1990 (see below).
Individuals have a right to apply for access to health information held about them and, in some cases, information held about other people. Under DPA 2018 legislation, such a request is recognised as a ‘Subject Access Request’ (SAR).
The DPA 2018 replaced the Data Protection Act 1998 in the UK and, together with the UK GDPR, forms the current data protection framework.
What information does the DPA 2018 apply to?
The DPA 2018 applies not only to health care records but to all ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
The main legislative measures that give rights of access to health records include:
- The Data Protection Act (DPA) 2018 – patients have the right to request access to their own medical records under a Subject Access Request without charge, including situations where they give consent for a third party such as a solicitor or insurer to access the data.
- The Access to Health Records Act 1990 – rights of access to deceased patient health records by specified persons.
- The Medical Reports Act 1988 – right for individuals to have access to reports, relating to themselves, provided by medical practitioners for employment or insurance purposes.
- Department of Health: Guidance for Access to Health Records Requests 2010 – the guidance aims to assist NHS organisations in England through the process of dealing with an access request in accordance with the relevant legislation and any subsequent considerations.
A health record can be defined as: a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.
A health record can be recorded electronically or in manual form, or in a mixture of both. It may include such things as: hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records (e.g. the X-ray images themselves, not just the X-ray reports), printouts from monitoring equipment, photographs, videos and recordings of telephone conversations.
2.1 Further Reading
Information Commissioner's Office: Right of Access
3 Practice Patient Requests
A request for access to health records in accordance with the DPA 2018 can be made verbally or in writing to any member of Practice staff. A simple form is included in this policy (Appendix 1) for patients to use if they wish.
All requests are documented as part of a Subject Access Request Register.
Requests will be managed within the Practice by appropriately trained staff. The process will be overseen by the Practice Manager, with the number of requests and adherence to the required timeline reported via the Information Governance Dashboard at the Information Governance Board.
A request does not have to include the phrase “subject access request” or “data protection” or “right of access”.
The requester should provide enough proof to satisfy the Practice of their identity (and the Practice is entitled to verify their identity using “reasonable means”). The Practice must only request information that is necessary to confirm who they are. The Practice should request any identity verification as soon as possible after the request has been received.
The default assumption when a requester asks for “a copy of their GP record” is that the information requested by the individual is the entire GP record. However, the Practice may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The DPA 2018 permits the Practice to ask the individual to specify the information the request relates to (Recital 63) where the Practice is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely).
A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Practice.
3.1 Secure Online Records Access
The Practice can offer, if appropriate, to enable a requester to securely access their full GP electronic record online. This would then allow them to access all the information they might be seeking. Access should only be enabled after identity verification and a clinical review of the record (see the sections on consulting an appropriate health professional and grounds for refusing disclosure).
4 Integrated Urgent Care Service Patient Requests
A request for access to health records in accordance with the DPA 2018 can be made verbally or in writing to the Governance Manager. A simple form is included in this policy (Appendix 1) for patients to use if they wish.
All requests for information will be logged on a central database by BrisDoc Governance Team, under the Information Requests category. The tool will also be used to manage and record the actions taken whilst dealing with the request. The following steps/information will be recorded.
- Request Details
  - Date Request Received
  - Person Making Request
- Request Validation
  - Sufficient detail supplied to process the application? Date
  - Letter sent to seek further information? YES / NO, Date
  - Name of Lead Health Professional
  - Health Record reviewed by a Senior Clinician and disclosure to be limited? If so, because:
    - Notes could cause harm physically or mentally to the patient
    - Notes disclose information about a 3rd party
  - Correspondence sent / contacted, Date
- Outcome(s)
  - Appointment to be made with Clinician if patient requests to directly inspect the health record, Appointment Date & Time
  - Supervised Appointment to be made with Clinician, Appointment Date & Time
  - Copies of notes to be sent
  - Applicant advised of outcome, Date
- Processing application
  - Access provided on, Date
  - Further action required, Details
  - Corrections requested YES / NO
  - Comments
  - Copy of notes made, Date
  - Notes Sent, Date
A request does not have to include the phrase “subject access request” or “data protection” or “right of access”. The requester should provide enough proof to satisfy the Governance Manager of their identity (and the Governance Manager is entitled to verify their identity using “reasonable means”). The Governance Manager must only request information that is necessary to confirm who they are. The Governance Manager should request any identity verification as soon as possible after the request has been received.
The default assumption when a requester asks for “a copy of their record” is that the information requested by the individual is the entire clinical record. However, the Governance Manager may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The DPA 2018 permits the Governance Manager to ask the individual to specify the information the request relates to where a large amount of information about the individual is being processed. As a result, the information disclosed can be less than the entire clinical record by mutual agreement (the individual must agree so voluntarily and freely). A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Governance Manager.
5 Patients Living Abroad
Former patients now living outside the UK who received treatment while in the UK retain the same rights under the DPA 2018 to apply for access to their UK health records. Such a request should be dealt with in the same way as an access request made from within the UK.
6 Patient Representatives
A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.
The Practice/Service must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (a Lasting Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health.
The Practice/Service is entitled to send the information requested directly to the patient if we think that the patient may not understand what information would be disclosed to a third party who has made a request on their behalf.
A next of kin has no right of access to a patient’s medical record unless they hold a Lasting Power of Attorney or written authorisation from the patient.
7 Court Representatives
A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
8 Children
No matter their age, it is the child who has the right of access to their information.
Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
When considering borderline cases, the Practice should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
A person with parental responsibility is either:
- the birth mother, or
- the birth father (if married to the mother at the time of the child’s birth or subsequently), or
- an individual given parental responsibility by a court
(This is not an exhaustive list but contains the most common circumstances).
If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.
If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, their mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so. In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.
9 Notification of Requests
The Practice will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to.
10 Fees
The Practice/Service must provide a copy of the information free of charge. However, the practice/service may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.
11 Manifestly Unfounded or Excessive Requests
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the Practice/Service can:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where the Practice/Service refuses to respond to a request, the Practice/Service must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay, and at the latest within one month.
12 Requirements to Consult an Appropriate Health Professional
It is the Practice/Service’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before the Practice discloses or provides copies of medical records, the records must be checked, and the release must be documented and authorised.
It is the responsibility of the Practice/Service to ensure that the information to be released:
- Does not disclose anything that identifies any other data subject. The only exception to this is the identity of people involved in the care of the individual requester, such as community staff or hospital specialists
- Does not disclose anything that is likely to result in harm to the data subject or anyone else
- Does not disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation
13 Grounds for Refusing Disclosure of Health Records
The Practice/Service should refuse to disclose all or part of the health record if the Health Professional is of the view that:
- disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person; or
- the records refer to another individual who can be identified from that information (apart from a health professional), unless:
  - that other individual’s consent is obtained, or
  - the records can be anonymised, or
  - it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party; or
- the request is being made for a child’s records by someone with parental responsibility, or for an incapacitated person’s records by someone with power to manage their affairs, and:
  - the information was given by the patient in the expectation that it would not be disclosed to the person making the request; or
  - the patient has expressly indicated it should not be disclosed to that person.
For the avoidance of doubt, we cannot refuse to provide access to personal data about an individual simply because we obtained that data from a third party.
15 Informing of the decision not to disclose
If a decision is taken that the record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating the grounds for refusing disclosure.
The letter must inform the patient or representative without undue delay and within one month of receipt of the request, and will state:
- the reasons the Practice/Service is not taking action;
- their right to make a complaint to the Practice;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
The Practice/Service should also provide this information where a request for a reasonable fee is made, or additional information to identify the individual is required.
16 Disclosure of the Record
Information must be provided without delay and at the latest within one month. This is calculated from the day after the request is received, which will be day 1, even if this is a non-working day.
The period for responding to the request begins at receipt of the request or, if later:
- when the Practice/Service receives any additional information required to confirm the identity of the requester; or
- when the Practice/Service receives any additional information requested (and required) to clarify the request.
In addition to the information requested, the Practice/Service Privacy Notice will also be provided to the individual. When the information is provided by the Practice/Service, this is for personal use only. The security and confidentiality of the records becomes the responsibility of the requestor and the Practice/Service cannot be held responsible for any onward transmission or distribution.
If a request is made verbally, for example within a GP consultation, then the GP can, if appropriate and possible within the consultation, provide the requested information immediately; no additional ID verification is required because the patient’s identity has already been established for the consultation. Verbal Subject Access Requests should still be recorded on the Subject Access Request Register.
The Practice/Service is able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the Practice/Service must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be sent to, or given to, the patient or their representative.
If the information requested is handed directly to the patient, then verifiable identification must be confirmed at the time of collection.
It should be assumed that if an individual makes a request electronically (i.e. by email), the Practice should provide the information in a commonly used electronic format (e.g. as .pdf or .doc) and provide it to the requester by email.
If sending the information via email, the Practice will:
- Check that the individual wishes to receive the information via email.
- Check the email address, and send an email to the address requesting confirmation of receipt, in order to verify the address before any records are sent.
- Not send the information via email if there is any doubt about the recipient email address.
- Test that the individual can receive, and access, a test email and attachment sent via NHSmail’s [Secure] encryption service. The individual will need to register with Trend Micro to access the information upon receipt.
- Usually send the information via a secure email from NHSmail, using [Secure] at the start of the subject line, and request that the receiver acknowledges receipt.
- Depending on the volume of data to be sent, split the information across multiple [Secure] emails where the maximum attachment file size requires it, and make the individual aware of this where it is the case.
Confidential information will not be sent by email unless:
- the email address of the recipient is absolutely verified, and
- the information is sent securely in accordance with the policy stipulations above (unless the patient clearly expresses a preference to receive unencrypted information in this way, in which case that preference should be recorded against the request).
If sent by post, the record should be:
- sent to a named individual
- by recorded delivery
- marked “private and confidential”, “for addressee only”
- with the Practice details written on the reverse of the envelope.
Confidential medical records should not be sent by fax unless there is absolutely no alternative:
- If a fax must be sent, it should include the minimum information and names should be removed and telephoned through separately.
All staff should be aware that safe haven procedures apply to the sending of confidential information by fax, for whatever reason. That is, the intended recipient must be alerted to the fact that confidential information is being sent. The recipient then makes a return telephone call to confirm safe and complete receipt. A suitable disclaimer, advising any unintentional recipient to contact the sender and to either send back or destroy the document, must accompany all such faxes.
A suitable disclaimer would be: “Warning: The information in this fax is confidential and may be subject to legal professional privilege. It is intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, please notify the sender immediately. Unless you are the intended recipient or his/her representative you are not authorised to, and must not, read, copy, distribute, use or retain this message or any part of it.”
17 Monitoring and Review of Information Requests
The Governance Team and IG Lead will provide data for Information Governance Board meetings via the information governance dashboard on Subject Access Requests and Access to Medical Records.
18 Informing the Patient of how to request information
Direct patients to the practice/service website.
19 Informing the Staff of how to deal with patient requests for information
Staff are trained on a summary of the process contained within this document and have access to a Fact Sheet that enables them to support patients who make this type of request.
Appendix 1 – Subject Access Request Forms
Subject Access Request Form
Name of patient:
DOB:
NHS Number:
Date of request:
For Practice Patients only
Do you want secure online access to your full electronic GP record? YES / NO
This might easily provide you with all the information you seek, 24 hours a day, as well as the ability to make appointments and request medication. Ask at Reception or visit our website.
Do you want a copy of your entire GP record? YES / NO
If not your entire GP record, then please detail exactly what information you would like. For example, between two dates, or relating to a particular medical condition, or hospital letters only.
For Out of Hours/Acute GP Team Service Patients only
Do you want a copy of your GP record? YES / NO
How would you like the information to be provided, if possible?
□ Email – please supply an up to date secure email address. Email address:
□ Printed
□ Online access to my medical record
□ Other – please specify:
Please note, it may not always be possible to supply the information in your preferred format.
Please note that you might be contacted by the practice for further information, identity verification or clarification about the request, if needed.
Recording Subject Access Requests (for staff use)
Have you positively identified the patient? YES / NO
Name of patient:
DOB:
NHS Number:
Date of request:
Was the request made on behalf of another individual? YES / NO
If Yes – what are the name and contact details of the requester? Please make the requester aware that the practice will need to contact them to verify the basis of making a request on behalf of a patient.
How was the request made? □ Face-to-face □ Telephone
Does the patient want secure online GP records access? YES / NO
Does the patient want a printed copy of “their entire GP record”? YES / NO
Details of request – if not the entire record, then what exactly? e.g. records between two dates, records about a medical condition, only hospital letters, etc.
How does the patient want the information to be provided?
□ Email – an up to date secure email address. Email address:
□ Printed
□ Online access to my medical record
□ Other – please specify:
Remind the patient that they might be contacted by the practice for further information, identity verification or clarification about the request, if needed.
Pass this request on to the Practice Manager.
Identity verified by (initials): Date: Method: □ Vouching □ Vouching with information in record □ Photo ID and proof of residence
Authorised by: Date:
Date account created:
Level of record access enabled: □ All □ Prospective □ Retrospective □ Detailed coded record □ Limited parts
Notes / explanation:
Subject Access Request Form where a request is made on behalf of an individual
I am the representative of the following individual and would like to make a Subject Access Request for their personal information.
Name of patient:
Date of Birth:
NHS Number (if known):
Date of request:
Name of person making the request:
Signature of requester:
Please provide the basis for applying on behalf of another individual:
□ Authorisation from the patient
□ I hold Lasting Power of Attorney for the patient
□ I am appointed as an Independent Mental Capacity Advocate on behalf of the patient
□ I have parental responsibility and the patient is under 18, and lacks capacity to understand the request
□ I have parental responsibility and the patient is under 18, and has consented to the request
Please note that the practice may have to contact you for further information and verification of the above.
Are you requesting a copy of the entire GP record? YES / NO
Details of request – if not the entire GP record, then please detail exactly what information you are requesting. For example, between two dates, or relating to a particular medical condition, or hospital letters only.
How would you like the information to be provided, if possible? Please indicate your preferred option:
□ Email – please supply an up to date secure email address. Email address:
□ Printed
□ Online access to the medical record
□ Other – please specify:
Please note, it may not always be possible to supply the information in your preferred format.
Please note that you might be contacted by the practice for further information, or clarification about the request, if needed. Any questions? Please contact the Practice Manager.
For practice use
Identity verified by (initials): Date: Method: □ Vouching □ Vouching with information in record □ Photo ID and proof of residence
Authorised by: Date:
Date account created:
Level of record access enabled: □ All □ Prospective □ Retrospective □ Detailed coded record □ Limited parts
Notes / explanation:
Revision History
Date | Reviewed and amended by | Revision details | Issue number |
31/08/2012 | DL | First Drafts | DRAFT |
11/10/2012 | DL | Amendments after review by NG/BC/CB | 1.1 |
01/10/2014 | DL | Reviewed. Change reviewers to reflect new organisation structure + minor grammatical changes – Signed off by NG | 2.0 |
26/10/2015 | DL | Annual review added related documents | 2.1 |
16/10/2017 | DL | Annual Review | 2.2 |
01/09/2018 | SP/DL | Updated to reflect new GDPR Legislation | 3 |
18/01/2021 | DL | Annual Review | 3.1 |
30/01/2023 | DL | Annual Review | 3.2 |