Purpose
This policy outlines the procedure for handling Subject Access Requests (SARs) in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It ensures that patients can access their personal data while maintaining the practice’s operational efficiency.
Scope
This policy applies to all staff members involved in processing SARs at Benfield Park Medical Group.
Policy Statement
Patients have the right to access their personal data held by the practice. This policy sets out the process for requesting access and the associated fees for printed reports.
Procedure
- Request Submission:
- Patients must submit a written request for access to their medical records. This can be done via email, post, or in person at the practice.
- The request should include the patient’s full name, date of birth, and contact information.
- Who can make SAR requests:
- A Subject Access Request (SAR) can be made by:
- The Individual: The person whose data is held by the practice has the right to request access to their own personal data.
- A Third Party with Consent: Someone else can make a SAR on behalf of the individual if they have the individual’s explicit consent. This is often the case with carers or legal representatives.
- A Parent or Guardian: For children under the age of 16, a parent or guardian can request access to the child’s records. However, if the child is deemed competent to make their own decisions, they may need to provide consent.
- A Legal Representative: Solicitors or other legal representatives can request access on behalf of their clients, provided they have the necessary authorisation.
- A Person with Power of Attorney: If someone holds a power of attorney for health and welfare, they can request access to the individual’s medical records.
- Verification:
- Upon receiving a request, the practice will verify the identity of the requester to ensure data protection. This may involve requesting additional identification documents.
- Response Time:
- The practice will respond to SARs within one month of receipt (28 working days). This period may be extended by a further two months for complex requests, with the patient being informed of the extension and the reasons for it.
- Fees:
- This practice currently uses iGPR software to provide reports electronically for no fee, satisfying the terms of SAR requests. This allows the requestor to print at home should they desire ‘hard copy’ notes.
- Printed reports of medical records can be provided subject to reasonable costs. For reports of up to 200 pages, a minimum fee of £75 will be charged to cover reasonable costs. For larger reports exceeding 200 pages, an additional charge of 40p per page will apply.
- Fees must be paid before the release of requested printed records.
- Provision of Records:
- Records will be provided electronically in a secure format, subject to change.
- The practice will ensure that any third-party information and safeguarding relevant material is redacted before release.
- Records will be provided to the data subject only. Please note that if the request is solicitor-generated, the data subject will be the recipient unless there are exceptional circumstances, such as an individual who lacks capacity.
- Exemptions:
- The practice may refuse to provide access to certain information if it is deemed to cause harm to the patient or others, or if it includes third-party data without consent. Safeguarding relevant information will also be redacted.
- Complaints:
- Patients who are dissatisfied with the handling of their SAR can submit a complaint to the practice manager. If unresolved, they may contact the Information Commissioner’s Office (ICO).
Review
This policy will be reviewed annually or in response to changes in legislation or practice procedures.
Review Date | Reviewed By | Due for Review |
October 2024 | Dr Murray Head | October 2025 |