Introduction
Right of access is a core principle of the GDPR. Individuals have the right to access their personal data and supplementary information at any time. Under GDPR guidelines, individuals have the right to obtain:
- Confirmation that their data is being processed
- Confirmation on how and why their data is processed
- Access to their personal data at reasonable intervals
- Any other supplementary information held by your organisation (this usually corresponds with the information that you need to provide in a privacy policy)
What is a subject access request?
‘A subject should have the right of access to personal data which are collected concerning him or her, and to exercise that right easily and at reasonable intervals’ – GDPR Official Guidelines (Article 63)
What counts as a valid Subject Access Request?
In order for a subject access request to be valid it must be made in writing. However, as this includes various digital and physical formats, it’s useful to understand what does or does not count as valid.
- Under the GDPR it is possible for an individual to make a subject access request via email. Such requests are valid and must be responded to within the 28 day timescale. It is possible to gain an extension to this timescale if the request is deemed complex or numerous.
- If a written request fails to mention that it is a subject access request, but it is clear that the individual is asking for their own personal data, it is still valid and should be treated as such.
- Similarly, a Subject Access Request is considered valid even when it has not been sent to the person in your company who usually deals with this kind of request.
- A verbal request is not considered valid in most cases. However, good practice suggests you at least offer the individual information about how to make a subject access request.
As with any request of this nature, there are always exemptions to what is considered valid. For example, if a disabled person is unable to make a subject access request in writing, you may have to make adjustments for them under the Equality Act 2010 (Disability Discrimination Act 1995 in Northern Ireland). You may also have to make similar provision for the format of your response: Braille, audio transcription, large print, etc. Failure to make such provision may not put you at risk of GDPR non-compliance, but it will certainly put you at risk of a claim under the Equality Act.
What format do we have to respond in?
You must provide a copy of the information to the individual in an easy-to-access format. GDPR guidelines state that ‘the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’ Another update to the current guidelines is that, if the individual makes the request digitally, the response must be provided in a commonly used digital format.
Is there a charge for a Subject Access Request?
Under the GDPR it is important that you provide the information in response to a subject access request free of charge. Where a request can legitimately be termed ‘manifestly unfounded or excessive’, it is possible for the practice to charge a ‘reasonable fee’. This particularly applies to repetitive requests and (occasionally) to further copies. However, this does not apply to a subject access request that is made after a reasonable interval.
Who can make a request?
Requests can be made by the following:
- The data subject (the patient)
- A person or third party acting on behalf of the data subject and authorised in writing by the data subject. Such a person or third party can be a relative or a solicitor.
- Individuals requesting access on behalf of a child for whom they have parental responsibility.
- In certain situations, a person granted power of attorney for health and wellbeing, or appointed as an agent by the Court of Protection, on behalf of an adult who is incapable of giving consent.
- The police may obtain information without seeking the consent of the individual(s). The police may access personal data for the prevention or detection of crime, the apprehension or prosecution of offenders, or taxation purposes. The police have a form specifically for this, referred to as a ‘Section 29(3) form’, which allows them to approach any data controller for information regarding an individual in relation to the apprehension of an offender, the prevention of a crime, or the prosecution of a crime. The Section 29(3) form must state the reason(s) for requesting specific information about a data subject and must be countersigned by a higher ranking officer. The Section 29(3) form is the practice’s safeguard for releasing the information to the police: the police must provide a complete and appropriately signed form to show that the information is needed to further their case, as per the Section 29(3) requirements.
Where the data subject has died, requests from their personal representative or from any person having a claim arising from the death should be referred to PCSE in order to arrange access:
pcse.accessrequests@nhs.net
Refusing a request
If the practice is unable to provide the information requested, the requester should be advised of the reason in writing, along with details of their right to complain to the Information Commissioner’s Office. Examples of such reasons include a new patient for whom notes have not yet been received, or documentation that is extremely sensitive and may cause harm if disclosed.