How to handle a subject access request for disclosure of records or statements

Under the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) individuals have a legal right to apply for access to health information held about them. This is called a Subject Access Request. It includes NHS or private health records held by a doctor, therapist or dentist, or by a hospital or clinic.

Is there a subject access request time limit?

You should respond without delay and within one month of receipt of the request. You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.

In most cases, no fee is recoverable (exceptions include some repeated requests). However, the Information Commissioner’s Office has wide powers in the case of a failure to comply including issuing assessment notices, warnings, reprimands, enforcement notices, penalty notices and in some cases carrying out inspections. Do not take the ICO lightly!

Requests for deletion or amendment of records should be treated with real caution and expert advice is recommended.

Some third parties can also apply on behalf of someone that they are responsible for, including for a child or for someone who has died. They will need to provide proof that you are allowed to act on their behalf.

Contrary to frequent misconceptions, there is no provision in the DPA or GDPR which compels healthcare professionals or organisations to disclose patient records to the police. It is important to note that in the absence of an Order or summons, the disclosure will be regarded as voluntary and requests should therefore be considered very carefully in light of potential liability.

Requests for statements about patients and/or treatments provided should likewise be treated with caution even when made by the patient, but especially when not (for instance, by family, friends, lawyers, police etc). Save where accompanied by a Court Order, there is seldom any requirement to provide a statement. You need to balance your natural desire to be cooperative against your duty of patient confidentiality. We are here to help.

If you have any questions on the above, please contact Matthew Trinder or Andrea James for more information.