Subject Access Requests

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a Subject Access Request (SAR). If you want to see your full health records, or wish for a copy, you can request this by dowloading a form by clicking   this link  or calling into the surgery with your 2 forms of ID and this will be passed to the appropriate member of staff to action within the allocated time.

Medical records will be sent to the requester via secure email and will be password protected. You don’t have to give a reason for wanting to see your records and there is no charge for this service.

The Practice has up to 1 calendar month to respond to your request. If additional information is needed before copies can be supplied, the time limit will begin as soon as the additional information has been received.

The month time limit can be extended for two months for complex or numerous requests where we need more time to

collate and supply the data. A fee can also be applied by the Practice if the request is agreed to be manifestly unfounded or excessive but you will be advised beforehand if this is necessary.

When requesting your full health records, you should say if you:

● want all or just part of them (If part, these can be accessed through Patient Access and a SARS is not required

● If you request your records to be emailed (usual procedure), then we will secure you or your representative’s agreement (in writing or by email) that they accept the risk of sending unencrypted information to a non-NHS email address

You may also need to fill in an Application Form and give proof of your identity. The Practice has an obligation under the GDPR and DPA2018 to ensure that any information provided for the patient can be verified.

Please note we never send original medical records because of the potential detriment to patient care should these be lost

Who may apply for access?

1(1) Patients with capacity

Subject to the exemptions listed in paragraph 1(6) (below) patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a Solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for them to give reasons as to why they wish to access their records.

1(2) Children and young people under 18

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must

demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to an SAR.However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph 1 (3) below)

1(3) Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no

rights of access to medical records. For parental rights of access, see the information above.

1(4) Solicitors

You can authorise a Solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to your acting Solicitors. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we may contact you before disclosing the information. (England and Wales only – should you refuse, your Solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for Solicitors to use the form, it is hoped it will improve the process of seeking consent).

The Practice may also contact you to let you know when your medical records are ready. If your Solicitor is based within our area, then we may ask you to collect them and deliver them to

your Solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your Solicitor if they can collect your medical records.

The right to make a complaint to the Information Commissioner’s Office (ICO)

1(6) Information that should not be disclosed

The GDPR and Data Protection Act 2018 provides for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.

1(7) Individuals on behalf of adults who lack capacity

Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales, and the Sheriff’s Court in Scotland, can also

appoint Deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

1(8) Deceased records

The law allows you to see records of a patient that has died as long as they were made after 1st November 1991.

Records are usually only kept for three years after death (in England and Wales GP records are generally retained for 10 years after the patient’s death before they are destroyed).

Who can access deceased records?

You can only see that person’s records if you are their personal representative, administrator or executor.

You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.

Accessing deceased records

Before you get access to these records, you may be asked for:

● proof of your identity

● proof of your relationship to the person who has died

Viewing deceased records

You won’t be able to see information that could:

● cause serious harm to your or someone else’s physical or mental health

● identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission

● If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.

1(9) Hospital Records

To see your Hospital records, you will have to contact your local Hospital.

1(10) Power of attorney

Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney.

A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney

must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, this is now the responsibility of the Practice and you will need to call into the surgery to discuss this further. You can only apply if you:

● are that person’s next of kin, are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person),

● have the permission of the next of kin or have obtained written permission from the deceased person before they died.

● To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the Practice or the Hospital where the records are stored.

If you think that information in your health records is incorrect, or you need to update your personal details (name, address, phone number), approach

informally and ask to have the record amended. Some Hospitals and GP Surgeries have online forms for updating your details. If this doesn’t work, you can formally request that the information be amended under the NHS complaints procedure.

All NHS trusts, NHS England, CCGs, GPs, Dentists, Opticians and Pharmacists have a complaints procedure. If you want to make a complaint, go to the organisation concerned and ask for a copy of their complaints procedure. Alternatively, you can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:

The Information Commissioner’s Office (ICO) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: 01625 545745