Subject Access Request (SAR)

Introduction

The General Data Protection Regulation (GDPR) gives every patient (or their authorised representative) the right to apply for access to data or information held within their health record. To make a request to access information from your medical health record at the practice, you can apply to the Data Controller (the Practice) using the Data Subject Access Request form overleaf. (Please note that the practice does not have access to your hospital records or those of other service providers, although we will have any correspondence received from them).

Please complete our Subject Access Request (SAR) Form which can be found at the bottom of this page. Please ensure you read and understand the following information before submitting a Subject Access Request to the practice. You must provide the correct proof of identification for your Subject Access Request to be processed.

Timescale & Costs

Once we have received your completed form, your request should be fulfilled within one month. In exceptional circumstances, where it is not possible to comply with your request within this period, you will be informed of any delay and given an anticipated timescale as to when the information will be made available.

Under GDPR you will not normally be charged a fee for obtaining copies of any information from your record.  However, should your request be considered unfounded or excessive, the request may be refused or a fee could be incurred, based on the administrative cost of providing the information. We would of course advise you if this was the case. Please note your request would not be processed until any fee due was paid.

Exemptions

In some circumstances, the Data Controller is permitted by the regulations to withhold information held in your health record.  These rare cases are:

  • Where it has been judged that supplying you with the information is likely to cause serious harm to the physical or mental health or condition of you, or any other person, or;
  • Where providing you with access would disclose information relating to or provided by a third person who had not consented to the disclosure.  This exemption does not apply where that third person is a clinician involved in your care.

When making a request it would be helpful if a clear outline description of the time-periods and/or aspects of your health record that you require access to and why is provided. This will help us ensure that you receive the key information you actually require and it can help save time meaning we may be able to deal with your request in a shorter timescale.

Requests made via your authorised representatives

If you are using an authorised representative, you need to be aware that in doing so, they may gain access to all health records concerning you, which may not be relevant.  Therefore, to protect your data we approach you directly for your consent and the reasons for disclosure of records.  We will ask you to collect the record extract for us so that you can make an informed decision about what personal data you are prepared to release to your authorised representative.  Please be advised that the Practice is not responsible for any postage costs.

Proof of identity

Two forms of identity must be provided (one of which must be photographic). This is to ensure information is not released to unauthorised individuals. The table below outlines the proof of identity we can accept.

TYPE OF APPLICATIONIDENTIFICATION REQUIRED
Patient applying for their own 
Can be waived if the applicant is known to the Staff Member accepting the request
One which must be photographic i.e. passport. One containing individuals name and address
Third Party Applying.
Consent of Patient will be required  BEFORE the request will be processed
One containing Third Party name and address One must be Photographic ID of Third Party  
Applying on behalf of a child 
We will ALWAYS obtain consent for release of records from a child age 12+ to <16 if a third party is making request
One which must be Child’s birth certificate and photographic ID of person with parental rights

If you are completing this application on behalf of another person, the Practice will require their authorisation before we can release the data to you. The person whose information is being requested should sign the relevant section within the online form. If the patient is a child (i.e. under 16 years of age) the application may be made by someone with parental responsibilities – in most cases this means a parent or guardian. If the child is capable of understanding the nature of the application, his or her consent should be obtained or, alternatively, the child may submit an application on their own behalf.  Children will, generally, be presumed to understand the nature of the application if aged between 13 and 16 however, all cases will be considered individually.

Further Information

Detailed information about your rights in connection with data held within your medical record can be found in the Practice’s Data Privacy Notice which is available on the practice website St James Medical Centre: Policies and in our waiting rooms.

You can download a SAR form here.

Download Subject Access Request Form