Subject Access Requests
A request by a patient, or a request by a third party who has been authorised by the patient, for access to their health records under the GDPR (and DPA 2018) is called a subject access request (SAR). If you want a copy your health records please contact the Practice. You may make a verbal or written request but a written one is better. Contact will, subsequently, be made by the Practice to arrange a time for you to come in and collect them. You don’t have to give a reason for wanting to see your records. There is no charge for this service.
You will be required to produce proof of identity. The Practice has an obligation under the GDPR and DPA2018 to ensure that any information provided for the patient can be verified.
The Practice has one month to respond to your request. If additional information is needed before copies can be supplied, the one month time limit will begin as soon as the additional information has been received.
The one month time limit can be extended for two months for complex or numerous requests where the data controller (usually your practice) needs more time to collate and supply the data. You will be informed about this within one month and will be provided with an explanation of why the extension is necessary.
Please note we never send original medical records because of the potential detriment to patient care should these be lost.
Who may apply for access?
Patients with capacity
Subject to the exemptions listed in paragraph (6) (below) patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for you to give reasons as to why they wish to access their records.
Children and young people under 18
Where a child is competent, they are entitled to make or consent to a SAR to access their record.
Children aged over 16 years are presumed to be competent. However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph (3) below)
Next of kin
Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.
You can authorise a solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to your solicitors. The consent must be dated and must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history). Where there is any doubt, for example, if the request is for full medical records rather than from the date of an incident, we may contact you before disclosing the information.
The Practice may also contact you to let you know when your medical records are ready. If your solicitor is based within our area, then we may ask you to uplift them and deliver them to your solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your solicitor if they can uplift your medical records.
More Information about SAR requests
The purposes for processing data
The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.
The categories of personal data
The category of your personal data is healthcare data.
The organisations with whom the data is shared
Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual. Other organisations will receive your confidential health information, for example Digital or the Scottish Primary Care Information Resource (SPIRE) or research bodies such as the Secure Anonymised Linkage Databank (SAIL). (This information is already available to patients in our Practice privacy notices).
The existence of rights to have inaccurate data corrected and any rights of objection
For example, a national ‘opt-out’ model such as SPIRE
Any automated decision taking including the significance and envisaged consequences for the data subject
For example, risk stratification.
The right to make a complaint to the Information Commissioner’s Office (ICO)
The ICO regulates the GDPR in the UK. They can be contacted on 0303 123 1115
Information that should not be disclosed
The GDPR and Data Protection Act 2018 provide for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will contact and discuss this with you.
Individuals on behalf of adults who lack capacity
The Adults with Incapacity (Scotland) Act 2000 contains powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Sheriff’s Court in Scotland can also appoint deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.
Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.
The law allows you to see records of a patient that has died as long as they were made after 1st November 1991. The legislation is the Access to Health Records Act 1990. The DPA2018 only applies to living individuals.
Who can access deceased records?
You can only see that person’s records if you are their personal representative, administrator or executor.
You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.
Accessing deceased records
Before you get access to these records, you must show that you:
- are that person’s personal representative or their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person)
- have the permission of the executor or have obtained written permission from the deceased person before they died.
Viewing deceased records
You won’t be able to see information that could:
- cause serious harm to your or someone else’s physical or mental health
- identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission
- If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.
To see your hospital records, you will have to contact your local Hospital.
Power of Attorney
Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney which has been activated.
A power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.
The person you appoint is known as your attorney. An attorney can make decisions about your finances, property and welfare depending on what you have agreed to. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used. Power of Attorney is only active once you have lost capacity to make decisions. Sometimes Power of Attorney is never activated.
Power of Attorney ceases upon the death of the patient.