On 25 May 2018 General Data Protection Regulation came into law whereby most processing of personal data by organisations has to comply with it.
GP practices frequently receive requests from people wishing to view or acquire copies of their health records or those of others.
The BMA has produced extensive guidance on this for practices which covers the following areas:
- defining a health record
- advice on record-keeping
- subject access requests
- requests for access on behalf of others
- requests by the police
- requests by insurers
- requests for access to the records of deceased patients
- records retention.
If you have any queries do not hesitate to contact us in the LMC office to discuss.
Solicitors using SARs to request patient data
A patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a GP will be able to lawfully decline.
Provided the solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR from the solicitor should be treated in the same way as if it was made directly by the patient.
Charging a fee
Under GDPR, SARS are generally free of charge. Only if the SAR is considered to be ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged.
The circumstances when a fee can be charged are rare and should be on a case by case basis.
The ICO has advised that a request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee, or refuse the request.
Postage costs for SARs should not be charged for, unless they are 'unfounded or excessive'.