GDPR SAR General Advice
Practices will have to change how they respond to subject access requests (SARs) under the EU’s General Data Protection Regulation (GDPR), due to come into effect on 25 May.
Patients continue to have a right to see their records and as data controllers practices must provide them access to it.
However several aspects of how practices deal with SARs have changed, as follows:
- Crucially, you will no longer be able to routinely charge for providing copies of patient records.
- You must supply additional information to the patient’s data – in effect the contents of the relevant privacy notice.
- Practices must now respond to any SAR within a month (instead of 40 days).
- You can now negotiate over how much information you provide.
What additional data must we supply?
The additional information that you must supply, along with the original personal data concerning the patient (data subject), comprises an explanation of:
- The purpose(s) of the processing
- The categories of personal data being processed
- The recipients or categories of recipients
- How long the patient’s information will be held
- The rights of rectification, restriction, objection and where applicable erasure
- The right to complain to the Information Commissioner’s Office
- The patient’s right to be told more about the source of their data received from other organisations.
- The existence of and logic behind and consequences of any automated processing.
Remember this information, or an easily accessible link to it, must be provided as well as the actual data relating to the patient.
Responding to SARs – your options
- You can agree. If you agree to an SAR, you must respond within one month and include all the data you hold on the data subject plus whichever of the information listed above that applies. Providing all the data you hold is regarded as the norm.
- You can decline. You can decline to provide a SAR, or as the GDPR states, ‘not take action’. However you’ll still have to justify why within the universal one-month deadline and explain how the data subject can complain against your decision. One obvious reason for declining is if the data has not changed since a previous request.
- You can say you require more time. Practices can inform a patient they require extra time, where they decide it will take longer than a month to collate and supply the data. In this case you must tell them this within the usual one-month deadline and you have up to an additional two months to provide the information.
- You can negotiate. A SAR was defined under the Data Protection Act as the entire contents of the patient record and under GDPR that is the same basic default assumption, but it has now been recognised that over 20 years on we hold masses of data on our patients, so a new option has been introduced: you can supply less than the entire record by mutual agreement.
This means you can agree with the patient (within the one-month period) to narrow down the data required to satisfy their request, provided they agree voluntarily and freely. You must not coerce people into asking for less than they want or need. In these circumstances clearly document what is agreed within a first SAR – for example, only the records of a hip operation. Subsequent SARs could then be chargeable, although you should take a reasonable approach. If the patient asks for one additional letter it would in my opinion be unreasonable to charge a fee, but if they ask for hundreds more pages, then a charge would be reasonable.
When should we negotiate?
You may feel a negotiated SAR is going to be more difficult and time consuming than just handing over the lot, but remember GDPR applies to all data formats – including the paper in Lloyd George envelopes. So, a sensible negotiated SAR might be everything you have on the patient in electronic form.
In most circumstances the patient is unlikely to want copies of the irrelevant historical paper records. Another option is to take everything from a certain date. Remember you still have to protect any other data subjects mentioned in the requestors records, i.e., must redact any information on non-medical third parties. The less given, the less there is to redact.
When can we charge?
You can apply certain charges for repeat requests and for unfounded or excessive requests.
For a repeat request you can only charge a fee to cover your administrative costs.
GPs can also either refuse to comply with requests that are ‘manifestly unfounded or excessive’ or comply but charge for the inconvenience. However, ‘unfounded’ and ‘excessive’ are not defined, either in the GDPR itself or in related guidance, so this will depend on an interpretation of how reasonable the request is. GDPR does provide some clue in describing ‘repetitive character’ as being a qualifying criterion. If you decide to comply with the request, you may then charge for: ‘the administrative costs’; ‘providing the information’; ‘communicating the data’; or ‘taking the action requested.’
If you invoke the unfounded or excessive clause you must justify your reasons to the patient.
Do I have to provide records on USB sticks or CDs?
No. You can agree the medium with the patient. However, GDPR and the Information Commissioner's Office (ICO) are very much in favour of electronic SARs and if the request is made electronically it is expected that the response will be provided electronically. You can charge for the administrative or communication costs of a second and subsequent SARs – which could include the cost of a USB stick/CD.
Could we simply sign patients up to NHS Patient Online to save time?
Yes. The GDPR states that ‘where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form’. Furthermore, it provides this very useful steer for GPs: ‘Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’ So it looks like NHS Patient Online would fit that bill very nicely. Signing patients up for Patient Online, and ensuring they have a link to your practice privacy notice or privacy notices would satisfy GDPR patient access rights in full.
Saying no to a request for data
If you refuse a request it will be important to document your reasons for doing so and you must communicate them to the patient within the same one-month response deadline. You must also let the patient know their rights to complain about your decision to the ICO and it would be wise to also refer to your data protection officer.
Beyond the ‘excessive or unfounded’ clause you can also refuse to provide data where the patient already has the information. Other relevant exceptions include where:
- It would involve a disproportionate effort
- It would disclose comments about a third party to the patient
- It could result in harm to the patient or anyone else
- The information is subject to a court order or is privileged, or subject to fertilisation or adoption legislation.
What if a third party requests data on behalf of a patient?
A third party, including legal representatives, can ask for patient records on behalf of a patient and you still cannot ordinarily charge for a first SAR. If you hand over data to a nominated third party for free, you have by definition provided access free to the patient because the nominated third party is the patient ‘by proxy’.
However, solicitors are not permitted to seek a SAR to support an application that should be made under the Access to Medical Reports Act (AMRA), ie, reports for employment and insurance purposes. This covers accident claims and insured negligence as well as mortgages and life insurance – anything covered by an insurance contract that requires a medical report. If a solicitor’s letter does not make the precise purpose of the request and report clear, then ask them if the report is being requested under GDPR or AMRA. If the report is to support an actual or potential insured claim then AMRA applies. You can charge and no additional information is needed.
The same applies to employers – so if the report is in connection with proposed or actual employment, it’s not classed as a SAR, meaning you can charge and no additional information is needed.
What if insurers get patients to make SARs?
Clause 181 of the Data Protection Bill (due to be enacted later this year) will extend the offence of ‘enforced subject access’ to cover medical records, so this will become a criminal offence. Insurers will not want to be found guilty of the crime of enforced subject access. If any GP suspects that an insurer is doing this, they should report them to the Information Commissioner’s Office and the Association of British Insurers. Guidance on this from the ABI and the BMA is unchanged under GDPR.
Data Protection Officer Information
Head of Information Governance, Midlands and Lancashire CSU
120 Grove Road