Access to Health Records

BRYNGWYN SURGERY
SUBJECT ACCESS REQUEST POLICY
Updated July 2025

1. Introduction

This policy outlines the procedure for managing Subject Access Requests (SARs) at Bryngwyn Surgery, in compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018), and the Access to Health Records Act 1990 (for deceased individuals).

It ensures:

• Staff are aware of how SARs can be made
• All requests are handled promptly and lawfully
• Compliance with statutory requirements

2. Scope

This policy applies to any request for access to personal information held by the practice, whether made by patients, staff, or authorised third parties. It covers all staff including permanent, temporary, contractors, and volunteers.

3. Rights of Access

Under UK GDPR and DPA 2018, individuals have the right to:

• Be informed whether personal data is held about them
• Receive a copy of that data in a permanent and intelligible form
• Understand why it is being processed and who it is shared with

This applies to:

• Staff records (current, past, or prospective)
• Health records relating to physical or mental health

4. Who Can Make a Request
SARs can be submitted by:

• The data subject themselves
• A person with written authorisation (e.g. solicitor, family member)
• Those with parental responsibility (for children)
• Appointed deputies or those with Lasting Power of Attorney
• Executors or administrators of a deceased person’s estate

5. Requests from Police, Solicitors, and Insurers

• Police must provide appropriate justification or obtain a court order
• Solicitors must provide valid patient consent
• Insurance companies should not use SARs to request full records; any suspected misuse must be reported to the ICO

6. Children and Young People
Requests relating to children will be considered based on:

• Legal parental responsibility
• Child’s age and capacity to consent
• Best interests of the child

7. Submitting a Request
Requests should:

• Be made in writing (including by email)
• Include enough information to verify identity
• Be clearly marked as a Subject Access Request

Applicants may use the Practice SAR Form, but this is not mandatory.

8. Fees and Response Time

• SARs are usually free of charge
• A reasonable fee may be charged for repetitive or excessive requests
• Requests must be completed within one calendar month
• Extensions of up to two months may be applied for complex cases (with notification within the first month)

9. Third Party and Redaction Considerations

• Third party identities must be protected unless consent is given
• Information must be redacted where required by law or to prevent serious harm

10. Releasing Information

• The release format should match the request format unless otherwise agreed
• Records must be checked by the Caldicott Guardian or a delegated clinician
• Originals must never be released

11. Viewing Records On-Site

• Where records are viewed on site, a clinician or trained admin must supervise
• No interpretation or advice may be given by non-clinical staff

12. Exemptions
Access may be limited where:

• Disclosure would identify a third party without consent
• Serious harm to physical/mental health may result
• Disclosure would prejudice social work or legal proceedings
• The request would involve disproportionate effort

13. Complaints and Appeals
Unhappy applicants should:

• Raise concerns with the practice in the first instance
• Be directed to the complaints process or their union (for staff)
• If unresolved, they can contact the ICO:
  • www.ico.org.uk
  • Tel: 0303 123 1113
  • Email: casework@ico.org.uk

14. Roles and Responsibilities

• Caldicott Lead: Dr M Jadoon
• Data Protection Officer: [Insert name or refer to cluster/Health Board DPO]
• All staff: Must recognise and escalate SARs appropriately

15. Monitoring and Review
SARs and any related complaints will be monitored by the Caldicott Lead. This policy will be reviewed every two years or sooner if legislation changes.

16. Equality and Inclusion
The practice is committed to eliminating discrimination and promoting equality in line with the Equality Act 2010. Reasonable adjustments will be made to ensure fair access to records.

Appendix C – Disproportionate Effort Exemption Guidance

The Disproportionate Effort exemption will only be applied where:

• Significant time/cost is involved in locating data
• An open dialogue has taken place with the requester
• All reasonable steps have been taken

Even if full access is not provided:

• The patient still has the right to know if their data is held
• They are entitled to basic information about the data

The practice must document the justification for using this exemption and provide alternative ways of meeting the request where possible.

This document replaces the July 2021 version and reflects current guidance as of July 2025.