GPs and Subject Access Requests in a post-GDPR World

The ICO has published guidance for GPs and how to respond to subject access requests.

The fundamentals of the right of access have not really changed with the introduction of the GDPR and DPA 2018, but the fact that GPs are no longer entitled to charge a fee, even although it was in most cases a maximum of £10, seems to have increased the number of people exercising their right.  According to recent guidance published by the ICO, medical practices have reported a significant rise in SARs since May last year.

The guidance provides some practical tips on how to deal with SARs taking into account that the request is ‘purpose blind’ but recognising that requests for copies of medical records can be administratively burdensome.

Top Tips

• Can you offer patients online access to their health records? This is an area where Government and the ICO are working together to explore new ways for people to access their information.
• You can provide the response electronically, subject to appropriate security safeguards such as encryption and you are only required to provide paper copies if asked to do so and if the request is reasonable.
• The ICO states that you can ask the patient to clarify their request if you hold a large amount of information.  However, if the patient asks for all of their personal data, they are entitled to that.
• You cannot charge for providing the first copy of the information, but you can charge for additional copies.

Legal Representatives

GPs often receive requests for medical records through solicitors. As long as the request is accompanied by a clear mandate from the patient about that specific request, then it should be treated in the same way as if it was made by the patient.

However, it is worth noting that solicitors should only request the data that they need for their specific purpose and that will not always be the entire medical history of a client. If you think that more information is being requested than is necessary then the ICO states that you can check that the patient is aware of the full extent of the request. The ICO goes on to say that if you continue to have genuine concerns about providing excessive information, then you can provide the data directly to the patient.

This is not an approach that they endorse on every occasion but the BMA has also issued Guidance in relation to Access to Health Records where more tips can be found.

Disclaimer 
The matter in this publication is based on our current understanding of the law.  The information provides only an overview of the law in force at the date hereof and has been produced for general information purposes only. Professional advice should always be sought before taking any action in reliance of the information. Accordingly, Davidson Chalmers Stewart LLP does not take any responsibility for losses incurred by any person through acting or failing to act on the basis of anything contained in this publication.