Advice for GPs on managing subject access requests under GDPR

How to Manage Subject Access Requests

The General Data Protection Regulation (GDPR) came into force in May 2018. Since then GPs have warned that they are under increased strain as a result of the obligations the new legislation has imposed and the increased use of Subject Access Requests (SARs).

The British Medical Association claims the additional red tape is putting extra pressure on doctors and reducing time spent with patients due to a significant increase in the number of requests made to GPs for patient notes. There is particular tension between doctors and solicitors as GP surgeries complain of being bombarded with requests – sometimes aggressively – for free copies of patient records.

What should GPs do when receiving Subject Access Requests?

The checklist below sets out what medical professionals need to consider and do on receiving a SAR from a solicitor on behalf of their client:

  • There must be enough information in the request to identify the patient and locate the information that has been requested.
  • Ensure that there is valid consent from the patient. Does the patient realise exactly what they have consented to (e.g. the full set of records rather than just from a specific date)? Contact the patient, or their guardian/legal proxy, to clarify if there is any ambiguity.
  • You have one month from the day after receiving the request to comply with it (save for in exceptional circumstances).
  • In most cases you will not be able to charge a fee for complying with the request and providing the information. This includes not being able to charge for postage or copying.
  • You will be required to redact any information that would identify third parties.
  • The information supplied should be in a format that is legible and intelligible.

The two most common issues medical professionals face in handling SARs are dealing with substantial and complex requests free of charge, and considering whether complying with the request is in the patient’s best interests.

Consent when fulfilling Subject Access Requests

A patient can authorise an individual (such as a solicitor) to make a SAR on their behalf. Under section 185 of the Data Protection Act 2018 they cannot, however, be contractually compelled to do so (for example by an insurance company). Health professionals releasing information to third parties acting on behalf of patients should first ensure that they have the patient’s written consent. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. If there is any ambiguity it is legitimate to check the position with the patient.

Most third parties provide the patient’s signed consent when requesting information. However, given the potential scope of the information requested, it is important that GPs are satisfied that the patient understands the following:

  • Who will see the information
  • What is being disclosed
  • The purpose of disclosure
  • The significant foreseeable consequences.

If a GP is in any doubt, they should confirm that the patient understands the nature and extent of the information to be disclosed. In some circumstances this could involve sending the records to the patient for approval before sending them to any other third party.

GPs should be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure and the fact that relevant information cannot be concealed or withheld.

Can GPs charge fees for fulfilling Subject Access Requests?

Under GDPR, GPs are no longer allowed to charge for copies of patient records under a first SAR.

A request can be refused or a ‘reasonable’ fee can be charged for a SAR if the request is manifestly unfounded or excessive. There is little explanation as to when a request might be considered as “manifestly unfounded or excessive”. However, it would be prudent to assume that the threshold set here is fairly high and that accordingly requests should be refused on this basis only where the facts are particularly extreme.

Where access has been refused on this basis, the patient must in any event be given an explanation as to why access has been refused and they must also be informed that they have the right to complain to the ICO.

For many health care providers there has been a substantial impact resulting from the changes brought in by GDPR. One way to reduce the cost of disclosure is to send out encrypted electronic copies of the records in question where possible, and to speak to the patient to whom a SAR relates to confirm whether they wish the request to be complied with in the form received or whether a reduced scope would be more appropriate, without putting pressure on the patient in this regard.

It is also worth noting that where any form of report or analysis of medical records is required, the rules under the Access to Medical Reports Act continue to apply.

For more information on the issues contained within this article please contact Antonio Fletcher.