The ICO has recently published a blog post on responding to subject access requests, designed for GPs, but of use for all healthcare organisations. Among the tips from the ICO: 

  • Practices may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available. However, it is worth bearing in mind that (1) electronic access is sometimes limited to summary records, and (2) there are additional obligations under Article 15 GDPR to explain information which may not be possible simply through online access.
  • Practices can more generally provide the SAR response electronically (subject to safeguards such as encryption). A surgery only needs to print paper copies if (1) it is asked to do so and (2) it is reasonable to provide paper copies.
  • If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
  • Subsequent copies of records may be charged for.

It is also important to distinguish between requests for information/data/existing records under a subject access request, as compared for a request for a 'new' report, which is outside the scope of the rights (and could still be charged for).

Given that the ICO's advice is designed to play-down the burden of such requests, it is perhaps unsurprising that the ICO does not talk about the importance of organisations having a proper process for managing requests, and of checking records prior to disclosure. However, the ICO has previously fined healthcare providers that have failed to do this. It therefore is crucial that organisations are mindful of their broader obligations when dealing with subject access requests - particularly when the most burdensome requests may be contentious for other reasons.

For more advice on information rights, talk to Capsticks' information law team.