Access to Medical Records
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. The request for medical records can be made verbally or in writing. A form for written requests is produced at the end of this policy.
There is no charge for the information unless the request is excessive or repetitive. In this case a reasonable fee based on the administrative cost can be charged. Excessive or repetitive requests can also be refused, but the requester must be advised of the refusal and of how they can complain.
Requests for health records information should be recorded internally and fulfilled within 1 month of receipt. An extension by up to 2 months is possible for complex/numerous requests. The requester must be advised of this within a month of receipt, with an explanation of why an extension is necessary.
There is no minimum age for children to request subject access; however, the clinician should consider whether the child is mature enough to understand what it means to make a request for their information and how to interpret the information they receive as a result of doing so.
Denial or Limitation of Information
The data controller may deny or limit the scope of information given where it may fall under any of the following:
• The information released may cause serious harm to the physical or mental health or condition of the individual or any other person, or
• Disclosure is limited by law or the courts, or
• The disclosure would also reveal information relating to or provided by a third person who has not consented to that disclosure unless:
    • The third party is a clinician who has compiled or contributed to the health records or who has been involved in the care of the individual;
    • The third party, who is not a clinician, gives their consent to the disclosure of that information;
    • It is reasonable to disclose the information without that third party’s consent.
A reason for denial of information does not have to be given to the individual, but must be recorded.
Guidance from the ICO Website: 01.06.18
We have received a request but need to amend the data before sending out the response. Should we send out the “old” version?
It is our view that a subject access request relates to the data held at the time the request was received. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DP Bill, it is an offence to make any amendment with the intention of preventing its disclosure.
Data that includes information about other people.
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
The DP Bill says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
• the other individual has consented to the disclosure; or
• it is reasonable to comply with the request without that individual’s consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
• the type of information that you would disclose;
• any duty of confidentiality you owe to the other individual;
• any steps you have taken to seek consent from the other individual;
• whether the other individual is capable of giving consent; and
• any express refusal of consent by the other individual.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
For the avoidance of doubt, you cannot refuse to provide access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
Once the DP Bill is finalised, we will update our guidance accordingly.
For further information please visit the ICO website: https://ico.org.uk/ under Right of Access (Subject Access Request).
There is a right to lodge a complaint with the ICO or another supervisory authority.
Please click on the following for a copy of the Patient Access to Medical Records - Request Form