Subject Access Requests (SAR)
If you wish to apply for access to your medical record, this can be done in two ways:
Sign up for Patient Access and request Access to your full medical record - please contact reception for further details
Patient Access Application Form - Detailed
Complete a Subject Access Request (SAR) Application form and submit to the Practice:
Subject Access Request Application Form
Once the Subject Access Request Application form has been completed, application is as follows:
E-Mail request is preferred - please e-mail your request to: firstname.lastname@example.org and your request will be dealt with within 28 days. We will send your records back in an electronic format free of charge
Hand your request in at the desk - we will provide a copy of your records without charge which can be collected at the reception desk.
REQUESTS SHOULD BE MADE ELECTRONICALLY WHERE POSSIBLE
We have a duty under GDPR to make the records available to the requestor or the data subject FREE OF CHARGE.
- Patient / Representative should make an application via email to email@example.com
- Under GDPR your SAR request must “specify the information or processing activities to which the request relates.” as per Recital 63. We would then provide that targeted SAR according to Article 15(3), i.e. no fee necessary. In some circumstances a request for full medical records may be deemed excessive and therefore a fee may be chargeable if the reason for request relates to a certain period in time or a certain condition.
- You could utilise Article 9(2)(f) which we believe to be the correct lawful basis for processing this sort of request under GDPR.
- If the case relates to employment or an insurance contract, then we believe that you should use the Access to Medical Reports Act (AMRA).
- If none of the above are suitable you could simply request a non GDPR, non AMRA but properly consented report. A fee would apply.
- Finally, we also assume you have made the data subject aware of the guidance on the ICO web site regarding the issue of 3rd parties requesting SARs from GPs. This says that another option is for us give the copied records to the data subject directly, and they then decide what data to share with you.
On the issue of consent, we are aware that many patients do not fully understand what is meant when they agree to all their records being disclosed to a third party. We are not party to your full consenting arrangements nor any other options they may have been given. GDPR requires their consent to have been freely, actively and demonstrably given and we believe our patient should have been advised of this. To ensure that they are fully aware we will contact the patient directly to ensure they do understand they are releasing their records and to give them the option of holding the records themselves so they can share information with you as they see fit.