Skip to main content

Subject Access Request (SAR)

What is a Subject Access Request (SAR)?

The General Data Protection Regulation (GDPR), which was implemented in the UK in conjunction with the Data Protection Act 2018, gives individuals the right of access to their personal data from any health and care organisation that holds records on them.  

A SAR is a request that can be made in writing, by email or verbally asking for access to the personal information a company or organisation holds on you. This is a legal right that any individual in the UK is entitled to exercise at any point for free. 

At Bronyffynnon Surgery, we ask that all requests are submitted to the practice in writing to allow for an audit trail and to enable us to provide the exact information that is being requested by the patient. When emailing information to the practice, we cannot guarantee the security and safety of the information during transit. By using email facilities, you are accepting the risk that your information may be compromised on it's way to us. If you do choose to email us, we recommend that you do not include any sensitive information within the body of the email. Where possible, please submit SAR requests in writing using one of our standard request forms which can be collected from our Reception Team. 

You can request a full copy of the medical records that are held for you at the practice, or a partial record of a specific time period that you require. 

If you require a more specific letter with regards to certain diagnosis and treatments, these requests may come under the remit of our Private Services and are not covered by a simple SAR request; these services are not covered under our contract with the NHS and therefore attract charges.  These charges are required to be paid up front upon receipt of your request; our reception team will advise at the time your request is made. Please click HERE for more information about our private services and fees. 

Please note: We do not hold medical records in the same format as a hospital setting. If you want to see copies of your hospital records, you should ask your health setting that provided your care or treatment in secondary care.

 

Making a request

Your request should specify you are making a request to access your own information, by clearly marking your request ‘subject access request’. Providing us with sufficient information will enable us to locate your required information in a timely manner. Please date your request and provide:

  • Your full name, including any aliases, if relevant;

  • Your up-to-date contact details, date of birth and NHS number if available;

  • A comprehensive list of what personal information you want to access, based on what you need;

  • Details, such as relevant dates/time periods, episodes of treatment, etc.

We will require acceptable proof of identification and address consisting of one item from List A and one from List B:

  • A - Birth certificate, marriage certificate, passport or driving license;
  • B - Bank/Building Society statements, recent utility bill, tax certificate, letter from Department of Work and Pensions.

All requests will be recorded and normally responded to within 30 days. If your request is complex or considered excessive, we may require extra time to consider your request which may take up to an additional two months. We will keep you informed if this is the case.

In most circumstances we will not charge to fulfil your request however, a reasonable fee may be charged for the administration of the request in certain instances, for example, if we think your request is manifestly unfounded or excessive or where further copies of information are requested.

 

Subject Access Requests (SARs) and children 

A child can exercise their own data protection rights so long as they are deemed competent to do so. Generally, children aged 13 and over, are considered competent to make a SAR unless there is information to suggest otherwise - please note, children as young as 10 can also be considered competent following clinical assessment. If the child (of any age) does not have sufficient understanding to exercise their rights themselves, you may allow a person with parental responsibility to exercise the child’s right to make a SAR.

If a SAR is made on behalf of a child who is deemed to lack capacity to act on their own behalf, information may be sent to a person with parental responsibility. However, this is not a decision that should be made automatically. In all cases the best interests of the child should be considered. It is possible to restrict information going to a parent where it is not considered to be in the best interests of the child, for example, where there are “do not disclose” notes on the child's record.

If your child does have capacity to understand the SAR process and their rights, we may need to seek consent for the SAR if you are requesting information on your child's behalf. 

 

Third party Subject Access Requests

Individuals can authorise third parties (for example, solicitors) to make a SAR on their behalf. Health and care providers releasing information to solicitors acting for their patients and service users should ensure they have the individual’s written consent.

It is important to draw a distinction between SARs (made by someone acting on the patient’s behalf) and requests made under the Access to Medical Reports Act (AMRA). Requests under the AMRA are made by a third party who is not necessarily acting on the patient’s behalf - for example, an insurance company. If the request from the solicitor is for a copy of the patient and service user’s health record (or extracts of the record) it is deemed to be a SAR. If the request is asking for a report to be written, or it is asking for an interpretation of information within the record, this request would go beyond a SAR. It is likely that such requests will fall under the AMRA framework for which fees can be charged.