Creating a new NHS England: NHS Digital and NHS England have now merged. Health Education England will join us in April 2023. Learn more.

NHS England - Transformation Directorate

Guidance for Subject Access Requests offers clear advice

Dan Greenwood is Head of Information Governance and a Data Protection Officer at Greater Manchester, Tameside and Glossop Integrated Care NHS Foundation Trust.

If you’re an information governance (IG) or health and care professional like me, you’ll probably have encountered the same issues and challenges with explaining the importance of IG to people you work with, reassuring people that their data is being used safely and appropriately, as well as dealing with Subject Access Requests (SARs). You may even have needed guidance on certain things yourself. I’d strongly encourage you to take a look at NHSX’s Subject Access Requests (SARs) guidance. This has helped me tremendously by providing the clarity I needed to respond effectively to requests. Below, I explain a little more about how incredibly useful this guidance has been in helping me do my job.

I’ve been in my current role for 3 years now. Even when I worked in IT, I always had an interest in information security, which makes me hugely passionate about what I do now, including being patient-centric and having a pragmatic approach.

One of the most rewarding aspects of my job is when staff and patients are satisfied that we have taken their data protection seriously and have been able to answer or investigate their queries and concerns. This is particularly relevant in relation to Subject Access Requests, which gives people the legal right to access their personal information from any health and care organisation that holds their records.

In my experience, there have been instances where staff are unsure or nervous about how to respond to SARs from patients, the public or colleagues, which can often lead to debates about whether a record should be released or not.

I would often be challenged on this, as there wasn’t always concrete guidance to rely on. However, in my mind (and according to data protection and GDPR) I was always able to defend and support why we should release a record, but this debate was a regular occurrence because of the ambiguity that surrounded it.

When NHSX published its SARs guidance, available on their information governance portal, it came as a massive relief. This hugely helpful guidance is clear, accessible and concise, and states in black and white how SARs should be dealt with. This has given me a clear steer and makes me much more confident discussing SARs with colleagues. I can signpost them to the guidance quickly and simply, and I know it is easy to understand and follow - giving them the knowledge they need to fulfil requests confidently.

We have also taken the opportunity to update our trust policies, to ensure that they’re more exacting and transparent. Staff are more aware about the dos and don’ts when it comes to managing records and information and have a clearer understanding of the role they play in ensuring patient and service user information continues to be managed safely and securely.

I’d strongly recommend anyone who needs concrete advice on this thorny topic to bookmark the guidance - it’s essential reading!