Subject Access Requests
This guidance will help patients and service users to understand what a Subject Access Request (SAR) is. It also supports information governance (IG) professionals to respond to SARs in a timely manner.
Originally published: October 2020
Updated: December 2024
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
You have a legal right to ask for a copy of the personal information a health or care organisation holds on you. Asking for this information is known as making a Subject Access Request (SAR). You do not need to explain why you want the information, and in most cases the information is free of charge.
How do I make a SAR?
You can make your request to any part of the health and care organisation. You don’t need to find a specific person in the organisation to direct your request to. However, an organisation’s privacy notice (available on their website) may provide the contact details for the Data Protection Officer (DPO) or give more information about how you can easily make a SAR. You can also make your request in different ways, for example, face-to-face, by phone or in writing – including by email or via social media.
You may be asked to provide proof of your identity, for example, to supply a driving licence, passport or a marriage or a birth certificate.
What information can I request?
You can request many different types of information that are held about you. For example:
- information from your health and care record
- information about who has accessed your record and when
- communications about you for example emails, text or mobile messages
You can request a specific piece of information, or all the information that an organisation holds on you.
When will I get a response?
The organisation must respond within one calendar month of you making the request, although that time may be extended up to three months if the request is complex. However, if this is the case you will be told of the extension within the first calendar month.
Can someone else make a SAR on my behalf?
Someone else can submit a SAR for you – for example, a solicitor, family member or friend acting on your behalf. They will need to provide evidence that you have agreed to the request, such as a signed consent form.
Can I make a SAR on behalf of someone I hold registered lasting power of attorney status for, where they lack capacity?
If you have a registered lasting power of attorney for health and welfare for someone who has lost capacity, you can submit a SAR on that person’s behalf. The lasting power of attorney status will need to have been registered with the Office of the Public Guardian.
If you do not have a registered lasting power of attorney for health and welfare but you can provide evidence that you are acting in someone else's best interests (and they lack capacity) then your request will be considered. An example is where you were supporting someone who lacks capacity with a move to a new care home.
I’m a young person – can I make a SAR?
You can make your own SAR as a young person as long as there is evidence that you adequately understand your rights. Typically, young people aged 13 and over are considered to have a good enough understanding to submit a SAR unless there is information to suggest otherwise. Young people under 13 may also be able to submit their own SAR, as long as there is evidence that they understand their rights.
I have parental responsibility – can I make a SAR on behalf of a young person?
A young person can exercise their own data protection rights so long as they are deemed competent to do so. Typically, a young person aged 13 and over would be considered competent to make a SAR, unless there is information to suggest otherwise. Therefore, in most cases SARs made by a person with parental responsibility on behalf of a young person aged 13 or over will need the consent of that young person.
Similarly, there may be information to suggest a young person under 13 has adequate understanding to be considered competent to make a SAR.
If a young person of any age does not have sufficient understanding to exercise their rights themselves or consent to their parent exercising their right for them, health and care organisations may allow a person with parental responsibility to exercise the young person's right to make a SAR (so long as this is considered to be in the best interests of the young person).
Guidance for healthcare workers
As someone supporting the health and care of patients and service users, you need to understand that people have the right to access copies of their information.
You should also know who in your organisation is responsible for responding to SARs. Your organisation has one month to action and respond to a SAR – so you need to forward the request to the appropriate person or team as quickly as possible.
If you are a health and care professional, you may also be involved in reviewing the response or deciding whether certain information should be released. For example, you may need to carry out a serious harm review. This is to ensure information which would be likely to cause serious harm to the physical or mental health of any individual is not released.
If you are involved in responding to a request, see the section for IG professionals for further information. The IG lead, Caldicott Guardian or senior team will also be able to provide guidance and assistance where necessary.
Guidance for IG professionals
What are the key things I need to know?
- A SAR must come from the individual themselves or a person acting on their behalf (also see section on young people). It must be accompanied by sufficient information to enable you to verify the identity of the individual and then locate their personal data.
- You have one calendar month from the receipt of the request to respond unless the request is complex, and an extension is applied.
- Keep a log of all requests, including those made by telephone or in person. Keep records of requests for 3 years from the date of the closure of the SAR, in line with the Records Management Code of Practice.
- Where possible, enable your patients and service users to access their records online rather than providing photocopies.
- Failure to comply with a legitimate SAR risks breaching UK GDPR and a potential sanction by the ICO, such as an enforcement notice.
How should I confirm a person’s identity?
Confirming the identity of the person who has submitted the request is important: it stops organisations from disclosing personal data to the wrong person, whether through an honest mistake or as the result of a deliberate attempt by a third party to obtain someone else’s records.
You must be satisfied that you know the identity of the requestor before providing any information. This includes confirming whether or not you hold information about them, since telling an unverified requestor that a record exists is itself a disclosure.
If the information provided by the individual in their request is insufficient to confirm their identity, you may need to request information such as:
- proof of identification - for example, driving licence, passport, birth/marriage certificate
- proof of relationship - for example, you may need proof of parental responsibility when requesting information about a young person (for example the young person’s birth/adoption certificate with the requestor’s name, or a parental responsibility agreement or court order)
- proof of authority - an agent (such as a solicitor) will need to prove they are acting on the person’s behalf. For example, this may be through a letter of consent signed by the individual
What about SARs relating to young people?
Where a young person is competent
A young person can exercise their own data protection rights as long as they are deemed competent to do so. Generally, young people aged 13 and over are considered competent to make a SAR unless there is information to suggest otherwise.
Hence, a SAR made by a parent or other third party on behalf of a young person aged 13 or over, will (in most cases) need the consent of that young person.
Likewise, there may be information to suggest a young person under 13 has adequate understanding to be considered competent to make a SAR.
If you are not sure about the competency of a young person to submit a SAR, ask a health and care professional (HCP) to consider the competence of that young person.
Where a young person is competent, they can still agree that a request is made on their behalf by those with parental responsibility.
Where a young person is not competent
If a young person does not have sufficient understanding to exercise their rights themselves, a person with parental responsibility can exercise the young person’s right to make a SAR.
Where a person with parental responsibility is requesting information about a young person who lacks capacity to act on their own behalf, you must make reasonable efforts to verify that the person does, in fact, hold parental responsibility for that young person – see How should I confirm a person’s identity.
It is possible to restrict information going to a parent where it is not considered to be in the young person’s best interests. For example, where there are “do not disclose” notes on the young person’s record.
What if the request is from someone with registered lasting power of attorney (LPA) for health and welfare for the individual?
A person with a registered lasting power of attorney (LPA) for health and welfare is someone who has been appointed by the individual to manage their health and wellbeing affairs when they no longer have capacity to do so themselves. A person with a registered LPA is authorised to make a SAR on the individual’s behalf. A person who only holds power of attorney for finance cannot use that to make a SAR on behalf of the individual.
You may also allow a person without an LPA to make a SAR on behalf of someone without capacity if they can provide evidence to show that they are acting in the individual’s best interests, for example to support benefit claims or social care provision.
What about SARs made by third parties?
Individuals can authorise third parties (for example, solicitors) to make a SAR on their behalf. Health and care providers releasing information to solicitors acting on behalf of their patients and service users should ensure they have the individual’s written consent.
The request should be treated as if it came directly from the individual. There are very few circumstances when a health and social care provider will be able to lawfully decline such requests. You are still required to validate the consent in order to make sure it has come from the correct individual, and they have enough information to understand what they were consenting to. For example, where an insurance company asks for all medical records, you may feel it helpful to explain to the data subject what this means. A more proportionate disclosure would allow the insurance company to do their assessment without having access to all the data subject’s health or care information.
The British Medical Association has further guidance on responding to SARs from insurers.
How long do we have to respond to a SAR?
Organisations have one calendar month from the date that the request is received to complete the request (either to provide the information or to confirm refusal).
If the corresponding date falls on a weekend or a public holiday, the deadline would be the next working day.
If there is no corresponding calendar date in the next month (because the month is shorter), the deadline would be the last day of the following month.
When you need to request ID or clarification, you can ‘pause the clock’ until the requestor has returned the required information to you. The days spent waiting are added to the deadline: for example, if the requestor takes 7 days to respond to an ID request, your one-month deadline moves back by 7 days.
In some circumstances you may be able to extend the SAR deadline by a further two months where the request is considered ‘complex’ (see complex requests below).
The ICO has more information on the deadlines that apply.
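The deadline rules above have several edge cases (no corresponding date in the next month, a due date landing on a weekend or public holiday, days added for a paused clock, and the three-month extension for complex requests) that are easy to get wrong in a SAR log or tracker. The following is an added example, not part of this guidance, showing one way to compute the dates under exactly the rules stated on this page. The public-holiday set and the sample receipt dates are constructed for the demonstration; an organisation would substitute its own holiday calendar.

```python
"""Worked example: computing the SAR response deadline under the rules above.

Added illustration, not part of the original guidance. It follows the page's
model: one calendar month from receipt (three months when an extension is
applied), no corresponding date -> last day of that month, weekend or public
holiday -> next working day, and days spent waiting for ID or clarification
added on to the deadline. The public-holiday set below is an assumption you
would replace with your organisation's own calendar.
"""
import calendar
from datetime import date, timedelta

# Assumed public holidays used by the demo below (constructed, not exhaustive).
ASSUMED_HOLIDAYS = frozenset({date(2024, 12, 25), date(2024, 12, 26)})


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such date (e.g. 31 January + 1 month), the
    deadline is the last day of that month, as the guidance states.
    """
    years, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=frozenset()) -> date:
    """Roll a date forward while it falls on a Saturday, Sunday or public holiday."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, *, complex_request: bool = False,
                 paused_days: int = 0, holidays=frozenset()) -> date:
    """Final date by which the SAR response must be sent."""
    months = 3 if complex_request else 1
    due = add_calendar_months(received, months) + timedelta(days=paused_days)
    return next_working_day(due, holidays)


def extension_notice_deadline(received: date, holidays=frozenset()) -> date:
    """Last day to tell the requestor an extension is applied: the original one-month deadline."""
    return next_working_day(add_calendar_months(received, 1), holidays)


if __name__ == "__main__":
    # Constructed scenarios, one per rule on the page.
    scenarios = [
        ("31 Jan 2024, no 31 Feb -> last day of Feb", dict(received=date(2024, 1, 31))),
        ("4 Jul 2024, due date falls on a Sunday", dict(received=date(2024, 7, 4))),
        ("25 Nov 2024, due date is Christmas Day",
         dict(received=date(2024, 11, 25), holidays=ASSUMED_HOLIDAYS)),
        ("1 Mar 2024, clock paused 7 days for ID", dict(received=date(2024, 3, 1), paused_days=7)),
        ("31 Jan 2024, complex request extended", dict(received=date(2024, 1, 31), complex_request=True)),
    ]
    for label, kwargs in scenarios:
        print(f"{label}: respond by {sar_deadline(**kwargs).isoformat()}")
    print("Extension must be notified by", extension_notice_deadline(date(2024, 1, 31)).isoformat())
```

Run it as a script to see each scenario. Note that the extension notice date is computed from the original one-month deadline, not the extended one, which is the point the guidance makes about telling the individual within the first month.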
What information should be made available in a SAR?
An individual can request to see any information you hold on them. Their request would apply to any form of information, for example, their health and care record, email, chats, text or mobile messages, telephone call recordings, paper records, CCTV, or human resources files. The information doesn’t have to explicitly name the individual to count as their information, as long as it contains other data which identifies the person, such as their date of birth, their address, or a code name (or pseudonym) which is documented as an identifier for them.
In some cases, the requestor may only want a specific record or piece of information, for example, they may only want a copy of a particular letter from the consultant. You only need to provide the information requested.
If the person does not specify what information they are requesting, you are able to ask them to confirm the scope of their request and what information they are looking for. They may still ask for ‘everything you hold’.
Even if it is requested, in some cases exemptions will apply which will mean certain information should be withheld from the SAR, for example, if the information would be likely to cause serious harm to the individual (see the section on redactions for further information).
What if a SAR asks for the requestor’s personal data that is contained in emails, when there may be hundreds?
An email search may return a large number of emails which makes it difficult to comply with the request within the one-month time limit. In this case you may contact the requestor and ask them if they would like to narrow the scope of the request. For example, you might be able to cover emails between particular dates or people; or covering particular subjects. If the requestor agrees, then you can filter the results down to those that are relevant.
It is important when looking at emails or messages to consider whether the content is actually the requestor’s personal data. For example, a text message may be addressed to them but consist only of a service message about bank holiday opening hours.
If the requestor does not wish to narrow down the scope, then you will still need to comply unless an exemption applies. However, you may be able to apply an extension to the one-month time period if the request is considered ‘complex’.
Complex requests and extensions
Where a request is considered complex you may be able to extend the response deadline to three months.
A request may not be considered complex just because it involves a large amount of information. One or more of these factors may be present which adds to the complexity and therefore justifies an extension:
- There are technical difficulties retrieving the information
- The information includes particularly sensitive data that requires significant review
- There are potential issues around disclosing information about a child to a legal guardian
- There are confidentiality issues around sensitive medical information
- You need to obtain specialist legal advice
- You are searching large volumes of unstructured manual records
If you are applying an extension, you must let the individual know within the one month deadline.
A proportionate effort should be made to comply with the request. An example of this could be by prioritising the emails with the most relevant content.
In all cases, it is important to keep the requestor informed of the situation so alternative actions can be taken if necessary.
What information is exempt/When might I need to redact a response to a SAR?
Some information is exempt from disclosure under a SAR and would need to be redacted from a SAR response. Exempt information may include information which:
- would be likely to cause serious harm or distress to the requestor or another person if released
- identifies a third party (see What if records contain data about other individuals?)
- would prejudice the prevention or detection of crime
- contains confidential employment data such as references or management information
- contains child abuse data
There are a number of other exemptions which may apply. A full list of exemptions and guidance is available from the ICO.
Further information on specific exemptions is provided below:
What if the release may cause serious harm or distress to the requestor or another person?
The team handling SARs may carry out an initial check for information which would be likely to cause serious harm or distress. Where the team is unsure, or identifies information that may cause serious harm or distress (either to the individual or a third party), an appropriate health and care professional should review the response before it is sent. The health and care professional then decides whether that information should be released via the SAR. This assessment should be made by the professional who has most recently been responsible for the person’s diagnosis and treatment or, where they are not available, another healthcare professional with appropriate experience and qualifications to make the decision. Where some of the information cannot be disclosed, the serious harm exemption should be applied.
What if the records contain data about other individuals (third parties)?
If the individual’s information contains data about a third party who has not given their consent for disclosure, it may be reasonable not to disclose that information. This will be the case if you believe the duty of confidentiality you owe to the third party outweighs the individual’s right of access. This exemption does not cover health and care professionals who have been involved in providing care or support to the individual (also see the question on whether to inform the requestor that information has been redacted).
See the guidance from the ICO on requests which involve information about other individuals such as a family member.
Should the names of admin staff working in health and care organisations be disclosed in a SAR response?
Information that may identify staff who have viewed or contributed to a health or care record is not generally exempt from disclosure should an individual request it - irrespective of the staff member's role within your organisation.
However, there may be circumstances in which withholding the identity of a staff member would be justified. Usually this will apply to non-clinical staff, and there should be reason to believe that disclosing their details would be likely to result in them suffering serious harm. An example is where a receptionist reports an individual’s threatening behaviour to a clinician, who subsequently records this information in the patient’s record. It would be reasonable to withhold the receptionist’s details (but not the clinician’s) from any subsequent SAR.
What if the release of the information would prejudice the prevention or detection of crime?
Where necessary, information may be withheld for the purpose of the prevention or detection of crime. If you have withheld information, you may generally tell the requestor why they cannot have the information. However, there are cases where the redaction should not be disclosed to the requestor if disclosing this information would be likely to prejudice a police investigation.
What if the information contains child abuse data?
Child abuse data is information which reveals whether an individual is or has been the subject of, or may be at risk of, child abuse.
If a SAR is being made on behalf of an individual by:
- someone who has parental responsibility for the individual; or
- someone who has been appointed by a court to manage the individual’s affairs (known as a personal welfare deputy)
then you may need to redact information relating to child abuse if you believe that disclosing this information to these people would not be in the best interest of the child.
If the request is made by the individual themselves, or by someone appointed by the individual rather than by a court (for example, someone with a registered lasting power of attorney for health and welfare), you may not redact on this basis, though other bases for redaction might apply (such as protecting the individual from serious harm).
Where a SAR involves child abuse data, you should involve your Caldicott Guardian in the decision of whether to disclose or not.
Where the decision is to withhold child abuse data, the child abuse data exemption should be applied.
Should I inform the requestor that information has been redacted?
It is good practice to inform the requestor that information has been redacted. If the requestor subsequently requests to see it, you should refuse the request if it is exempt under data protection legislation.
If informing the requestor of this decision would be likely to cause serious harm to them or to a third party, then the requestor should not be informed about this decision.
In all cases, where information is withheld from being released under the SAR exemptions, the organisation must justify and document the decision to withhold that piece of information in case it is challenged in future.
You will need to have software redaction tools for this purpose.
What about where we have integrated care records?
For integrated care records, where an individual's records are connected from across the health and care system, all the participating organisations must have policies and procedures in place to ensure the appropriate management of SARs.
There also needs to be a process in place to ensure that SARs related to integrated care records receive responses. This should be detailed in the data sharing and processing agreement. A process which has worked well in some areas is the establishment of an information sharing group which leads on the request. Each contributing organisation would be asked to send their redacted data to the information sharing group who would respond to the individual.
It must be made clear to individuals that this is the process in case they do not want information sent outside the organisation that holds it. In such cases the ‘holding’ organisation should deal with the request on an exclusive basis.
Are there any cases where I can refuse to answer a SAR?
A SAR can reasonably be turned down in the following circumstances:
- You do not hold the information. For example, if a SAR is submitted in error to a hospital which did not actually provide the individual with treatment.
- The requestor cannot suitably prove their identity. You must be satisfied that the request comes from the subject of the SAR (or a third party representative – see above), and not someone attempting to fraudulently access their data.
- Where a third party is making the request on behalf of the subject of the SAR, you have no evidence the subject has consented to the third party making the SAR on their behalf.
- All the information requested falls within an exempted category of information.
- The SAR covers the same timeframe as a recent one. You do not need to respond regarding that same period again, but you would need to action any information that has arisen between completion of the last SAR and the date the new one is received.
- You believe the SAR to be “manifestly unfounded or excessive”.
What is a manifestly unfounded or an excessive request?
See ICO guidance on manifestly unfounded and excessive requests. SARs that fall into this category are likely to be:
- repetitive - for example, regular requests for copies of records especially where there has been little or no change to the record since the previous request
- aimed at disrupting your organisation
- targeted against an individual.
Decisions about whether a SAR falls into this category must be taken on a case-by-case basis and you should be able to justify your decision with evidence. If you choose to respond to a request that you have decided is manifestly unfounded or excessive, you may charge a reasonable fee for doing so.
What if the requestor is unhappy with the refusal to answer a SAR?
If you refuse to comply with a SAR, you must inform the requestor of the reasons why, and of their right to complain to the Information Commissioner’s Office (ICO) and to seek to enforce this right through the courts.
What requests for information might not be SARs?
It is important to draw a distinction between SARs and requests made under the Access to Medical Reports Act (AMRA) 1988, which concern medical reports prepared on individuals for employment or insurance purposes. As part of the consent process, an applicant seeking the preparation of a medical report for these purposes must inform the individual of their right to see the report: either once it has been completed by the doctor and before it is sent to the applicant, or for up to six months after it has been sent.
For SARs, the interests of the third party should be aligned with those of the individual, for example, solicitors pursuing personal injury claims on behalf of their client. In cases where the interests of the third party are not aligned with the individual (for example, an insurance company assessing a claim) then a SAR will not be an appropriate route to access information.
If the request from a solicitor or third party is for a copy of information that you hold, it is likely to be a SAR. If the request is for a report to be written, or for an interpretation of information within the record, this request would go beyond a SAR.
A SAR should also be distinguished from a request under the Access to Health Records Act (AHRA) 1990, which applies to requests about deceased people. Records of the deceased can only be accessed under the AHRA and not via a SAR. See the guidance about Access to the health and care records of deceased people for further information.
See this BMA guidance for more information on handling the different types of requests to access health records you might receive.
Can I charge fees to respond to a SAR?
In most cases your organisation cannot charge an administration fee for responding to a SAR. A “reasonable” fee can still be charged for requests that are manifestly unfounded, repeated or excessive, or where further copies of the information are requested (see above).
How should I ensure my response is sent securely?
Any information sent in response to a SAR must be sent securely and confidentially. To reduce costs, redactions and release of information should be done electronically wherever possible.
If information is sent electronically, it must be sent using secure encrypted email or secure encrypted file transfer software. Redaction software should be used where possible, and it must remove the underlying text or image data rather than place an overlay over it; before sending, check the final document (for example by searching it for the withheld text) to confirm the redacted content is no longer recoverable.
If information is sent as a hard copy on paper, or on removable media such as a memory stick, it must be sent by recorded delivery or by courier and signed for upon receipt. Removable media should be encrypted, with the password or key sent separately from the device.
Further guidance
Updates since original publication
Patients and service users section:
Information for young people and those with parental responsibility updated to align with training.
IG professionals section:
Guidance on SARs relating to young people updated.
Appropriate professionals to conduct serious harm reviews clarified.