What is an SAR?
An individual has the right to ask an organisation whether or not they are using or storing their personal information. They can also ask the business for copies of their personal information, verbally or in writing.
This is called the right of access and is commonly known as making a subject access request or SAR.
Under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), individuals, referred to in the legislation as Data Subjects, have the following rights:
• Transparency over how we use their personal information (right to be informed).
• To request a copy of the personal information we hold about them, which will be provided to them within one month (right of access).
• An update or amendment of the personal information we hold about them (right of rectification).
• To ask us to stop using personal information (right to restrict processing).
• Ask us to remove their personal information from our records (right to be forgotten).
• Request us to remove their personal information for marketing purposes (right to object).
• To obtain and reuse their personal data for their own purposes (right to portability).
• Not to be subject to a decision based on automated processing.
The legislation does not require an individual to make a request in writing. However, Medicus Health Partners is of the view that a written request is preferable for record purposes. If any individual makes contact, whether by telephone, text or in any other way, asking how they should make a request, they should be advised that they can make the request by letter or email to the Data Lead Officer at the address of the surgery at which they are a patient.
Any request to exercise one of these rights should be passed immediately on receipt to the Data Lead Officer at the surgery at which the patient is registered, who will deal with the request.
On receiving the request the Data Lead Officer will:
• Record the receipt of the request on both any database relating to the individual and the data subject access database.
• Consider whether they are satisfied the request is from the Data Subject or whether identification should be requested before responding.
• If the request is from an individual or organisation acting on behalf of the Data Subject, ask for and receive written authorisation (consent) from the Data Subject to provide the access to that individual or organisation.
• Where the Data Subject has given written authorisation (consent) to the release of information to another individual or organisation, but there is concern as to whether the Data Subject (patient) has understood the meaning of the authorisation, consideration will be given to sending the response or the information direct to the Data Subject.
• If the request is made by an individual or organisation (e.g. the Police) who does not act on behalf of the Data Subject, ensure that they have the appropriate legal authority to make the request.
• If the request is made after the death of the Data Subject, check whether it is the Personal Representatives who are making the request. Careful consideration should also be given as to whether there are issues of confidentiality in respect of the personal information and, if there are, whether this means the information should not be disclosed.
• If the patient (Data Subject) is a child under 16 years, consideration will be given as to whether they are mature enough to give their own consent to access the personal information or whether the person or persons with parental responsibility must give consent. If there is any difficulty in making the decision, the DPO will be consulted.
• If agreeing to the request would result in disclosing personal information of another Data Subject, then the consent of the other Data Subject should be obtained or the information relating to them redacted.
• Acknowledge the request within 7 days. We have standard draft letters to be used for acknowledging these requests.
• Make a diary entry for the request to be fully responded to within 30 days. We can extend the time, where necessary, by up to two further 30-day periods.
• Undertake full consideration of the request and decide whether to agree to the request or whether there are proper grounds for not agreeing to the whole or any part of the request.
• Prepare a response in respect of the decision and send this to the individual (Data Subject) making the request. We have draft responses which can be used as templates.
• Record on the subject access request database and on any records relating to the individual either copies of the full response or a note setting out the decision made.
Subject Access Request Form
What is eConsult?
Where can I get help in using eConsult?
Is it easy to use eConsult?
Does eConsult mean I won’t see my GP?
Do I need an account and password?
How can I use eConsult when I don’t have a computer, tablet or smartphone?
eConsult is only available online, but you can still telephone the GP surgery in the same way you always have. Practice receptionists will talk you through a questionnaire and complete an eConsult on your behalf if you do not have online access.