
How to handle subject access requests under the new data regulations

Practices will have to change how they respond to subject access requests (SARs) under the EU’s General Data Protection Regulation (GDPR), due to come into effect on 25 May. 

Dr Paul Cundy, GPC IT policy lead, outlines what the major changes are and what practices should do to minimise disruption and costs.

How does GDPR change SARs?

Patients continue to have a right to see their records and, as data controllers, practices must provide them with access to those records.

However, several aspects of how practices deal with SARs have changed, as follows:

  1. Crucially, you will no longer be able to routinely charge for providing copies of patient records.
  2. You must supply additional information alongside the patient’s data – in effect the contents of the relevant privacy notice. [See below]
  3. Practices must now respond to any SAR within a month (instead of 41 days), and the definition of ‘one month’ varies. I would advise assuming a blanket 28-day response deadline.
  4. You can now negotiate over how much information you provide.

What additional data must we supply?

The additional information that you must supply, along with the original personal data concerning the patient (data subject), comprises an explanation of:

  • The purpose(s) of the processing
  • The categories of personal data being processed
  • The recipients or categories of recipients
  • How long the patient’s information will be held
  • The rights of rectification, restriction, objection and where applicable erasure
  • The right to complain to the Information Commissioner’s Office
  • The patient’s right to be told more about the source of their data received from other organisations
  • The existence of, logic behind and consequences of any automated processing

Remember this information, or an easily accessible link to it, has to be provided as well as the actual data relating to the patient.

Responding to SARs – your options

1. You can agree. If you agree to a SAR, you must respond within one month and include all the data you hold on the data subject plus whichever of the information listed above applies. Providing all the data you hold is regarded as the norm.

2. You can decline. You can decline to comply with a SAR, or as the GDPR states, ‘not take action’. However, you’ll still have to justify why within the universal one-month deadline and explain how the data subject can complain against your decision. One obvious reason for declining is if the data has not changed since a previous request.

3. You can say you require more time. Practices can inform a patient they require extra time, where they decide it will take longer than a month to collate and supply the data. In this case you must tell them this within the usual one-month deadline and you have up to an additional two months to provide the information.

4. You can negotiate. A SAR was defined under the Data Protection Act as the entire contents of the patient record and under GDPR that is the same basic default assumption, but it has now been recognised that over 20 years on we hold masses of data on our patients, so a new option has been introduced: you can supply less than the entire record by mutual agreement.[1]

This means you can agree with the patient (within the one-month period) to narrow down the data required to satisfy their request, provided they agree voluntarily and freely. You must not coerce people into asking for less than they want or need. In these circumstances clearly document what is agreed within a first SAR – for example, only the records of a hip operation. Subsequent SARs could then be chargeable, although you should take a reasonable approach. If the patient asks for one additional letter it would in my opinion be unreasonable to charge a fee, but if they ask for hundreds more pages, then a charge would be reasonable.

When should we negotiate?

You may feel a negotiated SAR is going to be more difficult and time consuming than just handing over the lot, but remember GDPR applies to all data formats – including the paper in Lloyd George envelopes. So, a sensible negotiated SAR might be everything you have on the patient in electronic form.

In most circumstances the patient is unlikely to want copies of the irrelevant historical paper records. Another option is to take everything from a certain date. There are other options and I’ve asked the IT suppliers to facilitate making these easier to action. Remember you still have to protect any other data subjects mentioned in the requestor’s records, ie, you must redact any information on non-medical third parties. The less given, the less there is to redact.

When can we charge?

You can apply certain charges for repeat requests and for unfounded or excessive requests.[2]

For a repeat request you can only charge a fee to cover your administrative costs.

GPs can also either refuse to comply with requests that are ‘manifestly unfounded or excessive’, or comply but charge for the inconvenience. However, ‘unfounded’ and ‘excessive’ are not defined, either in the GDPR itself or in related guidance, so this will depend on an interpretation of how reasonable the request is. GDPR does provide some clue in describing ‘repetitive character’ as being a qualifying criterion. If you decide to comply with the request, you may then charge for: ‘the administrative costs’; ‘providing the information’; ‘communicating the data’; or ‘taking the action requested’.

So, the fee might involve the cost of professional time to redact records, for example.

If you invoke the unfounded or excessive clause you must justify your reasons to the patient.

Do I have to provide records on USB sticks or CDs?

No. You can agree the medium with the patient. However, GDPR and the Information Commissioner’s Office (ICO) are very much in favour of electronic SARs, and if the request is made electronically it is expected that the response will be provided electronically. You can charge for the administrative or communication costs of second and subsequent SARs – which could include the cost of a USB stick/CD.

Could we simply sign patients up to NHS Patient Online to save time?

Yes. The GDPR states that ‘where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form’. Furthermore, it provides this very useful steer for GPs: ‘Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’ So it looks like NHS Patient Online would fit that bill very nicely.[3] Signing patients up for Patient Online, and ensuring they have a link to your practice privacy notice or privacy notices would satisfy GDPR patient access rights in full.

Saying no to a request for data

If you refuse a request it will be important to document your reasons for doing so and you must communicate them to the patient within the same one-month response deadline. You must also let the patient know their rights to complain about your decision to the ICO and it would be wise to also refer to your data protection officer.

Beyond the ‘excessive or unfounded’ clause you can also refuse to provide data where the patient already has the information. Other relevant exceptions include where:

  • It would involve a disproportionate effort (eg, letters from the 1960s that are no longer relevant)
  • It would disclose comments about a third party to the patient (except for others involved in their care)
  • It could result in harm to the patient or anyone else
  • The information is subject to a court order or is privileged, or subject to fertilisation or adoption legislation.

What if a third party requests data on behalf of a patient?

Patients can authorise third parties, including solicitors, to make a SAR on their behalf. Doctors releasing information to solicitors acting for their patients should ensure they have the patient’s written consent, which should be provided by the solicitor making the request. Provided the patient’s solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR should be treated in the same way as if it was made directly by the patient.

There are very few circumstances when a GP will be able to lawfully decline such requests.

Patients can authorise their solicitor to make a SAR for the purpose of legal claims, including employment or insurance purposes. GPs cannot refuse to comply with SARs which are made for reasons related to insurance or employment purposes.

It is important to draw a distinction between SARs and requests made under the Access to Medical Reports Act (AMRA). If the request from the solicitor is for a copy of the patient’s medical record, or a copy of some elements of the medical record, it is categorised as a SAR. GPs should not refuse to comply with a SAR because of the existence of the AMRA.

If the request is asking for a report to be written, or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the AMRA framework – for which fees can be charged.

Failure to comply with a legitimate SAR risks a breach of the GDPR and potential sanction by the ICO. GPs who are unsure whether the request is a SAR or a request under the AMRA should seek advice from the ICO.

What if insurers get patients to make SARs?

Section 185 of the Data Protection Act 2018 makes it legally ineffective to require a SAR to be made as part of a contractual arrangement. For example, an employer cannot require an employee to make a SAR to obtain their medical record so that it can be handed to the employer. Such a contractual condition would be deemed to be void.

Insurers or claims management companies can make their services conditional on a client giving them reasonable cooperation and access to relevant information. However, other routes of access exist, which means insurers should not need to use SARs in this way.

The ICO has previously stated that the practice of insurers requesting SARs on behalf of patients in order to obtain full medical records is not appropriate and an abuse of SAR rights.

Key learning and action points:

  1. Revise your SAR request procedures and paperwork
  2. You must provide a copy of, or link to, an additional processing information notice with every SAR or negotiated SAR
  3. Be aware of the tighter deadlines
  4. Use the negotiated SAR response to help save time
  5. Get patients to sign up for access to Patient Online instead of copying their records
  6. Be wary of solicitors’ and others’ letters. Be prepared to clarify requests

Dr Paul Cundy is IT policy lead at the BMA GP Committee. For more information on the GDPR please see the BMA website.

This article was updated on 20 June 2018 in line with BMA advice, to clarify that GPs cannot decline SARs made by legal representatives for insurance or employment purposes, and that any contractual condition requiring that a SAR is made is legally ineffective, rather than a criminal offence.

1. PrivazyPlan. EU GDPR, Recital 63.

2. EU GDPR. Final version (2016), Article 15(3).

3. NHS England. Patient Online: offering patients access to detailed online records.