Record Providers will now have to change how they respond to Subject Access Requests under the new General Data Protection Regulation (GDPR), which came into force on 25th May.

How does GDPR change Subject Access Requests?

Several aspects of how Subject Access Requests are dealt with have changed as follows:

  • Record Providers will no longer be able to routinely charge for providing copies of patient Records
  • Record Providers must supply additional information alongside the patient’s data
  • Record Providers must now respond to any Subject Access Request within a month (instead of 41 days)
  • Providers can now also negotiate over how much information they provide

“Additional Information”

Together with the original personal data concerning the data subject, Record Providers must now also (where applicable) provide:

  • The purpose(s) of the processing
  • The categories of personal data being processed
  • The recipients or categories of recipients
  • How long the patient’s information will be held
  • The rights of rectification, restriction, objection and where applicable erasure
  • The right to complain to the Information Commissioner’s Office
  • The patient’s right to be told more about the source of their data received from other organisations
  • The existence of, logic behind, and consequences of any automated processing

Declining Requests:

A Record Provider can decline a Subject Access Request (or ‘not take action’, in GDPR terms). However, the Record Provider will have to justify why within the one month deadline.

Extensions of Time to deal with Requests:

Record Providers can advise that they require extra time, where they believe that it will take longer than one month to collate and supply the data. The Record Provider must advise if this is the case within the usual one month deadline, and they then have up to an additional two months to provide the information.

Negotiating a Subject Access Request

A Subject Access Request was defined under the Data Protection Act as the entire contents of the patient record, and under GDPR the same basic principle applies. However, it has now been recognised that a large volume of data is held on patients, so a new option has been introduced to supply less than the entire record by mutual agreement.

This means it can be agreed with the patient (within the one month period) to narrow down the data required to satisfy the request, provided they agree voluntarily and freely.

However, if it becomes apparent that additional documents are required, subsequent Subject Access Requests could then be chargeable.

When can a fee be charged for a Subject Access Request?

Charges can be applied for ‘repeat requests and for unfounded or excessive requests.’ For a repeat request a fee can only be charged to cover administrative costs.

GPs can also either refuse to comply with requests that are ‘manifestly unfounded or excessive’, or comply but charge for the inconvenience. However, ‘unfounded’ and ‘excessive’ are not defined, either in the GDPR itself or in related guidance, so this will depend on an interpretation of how reasonable the request is. GDPR does describe ‘repetitive character’ as being a qualifying criterion. If the request is complied with, GPs can charge for: ‘the administrative costs’; ‘providing the information’; ‘communicating the data’; or ‘taking the action requested.’

Third Party Requests

A third party, including legal representatives, can request patient Records on behalf of a patient, and a fee cannot ordinarily be charged for a first Subject Access Request.

However, Solicitors are not permitted to seek a Subject Access Request to support an application that should be made under the Access to Medical Reports Act (AMRA), i.e. Reports for Employment and Insurance purposes. This covers anything covered by an insurance contract that requires a Medical Report. If a Solicitor’s letter does not make the precise purpose of the request and Report clear, then it may be queried whether the Report is being requested under GDPR or AMRA. If the Report is to support an actual or potential insured claim then AMRA applies and a fee can be charged.

Although it is good news that Subject Access Requests will now have to be dealt with within a tighter deadline, which will avoid unnecessary delays, care should be taken when requests for Records are made, particularly to GPs, and where access to Medical Reports is required (as above), as in those instances fees may still be chargeable.


Lindsay Woolford