Data subject access rights and your medical practice: The UK Information Commissioner’s Office (ICO) issues advice.
Medical practices have reported a significant rise in subject access requests (SARs) since the GDPR came into effect in May last year, a trend also seen in other sectors. Here are some points of advice from the ICO:
- General Practitioners (GPs) cannot query the reason for requesting the information.
- Providing a patient with online access to their health records may be sufficient.
- An SAR response may be provided electronically (subject to safeguards such as encryption).
- GPs can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
Where an SAR is made on behalf of a patient by their legal representative:
- GPs may ask for evidence of clear, specific authority of the data subject to exercise their right of access.
- If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought.
- In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient.