Background
In accordance with Article 15 of the UK GDPR, individuals have the right to access their data and any supplementary information held by Prentis Medical Centre.
The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them. In addition, data subjects can authorise third-party access, e.g., for solicitors and insurers, under the UK GDPR.
When a data subject (individual) wishes to access their data, they are to be encouraged to use the subject access request (SAR) form which can be requested from the practice.
Overview
SARs are predominantly used for access to, and the provision of, copies of medical records. This type of request need not always be in writing (e.g., letter, e-mail). However, applicants should be offered the use of a SAR application form which allows for explicit indication of the required information.
Verbal requests will be documented, and a clarification letter sent or a telephone call made to the patient for approval.
Requesters must:
- Be the data subject OR
- Have the written permission of the data subject OR
- Have legal responsibility for managing the subject’s affairs to access personal information about that person
It is the requester’s responsibility to satisfy Prentis Medical Centre of their legal authority to act on behalf of the data subject.
Timeframe for responding to requests
In accordance with the UK GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the SAR.
In order to ensure full compliance regarding SARs, Prentis Medical Centre will adhere to the guidance provided in the UK GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the applicant will be informed in the first month and the reasons for the extension given.
Should the request involve a large amount of information, the data controller will ask the data subject to specify what data they require before responding to the request. Data controllers are permitted to ‘stop the clock’ in relation to the response time until clarification is received.
Fees
Under the UK GDPR, Prentis Medical Centre is not permitted to charge data subjects for initial access; this must be done free of charge. In instances where requests for copies of the same information are received or requests are deemed “unfounded, excessive or repetitive”, a reasonable fee may be charged.