Practices have reported a significant rise in SARs since the GDPR came into effect in May last year. GPs cannot query the reason for a patient or their representative requesting the information. However, the administrative impact of the increased workload on GP surgeries has definitely been felt. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.
• Practices may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available.
• Practices can provide the SAR response electronically (subject to safeguards such as encryption). A surgery only needs to print paper copies if it is asked to do so and this is reasonable.
• If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
• While the costs of providing initial copies need to be borne by the GP practice, it’s worth knowing that further copies can be charged for.
Requests from legal representatives
Where a SAR is made on behalf of a patient by their legal representative and is accompanied by the patient’s clear authority for that specific request, it should be treated in the same way as if it was made directly by the patient. The BMA have worked with the legal profession to create a standard form which legal representatives can use, which can be found in their guidance.
Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework. When practices receive requests from third parties they can consider the following:
• Before responding, ask for evidence that the third party has the clear, specific authority of the data subject to exercise their right of access. A general authority to act on the data subject’s behalf, or to request the sharing of personal data, is not sufficient.
• If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought.
• In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient who can then make their own choice about what information they pass on to their representative.
Requests from insurers
Insurers may also request patient information from GPs as part of managing policies and assessing claims. A separate framework – the Access to Medical Reports Act 1988, commonly known as AMRA – already exists as a mechanism for the insurance industry’s access to tailored medical reports used as part of underwriting policies or assessing claims. This route allows practices to charge insurance companies a fee for access to patient information and includes important safeguards for patients.