The uphill task of processing subject access requests. But it doesn’t have to be a headache says the ICO. Do you agree?

GPs and health and care providers up and down the country will be all too familiar with subject access requests – the right to access patient data. The principle has been imported from the old Data Protection Act 1998 and strengthened by the new EU General Data Protection Regulation (GDPR), which came into force in May 2018.

Many GPs have reported an increase in the number of requests received since the new data protection regime came into force last year – this view has been supported by a recent BMA survey which reported that requests have increased by more than a third since GDPR. The ICO believes this is partly due to lawyers increasingly submitting SARs on behalf of clients to support legal claims.

ICO offers practical advice and tips for GP practices dealing with requests

  • If available, do offer to provide a patient with online access to their health records.
  • Do provide the SAR response electronically, subject to safeguards such as encryption. Practices only need to print paper copies if they are asked to do so and this is reasonable.
  • Do ask the patient or their representative to clarify the information that would be acceptable to satisfy a SAR, particularly where there is a large amount of information.
  • Remember that the cost of the first set of copies must be met by the practice, but that subsequent copies can be charged for.

While these points serve as a reminder, they do not add anything new and are unlikely to lift the burden significantly.

Managing requests from legal representatives or third parties

The ICO says that such a request must be managed in the same way as if it had been made directly by the patient. The British Medical Association has worked with the legal profession to create a standard form which legal representatives can use – you can view the BMA’s guidance here.

But, in this respect, the ICO does make some useful points to bear in mind before practices (and indeed any health and care provider) respond to such requests:

  • Check that the third party has a specific authority to exercise their right of access to personal data. A general authority is not sufficient.
  • If a GP believes that more information than is necessary is being requested, do check with the patient.
  • If a GP has concerns about providing excessive information, do share the data directly with the patient who can then make their own choice about information they pass on to their representative.

And what about requests from insurers managing policies and assessing claims?

A separate framework, the Access to Medical Reports Act 1988, already exists to manage these types of request. It allows practices to charge insurance companies a fee for access to patient information and includes safeguards for patients. The ICO expects insurers to continue to use this process. Further information on this framework can be found here.

Other useful resources for practices and health and care providers

While the extra guidance is helpful, SARs still remain a heavy burden, although the ICO’s tips do offer a solution to a few tricky requests. If you have any doubt about your responsibilities, do take a look at the following guidance:

If you do have a tricky SAR, do get in touch, as we have a friendly and expert team familiar with the new data protection regime.
