GDPR and Subject Access Requests

Our fifth blog from Karen Heaton of Data Protection 4 Business covers how to handle a request from a patient or customer for details of the information that you hold on them.

In our blog today, we look at a data subject’s right to access, a powerful tool for individuals who have concerns about what information organisations hold about them.  Unfortunately, it can also be used for litigious purposes and such a request should be taken very seriously within your organisation, so please read on!

A data subject, in other words, you or I, can request a free copy of all personal data relating to us that an organisation holds – in any format – paper files, digital, videos or voice records.  Ok, do I have your attention now?  Even for a small organisation, that can amount to a lot of data.

Oh, and you have one calendar month to respond.

So, what must you provide and what is exempt?  Well, let’s see…

What information must I provide?

You must provide the following long list of information in relation to the personal data being processed as well as the data itself:

  • the purposes of your processing
  • the categories of personal data concerned
  • the recipients or categories of recipient you disclose the personal data to
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
  • the existence of their right to request rectification, erasure or restriction or to object to such processing
  • information about the source of the data, where it was not obtained directly from the individual
  • the existence of automated decision-making (including profiling)
  • the safeguards you provide if you transfer personal data to a third country or international organisation
  • the right to lodge a complaint with the ICO or another supervisory authority

I have a question or two:  would you know where to find the data? Would you be able to respond to the other information points above regarding the data you hold?  This is not a simple task and can amount to an operational headache for many organisations.

What information can I withhold?

The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared or it is reasonable not to require such consent – confused?).  For example, an email chain where people other than the data subject are mentioned would need to be considered for redacting.  How easily can your organisation find, review and redact third party information?

Other examples of exempted information:

Specific information regarding medical organisations

Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.

Subject Access Request (free) vs Access to Medical Reports Act 1988 (chargeable):
Requests from Solicitors acting on behalf of a Patient

The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a medical practice will be able to lawfully decline such requests. In this instance, you should ask the person acting on their behalf if there is specific data that they require, for example, are they requesting data covering a specific time period or illness or operation?  This is a valid question for you to ask if the patient data file is substantial.

Tip:  Don’t forget to get valid consent from the patient to disclose their personal and sensitive data to the Solicitor or third party. 

If, however, the request is asking for a report to be written or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.

Requests from an Insurance company

The British Medical Association, ICO and Association of British Insurers currently advise that Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.

So, that scenario is a bit more clear cut.

The bottom line is…

Your organisation or medical practice must take the time to consider and plan how to respond to a Subject Access Request from an operational perspective.   Don’t wait until you receive one to work out how it should be done.  The clock starts ticking from the day you receive the request.

Today’s fact.   Access to your data is a basic Right under GDPR and the Data Protection Act 2018.   A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request. A further failure to respond to requests from the ICO, or to any Enforcement Notice they serve, is a criminal offence.

=>   This is the worst-case scenario and easily avoided.  Ensure you have a robust operating procedure to handle Subject Access Requests and train your staff in how to respond, when to respond and what information to provide.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Previous blogs in the series:

How A Private Medical Practice Should Handle Social Media Complaints

It only takes one scathing patient review to make a substantial, negative impact on your practice and following. Brands that are quick to recover from such a knock back tend to follow some basic steps to resolve the matter quickly, thus avoiding the dreaded automated ‘apology’ response. Did you know that:

  • It takes 12 positive experiences to rectify just one negative experience?
  • A disgruntled patient will inform on average another 9-13 people about poor customer service.
  • 80% of your customer revenue will come from just 20% of your existing customer base.

With these facts in mind, it’s vital we nip any brand resentment in the bud quickly. But how? Let’s take a look at a few steps to ensure damage control when handling complaints in the future.

Respond ASAP

It’s vital you close this complaint down as quickly as possible. A negative review can be seen by all future patients deciding whether to use your medical services or not. A tip is to spend as much time and care handling a disgruntled patient as you would securing a prospective one. And the chances are the patient will remove the complaint once it is handled in a prompt and genuine manner.

  • Set a guideline for how complaints are to be handled
  • Be honest in your response time – if you only check your Facebook business page every 3 days, for example, then a reply within 24 hours is just not realistic.
  • Remember, even on weekends patients will expect the same level of commitment in your response time

Deal With The Complaint Offline

I have seen many examples where one negative experience on a public forum will snowball with others joining in, some of whom haven’t even used the services before! To prevent the situation from escalating, try using Facebook chat or even make the effort to call them. This shows the customer their query is of the utmost importance and that you will go out of your way to resolve the situation.

Acknowledge Your Mistakes

Be transparent and OWN your mistakes. Patients will respect you more than if you try to skirt around the issue and make excuses as to what went wrong that day. ‘I’m sorry’ is a very strong statement when it’s genuine.

  • Take ownership
  • Be genuine
  • Show your human side, not just the practice’s complaint procedure

Go That Extra Mile

I recently visited a cafe which belongs to a global super-brand. After ordering a simple salad, they mixed up my order 3 times and forgot I was still there, impatiently waiting 25 minutes later. On a time-constrained lunch, I was extremely unhappy, and when I finally received my food, I was surprised to be offered a free drink of my choice. Not only that, but on the way out I was given a gift card with another 2 free items for when I return.

Needless to say, the cafe left a favourable impression and I told my friends and colleagues about the fantastic service I received. All because they went that extra mile.

Remember To Follow Up

So you’ve responded to the patient on social media. You have dealt with their issue in a prompt manner and have apologised. But don’t close this down just yet.

To ensure you have met the patient’s needs, give them a few days’ cooling-off period before you attempt to reconnect. Thank them for their comments and ask whether you have answered all their questions and whether there is anything else that needs your attention before closing this down. Yes, it’s direct, but to the point.

Our team at Designated Medical have an extensive background in customer service and in ensuring the patient relationship is built on strong foundations. We are here to support Private Medical Practices in growing their brands and to ensure a ‘complaint handling’ procedure is put in place. We also have long experience using live chat to talk directly with our customers.

  • Do you need someone to cover your live chat a few hours a week?
  • How about regular check ups and engagement on all your social media platforms?
  • An extra team member to assist with all customer engagement, whether it be by phone, live chat or email?

Get in touch today with our specialised team and let us assist you with our bespoke service!

Contact us on  +44 (0)20 7952 1008 or
