Right of Access – No. 9

Obtaining access to their own information is one of the most frequently exercised rights afforded to data subjects. Those rights have changed under the new data protection legislation, making it easier for patients to access their medical records. Controllers can no longer charge for providing data subjects with their personal data, and they must now respond within a month, where previously they had 40 calendar days.

This week we look at how to manage these requests, how GP systems can be used to help with compliance, and how to handle requests that are not straightforward.

What would be the cost to your practice of a large number of patients submitting Subject Access Requests (SARs), to which you are obliged to respond without charge? Those costs will be minimised by not having to print out and post reams of paper records, and this can be achieved by giving patients access to their full record electronically. There remains a resource issue related to checking the records, but the effort of doing so would have other benefits. How much time would be freed at reception if your patients had instant access to their results without having to telephone first? Could non-clinical staff be trained to identify (and flag) third-party or harmful data, and might such a role be centralised? Consider these issues at your practice and discuss ways of delivering solutions at scale in your network meetings and with your CCG and Federation. More below.

Review of action points from prior session

  • To do 26 – Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 – Conduct a physical audit in your practice. Test staff awareness and processes to see if there are any potential information risks or training needs.
  • To do 28 – Review the example information risk register and update it for your practice.
  • To do 29 – Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register.
  • To do 30 – Discuss the future provision of a DPO for your practice (at a practice, CCG or Federation level) and, if you have not done so already, make arrangements to appoint one in 2019.
  • To do 31 – Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian).
  • To do 32 – Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles to which a breach is reported.
  • To do 33 – Review NHS Digital’s Incident Reporting guidance and ensure you follow it.

Work covered this week

Right of Access

GDPR gives individuals a right of access to a copy of their personal data held by a Data Controller. As Data Controllers, GP Practices must now supply a copy of all information they hold about an individual on request, for no fee and within a month.

Since March 2016, it has been a contractual obligation to allow patients access to their medical records via the organisation’s Patient Online system (SystmOne or EMIS). Both clinical systems allow patients to register and access all information held about them, which ensures they have up-to-date and timely information at hand. Many patients currently use Patient Online to book appointments and obtain prescriptions through the Electronic Prescription Service (EPS), but a smaller proportion uses it to access their medical record.

Allowing access to electronic records is not a binary decision, and there are significant resource implications. You should have a system in place for allowing patients to apply for access to their records online, and any system you have should take into account the resources required. The priority you place on this process will be decided by the practice partnership. If resources are limited, you can and should have a waiting list. However, it is worth recognising that if a patient requests electronic access to their record and this is declined (or put on a waiting list), they are entitled to submit a SAR, and practically speaking the quickest and easiest way of responding to this within one month will be to provide them with full access to their record through Patient Online. If your practice requires help in providing this service, there is a wealth of useful information from the RCGP, which is signposted below in the Resources section.

Where an adult patient requests access to their own records online, you should be assured that they are who they say they are. In most cases this will be by them providing two forms of ID: one photographic (such as a driving licence or passport) and one showing their address (such as a recent utility bill). If you can vouch that the person is who they say they are (for example, they regularly come to the surgery), this can also be a form of assurance before granting access.

Coded Data or Free Text?

SystmOne allows the patient to be given access to either their Read-coded data only or a copy of the full record including free text. Each Controller should decide whether they want patients to access just the coded information or the free text as well. As already noted, patients have a right to request the full record, and the coded information on its own would be insufficient to respond to a SAR.

Before access is granted, it is essential that the information in the record is reviewed to ensure it is suitable to be disclosed to the patient. The right of access is not an absolute right, and information can be withheld in a limited number of scenarios, including where it relates to third parties or where disclosure could be considered harmful or distressing to the patient. This review could cause resource issues; however, that cost should be weighed against the resource needed to handle requests for access in paper form now that no fee can be charged.

Specific data entries can be hidden from the patient’s online view, so it is important to ensure each problem in a given consultation is recorded as a separate entity (a new section), so that if information does need to be redacted later this can be done at a more granular level.

Access by Proxy

Access to children’s records

It is important to note that the right of access always belongs to the data subject, so there is no automatic right for a parent to access a child’s record. However, if an adult has parental responsibility for a child or is a legal guardian, a GP can decide whether to allow that individual access to the child’s record if it is in the child’s best interests. There is no statutory age in England and Wales at which a child is considered to have sufficient understanding to exercise their right of access; however, the new data protection legislation does stipulate that from the age of 13 a child is deemed to have the capacity to consent to the use of ‘information society services’, which online access to records can be considered to be.

Therefore, any request for access to records by a parent or legal guardian where the child is under the age of 13 should be considered on a case-by-case basis, taking into account whether the child may have the capacity to understand the effects this may have and to request that their information is not shared with their parents.

Where a child is between the ages of 13 and 18, again this should be decided on a case-by-case basis, but it is generally assumed the child will have the capacity to decide whether the parent or legal guardian can access their record. Such requests should be granted, and the parent’s consent sought only if the child is deemed to lack capacity or if the clinician feels that it is in the best interests of the child.

Access to records of elderly patients/adults lacking capacity

Where a request comes in to access the records of an elderly individual (such as a son or daughter requesting access to their elderly parent’s records), the individual should always be assessed as to whether they have the capacity to make such a decision themselves. If not, you should assure yourself that the person requesting access to the record has either Power of Attorney or a court order, or that access is in the patient’s best interests. It is important that you and your staff understand that these elderly patients are vulnerable and that such requests can on occasion be open to abuse. Where there is capacity, you should ask direct questions to ensure there is no coercion; where there is not capacity, you should always be mindful of the possibility of coercion.

Real life case study

In 2016 a GP Practice was fined £40,000 for disclosing confidential information while responding to a subject access request. The disclosure to a child’s father also included information relating to the mother (who had separated from the father and asked the Practice not to disclose her whereabouts), including her contact details, information relating to her parents and another third party. The Information Commissioner’s Office found that the Practice had insufficient systems in place to manage such requests.

Therefore, in circumstances where there may be concerns regarding safeguarding, domestic violence or other situations that could cause harm to individuals, every effort should be made to ensure the disclosure is appropriate and lawful.

Do remember, before allowing a patient or guardian access to clinical records you must be certain that:

  • They are who they say they are
  • They are allowed access to the requested record
  • The record given to them does not contain harmful or third party data

There is a series of eLearning modules available via the RCGP eLearning website referenced below. These include courses on coercion, identity verification, proxy access, children and young people, an overview of the benefits, protecting patients and the practice, and online access for clinical care.

General Resources

Output Documentation

Learning Points

  • Your practice should have an up-to-date access to records policy
  • You should have a system in place for allowing patients to apply for access to their records online
  • That system should take into account the resources required

Practice Checklist

  • To do 34 – Ensure your access to records policy is up to date with the new data protection legislation
  • To do 35 – Review your current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient identity verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Next session on 04.09.18

(Blog No. 9 due 11.09.18)

Taking all of the patient data identified in earlier blogs that is processed through the practice, and looking at the ways in which we use that information, we can now draw up a final Fair Processing Notification.
