SUBJECT ACCESS REQUEST POLICY
You have a right, under the General Data Protection Regulation, to access the personal data we hold on you. To do so, you should made a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.
“Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including your name.
“Special categories of personal data” includes information relating to:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life or
- sexual orientation.
MAKING A REQUEST
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please contact the surgery.
Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.
Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.
In addition, we may also charge a reasonable fee if you request further copies of the same information.
INFORMATION YOU WILL RECEIVE
When you make a subject access request, you will be informed of:
- whether or not your data is processed and the reasons for the processing of your data;
- the categories of personal data concerning you;
- where your data has been collected from if it was not collected from you;
- anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
- how long your data is kept for (or how that period is decided);
- your rights in relation to data rectification, erasure, restriction of and objection to processing;
- your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
- the reasoning behind any automated decisions taken about you.
CIRCUMSTANCES IN WHICH YOUR REQUEST MAY BE REFUSED
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
On receipt of a request for a subject access report, we will
- Confirm your identity
- Confirm you have given consent if the request is made by a third party
- Review if we have already responded to a previous Subject Access Request
- We will write to you explaining the information we can provide to you and requesting an email address if you would like to receive your report in this way. If you would like a paper copy, we will make a paper copy available for collection, or if necessary we will post this to you.
- As an alternative, we will offer you on-line access to your computerised record if you would prefer this.
- We will confirm with you if you are happy to receive a copy of electronically held data only
- We will respond with an electronic report, or a printed copy of this report if you prefer, within 30 days.
- If you would like a copy of paper notes as well, we will need an additional 30 days to enable us to copy paper notes.
- If a request is made from a solicitor on your behalf, we will confirm, if it is unclear, whether your solicitor is requesting information under the Subject Access Request procedure, or as may be likely, the Access to Medical Reports Act, which has different provisions for the amount of data we need to provide.