GDPR/Data Protection 2018 gives every living person, or an authorised representative, the right to apply for access to any personal information an organisation is using or storing.
The GDPR privacy policy for direct care is displayed in the waiting room, in the practice booklet and on the practice website. There is no fee for this service.
A request for access to medical health records held at Loxwood Medical Practice can be made in writing (e-mails are accepted) or verbally over the telephone to our Secretary team. A GP Partner will have ultimate responsibility for releasing any information.
We will comply with an access request (SAR) providing we have sufficient information to identify the requesting person and to locate the information held about them within 1 calendar month ‘Day one’ is the day of receipt – for example, a SAR received on 3 September should now be responded to by 3 October.
If we receive a SAR, but the patient hasn’t signed the consent form, the clock would start ticking once you have obtained consent (in exceptional circumstances where it is not possible to comply within this period the subject will be informed of the delay and given a timescale for when the request is likely to be met).
Subjects are entitled to request all information that we hold about them, but it is reasonable to ask whether all information is required or if a more tailored or limited amount of information may be preferable.
When making a request for access, it would be helpful if details of the time-periods and which aspects of the health record are required.
If an authorised representative is making the request, the patient needs to be aware that in doing so they may gain access to all health records concerning them, which, may not all be relevant. If this is a concern, the patient should inform their representative what information they wish them to specifically request when they are applying for access.
A request can be refused if it is ‘manifestly unfounded or excessive’. The patient must be informed with an explanation why and that they have the right to complain to the ICO.
In some circumstances, we have the right to withhold information held in the medical record:
- If it is likely to cause serious physical or mental harm to the patient or another person
- Information relates to a third party who has not given their consent for disclosure
- If information is requested by a third party and the patient has requested that their information remain confidential. Such information will remain confidential once considering the legal implications of a request for the purpose of litigation.
- It is restricted by order of the court
- It relates to the keeping or using of gametes or embryos or pertains to an individual being born as a result of in-vitro fertilisation
- Or in the case of children’s records, disclosure is prohibited by law e.g. adoption
Any exempt information, such as third party names or information personal to another person will be redacted by us. The GP takes full responsibility as to whether or not to disclose information.
If an explanation of unintelligible medical terms is required this will be provided on request.
Patients may seek a correction of medical information that they believe is inaccurate. The GP is not obliged to accept the patient’s opinion, but must ensure that the medical record indicates the patients view. A copy of the correction will be supplied to the patient. Patients have the right to apply to the ICO or the courts to have inaccuracies amended or destroyed.
Parents may have access to their children’s records if this is not contrary to the child’s best interests or the child’s wishes. Refer to the BMA guidance below for who has parental responsibility and a detailed version of information contained within this policy.
Patients with a mental disorder or some degree of cognitive impairment should not automatically be regarded as lacking capacity to give consent and can make valid decisions about some matters that affect them, refer to the BMA guidance.
Healthcare professionals have the power to disclose medical records to the police, but there is no obligation to do this without a court order or a warrant. Patients must give their consent or there needs to be an overriding need in the interest of public safety, such as a serious threat to public health, national security, the life of an individual or a third party, or to prevent or detect serious crime. For more advice speak to the Caldicot Guardian.
The ICO state that the use of a SAR to disclose medical information for life insurance purposes is an abuse of subject access rights which could also risk breaching the GDPR. If such a request is received from an insurance company, the patient will be contacted and the information requested may be given to the patient and it is their choice to disclose it to the insurance company. Insurance companies are expected to make a formal GP Medical Report request under the terms of the Access to Medical Reports Act 1988 for which there is an administration charge.
Making a Request
Please download, complete and print this form and return to Loxwood Medical Practice:
Subject Access Request Form 08_24
Disclosure after Death
There is an ethical obligation to respect a patient’s confidentiality beyond death. There is also a duty of confidence attached to the medical records of a deceased person under section 41 of the Freedom of Information Act. Under the terms of the Access to Health Records Act 1990 a personal representative or a person who may have a claim arising out of a death has a right of access to information which is directly relevant to a claim. Medical information that is not directly relevant to a claim should not be disclosed.
Request for information from the medical record of a patient that has died should be made in writing to a GP.
A GP can use their discretion to disclose information about a ‘last illness’ to the relatives of a deceased person. This may be of benefit for example to disclose a hereditary or infectious condition, a misdiagnosis or negligence where the deceased person would have wanted disclosure in the interests of justice.
Patients no longer Registered at Loxwood Medical Practice
Medical records are not stored at the GP surgery once a patient has moved away or died. It is the responsibility of PCSE to store these records appropriately and destroy them once they reach their retention age.
Complaints
If a patient has any complaints about any aspect of their application to obtain access to their health records, they should first discuss this with the clinician concerned. If this proves unsuccessful, they can make a complaint following our complaints procedure.
Alternatively you can contact the Information Commissioners Office (responsible for governing Data Protection compliance). Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Tel 0303 123 1113 or 01625 545 745 or www.ico.org.uk