Data Subject Access Requests.

How to deal with them in Private Practice.



Let’s imagine a patient pings your secretary an email – it’s about a Data Subject Access Request (aka: ‘SAR’). That patient wants a copy of all data you hold on them.

You’ve got just a month to get it to them. The shortest month of the year is February, so let’s err on the side of caution and call it 28 days. Have a think about the following:

Are you prepared?

Would you know what to do?

How much upset is it going to cause your day?

Can you gather that data together with just a few clicks of a button?

Can I decline a SAR?

Interestingly, there are times when you can decline a subject access request.

Imagine you have a patient who’s taken a dislike to you (humour me), and they’re bent on causing trouble. They’ve previously asked for their data, and you’ve dished it up to them once already.

If you know that absolutely zilch has changed in terms of their data since they asked for the last one, you can politely give their request the big heave-ho.

Other times you can decline a SAR include:

– If their data contained comments about another person (think STDs, genetics, or criminal convictions).

– If the patient might harm themselves or another person upon receiving that data.

– If the request is ‘vexatious’. The ICO defines this as being ‘likely to cause a disproportionate or unjustified level of disruption, irritation or distress’.

– If information is ‘privileged’, which means it’s a private statement between two people that can’t ever be shared (think ‘attorney-client privilege’, in U.S. of A. terminology).

– If a court order forbids it.

– If there’s a law forbidding it – such as in the case of data which is subject to fertilisation or adoption legislation.


It goes without saying that it’s really important that you explain your reasoning to the patient within the 28-day time frame, and you document your reasoning thoroughly.



The GDPR allows us to negotiate how much data the patient receives.

This seems counter-intuitive to the values of the GDPR.

But let’s imagine you were a rheumatologist and somewhere deep in a vault you had a rheumatoid patient’s life-long collection of paper notes, the scale of which would make any Munchausen’s syndrome patient jealous.

Stuff that happened back in the 60’s. When we were still encouraging people to smoke. For their health.

In that situation, you might negotiate with the patient that the last ten years of their electronic records would suffice.

Who else can ask for a SAR?

Requests from solicitors

I work in the musculoskeletal world, and I’ve received many SARs from solicitors as part of a patient’s personal injury claim when they were hit by a car whilst out training on their road bike. I’m sure solicitors must love SARs, as it will have made their lives a lot easier. And less expensive.

As long as the solicitor can provide written consent from the patient, you should treat this as if the patient has asked for it directly.

Who shouldn’t be asking for a SAR?

In a word, insurers. The ICO looks poorly on insurers who ask for data, and says it is ‘an abuse of the process’. It all has to go through the patient.

Additionally, if an insurer tries to gather information about a patient’s criminal record (by having a sniff through a patient’s medical records), that’s considered to be a criminal offence.


Additional information you should give the patient.


Along with their ‘data’, it’s also important that you provide the patient with an explanation of how their data is being processed (i.e. the categories of data you process, the lawful basis for processing their data, how long you’ll keep their data, etc.).

The simplest way to do this is to point the patient to the URL of your detailed and comprehensive Privacy Notice.

Need help with your Privacy Notice? We’ve done this for loads of clinicians so far and really know how to author the Privacy Notice to suit your Private Practice and help with GDPR compliance.

Get in touch at

Email and SARs.

Remember, a SAR isn’t just about the ‘notes’ and clinic letters. It includes emails too.

If you haven’t got your systems and processes in order, this could be a big task for you.

It’s stressful and cuts into your time.

Do you really want to be scrabbling through your inbox at 9pm, to satisfy the demands of someone who bumped their knee, slipping on a squashed peach in Sainsbury’s?

I know what I’d rather be doing at 9pm…


What about dead people?

Let’s say you’re a relative of a deceased person, and you want to get access to their records. Well, the GDPR doesn’t apply in the case of people who have died.

In the NHS world, when you die, your records are stashed away by Primary Care Support England. Under the ‘Access to Health Records Act (1990)’, if you’re a personal representative of the deceased (e.g. the executor of their will), or if you have a claim resulting from the person’s death, then you can access data that is directly relevant. Nothing more.

It makes sense that the same should apply in Private Practice.


Can I charge for dealing with a SAR?

You’re not allowed to charge patients or solicitors for dealing with the SAR, unless the SAR is ‘manifestly unfounded or excessive’. It’s unlikely that this will be the case.

In what form should you provide the data?

Article 15 of the GDPR states that ‘where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.’

Putting it another way, if they ping you an email requesting their data, it’s appropriate to email them their data.

I feel daft mentioning this, but, for goodness sake, make sure you send it via encrypted email.

If the patient insists it has to be in the form of a paper copy, guess what? Yep. You’ll need to print it all out for them.


What steps should you take when a SAR arrives?

Acknowledge that you’ve received the patient’s request, and that you will be supplying the data within 28 days. If it’s from a solicitor, make sure you have written consent from the patient.

If you’re using a Practice Management software system (and you should be), then make use of it! Many have now simplified this process (e.g. Heydoc has a great system for exporting data easily).

If you’re not storing emails within your Practice Management Software, you’ll need to retrieve that information too. Office 365 has a fantastic GDPR dashboard that we will be blogging more about in a future post.

Once you’ve gathered it together, you’ll need to check through to make sure you’re not committing a faux pas by releasing data you shouldn’t be.

Send the patient the data in an encrypted format, and document when it was sent. Ask for confirmation that it has been received.


Do you need help with getting prepared for dealing with a Subject Access Request or GDPR compliance overall?

Then email me directly on, and let’s get building your successful, happy Private Practice!

Now it’s time for you to grow your Private Practice.






email or call us 0207 993 6425 http://www.instagram/privatepracticeninja