Subject Access Requests
(Access to Medical records)
All patients have a right to access their data and any supplementary information held by Wey Family Practice. You have the right to receive:
- Confirmation that your data is being processed
- Access to your personal data
- Access to any other supplementary information held about you
The reason for granting access to patients is to enable you to verify the lawfulness of the processing of data held about you.
Under the GDPR, Wey Family Practice is not permitted to charge data subjects for providing a copy of the requested information; this must be done free of charge. That said, should a request be deemed either “unfounded, excessive or repetitive”, a reasonable fee may be charged. Furthermore, a reasonable fee may be charged when requests for additional copies of the same information are made. However, this does not permit the practice to charge for all subsequent access requests.
The fee is to be based on the administrative costs associated with providing the requested information.
Responding to a data subject access request
In accordance with the GDPR, the Practice must respond to all data subject access requests within one month of receiving the request.
In the case of complex or multiple requests, the Practice may extend the response time by a period of two months. In such instances, you will be informed and the reasons for the delay explained.
Verifying the subject access request
It is the responsibility of the Practice to verify all requests from patients using reasonable measures. The use of the Practice Subject Access Request (SAR) form supports the Practice in verifying the request. In addition, the Practice is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. driving licence or passport.
The GDPR states that patients should be able to make access requests via email. Wey Family Practice is compliant with this and data subjects can complete a request via email on firstname.lastname@example.org.
The Practice is to ensure that ID verification is requested and this should be stated in the response to the patient upon receipt of the access request. It is the responsibility of the Practice to ensure they are satisfied that the person requesting the information is the data subject to whom the data applies.
Third-party requests will continue to be received following the introduction of the GDPR. The Practice must be able to satisfy themselves that the person requesting the data has the authority of the patient.
The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the patient.