Subject Access Requests

This policy outlines the practices approach to managing Subject Access Requests – SARs.

It is compliant with the General Data Protection Regulations and Data protection Act 2018

A Subject Access Request (SAR) is a right of access.  An individual is entitled only to their own personal data and not data relating to other people (unless they are acting on behalf of that person – this could be a relative, or carer with consent, or Power of Attorney, or it could be from a Solicitor, or Insurance Company).

To support the practice to implement this policy, there are two supporting documents:

  • SAR Process Flowchart
  • Patient information leaflet and supplementary form

  • Practice Privacy Notice / Fair Processing Notice


  • A valid subject access request can be in writing, sent by fax or by email.
  • The request must have clear identity details – name, address and date of birth stating the exact data required e.g. a specific period or all personal data. (Data can be in electronic or manual format or both).
  • It must be signed by the requester – the Data Subject.
  • Individuals requesting Subject Access must have two valid forms of identification.

If a disabled individual finds it impossible or unreasonably difficult to make a Subject Access in writing, reasonable adjustments must be made to accommodate requests.  This could include treating a verbal request for information as though it were a valid Subject Access request.

If the request does not mention the Act specifically or even say that it is a Subject Access Request, it is nevertheless valid and treated as such, if it is clear that the individual is asking for their own personal data.

A request is valid regardless of who the individual has sent a Subject Access Request to in the practice.  It is therefore important to recognise this and treat appropriately.

At the time of the request, it is important to establish the following:

  • Who is making the request?
  • If it is a third party, do they have consent?
  • Is the request a SAR under the GDPRs or is it a request for data under the Access to medical Records Act 1988 – AMRA:
  • Does the Data Subject require their whole record, or just part of it? If only part of the record is required, we will refer to this as a Targeted SAR – TSAR
  • Would offering the data subject Online Access to their medical record satisfy their request?

The form on the reverse of the patient information leaflet prompts the Data Subject to answer some of these questions.


Having received a valid SAR request and completed form, the data subject should be advised that their request will be dealt with within one month.

  • Add read code EMISNQSU84 (Subject Access Request Status) when a request is received and data subject advised.


  • GDPR requires us to process Subject Access Requests within one month. (EMIS search to be run weekly to monitor timeframe compliance). If more time is required, we must inform the DS within the one month period.
  • Add read code EMISNQSU87 (Subject Access Request Completed) when personal information has been supplied.
  • The information supplied need to be accompanied by a copy or link to the Practice’s Privacy Notice / Fair Processing Notice. This includes third parties, and for DS’s who have requested online access as an acceptable medium for accessing their information.


In most circumstances we cannot charge the data subject for personal data.

However, if the request is excessive, unfounded, or a repeat request we can apply a reasonable administration charge. The guidance around this is not explicit. If a charge is to be applied, the reason for charge should be clearly documented and the data subject/requester should be advised.

In some cases the data requester could be a solicitor, or insurance company acting on behalf of the data subject. In this case written consent must be obtained. The third party requester should make it clear if their request is a SAR, or a request under AMRA. If the request is under AMRA it will be related to employment and insurance purposes and could include, accident claims, life insurance, insured negligence claims. If the third party request does not make this clear, they should be asked to confirm whether the report is being requested under GDPR or AMRA.

Note – It is important to check subject access request/consent given to third parties e.g. insurance companies to confirm exactly what data is requested.  Excessive data must not be provided.


The GDPR regulations do allow for SARs to be declined, for example if the data has not changed since a previous request. If a request is to be declined, the DS must be informed of this decision and the reason for it within one month of the request, and be informed of how they can complain against the decision.


Data subjects have the right to ask for personal data to be corrected/altered/erased. Refer such requests to the Practice Manager for action.





Comments are closed.