GDPR - GPC - Blog 7
Subject Access Requests, SARs and TSARs
What’s different about Subject Access Requests (SARs)?
The fundamental has not changed: it’s their data and they must have access to it. So, whilst this blog sets out what might seem to be many reasons (excuses?) for not giving up their data, the default assumption remains that patients have a right to see their records and as DCs we must provide them access to it.
Several things have changed regarding SARs.
- Firstly, you will not be able to charge for a first copy of the data subject’s records.
- Secondly, the data you must supply is more than just a copy of the data you hold; you must also supply additional information (in effect the content of the relevant Privacy Notice).
- Thirdly, any response to a SAR, see 4 below, must now be within “one month” (no longer 41 days and no, I’m not clear whether this is one calendar month, 30 or 31 days; I’d advise assuming it means 28 days or 4 weeks).
- Fourthly, there are new potential responses to a SAR, which include: you can agree (the norm and not new) or decline (not new, not advised and you’ll need to justify refusing) or you can agree to respond but require more time (up to a maximum of two of those months, and you’ll have to explain why) or you can negotiate (this is new!) and in some circumstances you can either refuse point blank or charge for the inconvenience.
2. So what’s the additional data we must supply?
The additional information that you must supply, along with the original personal data concerning the DS, is listed in Articles 13 and 14 and is:
- The purpose(s) of the processing
- The categories of personal data being processed
- The recipients or categories of recipients
- The envisaged retention period or the criteria that determine it
- The rights of rectification, restriction, objection and where applicable erasure.
- The right to complain to the ICO
- The right to know more about the source if not the DS
- The existence of and logic behind and consequences of any automated processing
Remember this, or an easily accessible link to it, has to be provided as well as the actual data relating to the DS.
You can agree (to the full SAR)
If you agree to the SAR you must respond within one month and include all the data you hold on the DS plus whichever of the information listed above applies. Providing all the data you hold is regarded as the norm.
You can decline
You can decline, or, as GDPR puts it, “not take action” to provide a SAR. It’s not advised and you’ll still have to justify why, provide the justification within the universal one-month deadline and explain how the DS can complain against your decision. One obvious reason for declining is if the data has not changed since a previous request.
You can agree to respond but require more time
You can agree to supply the data, all the data plus the additional information, but because of the difficulties of collating and supplying the data you (and you alone) can decide you need more time. You can have up to an additional two months. If you decide you need the additional time you must let the DS know within the universal one-month response deadline. This will also apply to the SAR variants.
We’ve been collecting paper records since the 1940s and electronic stuff for 20 yrs., we now have masses of data on our patients, do we have to produce it all? (You can negotiate!)
This is the new one, a negotiated disclosure. Under GDPR (see Recital 63 [1]) it is possible to agree with the patient that only certain parts of the record are produced under a SAR. A SAR was defined under DPA as the entire contents of the patient record and under GDPR that is the same basic default assumption, but it’s been recognised that 20 or more years later we hold masses of data on our patients, so a new option has been introduced: a SAR can now be less than the entire record by mutual agreement. I shall call these a “Targeted SAR” (TSAR).
Tell me more about TSARs
GDPR allows the DC to ask the individual to specify the information the request relates to, which could narrow down the data needed to satisfy the request. The absolute proviso is that the DS agrees and does so voluntarily and freely. You can’t use a TSAR to coerce people into asking for less than they want or need. In these circumstances it would be best to clearly document what is agreed as being the scope of the first TSAR, for instance, only the records of a hip operation. Subsequent ones could then be chargeable, although I would advise a reasonable approach. If they ask for one additional letter it would in my opinion be unreasonable to charge a fee. If the DS subsequently asks for hundreds more pages, then a charge would be reasonable. Agreeing with the DS what is going to be covered by the SAR must occur within the “one month” timeframe above.
What else could be a TSAR?
Some might say a negotiated TSAR is going to be more difficult and time consuming than just unloading the lot, but remember GDPR applies to all data formats; it includes the paper in the Lloyd George envelopes. So, a sensible TSAR might be everything you have on the DS in electronic form. I can imagine in most circumstances the patient is not likely to want copies of the irrelevant historic paper records. Another might be simply everything from a certain date. There are other options and I’ve asked the suppliers to facilitate making these easier to action. Remember, even for the laziest “download everything” SAR you still have to protect any other DSs mentioned in the requestor’s records, i.e. redaction of non-medical 3rd parties. The less there is to give, the less there is to redact.
And about all disclosures, electronic by default
“Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form”. Furthermore, Recital 63 provides us GPs with a very useful steer: “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”. So it looks like Patient On-Line access would fit that bill very nicely. Signing patients up for NHS provided On-Line Access [3] and ensuring they have a link to your PPN or PNs would satisfy GDPR DS access rights in full.
How much can I charge for administration costs?
There appear to be two charging rules: those for repeat SARs and TSARs and those for unfounded or excessive SARs and TSARs. For a repeat SAR or TSAR, you can only charge a fee to cover your administrative costs: “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.” [2]
“Unfounded or excessive”
Article 12(5) allows GPs to either refuse to comply (see Article 12(5)(b)) with SARs or TSARs that are “manifestly unfounded or excessive” or to comply but charge for the inconvenience. Neither “unfounded” nor “excessive” is defined in the GDPR or its guidance, so interpretation is going to have to be an application of the reasonableness factor. GDPR does provide some clue in describing “repetitive character” as being a qualifying criterion. If you decide to comply with the request, you may then charge for:
1) “the administrative costs”
2) “providing the information”
3) “communicating the data”
4) “taking the action requested.”
So, the fee might involve the cost of professional time to redact records, for example. The DC shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
If you invoke the unfounded or excessive clause you must justify your reasons to the DS, whether you decline, or comply but charge.
Can I provide a SAR orally?
Yes. If you know it’s the patient, you can action the SAR there and then. Obviously, this is likely to be a TSAR.
Saying No to a SAR or TSAR?
If you refuse a request it will be important to document your reasons for doing so and you must communicate them to the DS within the same one-month response deadline. If you do decline a request, you must let the DS know their rights to complain about your decision to the ICO and it would be wise to also refer to your DPO.
Other GDPR exceptions
In relation to data gathered from the DS themselves, i.e. data they provided, or you got from them directly, the only exception to providing the data you hold on them is “where and insofar as, the data subject already has the information”. Please note this applies to both the personal and special category data relating to the DS as well as the additional data mentioned in 2 above.
In relation to data gathered from elsewhere, i.e. other than from the DS themselves, which is a lot in medicine, other exceptions to providing data can apply. They are: firstly, the manifestly obvious “they’ve already got it” reason above (Article 14(5)(a)), but Articles 14(5)(b), (c) and (d) also allow for the other exceptions:
Article 14(5)(b), “The provision of such information is impossible or would involve a disproportionate effort or would make the achievement of the objectives of the processing impossible or seriously impair them.”
One would imagine most incoming data about our patients identifies both them and the source, so this is unlikely to ever apply for GPs.
If a patient has hundreds of hospital letters or thousands of test results, it might be reasonable to argue that the letters from the 1960s are probably no longer relevant. GDPR states that accessing aged data could be deemed to require disproportionate effort.
Make impossible or seriously impair?
Neither of these are likely to be available for a GP.
Article 14(5)(c), “The data controller is subject to a national law or EU law requirement to obtain or disclose the personal data and that the law provides appropriate protections for the data subject’s legitimate interests”.
This is where a law requires a DC to collect data on DSs from elsewhere. In that circumstance the DC is not bound to disclose that data to the DS. I cannot think of any circumstance where this will apply to GPs and their patients.
Article 14(5)(d), An obligation of professional secrecy (including a statutory obligation of secrecy) which is regulated by national or EU law means the personal data must remain confidential.
This is what GPs can rely upon, it’s essentially the same as redacting 3rd party information. You wouldn’t disclose comments about a 3rd party to the DS, the exception to this exception being the identity of others involved in the care of the patient.
Other general exceptions
And remember these other more generic exceptions:
You shouldn’t disclose anything that identifies any other DS. The only exception to this is the identity of people involved in the care of the DS, such as community staff or hospital specialists; they are not exempt.
You mustn’t disclose anything that is likely to result in harm to the DS or anyone else.
You mustn’t disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation.
Do I have to provide SARs on USB sticks or CDs?
No. You can agree the medium with the DS. GDPR and the ICO are very much in favour of electronic SARs and TSARs. If the SAR or TSAR request is made electronically it is expected that the response will be provided electronically. You can charge for the administrative or communication costs of 2nd and subsequent SARs and TSARs. And that could include the cost of a USB stick.
Under the DPA insurers tried to get around the Access to Medical Records Act by getting patients to “request” SARs which were then forwarded to the insurer. Why won’t they use this new “modified SAR” option to do the same again?
Because clause 181 of the Data Protection Bill will extend the offence of “enforced subject access”, i.e. where a patient is being coerced or tricked into providing a SAR to support an application, to cover medical records. Insurers will not want to be found guilty of the crime of enforced subject access. If any GP suspects that an insurer is doing this, they should report them to the ICO and the ABI. As a reminder the ABI and the BMA have issued guidance previously and this is unchanged under GDPR.
Dr Paul Cundy
GPC IT Policy Lead
2nd April 2018
[1] Recital 63, “Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.”
[2] GDPR Article 15(3), “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”