Request for Personal Information about yourself / Subject Access Requests
Under the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018, and the Data Protection Act 2018, you (the Data Subject) have a right to:
A Subject Access Request (SAR) is a request for personal data from a Data Subject (the individual whom particular personal data is about).
Information requested by you must be disclosed within one month following the date of receipt, and organisations will no longer be able to charge data subjects for requesting their information.
A subject access request does not have to be in any particular format but it must be in writing. It does not have to include the words ‘subject access’ or make any reference to the General Data Protection Regulation/Data Protection Act 2018.
There is no legally prescribed subject access request form but SPCL have one for ease of use and to help you to provide all the information which is required. A subject access request might also be received via email, fax or social media. Reasonable adjustments must be considered and/or made for disabled people, for example, recognising a formal request in a verbal format and responding in an appropriate format such as in Braille or large print.
To comply with the law, information relating to the Data Subject must only be disclosed to that person (data subject) or someone with their written consent to receive it. A SAR can be made by someone who is acting in the patient’s interests or as the ‘agent’ of the patient (i.e. solicitor) as long as the patient has given appropriate written consent for that individual to access the full medical record.
If your request asks for a report to be written, or for an interpretation of information within the record, it goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act framework, for which fees can be charged.
SPCL may check the nature of the request to ensure they are complying with their legal duties as the Data Controllers.
Where there is any doubt, proof of identity will be required. Examples of suitable documentation could include copies of:
• Valid Passport.
• Driving Licence.
• Birth Certificate along with some other proof of address, e.g. a named utility bill or a Medical Card.
If the originals of these documents are received, SPCL will take due care of them and ensure their safe return (i.e. using Recorded Delivery or similar). A photograph is not necessary.
Information may be withheld if it:
• Relates to a third party
• Could cause serious harm to the physical or mental health or condition of the Data Subject, or any other person (refer to the Exemption from Article 15 of the GDPR – Serious Harm)
• Relates to legal advice (legally privileged)
To make a Subject Access Request, please email email@example.com