What is a Subject Access Request in Health and Social Care?

Hours Updated
What is a Subject Access Request in Health and Social Care

Understanding an individual’s right to access their personal data is central to fairness and transparency. A Subject Access Request, or SAR, is a formal way someone can ask for information the NHS, social care services, or any other organisation holds about them. This right comes from the Data Protection Act 2018, which is aligned with the General Data Protection Regulation (UK GDPR).

SARs, also known as data requests, are essential for protecting people’s rights by giving them control over their personal information. This applies to health and social care organisations like GP surgeries, hospitals, care homes, and local councils.

The Right to Access Information

Individuals have the right to see personal data organisations store about them. This includes health and social care records that might be used for treatment, care planning, or administrative purposes.

This right allows people to:

  • Understand how their data is being processed.
  • Check the accuracy of their data.
  • Confirm whether an organisation is holding any information about them.

The information shared can include:

  • Medical records such as diagnosis, test results, and treatment plans.
  • Social care records like care assessments, social worker notes, or care arrangements.
  • Administrative details linked to health or care decisions.

Who Can Make a Subject Access Request?

A SAR can usually only be made by the individual concerned. However, other parties may have valid reasons to make requests:

  • Parents or guardians can request access on behalf of children if it’s judged to be in the child’s best interests.
  • Authorised representatives such as solicitors can act on someone’s behalf with their consent.
  • Next of kin might request records of deceased individuals, but access is subject to the Access to Health Records Act 1990.

Some organisations ask for proof of identity to confirm the requestor is entitled to the data.

How to Make a Subject Access Request

Making a SAR doesn’t need to follow a rigid format. It can be made in writing, electronically, or verbally. Here are common steps:

  1. Contact the organisation: Identify the department handling SARs, such as the records office or patient access team at an NHS trust.
  2. Provide details: Include specific information, such as your name, address, and any reference numbers, that help locate your records.
  3. Be specific: It helps if you mention what records you are looking for. For example, specify timeframes, episodes of care, or particular health conditions.
  4. Proof of identity: The organisation may ask for identification to ensure they only release information to the entitled individual.

Timeframes for Responding

Organisations must respond to Subject Access Requests within one calendar month. For example, a request on the 15th of August should be responded to by the 15th of September.

In rare cases, more time may be needed. If requests are complex or excessive, the timeframe may extend by an additional two months. The organisation must explain the reasons for any delay.

Fees and Costs

Most SARs are free. However, if a request is repetitive or unfounded, a reasonable fee may be applied. The fee must reflect actual administrative costs, such as printing and postage.

Organisations cannot charge fees arbitrarily, which ensures fair access without financial barriers.

What Information Can You Access?

SARs allow access to personal data. This doesn’t always mean the full set of records. Some information might be withheld, such as:

  • Third-party references: Details about other people cannot be included without their consent.
  • Risk to others: Information likely to harm someone if disclosed might be restricted.
  • Legal privilege: Records created with legal protections won’t be shared under SARs.

Requesting third-party details requires extra permissions. For example, if a parent is accessing a child’s record, specific safeguards apply to protect family privacy.

What Happens to Digital Data?

Health and social care services increasingly rely on electronic systems. Digital records include email communications, appointment systems, and shared databases like local health information exchanges. These must also be included in SAR responses where relevant.

Data protection regulations ensure that the electronic handling of SARs is treated the same as paper-based records.

Protecting Sensitive Data

When dealing with SARs, organisations must comply with strict rules to maintain confidentiality. This includes steps like:

  • Removing sensitive content if it could cause distress or harm.
  • Redacting information about third parties.
  • Applying encryption to electronically transfer data securely.

Health and social care providers have appointed Data Protection Officers who oversee SAR responses.

Benefits of Accessing Your Records

Understanding your health and social care records brings several benefits:

  1. Empowerment: Patients and service users feel in control of their own medical and care history.
  2. Accuracy: Reviewing records can identify errors or incomplete data.
  3. Improved care: People can use their records to inform discussions about care needs.
  4. Accountability: Access to information allows individuals to challenge decisions they believe are unfair.

Whether planning a treatment pathway or clarifying past care, SARs equip people with valuable documentation.

Support for Subject Access Requests

Some organisations provide guidance to help with SARs, such as frequently asked questions on their websites or dedicated support teams. Advocacy groups in health and social care, like Healthwatch or Citizens Advice, can assist individuals struggling with the process.

Challenges might arise if requests are delayed or incorrect, and it may help to approach the organisation’s complaints team.

What Happens if Requests Are Declined?

Occasionally, SARs may be refused. Reasons could include:

  • The organisation doesn’t hold the requested data.
  • Disclosure of data may harm the requestor or others.
  • Requests are excessive or unreasonable.

If declined, the organisation must explain why and inform the individual of their right to complain to the Information Commissioner’s Office (ICO).

The Information Commissioner’s Office (ICO)

The ICO enforces data protection rights. If someone believes their SAR was mishandled, they can raise concerns with the ICO. After reviewing the complaint, the ICO can issue recommendations or penalties to organisations failing to comply.

Organisations may take complaints seriously since ICO oversight carries potential consequences, including financial penalties or reputational impact.

Final Thoughts

Subject Access Requests promote transparency in health and social care. They enable individuals to take an active role in safeguarding their rights, ensuring fairness, and improving services. From accessing GP records to reviewing care plans, this simple yet powerful tool plays a crucial role within data protection laws.

If you would like to submit a SAR, the first step is to contact the organisation holding your records for advice on next steps.

How useful was this?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you! We review all negative feedback and will aim to improve this article.

Let us improve this post!

Tell us how we can improve this post?

Share:

Subscribe to Newsletter

Get the latest news and updates from Care Learning and be first to know about our free courses when they launch.

Care Learning Team
Care Learning Team

Our team has more than 15 years’ combined experience across adult social care, the NHS, mental health services, and the charity sector. We regularly update our resources using guidance from CQC, NICE, Skills for Care and other UK health and social care bodies. We’re committed to raising care standards through high-quality training and by sharing practical, evidence‑based insights.

Related Posts