Subject Access Requests
What is a Subject Access Request?
The General Data Protection Regulation (GDPR) 2016 and Trust Policy, gives a data subject (patient/staff) the right to obtain confirmation that their data is being processed, and where that is the case, access to the personal data. The right of access to this information is referred to as Subject Access Request (SAR). This procedure explains the process to ensure SARs are handled in line with the GDPR.
Who can make a Subject Access Request?
Persons who are entitled to access personal data under this procedure are:
a) The data subject.
b) A representative of the data subject who has written consent (e.g. solicitor; a court appointed representative if the data subject could no longer manage his or her own affairs; a person with enduring Power of Attorney or quite simply anyone else an individual wants acting for them).
c) The parent or guardian of a child under 16 years of age: In cases where the child agrees, or it was in the child’s best interest for access to the data to be granted.
What is a valid subject access request?
An organisation is not obliged to comply with a Subject Access Request unless it has received:
a) A request in writing.
b) Enough information to identify the data subject.
c) Enough information to identify the information sought.
d) Any request from a personal representative of the data subject should be accompanied by an authority from the data subject consenting to that individual or organisation acting on their behalf.
How do I make a Subject Access Request (SAR)?
Requests can be received by post, email, telephone, social media.
A SAR request can be made by a solicitor or a court on behalf of the data subject or parent if it is a child and should be accompanied by written consent from the data subject or the individual acting on their behalf.
If made on-line the requester can be asked to complete an Subject Access Request Form.
We ask that they provide as much information as possible to allow us to narrow down our search.
We acknowledge requests within 3 working days.
Complete information will be sent to the requester as soon as possible or within 1 month of receiving the valid request.
Is there a charge for a Subject Access Request (SAR)?
Under the current General Data Protection Regulation (GDPR) there will no fee with effect from May 2018 (this is for all records i.e SAR’s, personnel files, occupational health records, GP/hospital records etc). Following a recent review, NEAS implemented the no fee from July 2017.
The Subject Access Request Process
1. When the North East Ambulance Service receives a valid formal request, it will be logged by the relevant department. The requester will receive a confirmation receipt letter.
2. If more information is needed, the requester will be contacted to provide further information.
3. Where a request is made online (e.g. Trust Internet site or social media) or via telephone the requester will be asked to complete a NEAS Subject Access Request Form.
Collating the information
Once all of the requested information is collated by NEAS, the SAR response is reviewed to ensure that:
a) The information is clear and that all coded data is decoded and any business or medical terms are explained.
b) Any information in relation to a third person is removed unless they are a professional who has contributed to the report, been involved in the care or given their consent.
c) Any information likely to cause serious harm to the physical or mental health of the data subject or any third person if it were to be released be removed.
If any information has been removed e.g. relating to another person OR all the information asked for is not given, an explanation will be included in the letter to the requester.
The completed SAR will be sent to the requester in the format they have asked for e.g. email, post, CD, applying appropriate security, within one month of receiving the valid request.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Trust may:
a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) Refuse to act on the request.
Appeals and complaints process
Data subjects have the right to appeal against a decision to refuse access to their information. The data subject has the opportunity to either write their letter of complaint or express their complaint orally with a possible satisfactory outcome.
Data subjects are also free to contact the Information Commissioner, who is the compliance lead on Data Protection:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Tel: 0303 123 1113 (local rate) or 01625 545 74 (national rate)
We would encourage the requesters to raise any matters with the Trust before the Information Commissioner.
The Subject Access Request Form is available here:
Subject Access Request Form
Authority for release of personal information under the General Data Protection Regulations; Data Subject Consent form is available below:
Data Subject Consent Form
For more information or assistant please contact: