Subject Access Requests
A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR). If you want to see your health records or wish a copy, you can write or call your Practice and then arrange a time to come in and read them. You don’t have to give a reason for wanting to see your records. There is no charge for this service.
It’s a good idea to state the dates of the records that you want to see – for example, from 2010-2017 – and to send the letter by recorded delivery or deliver it to the Practice. (if you are requesting this in writing). You should also keep a copy of your letter for your records. The Practice, has up to 28 days to respond. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.
The 28-day time-limit can be extended for two months for complex or numerous requests where the data controller (usually your practice) needs more time to collate and supply the data. You will be informed about this within 28 days and provided with an explanation of why the extension is necessary.
When writing/calling, you should say if you:
- want a copy as well as to see them (if you wish to see them your doctor or member of staff will be present to assist you and explain any medical terms to you)
- want all or just part of them
- would like your records to be given to you in a format that meets your needs, and we will endeavour to accommodate your request
- If you request your records to be emailed, then we will secure your or your representative’s agreement (in writing or in email) that they accept the risk if sending unencrypted information to a non-nhs email address
You may also need to fill in an application form and give proof of your identity. The Practice has an obligation under the GDPR and DPA2018 to ensure that any information provided for the patient, can be verified.
Please note we never send original medical records because of the potential detriment to patient care should these be lost
Who may apply for access?
1(1) Patients with capacity
Subject to the exemptions listed in paragraph 1(6) (below) patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for you to give reasons as to why they wish to access their records.
1 (2) Children and young people under 18
Where a child is competent, they are entitled to make or consent to a SAR to access their record.
Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed inorder to be entitled to make or consent to an SAR.However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph 1 (3) below)
1(3) Next of kin
Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.
You can authorise a solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to your solicitors acting. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we may contact you before disclosing the information. (England and Wales only – Should you refuse, your solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for solicitors to use the form, it is hoped it will improve the process of seeking consent).
The Practice may also contact you to let you know when your medical records are ready. If your solicitor is based within our area, then we may ask you to uplift them and deliver them to your solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your solicitor if they can uplift your medical records.
1(5) Supplementary Information under SAR requests
The purposes for processing data
The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.
The categories of personal data
The category of your personal data is healthcare data.
The organisations with which the data has been shared
Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual. Other organisations will receive your confidential health information, for example Digital or the Scottish Primary Care Information Resource (SPIRE) or research bodies such as the Secure Anonymised Linkage Databank (SAIL). (This information is already available to patients in our practice privacy notices).
The existence of rights to have inaccurate data corrected and any rights of objection
For example, a national ‘opt-out’ model such as SPIRE etc
Any automated decision taking including the significance and envisaged consequences for the data subject
For example, risk stratification.
The right to make a complaint to the Information Commissioner’s Office (ICO)
1(6) Information that should not be disclosed
The GDPR and Data Protection Act 2018 provides for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.
1(7)Individuals on behalf of adults who lack capacity
Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales, and the Sheriff’s Court in Scotland, can also appoint deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.
Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.
1(8) Deceased records
The law allows you to see records of a patient that has died as long as they were made after 1st November 1991.
Records are usually only kept for three years after death (In England and wales GP records are generally retained for 10 years after the patient’s death before they are destroyed).
Who can access deceased records?
You can only see that person’s records if you are their personal representative, administrator or executor.
You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.
Accessing deceased records
Before you get access to these records, you may be asked for:
- proof of your identity
- proof of your relationship to the person who has died
Viewing deceased records
You won’t be able to see information that could:
- cause serious harm to your or someone else’s physical or mental health
- identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission
- If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.
To see your hospital records, you will have to contact your local Hospital.
Power of Attorney
Power of Attorney Information Form for Patients
1) Drawing up a PoA document – the Practice is not involved with this
This is not part of General Medical Services or the NHS services that we provide and we are not legally qualified to advise you or give you any opinion on how to go about it. You should contact The Office of the Public Guardian on 01324678300 or visit the website www.publicguardian-scotland.gov.uk Please check their document: Power of Attorney top tips, which you may find helpful.
2) Completing and signing the prescribed certificate (Schedule 1 certificate) – the Practice is not involved with this
This is a mandatory certificate, which confirms that you understand the nature and extent of the PoA legal document, the extent of the powers that you are giving to your Attorney and how and when they come into force. You cannot register a PoA with the Public Guardian without this certificate, which must be signed by a practising member of the Faculty of Advocates, a practising Solicitor who is registered to practice law in Scotland or a UK registered and licensed Medical Practitioner. Your Advocate, Solicitor or Medical Practitioner will advise you of the fees involved.
GPs are Medical Practitioners and, therefore, authorised to sign the certificate, but they are not under an obligation to do so. We do not sign it in this Practice because we do not feel that we are legally qualified to understand, explain, and ensure that you understand, the nature and extent of the legal aspects of the PoA document. Our legal advisers at the Medical & Dental Defence Union Scotland and our professional advisers at the British Medical Association support us in this view. You may, of course, approach other Medical Practitioners with your request.
3) Providing a medical report on Capacity – the Practice does this as a private work service
Sometimes a Solicitor will request this from us, with the patient’s consent, to help the Solicitor to decide whether to complete and sign the Schedule 1 certificate or not. We will provide a report on Practice headed paper and the fee for this is £117, which covers the work involved in the 30-minute private appointment, researching the medical record, producing the report, and the ongoing responsibility for documents which could later be challenged in court.
If you do not wish to consult a Solicitor, you may still request a capacity report from us on the above basis but you should be aware that you would still need to get the Schedule 1 certificate signed by an Advocate or Solicitor or another Medical Practitioner and that there would probably be further fees from them. Our medical report, therefore, may serve no purpose for you, as you cannot lodge it with the Public Guardian in place of a Schedule 1 certificate and you could be incurring unnecessary fees by requesting it. Please give some thought beforehand to who is going to sign your Schedule 1 certificate and how much this is all going to cost.
4) Storing the PoA document – when to give a copy to the Practice
This is a legal document and it is up to you and your Attorney to store it safely. We do not require and do not accept copies of the document until the Welfare power for decisions to be made about your health and welfare matters is activated. This only happens when you become incapable of making decisions about your own welfare and there will be a clause in the PoA document stating how this is to be determined. If your PoA document states that it is to be determined by your GP, this, again, is a private service, which we will provide on the same terms as those stated in paragraph 3 above. The fee for this additional service is £117. We would require a copy of the PoA document at that stage, to scan into your medical record.
Optician and dental records
Your optician and dentist also hold records about you. To access your optician or dental records, you may need to show proof of identity.
Emergency Care Summary
What does this information contain?
This is to let you know about changes in the way we in the NHS store your health records.
It tells you about something new – the Emergency Care Summary – which all patients in Scotland will soon have, and the benefits this will bring.
It explains how, in the future, all your health records will be stored and linked electronically, and why that will be good for your health care.
It’s happening now
All patients in Scotland have, or will soon have, something called an Emergency Care Summary.
What is an Emergency Care Summary?
This is a summary of basic information about your health which might be important if you need urgent medical care when your GP surgery is closed, or when you go to an accident and emergency department. It means that all NHSstaff looking after you can get important information about your health, even if they cannot contact your GP surgery. Please go to Emergency Care Summary for further information.
Your Emergency Care Summary contains the following information.
- Your name
- Your date of birth
- The name of your GP surgery
- An identifying number called a CHI number (there is more about the CHI number later)
- Information about any medicines prescribed by your GP surgery
- Any bad reactions you’ve had to medicines that your GP knows about
Your Emergency Care Summary is copied from your GP’s computer system and stored electronically. NHS staff can then find it quickly if they need to see it.
Who can look at my Emergency Care Summary?
NHS staff can look at your Emergency Care Summary on computer if they need to treat you when your GP surgery is closed. They must ask you if you agree to this before they look at your information.
- If you agree, only the staff listed here will be able to look at your Emergency Care Summary.
- Doctors, nurses and receptionists in out-of-hours medical centres.
- Staff at NHS 24 who are involved in your care.
- Staff in hospital accident and emergency departments.
- In the future, ambulance staff may also be able to look at your Emergency Care Summary.
- If you are unconscious, NHS staff may look at your Emergency Care Summary without your agreement. This is so they can give you the best possible care.
How do I know that the information in my Emergency Care Summary is secure?
- The NHS stores your Emergency Care Summary electronically using the highest standards of security.
- Only NHS staff directly involved in your medical care will be allowed to look at your Emergency Care Summary.
- NHS staff can only look at your Emergency Care Summary if they have a password that allows them to.
- A record will be kept of everyone who has looked at your Emergency Care Summary.
- Your GP surgery will be able to check who has looked at your record if you want them to.
What if I’m not sure that I want an Emergency Care Summary?
- If you don’t want an Emergency Care Summary to be made for you, tell your GP surgery.
- Don’t forget that if you do have an Emergency Care Summary, you will be asked if staff can look at it every time they need to.
You don’t have to agree to this.
Can I see my Emergency Care Summary?
- If you would like to see your Emergency Care Summary, ask your GP to print it out for you to have a look at.
- If you think anything is wrong, ask for it to be changed.
What does the future hold?
In the future, all patients in Scotland will have an electronic health record. The rest of this leaflet explains why this is important for providing the best possible care in the NHS.
What is an electronic health record?
- It is any information about your health and health care which is stored electronically.
- We will use an identifying number called the Community Health Index number ( CHI for short) to link up the different parts of your health record held in different places within the NHS.
How are my records stored at the moment?
- Most of your health information is recorded on paper files that are kept in different places. For example, you will have one set of records at your GP surgery, and another set at any hospital you have been to.
- GPs and hospitals store some records electronically, but the different computers they use are not linked up. So when you go to a hospital, staff there cannot look at the health record held in your GP surgery.
What are the benefits of electronic health records?
- NHS staff will be able to find medical information about you much more quickly.
- Staff treating you will have a more complete picture of your health and your medical background. For example, we will be able to see quickly if you have any long-term medical conditions, or if you have recently had an operation.
- This information will be available even when you are not at home – for example, if you are in another part of Scotland.
- It will be easier for you to look at your own health records, for example, if you want to check that they are correct.
How soon will I have an electronic health record?
- We are already storing some records electronically, but it will take some time before all your health records are
- It will also take quite a long time before we are able to link all your records, using the CHI number.
- Most test results are now stored on computer. This means your GP gets the results more quickly, without having to wait for a letter.
- Letters about your care and treatment are often sent electronically between NHS staff and stored on computer. This may happen if, for example, your GP refers you to hospital or if you leave hospital.
What if I do not wish my electronic health record to be accessed ?
- Please write to the the Practice manager **insert name** and we will update your practice records accordingly your electronic health records will no longer be shared.
Do you need more information?
- A special helpline will be available until 30 September 2006 to give you more information about anything in this leaflet. Phone this helpline on 0800 85 85 31. The helpline is available from 11am to 7pm.
- For information about your emergency care summary or electronic health records from 1 October 2006, phone the NHS Helpline on 0800 22 44 88.
- If you want to find out more about your health records and how you can see what’s in them, ask for the leaflets ‘How to see your health records’ and ‘Confidentiality – it’s your right’. You can get these leaflets from:
- GP surgeries, dental surgeries, hospitals and any other places where you receive NHS care;
- the NHS Helpline on 0800 22 44 88;
- your local citizens advice bureau (find your nearest bureau on the internet at Citizens advice bureau or in your local phone book).
The content of this leaflet has been developed with Health Rights Information Scotland.
This information is produced by the Scottish Executive Health Department.
Please ask us if you would like this document on audio tape, in Braille, in large print or in Arabic, Hindi, Chinese, Bengali, Punjabi, Gaelic and Urdu.
Please e-mail ECSLeaflet@scotland.gsi.gov.uk