Subject Access Requests

Subject Access Requests

Main Address

What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. In a health setting requests will largely be made by patients and their appointed representatives (such as solicitors)for copies of their health records from both acute and community services but this can extend to current and ex-staff members. The right of access only applies to living individuals.
 
For more information on Subject Access Requests please visit NHS England guidance for patients and service users page here.
 
Access to deceased patients' health records
The Access to Health Records Act 1990 gives rights of access to deceased patient health records by the personal representative of the deceased who holds a role set out in law. This is usually the person who holds the probate documentation (such as the Grant of Probate or Letters of Administration) or is named as executor in the deceased’s will. Access may also be granted to those who can establish a claim arising from a patient’s death
 
For more information on Access to the health and care records of deceased people please visit NHS England guidance for patients and service users page here.

How can individuals make a request for copies of records?
Individuals can make a request by completing the below application from:
 
 

Opening Hours

8:30-16:00

Further Information

What is an individual entitled to?              
 
Individuals have the right to obtain the following from  the Trust: 
  • confirmation that we are processing their personal data;
  • a copy of their personal data (health records most cases); and
  • other supplementary information
What evidence is required?
 
The below proofs must be providing following a request for records.
  • Requests from patient directly - Photo ID of patient.
  • Requests for adult records from other family member - Photo ID of requestor; plus photo ID of patient, plus letter of consent (signed and dated) or other proof of authority.
  • Requests for children’s records from other family member or guardian - Child’s birth certificate, plus photo ID of parent/guardian named on birth certificate.
  • Requests from solicitor for adult records - Photo ID of the patient/client, plus letter of consent (signed and dated) or other proof of authority. Requests from solicitor for children’s records  - Child’s birth certificate, plus Photo ID of litigation friend.
  • If applying for a deceased patient’s records you will need to provide proof that you the personal representative of the patient  Evidence will include a copy of Letters of Administration or grant of probate , copy of the relevant section of the Will confirming you are the Executor of the estate .  Evidence of your claim, the nature of the claim, If you are a person with a claim arising out of the patient’s death , you would need to evidence of your claim, the nature of the claim, clarification of the claimant’s relationship to the patient.

We will never require original documentation, scanned copies or photographs of the ID are acceptable as long as the image is clear. All proof documents should be sent to SAR.WhittHealth@nhs.net. However should you wish to send us a secure encrypted message for this purpose, you can do this by registering for a free Egress account here 

How will the data be provided?
The Trust provides responses to requests in commonly used electronic formats unless requested otherwise.
 
Will there be a fee?
In most cases a fee cannot charge be charged to comply with a subject access request.
However, where the request is manifestly unfounded or excessive a reasonable fee can be charged for the administrative costs of complying with the request. A fee will be charged for further duplicate or paper copies following a request. Paper copies are charged at 60p per page not including postage.
 
How long do we have to comply?
A subject access request must be complied with within one month of receipt. Applicants are required to provide proof of identification, the time is calculated from the day the relevant proofs are received.
 
Requests for records of deceased individuals are handled under the Access to Health Records Act 1990 and must be complied with within 40 days. As well as proof of identification applicants are required to provide authenticating details to prove their status as the personal representative of the patient or as a person with a claim arising out of patient’s death. Where possible applicant should specify the parts of the deceased health record they require for the reasons outlined above. The time is calculated from the day the relevant proofs are received. 
 
Can we extend the time for a response?
We can extend the time to respond to a subject access request by a further two months if the request is complex or if we have received a number of requests from the same individual.
 
Can we ask an individual to clarity their request?
Applicants  may be asked to clarify their request. If the additional information is not provided, we will endeavour to comply with the request by making reasonable searches.
 
Requests made on behalf of others?
The GDPR does not prevent an individual making a subject access request via a third party. In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the individual, it is the third party’s responsibility to provide evidence of this entitlement. 
  
Requests for information about children
When a request is made for information about children it will be considered whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then explicit consent will be required from the child. The age for giving consent to data processing prescribed by the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 (DPA18) is 13.
 
What if the data includes information about other people?
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
Data protection legislation requires that information of third parties is removed prior to disclosure. Some information may be removed where it was provided in confidence or where it's disclosure could cause harm or lead to impairment of care.
 
Can a request be refused?
A subject access request can be refused if it is manifestly unfounded or excessive. If we do refuse a request, we will inform the applicant within one month of receipt of the request.                           
 
Confidentiality
The Trust is required to keep health records safe and confidential. Every member of staff working for, or with the NHS, has a duty to keep any information that they come across completely confidential.

Apart from clinical and administrative staff involved with providing care, the Trust will only share information that other healthcare professionals involved in patient care need to know about. These may include patients' GP, dentist, health visitor or community nurse.
By law the Trust may sometimes have to provide information to other agencies, for example when a formal court order has been issued or when we encounter infectious diseases which may be a risk to others.

Locations  See on a map

Related services

Last updated17 Oct 2022
Working on it!