Dealing with Subject Access Requests in Healthcare

19 January, 2017

Healthcare professionals need to be properly trained by their employers, and organisations must have adequate procedures in place for dealing with Subject Access Requests, as the recent case of a GP surgery in Hitchin demonstrated.  The practice, Regal Chambers, was fined £40,000 by the Information Commissioner (“ICO”) for disclosing confidential details about a patient to her estranged ex-partner.


The patient had advised the practice that they should take particular care over her information, but when the ex-partner submitted a request under the Data Protection Act to see information held by the practice in relation to his son, staff provided him with 62 pages of information that included the woman’s contact details as well as those of her parents and an older child the man was not related to.


The ICO was heavily critical of the practice's failure to ensure there were proper procedures in place to protect patients' confidential details, and of the fact that staff had not received proper training on how to deal with Subject Access Requests.


The ICO noted that, considering the seriousness of the breach, the fine was low, but this was because the partners would be personally liable to pay.  If a company or other corporate organisation had committed this kind of breach, they could expect a much larger fine.


The fact that the request was made to a GP practice meant they were likely to hold sensitive personal data, which means adequate protection is even more important.  Other healthcare providers (dentists, private therapists, etc.) would likely be in a similar position and should take note and examine their own policies and procedures in relation to Subject Access Requests.


Another growing privacy concern that needs to be addressed by all healthcare providers is cyber security. According to government cyber security experts, there were 227 officially recorded breaches of data security in the NHS and local government in the first quarter of this year.  There is government help out there, in the form of the Cyber Essentials scheme and NHS Digital guidance and support.


Proper staff training is a recurring theme in all areas related to use of technology, and something that may have prevented the red faces in Croydon NHS after an IT contractor reportedly sent an email to 1.2 million NHS staff, a number of whom subsequently “replied to all”, which compounded the problem.


If you need any help putting together a policy on Subject Access Requests or dealing with a particular Subject Access Request, or for help or information on Cyber Security or any other aspect of Data Protection law, please contact Kathryn Rogers on 01892 506147 or email her at .  If you need advice in relation to other aspects of healthcare law, please speak to Justin on 01732 224 107 or email him at


First published in Practice Management in January 2017.