Subject Access Requests and other data subject rights
When you visit our hospitals, we record what happens to you so that Healthcare Professionals can plan your future care. Clinic visits, operations, tests and investigations are documented in your health record, alongside copies of all correspondence relating to your care. We also record information such as allergies, medicines, past reactions to medicines, and any long term conditions such as diabetes or asthma along with personal information such as your name, address, gender, next of kin and ethnic origin.
Your health record is kept confidential within the hospital at all times and is only shared with staff when they need it to carry out their job. All staff are required to work to strict professional and contractual codes of confidentiality, and where possible we will anonymise information so that individual patients cannot be identified. The only time information will be shared to outside organisations is if they are directly involved in your care, for instance, your GP, social worker, community nurses or other hospital.
Data Protection law gives you significant rights over the use of your personal data. The most important is the right to make a ‘Subject Access Request’ for access to the information we hold, usually by being provided with a copy.
The UK General Data Protection Regulation 2018 (UK GDPR) read together with the Data Protection Act (2018) gives you the right to access the information we hold about you or others.
The Trust is not obliged to comply with any request unless we receive sufficient information to identify the patient and applicant (if different), to locate the information held and to confirm if the applicant has sufficient right of access. Please see below for documentation required depending on the type of SAR submitted:
Documentation Required
Patient request for own health records
- Copy of passport, driving licence or birth certificate
Representative of patient (e.g. relative, carer) request for health records
- Copy of applicant’s passport, driving licence or birth certificate
And one of the following:
- Copy of Lasting Power of Attorney
- Evidence of appointment as Independent Mental Capacity Advocate
- Informed consent of the patient
Parent or Guardian of child request for health records *
- Copy of applicant’s passport, driving licence or birth certificate
And one of the following:
- Applicant’s name on patient’s birth certificate
- Applicant’s name on patient’s adoption certificate
- Court Order granting the applicant parental responsibility
- (Where Unmarried) copy of parental responsibility agreement signed by both parties
Executor/Personal Representative of a deceased patient request for health records
- Copy of applicant’s passport, driving licence or birth certificate
And one of the following:
- Copy of the Will naming you the executor
- If the person died without making a Will but Letters of Administration were granted, that you were the person to whom were granted
Person who may have a claim arising from the patient’s death
- Copy of applicant’s passport, driving licence or birth certificate
- Evidence supporting the claim
*If the child is aged around 12 years old or over, and has the capacity to understand the request, the child’s written consent will also be required as evidence. If the child lacks the capacity to understand the request, evidence will be required that the applicant is acting in loco parentis.
If you would like to access your own or someone else’s health records and can provide sufficient documentation as highlighted in the table above, please submit a SAR digitally using our SAR Portal. Click get started online, then follow the instructions to set up your account or login if you have an existing account.
By making this application you confirm the information given is correct and you are entitled to apply for access under the DPA (2018) and UK GDPR. You are also confirming that it is necessary to confirm your identity and right of access and it may be necessary for the Trust to obtain more detailed documentation.
Requests are managed electronically to aid speed and efficiency. When making your request, please ensure the correct application type is selected. This will help the SAR Team process your request effectively.
Once your request has been submitted via the Portal the SAR Team will send your request to the appropriate Healthcare Professional for their confirmation that it is safe to disclose the records. The Healthcare Professional may recommend the best way for you to view the health records. This might be copies sent to you directly which is the most common option of disclosure, by making an appointment with the Healthcare Professional or viewing the health records in the Health Records Department
We aim to disclose health records within one month from receiving your request and sufficient documentation. This may be extended in complex cases however we will inform you of any new timescales.
Once complete, patients will be able to view and download the health records using a secure password encrypted link sent to them via email. This reduces the need for paper copies and CD files to be created and posted to homes which saves the Trust money and reduces our environmental impact.
If you have any questions or queries relating to a SAR please contact the SAR Team on the details below:
Tel: 0117 342 1788
To make a request relating to information shared with Connecting Care please visit the Connecting Care Website.
You can also find useful information about exercising your right of access and what you can expect on the ICO website.
Your rights to your data other than a SAR include:
If you think that the data we hold on you is inaccurate or incomplete you may ask us to rectify or complete it. You can make your request by contacting the Trust's data protection officer
Under GDPR you sometimes have a right to have personal data erased. The right to erasure is also known as 'the right to be forgotten'. We will tell you within one month what action we intend to take in response to your request.
However this right does not apply to many of our key data holdings such as health records and employees' records as we are keeping such records as part of our legal duties. For a full explanation of the right and when it applies please see the Information Commissioner's website.
This is closely linked to other rights. You have the right to restrict processing in limited circumstances for example if you think our data is inaccurate and you want to limit what we do with it until we have considered rectification (see above). We will tell you within one month what action we intend to take in response to your request.
You have a general right to object to our processing your personal data if we are processing your information for direct marketing. We will always respect such an objection.
You also have a right to object on "grounds relating to your particular situation" when we are processing your personal data:
- On the basis of our legitimate interests or the performance of a task in the public interest/exercise of official authority. This would include our processing of medical records and employee records; or
- For purposes of scientific/historical research and statistics.
For example, someone might object to us sharing their address if they were on a witness protection programme. We can refuse to uphold an objection if it is not based on their particular situation or in any event on compelling grounds - for example to save the life of a child of the person on the witness protection scheme.
For a full explanation of the right and when it applies please see the Information Commissioner’s website.
If you wish to exercise any of the rights other than a Subject Access Request please contact the Trust's Data Protection Officer via:
Trust Headquarters
Marlborough Street
Phone: 0117 342 3701
You also have a right to complain to the Information Commissioner if you are in any way unhappy with the way we have processed your personal information or allowed you to exercise your rights. Please see: