Subject Access Requests

The General Data Protection Regulations state that you have a right to access personal information that Colton Mill and The Grange Medical Centre holds about you. There are three main areas of legislation that allow the right of the individual to request such personal information, and they are:

  • The Data Protection Act 1998
  • The Access to Health Records Act 1990
  • The Medical Reports Act 1988

How do I request access to the information you hold about me?

  • All requests must be in writing to the Data Controller at Colton Mill and The Grange Medical Centre.
  • Verbal requests can be accepted where the individual is unable to put the request in writing – this must be noted on the patient record.
  • Proof of identity MUST be provided to satisfy the Data Controller and to enable them to locate the correct information.
  • Where a request is made on behalf of another person, the Data Controller must be satisfied that correct and adequate consent has been provided.
  • The Data Controller needs to check whether the individual’s entire health record is required or just certain information.
  • Where an information request has been previously fulfilled, the Data Controller does not have to honour the same request again unless a reasonable time-period has elapsed. It is up to the Data Controller to ascertain what constitutes a reasonable period.

How long will it take to get my data?

Requests for health records information will be recorded internally and processed within 30 days (unless under exceptional circumstances – the applicant must be informed where a longer period is required).

Will I have to pay to access my data?

We do not charge for subject access requests.

Will you object or restrict any information?

The Data Controller has the right to object or restrict the use of your personal information for the following reasons:

  • The information released may cause serious harm to the physical or mental health or condition of the individual or any other person.
  • The disclosure would also reveal information relating to or provided by a third person who has not consented to that disclosure.

A reason for denial of information does not have to be given to the individual, but must be recorded.

Can I access information about my children?

  • Parents will normally have parental responsibility for accessing the health records of their children.
  • The Data Controller will need to obtain consent of the child where necessary (16 and 17 year olds are seen as adults in relation to confidentiality, and their consent would be necessary).
  • Children under 16 who have capacity and understanding for decision-making need to have their confidentiality respected.

To request access, please complete the form below and return it to the practice.