A NEW guide to help organisations deal with requests from individuals to access personal data has been published by The Information Commissioner’s Office (ICO).
Every individual has a right under the Data Protection Act to request access to information held about them by organisations such as hospitals or medical or dental practices. These subject access requests (SARs) can range from medical records to credit histories and should normally be responded to within 40 days (although government guidance for healthcare organisations is 21 days).
The new guide is intended to help organisations handle subject access requests more efficiently, "while supporting the public in taking control of their personal information".
As part of the launch the ICO has published an online checklist of 10 simple steps which organisations should consider when responding to subject access requests.
1. Identify whether a request should be considered as a subject access request.
2. Make sure you have enough information to be sure of the requester’s identity.
3. If you need more information from the requester to find out what they want, then ask at an early stage.
4. If you’re charging a fee, ask for it promptly.
5. Check whether you have the information the requester wants.
6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
7. But do consider whether the records contain information about other people.
8. Consider whether any of the exemptions apply.
9. If the information includes complex terms or codes, then make sure you explain them.
10. Provide the response in a permanent form, where appropriate.
The ICO revealed that the healthcare sector was responsible for around 600 of the 6,000 complaints over SARs in 2012/13.