Subject Access Requests for 3rd party information
Subject Access Requests – Third Party
Please note that any third-party Subject Access Requests (SARs) we receive will no longer be released to a third party.
In assessing SARs, Armley Medical Practice refers to the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR), along with the Information Commissioner’s Office (ICO) guidance on these.
ICO guidance states that “A third party can make a SAR on behalf of an individual, provided that the third party is entitled to act on the individual’s behalf” but does not say that this information must be released to that third party.
In addition to the DPA/GDPR, for healthcare data, NHSE guidance states “in common law, there is a duty of confidentiality which means that when a patient/service user shares information in confidence it must not be disclosed without some form of legal authority or justification. In practice, this usually means that the information cannot be disclosed without that person’s consent.”
A SAR contains all patient records from a time period and inevitably includes information of which the data subject may not be aware. For this reason, we cannot be sure that the data subject is fully informed, and therefore able to consent to the release of the information, until they have reviewed it themselves.
In addition, disclosing such information to a third party would likely mean disclosing information that was not relevant, was excessive, and would not be in line with the principle of data minimisation, as per Article 5(1)(c) and Article 25(2) of GDPR.
For this reason, Armley Medical Practice policy is to release the SAR only to the data subject. It can be collected from the practice, at no cost to the patient, or emailed directly to the patient securely, after which our duty under GDPR has been discharged and the data subject is free to share this information with a third party if they wish.