Clarity

Published: 15 February 2024

A patient asked their legal representative to make a ‘data subject access request’ (DSAR) to their GP on their behalf.

Background
A patient asked their legal representative to make a ‘data subject access request’ (DSAR) to their GP on their behalf. The DSAR asked for all the patient’s medical data (a general request) within a particular date range (a specific limit). Notwithstanding this apparent lack of clarity about which data was being requested, the GP’s practice did not seek any further information or clarification from the legal representative and went on to send the patient’s complete medical history to the legal representative by email.

The patient was unhappy that their entire medical record had been sent to, and seen by, their legal representative: the patient had only intended the representative to convey the request and wanted the data sent directly to the patient. The patient was also concerned that the GP practice would send such a large volume of highly sensitive information (special category data) via unencrypted email. The GP’s practice accepted that its own internal policies did not permit it to send medical data via email, but said it had assumed that, because the request came in via email, it had to be responded to in the same way.

Learning points
  • Ensure you are aware of and plan for receiving requests from individuals for their personal data (DSARs).
  • If you want to submit a DSAR, ensure that your request is clear on exactly what data you want and how you want to receive it.
  • If you receive a DSAR and are not clear about any aspect of it, contact the requesting individual without delay to ensure clarity.
  • If there is a third party acting for the requesting individual, ensure you have the appropriate consent and that you are clear about the instructions.
  • If you are responding to a DSAR, talk to the person making the request and ensure you are providing their data back to them in a way that they are comfortable with and in a way that adheres to your own policies. All personal data must be stored and sent with care, and when you are dealing with special category data (e.g. medical information, criminal data, biometrics, etc.) you must use additional safeguards.