The DPA 2018 defines health professionals and appropriate health professionals as follows.

A health professional is one of the following.

1. A registered medical practitioner (which includes a person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section),
2. a registered nurse or midwife,
3. a registered dentist within the meaning of section 53 of the Dentists Act 1984,
4. a registered dispensing optician or a registered optometrist within the meaning of section 36 of the Opticians Act 1989,
5. a registered osteopath with the meaning of section 41 of the Osteopaths Act 1993,
6. a registered chiropractor within the meaning of Section 43 of the Chiropractors Act 1994,
7. a person registered as a member of a profession to which the Health and Social Work Professions Order 2001 (S.I. 2002/254) for the time being extends, other than the social work profession in England,
8. a registered pharmacist or a registered pharmacy technician within the meaning of article 3 the Pharmacy Order 2010 (S.I. 2010/231),
9. a registered person within the meaning of article 2 of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)),
10. a child psychotherapist, and
11. a scientist employed by a health service body as head of a department.

An appropriate health professional is one of the following.

1. The health professional who is currently or was most recently responsible for the diagnosis, care, or treatment of the data subject in connection with the matters to which the data relates,
2. where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or
3. a health professional who has the necessary experience and qualifications to provide an opinion on the question, where there is no health professional available falling within paragraph (a) or (b).

In addition, the Trust adds the following Health and Care Professions Council (HCPC) registered practitioner psychologists and allied health professionals to the above list of health professionals.

Psychologists

• Psychologists (Clinical Psychologists, Counselling Psychologists, Forensic Psychologists, and Health Psychologists).
• Psychological Therapists (Cognitive Behaviour Therapists, Counsellors, Adult Psychotherapists, Child and Adolescent Psychotherapists, and Family and Systemic Psychotherapists).
• Psychological Practitioners (Psychological Wellbeing Practitioners, Children’s Wellbeing Practitioners, Educational Mental Health Practitioners, Youth Intensive Psychological Practitioners, Associate Psychological Practitioners, and Clinical Associate Psychologists).

Allied Health Professionals

• Arts Therapists.
• Biomedical Scientists.
• Chiropodists/Podiatrists.
• Clinical Scientists.
• Dietitians.
• Hearing Aid Dispensers.
• Occupational Therapists.
• Operating Department Practitioners.
• Orthoptists.
• Paramedics.
• Physiotherapists.
• Practitioner Psychologists.
• Prosthetists/Orthotists.
• Radiographers.
• Speech and Language Therapists.

For further information about AHP job roles, please click here to visit the HCPC website.

As noted above, the assessment must be undertaken by the health professional who is currently or was most recently responsible for the diagnosis, care, or treatment of the patient.  If this is not possible, another health professional can be asked to perform this check based on the content of the care records.

These are usually noted on the electronic patient records as the “lead professional”, “allocated therapist”, “last contact” or other such term (click here for examples).  Where this is the case, this health professional will be approached for their assessment.

Where there is more than one such health professional, the person who saw the patient most recently will be asked first.  If they are unable to provide an assessment, the next health professional will be approached.

Where there is no appropriate health professional stated or if the appropriate health professional has left the Trust or no longer practices, another health professional who has the necessary experience and qualifications to provide an opinion will be asked to perform the assessment.  This could be the health professional who has since replaced the appropriate health professional or the team manager or other clinical lead.  They do not have to know the patient or have been involved in their care … they just need to be qualified to make an informed judgment based on the content of the care record.

All efforts must be made to consult with the appropriate health professional as patient information cannot be released without a serious harm assessment being undertaken.  Any difficulties in identifying or engaging with someone must be immediately escalated to the Information Governance (IG) Team.  The IG Team will assist with trying to identify or engage with the appropriate health professional.  If this is still not possible, they will then help the SAR Team to evidence that they have taken all reasonable steps to contact the appropriate health professional and how to write to the requestor refusing their request.  It is important that this documentation is done carefully as it will be the first thing the Information Commissioner’s Office (ICO) will ask for if they receive a complaint about its handling of the SAR.

The Trust has one calendar month to respond to a SAR from the date it is received.  If the request is considered as ‘complex’, then a two-month extension can be applied.  To determine whether the extension should be applied, the appropriate health professional must respond to the assessment request in a timely manner.  Notification to the requestor that the two-month extension is being applied, must be done BEFORE the initial one-month deadline is reached.  As such, the following contact and escalation process is suggested.

The following process will be followed to deal with SARs and the subsequent serious harm test.  Click here to see a flow chart of this process.

1. A SAR is received from a patient or an authorised person representing them (eg solicitor, family member, friend, advocate, etc).
2. The SAR Team logs the request on Radar as an Access to Records Request.
3. The SAR Team then checks all information systems to determine whether the patient is known to the Trust and that information is held about them.
   1. If no information is held, the requestor is notified, and the request is closed on Radar.
   2. If information is held, the SAR Team acknowledges the request and then identifies the appropriate health professional and continues following the process below.
4. SAR Team will email the appropriate health professional stating that a SAR has been received and are there any concerns for the patient’s, or any other individual’s, physical or mental health if this information is released¹.  (The email will state who the patient is and who the information will be released to.)  A two-week deadline to respond will be given.  Radar will be updated, and the SAR Team will begin to collate the information requested whilst waiting for a reply.  (The information must be collated electronically into PDF files using Fox-it Pro to enable secure and professional redactions to be made.)
   1. If the appropriate health professional does not feel there is any serious harm associated with releasing the information, the SAR Team will undertake the Data Protection Review (see the section below for further information) and redactions (for third party information).  The response will then be released, with all actions fully documented on Radar.  A copy of the documents being released will be held on Radar with the redactions marked, but not applied, in case any complaints need investigating.  The request will now be closed.
   2. If the appropriate health professional does feel there is a risk of serious harm to an individual, they must clearly specify what their concerns are – which will be held on Radar.  The SAR Team will then apply the two-month extension² and write to the requestor informing them of this³ and continue following the process below.
5. The SAR Team will undertake the Data Protection Review of the information (for third party information) within two weeks and highlight all suggested redactions in yellow.
6. The documents will be securely shared with the appropriate health professional, either via a shared network drive or by email.
7. The appropriate health professional will then review the documents to determine what may be released (if anything).  They have one month to complete this review.
   1. Following review, if it is felt that no information can be released, the appropriate health professional must clearly document this in an email to the SAR Team, who will record it on Radar, notify the requestor that the Trust cannot respond to the request³ and then close the request on Radar.
   2. If some information can be released, the appropriate health professional must highlight in green any information that they feel cannot or must not be released and return the document to the SAR Team, who will continue following the process below.
8. The SAR Team will save the highlighted PDF to Radar and then apply all redactions before releasing to the requestor.  Once released, the request will be closed on Radar.

The process for sharing patient records with the appropriate health professional will be electronic, rather than paper-based.  This must be done electronically by PDFing documents prior to sharing and using the highlighting tools in the PDF reader to clearly identify information that must be redacted prior to release.  This enables all changes to the documents to be tracked on the documents themselves.

This new way of handling electronic records will be the best way to manage the files and removes the use of paper copies.

Click here for guidance on secure emailing.

Prior to releasing any information, the SAR Team will undertake a Data Protection Review and apply appropriate redactions to the documentation.  Click here to see a flowchart of the review process.

This will primarily be in relation to information that relates to someone other than the patient, referred to as a third-party. It may appear in the patient’s record as:

• an entry or attached file recorded in the wrong patient’s notes by mistake,
• information about the patient given in confidence by a third-party (but not a health professional providing direct care to the patient),
• information about a third-party that is confidential to that person and to which the patient does not have a right to access, or
• a letter or report that refers to more than one patient.

The names and job titles of NHS staff who have accessed the records for any reason will not be removed as they have accessed it as part of their duties, unless it is felt that releasing the names could cause distress or harm to the patient, staff or other individual.

Third-party information that has clearly been provided by the patient or is already known to the patient can be left in the documents and does not need to be redacted.

If the third-party information can be redacted (blacked out and hidden from view) then this is not a reason to withhold the records.

Responses to SARs must be held for three years unless an appeal/complaint is received in which case they must be held for six years.

The SAR Teams will retain all emails and documentation on Radar.  This will include a final copy of the documents to be released with all redactions highlighted, but not applied.  This is in case a complaint is received via the ICO that information has been unnecessarily redacted.

If a further request for information is received within six months, the appropriate health professional must be re-consulted as the patient’s circumstances could have changed, unless it is clear from the patient's care record that they have not been in touch with the Trust during those six months.

If the patient has not been seen during that time, the SAR Team should document on Radar that the appropriate health professional was not re-consulted due to the patient not having been seen since the last review.

British Medical Association (2018) Access to Health Records (Accessed: 02/06/2023)

Information Commissioner’s Office (n.d.) Health Data (Accessed: 02/06/2023)

Legislation.gov.uk (n.d.) Data Protection Act 2018 Schedule 3 Part 2 Paragraph 2(1) – Health Data (Accessed: 02/06/2023)

Legislation.gov.uk (n.d.) Data Protection Act 2018 Part 7 Section 204 – Meaning of “Health Professional” and Social Work Professional” (Accessed: 02/06/2023)

N3i Information Governance (2020) 22. Serious Harm Test (Accessed: 02/06/2023)

Royal College of General Practitioners (n.d.) GP Online Services Guidance – Managing Potentially Harmful Information (Accessed: 02/06/2023)

If appropriate health professionals have any questions in relation to this process, please speak to your line manager in the first instance.

If there are any questions around the SAR process and Data Protection Reviews, please contact the Trust’s Information Governance Team by email IG@merseycare.nhs.uk (IG (MCT) on the global address list in Outlook).

Alternatively, advice can be sought from your professional body or the Information Commissioner's Office.