Introduction
Under the Data Protection Act 2018 (DPA 2018) and the United Kingdom’s General Data Protection Regulation (UK GDPR), living individuals have the right to access the records the Trust holds about them, including their health data. This is known as a Subject Access Request (SAR).
For many patients this will be a straightforward process, but, for some, the release of their health data could “cause serious harm to the physical or mental health of any individual.” Consideration of this must, therefore, be done on a case-by-case basis with an appropriate health professional assessing whether releasing the records will cause serious harm to the patient or any other individual (this is legally known as the ‘serious harm test’).
All decisions during this process must be clearly and fully documented in case they are later challenged via a complaint to the Information Commissioner’s Office (ICO) or through court proceedings. The Trust may be asked to provide this record as evidence.
Who Must Undertake the Assessment
Legally, an ‘appropriate health professional’ must undertake this assessment – this cannot be done by anyone else. Please see below for the legal definitions of who is deemed a ‘health professional’ and an ‘appropriate health professional’.
As such, the assessment must be undertaken by the health professional who is currently or was most recently responsible for the diagnosis, care, or treatment of the patient. If this is not possible, another health professional can be asked to perform this check based on the content of the care records.
What Should be Considered for the Serious Harm Test?
The following table gives some examples of what should be considered as part of the serious harm assessment. (This list is not intended to be comprehensive.)
| Consideration | Example |
| --- | --- |
| Is there any information that may cause distress to the patient or may cause harm to the patient’s mental and/or physical health? (It cannot apply to information the patient already knows.) | Are there references to a diagnosis which has not yet been communicated to the patient (eg a cancer diagnosis) or references to historical abuse or similar suffered as a child which may not be known to the patient? Sharing a counsellor’s notes with a patient in a vulnerable state could put them at risk of self-harm. |
| Is there any information that may cause distress to any other person or may cause harm to any other person’s mental and/or physical health? | Has a family member provided information to the Trust about the patient of which the patient is not aware? Could the patient learning about this cause harm to them or to the family member? |
| Is the individual vulnerable to coercion to share access to their record or unable to keep their access or record secure? | Is the individual in a controlling or violent relationship where they may be forced into providing their information to someone else? An abusive partner requests their personal data that a domestic abuse helpline collected when providing help to the abused victim. The very act of confirming that such data exists could expose the victim to further harm. |
| Does the information identify any safeguarding concerns in relation to children or vulnerable adults? If so, can this information be released? Do the people involved know about it? | Mum has mentioned that she’s worried that her ex-husband’s (the Dad) new girlfriend is abusing her child when visiting them. Dad then applies, using his parental responsibility rights, for a copy of the child’s records to use in court. |
| Does the information contain facts, statements or opinions that have been given on the basis that it would not be further disclosed or disclosed to specific individuals? | A person admits to being sexually assaulted in their childhood, but expressly asks for this to be kept between the person and health professional and not to be shared any further. |
The DPA 2018 defines health professionals and appropriate health professionals as follows.
A health professional is one of the following.
- A registered medical practitioner (which includes a person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section),
- a registered nurse or midwife,
- a registered dentist within the meaning of section 53 of the Dentists Act 1984,
- a registered dispensing optician or a registered optometrist within the meaning of section 36 of the Opticians Act 1989,
- a registered osteopath within the meaning of section 41 of the Osteopaths Act 1993,
- a registered chiropractor within the meaning of Section 43 of the Chiropractors Act 1994,
- a person registered as a member of a profession to which the Health and Social Work Professions Order 2001 (S.I. 2002/254) for the time being extends, other than the social work profession in England,
- a registered pharmacist or a registered pharmacy technician within the meaning of article 3 of the Pharmacy Order 2010 (S.I. 2010/231),
- a registered person within the meaning of article 2 of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)),
- a child psychotherapist, and
- a scientist employed by a health service body as head of a department.
An appropriate health professional is one of the following.
- (a) The health professional who is currently or was most recently responsible for the diagnosis, care, or treatment of the data subject in connection with the matters to which the data relates,
- (b) where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or
- (c) a health professional who has the necessary experience and qualifications to provide an opinion on the question, where there is no health professional available falling within paragraph (a) or (b).
In addition, the Trust adds the following Health and Care Professions Council (HCPC) registered practitioner psychologists and allied health professionals to the above list of health professionals.
Psychologists
- Psychologists (Clinical Psychologists, Counselling Psychologists, Forensic Psychologists, and Health Psychologists).
- Psychological Therapists (Cognitive Behaviour Therapists, Counsellors, Adult Psychotherapists, Child and Adolescent Psychotherapists, and Family and Systemic Psychotherapists).
- Psychological Practitioners (Psychological Wellbeing Practitioners, Children’s Wellbeing Practitioners, Educational Mental Health Practitioners, Youth Intensive Psychological Practitioners, Associate Psychological Practitioners, and Clinical Associate Psychologists).
Allied Health Professionals
- Arts Therapists.
- Biomedical Scientists.
- Chiropodists/Podiatrists.
- Clinical Scientists.
- Dietitians.
- Hearing Aid Dispensers.
- Occupational Therapists.
- Operating Department Practitioners.
- Orthoptists.
- Paramedics.
- Physiotherapists.
- Practitioner Psychologists.
- Prosthetists/Orthotists.
- Radiographers.
- Speech and Language Therapists.
For further information about AHP job roles, please click here to visit the HCPC website.
As noted above, the assessment must be undertaken by the health professional who is currently or was most recently responsible for the diagnosis, care, or treatment of the patient. If this is not possible, another health professional can be asked to perform this check based on the content of the care records.
These are usually noted on the electronic patient records as the “lead professional”, “allocated therapist”, “last contact” or other such term (click here for examples). Where this is the case, this health professional will be approached for their assessment.
Where there is more than one such health professional, the person who saw the patient most recently will be asked first. If they are unable to provide an assessment, the next health professional will be approached.
Where there is no appropriate health professional stated or if the appropriate health professional has left the Trust or no longer practises, another health professional who has the necessary experience and qualifications to provide an opinion will be asked to perform the assessment. This could be the health professional who has since replaced the appropriate health professional or the team manager or other clinical lead. They do not have to know the patient or have been involved in their care; they just need to be qualified to make an informed judgment based on the content of the care record.
All efforts must be made to consult with the appropriate health professional as patient information cannot be released without a serious harm assessment being undertaken. Any difficulties in identifying or engaging with someone must be immediately escalated to the Information Governance (IG) Team. The IG Team will assist with trying to identify or engage with the appropriate health professional. If this is still not possible, they will then help the SAR Team to evidence that all reasonable steps have been taken to contact the appropriate health professional and advise on how to write to the requestor refusing their request. It is important that this documentation is done carefully as it will be the first thing the Information Commissioner’s Office (ICO) will ask for if they receive a complaint about the Trust’s handling of the SAR.
The Trust has one calendar month to respond to a SAR from the date it is received. If the request is considered ‘complex’, then a two-month extension can be applied. To determine whether the extension should be applied, the appropriate health professional must respond to the assessment request in a timely manner. Notification to the requestor that the two-month extension is being applied must be done BEFORE the initial one-month deadline is reached. As such, the following contact and escalation process is suggested.
| Day(s) | Action |
| --- | --- |
| 1 | Request received. |
| 1-3 | Log request on Radar and check information is held. If held, acknowledge the request, identify the appropriate health professional, and contact them for the serious harm assessment. |
| 4-18 | Appropriate health professional has two weeks to undertake the serious harm assessment. |
| 10 | If no response received, SAR Team to email appropriate health professional reminding them they have one week left to undertake serious harm assessment. |
| 18 | If no response received, SAR Team to email appropriate health professional stating assessment is now required and, if not received, will be escalated. |
| 19 | Escalate request to line/team/service manager and give them two days to respond. |
| 22 | Escalate request to IG Team, who may escalate to the Chief Medical Officer/Caldicott Guardian. |
The following process will be followed to deal with SARs and the subsequent serious harm test. Click here to see a flow chart of this process.
- A SAR is received from a patient or an authorised person representing them (eg solicitor, family member, friend, advocate, etc).
- The SAR Team logs the request on Radar as an Access to Records Request.
- The SAR Team then checks all information systems to determine whether the patient is known to the Trust and that information is held about them.
- If no information is held, the requestor is notified, and the request is closed on Radar.
- If information is held, the SAR Team acknowledges the request and then identifies the appropriate health professional and continues following the process below.
- The SAR Team will email the appropriate health professional stating that a SAR has been received and asking whether there are any concerns for the patient’s, or any other individual’s, physical or mental health if this information is released [1]. (The email will state who the patient is and who the information will be released to.) A two-week deadline to respond will be given. Radar will be updated, and the SAR Team will begin to collate the information requested whilst waiting for a reply. (The information must be collated electronically into PDF files using Fox-it Pro to enable secure and professional redactions to be made.)
- If the appropriate health professional does not feel there is any serious harm associated with releasing the information, the SAR Team will undertake the Data Protection Review (see the section below for further information) and redactions (for third party information). The response will then be released, with all actions fully documented on Radar. A copy of the documents being released will be held on Radar with the redactions marked, but not applied, in case any complaints need investigating. The request will now be closed.
- If the appropriate health professional does feel there is a risk of serious harm to an individual, they must clearly specify what their concerns are – which will be held on Radar. The SAR Team will then apply the two-month extension [2] and write to the requestor informing them of this [3] and continue following the process below.
- The SAR Team will undertake the Data Protection Review of the information (for third party information) within two weeks and highlight all suggested redactions in yellow.
- The documents will be securely shared with the appropriate health professional, either via a shared network drive or by email.
- The appropriate health professional will then review the documents to determine what may be released (if anything). They have one month to complete this review.
- Following review, if it is felt that no information can be released, the appropriate health professional must clearly document this in an email to the SAR Team, who will record it on Radar, notify the requestor that the Trust cannot respond to the request [3] and then close the request on Radar.
- If some information can be released, the appropriate health professional must highlight in green any information that they feel cannot or must not be released and return the document to the SAR Team, who will continue following the process below.
- The SAR Team will save the highlighted PDF to Radar and then apply all redactions before releasing to the requestor. Once released, the request will be closed on Radar.
[1] Occasionally, requests may be received from multiple sources within a few months of each other. The appropriate health professional must be asked each time a new request is received, even if they have recently given their opinion, unless this is unreasonable. This is because situations can quickly change, or releasing information to some requestors may not cause a risk, but releasing to a difficult requestor may cause risk. However, the SAR Team can acknowledge that they have recently asked and ask if the change of requestor or any changes in circumstances has changed their initial response.
[2] Under the legislation, the Trust can apply a two-month extension to complex requests. Requests that need considering under the serious harm test can be considered complex and can have this extension applied. However, it would be inappropriate to apply this to all requests being received as the majority will not have any concerns raised around serious harm.
[3] Consideration must be given to how this is worded as it may not be appropriate to tell the individual why the time limit has been extended or why information is being withheld. It will depend on the circumstances, but the Trust should be as transparent as possible.
The process for sharing patient records with the appropriate health professional will be electronic, rather than paper-based. Documents must be converted to PDF prior to sharing, and the highlighting tools in the PDF reader must be used to clearly identify information that must be redacted prior to release. This enables all changes to the documents to be tracked on the documents themselves.
This new way of handling electronic records will be the best way to manage the files and removes the use of paper copies.
Click here for guidance on secure emailing.
Prior to releasing any information, the SAR Team will undertake a Data Protection Review and apply appropriate redactions to the documentation. Click here to see a flowchart of the review process.
This will primarily be in relation to information that relates to someone other than the patient, referred to as a third-party. It may appear in the patient’s record as:
- an entry or attached file recorded in the wrong patient’s notes by mistake,
- information about the patient given in confidence by a third-party (but not a health professional providing direct care to the patient),
- information about a third-party that is confidential to that person and to which the patient does not have a right to access, or
- a letter or report that refers to more than one patient.
The names and job titles of NHS staff who have accessed the records for any reason will not be removed as they have accessed it as part of their duties, unless it is felt that releasing the names could cause distress or harm to the patient, staff or another individual.
Third-party information that has clearly been provided by the patient or is already known to the patient can be left in the documents and does not need to be redacted.
If the third-party information can be redacted (blacked out and hidden from view) then this is not a reason to withhold the records.
Responses to SARs must be held for three years unless an appeal/complaint is received in which case they must be held for six years.
The SAR Teams will retain all emails and documentation on Radar. This will include a final copy of the documents to be released with all redactions highlighted, but not applied. This is in case a complaint is received via the ICO that information has been unnecessarily redacted.
If a further request for information is received within six months, the appropriate health professional must be re-consulted as the patient’s circumstances could have changed, unless it is clear from the patient's care record that they have not been in touch with the Trust during those six months.
If the patient has not been seen during that time, the SAR Team should document on Radar that the appropriate health professional was not re-consulted due to the patient not having been seen since the last review.
British Medical Association (2018) Access to Health Records (Accessed: 02/06/2023)
Information Commissioner’s Office (n.d.) Health Data (Accessed: 02/06/2023)
Legislation.gov.uk (n.d.) Data Protection Act 2018 Schedule 3 Part 2 Paragraph 2(1) – Health Data (Accessed: 02/06/2023)
Legislation.gov.uk (n.d.) Data Protection Act 2018 Part 7 Section 204 – Meaning of “Health Professional” and “Social Work Professional” (Accessed: 02/06/2023)
N3i Information Governance (2020) 22. Serious Harm Test (Accessed: 02/06/2023)
Royal College of General Practitioners (n.d.) GP Online Services Guidance – Managing Potentially Harmful Information (Accessed: 02/06/2023)
If appropriate health professionals have any questions in relation to this process, please speak to your line manager in the first instance.
If there are any questions around the SAR process and Data Protection Reviews, please contact the Trust’s Information Governance Team by email IG
Alternatively, advice can be sought from your professional body or the Information Commissioner's Office.