Subject Access Request - More Information - Thyroid UK

Thyroid UK

143,861 members•169,308 posts

Subject Access Request - More Information

helvella•

5 years ago•15 Replies

Response received from Information Commissioner's Office this morning:

Dear <helvella>,

Thank you for your email of 30 January 2020.

Data protection legislation does not specify how to make a valid request. Therefore, an individual can make a subject access request verbally or in writing.

Organisations can ask an individual to complete a form, but the individual is under no obligation to do so. A subject access request is valid if it is submitted by any means, so they will still need to comply with any request they receive verbally, in a letter or a standard email.

Although you can make a request verbally we do recommend doing so in writing if possible, because this gives you a record of your request.

There is further information about how to make a subject access request on our website, via the previous link.

I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number <redacted phone number>. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.

Yours sincerely

<redacted name>

Case Officer

Information Commissioner's Office

I hope this clarifies - but I have asked for further clarification about the "signed consent form" that is also being demanded.

Written by

helvella

To view profiles and participate in discussions please or .

15 Replies

•

5 years ago

No doubt I'm being dim, but what is this "Signed consent form" about?

london815 years ago

a signed consent form is usually standard practise when releasing sensitive and confidential data to an individual. it covers the organisation handing out this info and they can leave this on file to assure their governing bodies etc that the data was released in accordance with the law

nightingale-565 years ago

Having just asked for Subject Access Request from my local hospital via PALS I was emailed a form to fill in requesting what information I wished to have and asking for two pieces of supporting evidence of who I was and signing the form under GDPR . I then email all this information back to them and they should return to me a disc with all the information requested in 30 days from receipt. Is this the signed consent form, do you think Hidden ? Thanks for this information helvella .

london81• in reply tonightingale-565 years ago

that sounds like standard practise. i’ve requested records from uk border agency, social services etc and always completed a form and provided written consent from clients. same with requesting my own records from GP. yes, information laws don’t require this but it’s practical and covers legal and moral duties to ensure our data is safe

nightingale-56• in reply tolondon815 years ago

By far the easiest way to ask for information london81 .

• in reply tonightingale-565 years ago

So "Subject Access Request" is the same as asking for a disclosure of medical records. I've heard of PALS (Patient Access...something-or-other) but can't remember what GDPR is.

I have thought about asking for my full medical records but anything official, such as filing in forms, or even asking for such a form, does my head in!

So in answer to your question "Is this the signed consent form, do you think?" I haven't a clue

london81• in reply to5 years ago

it just means a request for your data/records. it is a great provision to give us what we rightly need- our own medical history.

you can simply write a letter to your GP saying please provide me with my medical records, including test results and reference ranges. then sign and date it, and give them a copy of your ID. that should suffice. if they ask you to complete a form its usually personal details, what you want and a declaration saying you are who you say you are

gdpr is just the new name for data protection. that just means the law that gives us some rights to our data and privacy rights, generally speaking. and it covers circumstances where officials give away our information by accident/breach our confidentially. it’s quite useful.

• in reply tolondon815 years ago

Thank you

Treepie• in reply to5 years ago

PALS is a patient advisory and liaison service ,a link between patients and hospital carers.

nightingale-56• in reply to5 years ago

I would think so.

london815 years ago

you don’t have to for those particular rules, but for easy administration, confidentiality and data protection it’s better that we do comply and organisations take our privacy seriously ( in my opinion) ,

helvella• in reply tolondon815 years ago

I would be far happier if the people writing instructions/rules took account of the legal situation. Something like:

If you wish to access your medical records, we find the best way is for you to download or pick up our standard form, fill it in and email it to us or drop it off at the surgery.

This helps to ensure that all information necessary to fulfil your request has been provided and we will be best able to handle your request efficiently.

If there is some reason you would prefer not to, or cannot, use a form, we can accept requests without.

london81• in reply tohelvella5 years ago

yes.... but then again we can’t even get the medics to take account of the medical situation half the time! dammit!!! but yes unfortunately it feels like rules and regulations aren’t explained or rolled out in a way that is easy to navigate! it’s what i’ve spent my whole career helping people to do.

helvella5 years ago

And if you do not have a passport?

(To avoid the obvious next suggestion. )

And if you do not have a driving licence?

london81• in reply tohelvella5 years ago

i suppose it comes down to this- if the person:/agency in question hands out your medical data they break the law- personally and organisationally. therefore having proof of ID on file along with written confirmation of the request that covers them with their auditors and the law. whilst information rules don’t necessarily require this, data and confidentiality best practise often do. i’m not splitting hairs or defending the medical institutions (as i’ve had so many issues with them), i’m just pointing out this is one battle we don’t need to have. if one doesn’t have a photo ID they should accept two other forms of ID such as utility bill and medical letter or such like