Response received from Information Commissioner's Office this morning:
Dear <helvella>,
Thank you for your email of 30 January 2020.
Data protection legislation does not specify how to make a valid request. Therefore, an individual can make a subject access request verbally or in writing.
Organisations can ask an individual to complete a form, but the individual is under no obligation to do so. A subject access request is valid if it is submitted by any means, so they will still need to comply with any request they receive verbally, in a letter or a standard email.
Although you can make a request verbally we do recommend doing so in writing if possible, because this gives you a record of your request.
There is further information about how to make a subject access request on our website, via the previous link.
I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number <redacted phone number>. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.
Yours sincerely
<redacted name>
Case Officer
Information Commissioner's Office
I hope this clarifies - but I have asked for further clarification about the "signed consent form" that is also being demanded.
Written by
helvella
Administrator
To view profiles and participate in discussions please or .
18 Replies
•
No doubt I'm being dim, but what is this "Signed consent form" about?
a signed consent form is usually standard practise when releasing sensitive and confidential data to an individual. it covers the organisation handing out this info and they can leave this on file to assure their governing bodies etc that the data was released in accordance with the law
Having just asked for Subject Access Request from my local hospital via PALS I was emailed a form to fill in requesting what information I wished to have and asking for two pieces of supporting evidence of who I was and signing the form under GDPR . I then email all this information back to them and they should return to me a disc with all the information requested in 30 days from receipt. Is this the signed consent form, do you think Hidden ? Thanks for this information helvella .
that sounds like standard practise. i’ve requested records from uk border agency, social services etc and always completed a form and provided written consent from clients. same with requesting my own records from GP. yes, information laws don’t require this but it’s practical and covers legal and moral duties to ensure our data is safe
So "Subject Access Request" is the same as asking for a disclosure of medical records. I've heard of PALS (Patient Access...something-or-other) but can't remember what GDPR is.
I have thought about asking for my full medical records but anything official, such as filing in forms, or even asking for such a form, does my head in!
So in answer to your question "Is this the signed consent form, do you think?" I haven't a clue
it just means a request for your data/records. it is a great provision to give us what we rightly need- our own medical history.
you can simply write a letter to your GP saying please provide me with my medical records, including test results and reference ranges. then sign and date it, and give them a copy of your ID. that should suffice. if they ask you to complete a form its usually personal details, what you want and a declaration saying you are who you say you are
gdpr is just the new name for data protection. that just means the law that gives us some rights to our data and privacy rights, generally speaking. and it covers circumstances where officials give away our information by accident/breach our confidentially. it’s quite useful.
you don’t have to for those particular rules, but for easy administration, confidentiality and data protection it’s better that we do comply and organisations take our privacy seriously ( in my opinion) ,
I would be far happier if the people writing instructions/rules took account of the legal situation. Something like:
If you wish to access your medical records, we find the best way is for you to download or pick up our standard form, fill it in and email it to us or drop it off at the surgery.
This helps to ensure that all information necessary to fulfil your request has been provided and we will be best able to handle your request efficiently.
If there is some reason you would prefer not to, or cannot, use a form, we can accept requests without.
yes.... but then again we can’t even get the medics to take account of the medical situation half the time! dammit!!! but yes unfortunately it feels like rules and regulations aren’t explained or rolled out in a way that is easy to navigate! it’s what i’ve spent my whole career helping people to do.
i suppose it comes down to this- if the person:/agency in question hands out your medical data they break the law- personally and organisationally. therefore having proof of ID on file along with written confirmation of the request that covers them with their auditors and the law. whilst information rules don’t necessarily require this, data and confidentiality best practise often do. i’m not splitting hairs or defending the medical institutions (as i’ve had so many issues with them), i’m just pointing out this is one battle we don’t need to have. if one doesn’t have a photo ID they should accept two other forms of ID such as utility bill and medical letter or such like
I know ... why we have to battle to get treated is beyond me. I once burst into tears when my Endocrinologist told me everything was normal when I felt so ill .... his response counselling!!
Content on HealthUnlocked does not replace the relationship between you and doctors or other healthcare professionals nor the advice you receive from them.
Never delay seeking advice or dialling emergency services because of something that you have read on HealthUnlocked.