One of the most obvious operational changes brought about by GDPR is the loss of the general ability to charge individuals for making a subject access request; the £10 (or sometimes £50) fee that was possible under the Data Protection Act 1998 can no longer generally be charged. We are aware that some health organisations have already seen increases in requests since GDPR came into effect, and questions are being asked about when it is possible to charge a fee.

Under GDPR, it remains specifically possible to levy a reasonable fee to cover the costs of providing multiple copies of the same information. Article 12 GDPR also provides that where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

There are three key points to note in the above provisions:

  1. The reference to ‘requests’ in the plural sense – given the ‘fundamental nature’ of the subject access right, our view is that it will generally be challenging to prove that a first request is (of itself) ‘excessive’ such that it is impossible to respond entirely to the request – but it may be the case that aspects of a request are disproportionate;
  2. It may be preferable to refuse (aspects of) the request rather than to seek to levy a fee;
  3. Any fee needs to be non-profit making.

It is therefore important for data controllers – such as hospitals or GP practices – to be able to explain why any part of a request is too difficult to comply with. We suggest, where possible, viewing the subject access request process as a dialogue with the data subject: do they really want ‘everything’ (and do they understand what ‘everything’ entails), or do they actually want a narrower subset of the information, which can be provided more readily? An early conversation may help to manage the process.

The Data Protection Act 2018 does provide an option for further regulations to be made so that statutory fees can be charged. However, there is no indication that such regulations will be made.

What are the exemptions from data subjects’ rights?

The substantive exemptions from the right of subject access largely reflect the old law, and those of most relevance to the health sector are set out in Schedules 2 and 3 of the Data Protection Act 2018. These include:

  • Mixed personal data about third parties, which it would not be reasonable to disclose (but it is normally reasonable to include clinicians’ details);
  • Risk of serious harm to the data subject or any other person;
  • Information about a child or non-capacitous adult, which they would not expect to be disclosed to the person making the request;
  • Legally privileged information;
  • Disclosure would prejudice the prevention or detection of crime;
  • Disclosure would prejudice regulatory activities.

Some exemptions are only available where a clinician has reviewed the records and concluded the exemptions are engaged.

The importance of carefully reviewing records before disclosure is illustrated by ICO enforcement action taken where the ‘wrong’ records have been disclosed.

What about deceased patients’ records?

Without any fanfare, a further change brought about within the consequential amendments in the Data Protection Act 2018 (revising the Access to Health Records Act 1990 – “AHRA”) means that it is no longer possible to charge for access to medical records of deceased patients under the AHRA.

The old regime relating to the costs for access to deceased patients’ records was complex and interpreted diversely across the NHS, so this simplification is welcome, but the loss of the ability to charge a fee may affect the balance sheets of some medical records departments.

The existing rules in the AHRA about what records are disclosable, to whom, and in what circumstances are preserved.

Requests from lawyers

Where a request is not made further to the GDPR or AHRA, it remains possible to charge for the response. However, many lawyers will make initial requests further to those legislative regimes as a way to seek ‘cheap’ disclosure on behalf of their clients in the first instance.

What to take away

For many health providers there will be a revenue impact from these changes. One solution to reduce the cost of photocopied disclosure is to send out an encrypted electronic copy of the records in question, where possible. This saves on paper and special delivery postage, and ensures a duplicate copy of whatever is disclosed is readily accessible.

Organisations need to understand and appropriately apply the circumstances in which fees can be levied so as to avoid criticism, and to change policies accordingly. It is also important to ensure that subject access request policies are updated to reflect the revised time periods for compliance.

How we can help

Capsticks advises on all aspects of the law relating to data subject rights – including handling complex requests for disclosure of records, legal claims and ICO complaints. We can also undertake health-checks on policies and provide training on this area. For more information on the above issues, please contact Andrew Latham, Dominic Ip, or Tracey Lucas.