Subject Access Requests
As individuals have the right to access their information, you should put in place procedures that allow you to comply within one month (previously this was 40 days). You cannot charge for complying with a request, unless it is unreasonable or excessive. You can also refuse to comply with a request in this situation but you should have a clear policy in place that sets out the criteria for refusing such a request.
If you do refuse a request, you must tell the individual why and tell them that they have the right to appeal to the Information Commissioner’s Office (ICO) and seek legal advice. Again, you must inform the individual of this within one month of their request.
Put in place a procedure which will allow you to comply with information access requests within one month.
- In most cases, you must provide the information free of charge and in an electronic and commonly used format.
Put in place a policy which documents the reasons why such a request may, in rare circumstances, be refused.
- As the circumstances for refusing subject access requests are relatively rare in dentistry, you may wish to seek advice from your indemnity organisation prior to responding to a patient if you intend to refuse their request.
If you choose to refuse to provide access, inform the individual of your decision, and the reasons for it, within one month of their request.
- Inform the individual that they have the right to appeal to the ICO and to seek legal advice.
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.