Since 1990 [1], patients have had the same rights of access to their computerised health records (and radiographs) as their manual records.
Under the Data Protection Act 2018 (DPA 2018) [2] and the UK General Data Protection Regulations (UK GDPR) [3], individuals have a right to have a copy of the personal information held about them. This is known as the right of subject access. Parents also have rights to access their children’s records if it is in the child’s interest (see Children). Although the age of legal capacity in Scotland is 16 years [4], younger children can have sufficient capacity and maturity to have an input into decisions that affect them. The DPA 2018 recognises this and allows a young person of 12 years or more in Scotland, with sufficient capacity and maturity, to exercise their rights under the Act. The ‘data controller’ (in most cases the dentist) must make a judgement if a child or parent requests records. A solicitor can request access with the consent of their client.
As individuals have the right to access their information, you should put in place procedures that allow you to comply within one month (previously this was 40 days). You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary. You cannot charge for complying with a request, unless it is unreasonable or excessive. You can also refuse to comply with a request in this situation but you should have a clear policy in place that sets out the criteria for refusing such a request.
If you do refuse a request, you must tell the individual why and tell them that they have the right to complain to the Information Commissioner’s Office (ICO) and seek legal advice. Again, you must inform the individual of this within one month of their request.
Put in place a procedure which will allow you to comply with information access requests within one month.
- A request does not have to be made in writing, and verbal requests must be responded to in the same manner and timeframe as written requests. It may be prudent to keep a log of verbal requests for personal information.
- In most cases, you must provide the information free of charge and in an electronic and commonly used format.
Verify the identity of the person making the request, as an individual is only entitled to their own personal data.
- Individuals can make subject access requests via a third party, for example a solicitor acting on behalf of a client or a parent acting on behalf of a child.
Be prepared to offer an explanation of what is written in the record to make it understandable to the patient.
Put in place a policy which documents the reasons why such a request may, in rare circumstances, be refused.
If you choose to refuse to provide access, inform the individual of your decision, and the reasons for it, within one month of their request.
- Inform the individual that they have the right to complain to the ICO and to seek legal advice.
- As the circumstances for refusing subject access requests are relatively rare in dentistry, you may wish to seek advice from your indemnity organisation prior to responding to a patient if you intend to refuse their request. You can also contact the ICO for further advice.