Laburnum Health Centre
Data Subject Access Requests Charging Policy
1.1 Data subject’s rights
All data subjects have a right to access their data and any supplementary information held by Laburnum Health Centre. Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
Laburnum Health Centre ensures that all patients are aware of their right to access their data and has privacy notices displayed in the following locations:
- Waiting room
- Practice website
To comply with the GDPR, all practice privacy notices are written in a language that is understandable to all patients and meet the criteria detailed in Articles 12, 13 and 14 of the GDPR.
The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them.
Under the GDPR, Laburnum Health Centre is not permitted to charge data subjects for providing a copy of the requested information; this must be done free of charge. That said, should a request be deemed either “unfounded, excessive or repetitive”, a reasonable fee may be charged. Furthermore, a reasonable fee may be charged when requests for additional copies of the same information are made. However, this does not permit the practice to charge for all subsequent access requests.
The fee is to be based on the administrative costs associated with providing the requested information.
1.3 Responding to a data subject access request
In accordance with the GDPR, data controllers must respond to all data subject access requests within one month of receiving the request (previously, subject access requests had a response time of 40 days).
In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the delay explained.
1.4 Verifying the subject access request
It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice Subject Access Request (SAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. driving licence or passport.
The GDPR states that data subjects should be able to make access requests via email. Laburnum Health Centre is compliant with this and data subjects can complete an e-access form and submit the form via email.
The data controller is to ensure that ID verification is requested and this should be stated in the response to the data subject upon receipt of the access request. It is the responsibility of the data controller to ensure they are satisfied that the person requesting the information is the data subject to whom the data applies.
1.6 Third-party requests
Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.
The responsibility for providing the required authority rests with the third party. This authority is usually in the form of a written statement or consent form, signed by the data subject.