Under GDPR laws we have to ensure that we look after your data. Part of this is ensuring that we have consent to release copies of your information, and that we keep a record of any requests. We also have to ensure that any third-party data is redacted before we can hand it out. 

What is a Subject Access Request (SAR) 
A SAR is a request by an individual to access their personal data held by a data controller, in this case 
your GP practice. 
You have the rights to access your health records under the General Data Protection Regulations (GDPR) 

How to make a SAR
You can make a SAR by contacting the practice, either in person, by phone, in writing or by email. 
The practice will ask you to complete and sign a practice SAR request form to ensure we have all the 
necessary information from you to verify your identity and exactly what information you are requesting. 
You can request a copy of full medical records, partial records e.g. specific dates or information. 
You do not have to state the reason for your request but it can sometimes be helpful to know the context 
behind the request when preparing the records. 
The practice does not send any original documents.

Refusal
The practice can refuse to provide the information if an exemption or restrictions apply. Third party data 
and information likely to cause harm to the mental or physical health of an individual will be removed. 

Solicitor requests
A solicitor can request a patient’s records as long as they have signed consent from the patient. If they 
have signed consent they can act on behalf of the patient.

Parent requests
Parents do not have an automatic right to their children’s information and disclosure will only be 
considered if it is in the best interests of the child. Despite this, if the child is around 12 years of age or 
above, it is up to the GP to determine if the child is competent. This is done through the Gillick 
competency test. If the child is deemed competent then the child must either provide consent or 
exercise their own rights.
If the child is considered not Gillick competent, we will seek to establish parental responsibility, this is 
normally done by evidence of a birth certificate naming the individual or other official documentation.
Usually, parents with parental responsibility will be seen as acting in their child’s best interests, however 
if there is any doubt regarding this, the practice is entitled to confirm with the parent the purpose of the 
request to determine this.

Fees
In most cases there is no charge for a SAR. However, the practice will charge for a duplicate request 
within a 12 month period. You will be informed of the fee upon duplicate request. Where a request is 
manifestly unfounded or excessive a reasonable fee for the administration cost will be charged. 

Time
The practice will complete a SAR within 30 working days. If the practice is unable to complete the 
request within this time period you will be contacted and informed of an approximate completion date.

If you want a copy of any of the data contained in either your own medical records, those of your children if under 13 or for anyone you have a lasting power of attorney for, please complete and return this form Subject Access Request - Patient Consent Form.pdf.  We are unable to provide any data for anyone else without their express permission/consent.  Please note, if you have permission to speak on another patients behalf this does not constitute permission for data.

You can email it to practice.manager.w97021@wales.nhs.uk, send it by post, or return it to reception. 

Once the information requested is ready to be collected, you will be notified via an email or text. A phone call will be made if you are unable to receive SMS or email. We will only keep the documents for 1 month, if it is not collected within this time it will be destroyed.

If your request is related to a Blue Badge application then please state these on your form as this are simpler to action, as they only involve a detailed summary of your conditions and therefore could be expedited.

Timeline of a SAR request submitted to the practice
1. SAR received by the practice either from the patient or solicitor.

2. If the request is from the patient, they are asked to complete a practice SAR form.

3. If the request is from a solicitor, the patient will be contacted to check they are aware of the request 
and what information is being requested. We will check with the patient at this point if they are happy 
for the records to be provided directly to the solicitor or if they would prefer the copy to be provided to 
them.

4. Administrator will contact the patient to check the details received are correct, the information being
requested including dates and the format records are to be provided in.

Please note: the practice will not send any medical records in the post. If you request paper format you 
will need to collect in person from the practice and you will be asked to provide identification. 

5. Request is passed to the Information Governance Lead to process. 

6. If you have requested the records in paper format you will receive a phone call or text informing you 
your records are ready for collection at reception desk. 

7. If you have requested the records via email these will be sent to you via the Secure File Transfer
system. You will receive an email with the code needed to access the records. 

Please note: there is a 21 day access restriction on the email for security. You will need to access the 
email within this timeframe, failure to do so may result in a duplicate request to the practice which will 
be charged.

For more information please consult: model-publication-scheme.pdf (ico.org.uk)