Subject Access Requests (SARs) Policy


This policy outlines the procedures for handling Subject Access Requests (SARs) made by individuals seeking access to their personal data held by Thorkhill Surgery.


The purpose of this policy is to ensure compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, ensuring that individuals are aware of their rights concerning their personal data.


This policy applies to all personal data held by Thorkhill Surgery, whether in paper or electronic format.

Who Can Make an Access Request?

An application for access to personal data may be made to Thorkhill Surgery by any of the following:

  • An individual
  • A person authorized by the individual in writing to make the application on their behalf (e.g., solicitor, family member, carer)
  • A person having parental responsibility for the individual if the individual is a child
  • A person appointed by a court to manage the affairs of an individual deemed incompetent
  • Individuals holding a health and welfare Lasting Power of Attorney
  • If the individual has died, the personal representative and any person who may have a claim arising from the individual's death (e.g., executor of the deceased’s will, an Administrator of the Estate appointed by the Courts, someone with written consent from either of the above)

Police Requests

The Police may occasionally request access to personal data of individuals. While there is an exemption in the Data Protection Act that permits Thorkhill Surgery to disclose information to support crime prevention and detection, the Police do not have an automatic right to access. They may, however, obtain a Court Order.

Solicitor Requests

A patient can authorize their solicitor or another third party to make a SAR. As long as the solicitor has the patient’s written consent, the SAR process will proceed as usual.

Insurance Requests

Insurance companies do not have the same privileges to access patient records. The ICO has stated that insurance companies using SARs to obtain full medical records is an abuse of the process. The DPA 2018 requires that information must be adequate, relevant, and not excessive in relation to the purpose for which the data is processed.

It is a criminal offense to make a SAR to access information about individuals’ convictions and cautions. The DPA 2018 sets out various levels of fines and a clause to extend this to cover medical records. If you suspect that a SAR from an insurer is irrelevant or excessive, it should be reported to the ICO and the Association of British Insurers.

Requests Relating to Children/Young Persons

Parental responsibility for a child is defined in the Children Act 1989. Foster parents do not usually have parental responsibility; it is more likely to rest with the child’s social worker. Appropriate evidence of identity should be sought.

The law regards young people aged 16 or 17 as adults for consent to employment or treatment and the right to confidentiality. If a 16-year-old wishes their information to remain confidential, that wish must be respected.

Children under the age of 16 who understand their treatment decisions are also entitled to decide whether personal information may be shared. Consent from the child must be sought before a person with parental responsibility can access the information. If the child is not capable of understanding the application, access may be denied if it is not in the child's best interest.

The identity and consent of the applicant must always be established. The applicant does not have to give a reason for applying for access.

Application Process

Individuals wishing to exercise their right of access should:

  • Make a verbal or written application to Thorkhill Surgery.
  • Provide sufficient information to identify the individual.

The Data Protection Officer will manage the Subject Access Request.

Fees and Response Time

Under GDPR, Thorkhill Surgery must provide information free of charge. However, a reasonable fee may be charged if a request is manifestly unfounded or excessive.

The request must be complied with without delay and within one calendar month. This period can be extended by two months for complex or numerous requests, with the individual informed within one month of receipt.

The Release Stage

The format of the released information must comply with the requester’s wishes. If no specific format is requested, the information should be provided in the same manner as the original request.

Consultation with a health professional responsible for the data subject's clinical care is required before releasing health records. Once records are collated and redacted as necessary, they will be sent to the requester.


Access may be denied or restricted under certain circumstances, such as:

  • The record contains third-party information without consent.
  • Access poses a risk of serious harm to the individual or others.
  • Compliance involves disproportionate effort.

Complaints and Appeals

The applicant can appeal against a decision to refuse access. Unresolved complaints can be referred to the Information Commissioner’s Office.

Roles and Responsibilities

  • The Caldicott Lead has executive responsibility for SARs.
  • The Data Protection Officer has operational responsibility for SARs.
  • All staff must recognize and manage SARs appropriately, with training provided on the necessary procedures.

Monitoring and Review

Our team monitors all SARs to ensure correct processes are followed and oversees any appeals or complaints related to SARs.

Equality Impact

Thorkhill Surgery is committed to eliminating unlawful discrimination, promoting equality of opportunity, and fostering good relations among diverse groups, considering all characteristics protected by the Equality Act (2010).

For any inquiries or to request a copy of the Subject Access Request Form, please email:

Review Date: June 2025