Privacy Notice – GDPR
What information is an individual entitled to under the GDPR?
Under the GDPR, individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
What is the purpose of the right of access under GDPR?
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
Can the GP surgery charge a fee for dealing with a subject access request?
The Practice must provide a copy of the information free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. A reasonable fee can be charged to comply with requests for further copies of the same information. This does not mean that the surgery can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information.
How long does the Surgery have to comply?
Information must be provided without delay and at the latest within one month of receipt. The surgery will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the surgery must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the surgery can:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where the surgery refuses to respond to a request, it must, without undue delay and at the latest within one month, explain why to the individual and inform them of their right to complain to the supervisory authority and to a judicial remedy.
How should the information be provided?
The surgery must verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, it should provide the information in a commonly used electronic format.
What about requests for large amounts of personal data?
Where the surgery processes a large quantity of information about an individual, the GDPR permits the practice to ask the individual to specify the information the request relates to. The GDPR does not include an exemption for requests that relate to large amounts of data, but the surgery may be able to consider whether the request is manifestly unfounded or excessive.
Please make your request in writing to the Practice Manager.
If the request is to view vaccinations, please make it in writing to the Practice Manager using the form below:
Freedom of Information (FOIA) 2018
The Freedom of Information (FOI) Act gives a general right of access to all types of recorded information held by public authorities. The Act sets out exemptions to that right and places certain obligations on public authorities.
Please click here to view details of the practice scheme.