General Data Protection Regulation Rights


Your individual rights

You as an individual have the right to:

  • Be informed about what information an organisation holds about you as the 'Data Subject'
  • Access that information (commonly known as a ‘Subject Access Request’)
  • Rectify any inaccuracies in that information
  • In certain circumstances, have that information erased (sometimes known as the ‘right to be forgotten’)
  • Object to the processing of that information and restrict that processing
  • Know whether certain decisions have been made about you through automated decision making or profiling.

Subject Access Requests (SAR)

The GDPR gives individuals (Data Subjects) the right to request, and in most cases to be given, a copy of the information which North Bristol NHS Trust holds about them. This is called a Subject Access Request (SAR).

Please note that the Act only entitles an individual to see, or be given a copy of, their own information. You are not entitled to see someone else’s information unless they have given their permission for you to do so. Likewise, someone else cannot ask for your information unless you have given permission for them to do so. This applies to spouses, relatives, friends etc.

If you want to see, or be given, a copy of information that North Bristol NHS Trust holds about you, you need to make a Subject Access Request.

The Trust is not required to respond to a request made verbally, but depending on the circumstances, it may be reasonable to do so (as long as the Trust is satisfied as to your identity).

As a requestor you do not have to tell us the reason for making the request or what you intend to do with the information. However, explaining the purpose of the request may help us find the relevant information.

What information am I entitled to?

‘Subject Access’ is most often used by individuals ('Data Subjects') who want to see the information the Trust holds about them, but it now goes further than this and entitles an individual to be:

  • Told whether any personal data is being processed
  • Given a description of that information and be told whether it will be shared with any other organisation or people
  • Given details of the source of the data (where this is known and available)
  • Given access to their personal information
  • Given other supplementary information - this will correspond to the information supplied in our ‘Privacy Policy’.

‘Subject Access’ provides a right for you to see your own personal data, rather than a right to see copies of documents that contain personal data.

Is there a fee for submitting a Subject Access Request?

The Trust must provide a copy of the information free of charge. However, the Trust can charge a ‘reasonable fee’ when the request is deemed ‘manifestly unfounded or excessive’ and particularly if it is repetitive.

The Trust can also charge a ‘reasonable fee’ to comply with a request for further copies of the same information.

The fees will be based on the administrative costs of providing the information; for example, photocopying, postage and packaging.

How long does the Trust have to comply?

Information must be provided without delay and at the latest within one calendar month of receipt of the request. However, the Trust can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the Trust will inform you within one month of receipt of the request and explain why the extension is necessary.

If requests are manifestly unfounded or excessive because they are repetitive, the Trust can:

  • Charge a ‘reasonable fee’, taking into account administrative costs, or refuse to respond.
  • If the request is for a large amount of personal data, the Trust is permitted to ask you to specify the information the request relates to.

Verifying your identity

The Trust has a legal obligation to verify the identity of the Data Subject and any authorised person making the request and to verify if they are entitled to the information.

The Trust will verify the identity of the person making the request, using ‘reasonable means’.

Can information be exempted?

Some types of personal information are exempt from the right of subject access and so cannot be obtained by making a ‘Subject Access Request’.

Information may be exempt because of its nature or because of the effects its disclosure is likely to have.

There are also some restrictions on disclosing information in response to a subject access request that would involve disclosing information about another individual.