Client: "I want to see my notes." Therapists - here is what to do next
Resource - Policy Template
After the anxiety of the introduction of GDPR in 2018, some of us may have settled into the groove of the new data protection guidelines. There might be a temptation to sit back and relax, feeling confident you’ve ticked all the boxes, but there is actually still plenty to be vigilant on – we need to ensure we’re up to speed on managing our ongoing obligations under GDPR. If you are new to private practice and this post already sends you in a spin, check this out. We will also be covering more about data protection this month.
Now GDPR has been around for a while; we have more information about how it’s being used, and the ICO has highlighted one of the most commonly used eight rights of the data subject, the right to access information.
What is the ‘Right to Access Information’?
The "right to access information" refers to a fundamental privacy right that individuals have to request and obtain access to the personal information held about them by an organisation or business. It is a crucial aspect of data protection and privacy laws in many countries.
it may be a simple, informal request from a client, a letter from the client’s solicitor with a form of authority from the client, a ‘Subject Access Request’ under the Data Protection legislation, or a Court Order requiring disclosure. It may also be a request from the police without a court order.
Of all the complaints the ICO (Information Commissioners Office) received between September 2016 and August 2017, 27% of cases were related to data access requests or obtaining data. (ICO Stats for Complaints and Concerns). Many complaints are around delays:
Taking too long to receive the data.
It’s over the deadline.
Poor searches – the individual believes the information is incomplete.
An individual has to make repeated requests for the information and there’s been no action or attempt to provide the information.
When an individual exercises their right to access information, it’s known as a formal request called a Subject Access Request (SAR). The SAR is made to the organisation or business that holds their personal data. This request allows the individual to understand what personal information is being held, processed and stored, how it is being used, and whether it is being shared with any third parties.
Paid subscribers can dive deeper into this next section on what a SAR is and why it’s important.
What clients can ask for exactly, and how long do you have to action the request?
We answer the question, can you refuse a request?
Copy of our Template Policy for dealing with a SAR request for your private practice,
How to manage a court order or police request is discussed.