
Under the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulation (UK GDPR) [2], individuals have a right to have a copy of the personal information held about them. This is known as the right of subject access. Individuals with parental responsibilities also have rights to access their children’s records if this is in the child’s interest (see Children). Although the age of legal capacity in Scotland is 16 years [3], younger children can have sufficient capacity and maturity to have an input into decisions that affect them. The DPA 2018 recognises this and allows a young person of 12 years or more in Scotland, with sufficient capacity and maturity, to exercise their rights under the Act. In this situation the ‘data controller’ (in most cases the dentist) must assess whether the child has capacity and maturity to understand their rights with regard to requesting their information. Those with parental responsibilities may request the child's information when the child authorises them to do so, if the child does not have sufficient understanding to exercise their rights, or when it is in the best interests of the child. A solicitor can request access with the consent of their client.

Practices should have policies and procedures in place to deal with subject access requests for personal information. The practice must respond to a subject access request as soon as possible and within one calendar month of receiving the request. 

If the subject access request is unclear, you can seek further clarification from the requester. The Data (Use and Access) Act 2025 [4] permits organisations to “stop the clock” on the one month response deadline while seeking further clarification from the requester. The time limit pauses on the day the additional clarification is requested and resumes when this has been received.

You can extend the time to respond to a subject access request by a further two months if the request is complex or you have received a number of requests from the individual. You must let the requester know about the extension within one month of receiving their request and explain why the extension is necessary.

When searching for the information relevant to a subject access request, the searching process should take a “reasonable and proportionate” approach. Consider the information requested, the context in which the data is held, and the resources required to obtain it. The search should focus on information relevant to the request (e.g. treatment-specific or date-specific) [4]. You are not required to undertake searches that are unreasonable or disproportionate to the importance of the information requested.

You cannot charge a fee for complying with a request, unless it is manifestly unfounded or excessive, or the individual requests further copies of their information. You can also refuse to comply with a manifestly unfounded or excessive request, but you should have a clear policy in place that sets out the criteria for refusing such a request.

If you refuse a subject access request, you must tell the requester why and tell them that they have the right to complain to the Information Commissioner’s Office (ICO) and seek legal advice. You must inform the individual of this within one month of their request.

Note: As the circumstances for refusing subject access requests are relatively rare in dentistry, you may wish to seek advice from your indemnity provider if you intend to refuse the request. 

Put in place a procedure which will allow you to comply with subject access requests within one month. 

  • The subject access request does not have to be provided in writing and verbal requests must be responded to in the same manner and timeframe as written requests. It may be prudent to keep a log of verbal subject access requests for personal information.
  • In most cases, you must provide the information free of charge and in a commonly used format.

Verify the identity of the person making the request, as individuals are only entitled to their own personal data.

  • Subject access requests can be made via a third party, for example a solicitor acting on behalf of a client, or a parent or guardian acting on behalf of a child.
  • You must ensure that the third party is entitled to act on the person’s behalf and that they provide evidence of this, e.g. consent from a patient.
  • If a child is not competent, it is usually appropriate to let the parent or guardian exercise the child’s rights on their behalf. 

Search for the information requested using an approach that is “reasonable and proportionate” [4].

Be prepared to offer an explanation of what is written in the record to make it understandable to the patient, e.g. explain dental abbreviations.

Put in place a policy which documents the reasons why such a request may, in rare circumstances, be refused (e.g. the request is manifestly unfounded or excessive information is requested).

If you choose to refuse a subject access request, inform the requester of your decision, and the reasons for it, within one month of their request.

  • Consider seeking advice from your indemnity provider or the Information Commissioner's Office.
  • Inform the individual that they have the right to complain to the ICO and to seek legal advice.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office
  3. Age of Legal Capacity (Scotland) Act 1991
  4. Data (Use and Access) Act 2025