Four ways safe medical storage soothes subject access requests

Employee medical data and records are an important asset for businesses to protect as GDPR comes into effect next year.

Sudden Subject Access Requests (SARs) can sometimes expose poor Data Protection procedures. And patients’ health records tick every box when it comes to highly sensitive personal information.

But when you’re busy providing premium customer care to patients, ensuring staff are satisfied and keeping an eye on your budget, losing focus on data protection compliance is easy.

So here are four ways good physical storage systems facilitate smooth SAR responses.

Your responsibilities

Your responsibilities as a data controller are enforced by the legislative framework of the Data Protection Act, and compliance is enforced stringently.

Under current guidelines patients have a legal right to receive relevant information from their health records within 40 days of making a SAR.

If your medical centre storage is shoddy and crucial records are missing or incomplete, you could face a hefty fine.

What can patients request?

Patients have the right to request a wide range of information from their medical practice — from health records including X-Rays and MRI scans to information on management and customer care. So you need to ensure you can rapidly access a wide range of information.

This means that fast and flexible data governance procedures are essential. Fumbling through random files and folders in a panic is counterproductive — if your storage systems aren’t SAR-friendly yet, the time to act is now.

Get ready for GDPR

Until Brexit is complete you’re still subject to European Data Protection legislation. And the EU GDPR (General Data Protection Regulation) comes into effect in May 2018.

SARs don’t escape this legislation — GDPR reduces the current 40-day deadline to one month. So if you already struggle to retrieve relevant records and redact third-party info, timelines are about to get tighter.

Making more information securely available online can minimise the pain of SAR completion, but a complex request might require location of lots of long-term patient records. And this type of deep dig retrieval requires well-organised storage systems.

Minimise the impact of cyber attacks

The recent NHS hack proves that cyber attacks are swift and savage. Safe record storage doesn’t just ensure you can respond quickly to SAR requests — it also allows you to back up electronic files that fall foul of hackers.

It’s unlikely that every piece of important patient information will be replicated in electronic and paper formats. But if your physical storage is robust you won’t find yourself explaining to a patient that all of their personal information has disappeared into the ether.

Do you have any words of advice when it comes to smooth Subject Access Requests? Share your stories in the comments below.

Owen Gough, SmallBusiness UK
