Freedom of Information Policy – Including Subject Access Requests


This policy is in line with current legislation at the time of writing and is subject to periodic review.

In the event of any incident linked to this policy, audit findings that identify a gap or a need for a review, or a change of legislation impacting on this policy, the policy will be updated and the updated version will supersede this one.

Unless there are changes to regulations that affect this policy, it will be reviewed on a regular basis.


The purpose of this policy is to provide guidance for staff and assurance to patients that Hall Green Health is committed to continually providing high quality healthcare for all patients and supporting the staff who provide this care. The aim of the policy is to provide guidance on the process of handling freedom of information and subject access requests at the practice.

All patients regardless of age, gender, ethnic background, culture, cognitive function, or sexual orientation have the right to have their privacy and dignity respected.


This policy applies to all employees of Hall Green Health, contractors, seconded staff, placements, and agency staff.

Roles, rights, and responsibilities

All staff

All staff have a responsibility to understand the process of how the practice handles freedom of information and subject access requests, the escalation process, and how to discuss these issues with patients, carers, and other third parties.

Operational Manager

To update the policy, ensure that it is aligned with national guidelines, distribute appropriately, and ensure that staff are trained at induction and at regular intervals so that they are aware of the principles of freedom of information and subject access requests and the content of the practice policy.

Principles of this policy

This policy adheres to local and national guidance and policy including the Freedom of Information Act 2000, GDPR, the Data Protection Act 2018, and the NHS Constitution.

The Freedom of Information Act allows access to information held by public authorities, which includes primary care. There are two parts to this act that are relevant.

  1. Members of the public are entitled to request information from their primary care organisation.
  2. Primary care organisations are also obliged to publish certain information about their activities.

Recorded information is defined as content within printed or digital documents, photographs, and even sound or video recordings.

Freedom of information (FOI) requests are not chargeable and will be responded to within 20 working days.

These requests can be made by email or on paper, can be made to any member of staff, and do not have to refer to the Freedom of Information Act.

We cannot ask for the reason for the request but can ask for clarifications in order to ensure that we provide the clearest possible response.

It is important to note that failure to comply can result in contempt of court proceedings.

We can refuse to process a FOI request for the following reasons:

  • If disclosure of information would be harmful to the person.
  • If it is a repeat of a previous request from the same person.
  • If it is too onerous on staff or time.
  • If the request is vexatious.
  • If the request is for confidential personal information.
  • If the information is still in draft form or archived or difficult to access.

The decision to refuse a FOI request will be made by a senior member of staff and may involve taking advice from legal experts.

We also produce a guide to information/publication scheme that provides detail on:

  • What information we routinely publish.
  • How the information can be accessed, on noticeboards and the practice website.
  • What charge, if any, is made for access to the information.
  • Our contact details.

We also publish our process for reviewing and updating our published information on the website.

We understand that the Information Commissioner’s Office (ICO) expects us to use its model publication scheme, which covers the following types of information:

  • Who we are and what we do – including doctors in the practice, contact details, opening hours, and other staff employed.
  • What we spend and how we spend it (current and previous financial year) – total cost to the primary care organisation of contracted services, audit of NHS income, with overall practice income and prescribing costs.
  • What our priorities are and how we are doing (current and previous year) – plans for developing and providing services.
  • How we make decisions (current and previous year) – records of decisions made in the practice affecting any changes to the provision of services.
  • Our policies and procedures – policies, protocols, and procedures concerning the employment of staff, delivery of services, equality and diversity, health and safety, complaints, and records management, data protection, the handling of requests for information, and the NHS constitution.
  • Lists and registers – this is not applicable to the practice.
  • The services we offer – current services provided and any charges, information leaflets, and out-of-hours arrangements.
  • Primary Care Organisation details.

Subject access request

If a member of the public wants to see information that our practice holds about them, they can make a written subject access request under the Data Protection Act 2018.

We are aware that the GDPR and the Data Protection Act 2018 give individuals certain rights regarding personal information held about them.

‘Personal data’ means any information relating to an identified person.

In the main these requests will be for a person to look at their medical record.

If this is the case, then we must make certain that the person making the request is identified correctly by correlating some evidence against the request. We will, therefore, require sight of a driver’s license or passport, and a utility bill.

If a third party (such as a solicitor) makes a subject access request, we must be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of consent for this access such as written authority to make the request or general power of attorney.

We will comply with this request using our process that is clear to the individual, published openly, and follows a clear pathway, using a paper or digital request form available in the practice or from the practice website.

If the request involves an onerous volume of work, then we will charge an administration fee of between £10 and £50, depending on the type of information provided. £10 is the charge for digital information, £50 for the provision of a copy of written notes.

The practice will comply within 1 month of the request being made.

We are aware that there are exemptions to subject access requests, which are:

Third party data

If a person’s health record contains personal data about someone other than the requester (such as a family member), we must consider the rules about this third-party data before disclosing. However, information that identifies a professional, such as a doctor or social worker, carrying out their duties will not normally be withheld.

Serious harm

Special rules apply where providing subject access to information about an individual’s physical or mental health would be likely to cause serious harm to them or to another person. The effect is to exempt such personal information to the extent that its disclosure would be likely to cause harm.

Lack of capacity

A further exemption from subject access to information about an individual’s physical or mental health applies where a subject access request is made by a third party who has a right to make the request on behalf of the individual, such as the parent of a child or someone appointed to manage the affairs of an individual who lacks capacity. In these circumstances, personal data is exempt from subject access if the individual has made clear they do not want it disclosed to that third party.


Employees will be made aware of this policy via TeamNet.

Patients will be made aware of this policy using patient leaflets and on the practice website.


All staff will be given training on freedom of information and subject access requests at induction and at regular intervals thereafter.

Any training requirements will be identified within an individual’s Personal Development Reviews. Training is available in the Training module within TeamNet.

Equality and diversity impact assessment

In developing this policy, an equalities impact assessment has been undertaken. An adverse impact is unlikely, and on the contrary the policy has the clear potential to have a positive impact by reducing and removing barriers and inequalities that currently exist.

If, at any time, this policy is considered to be discriminatory in any way, the author of the policy should be contacted immediately to discuss these concerns.

Monitoring and reporting

Monitoring and reporting in relation to this policy are the responsibility of the practice manager.

The following sources will be used to provide evidence of any issues raised:

  • PALS.
  • Complaints.
  • Significant and learning events.

Any incidents relating to freedom of information and subject access requests will be monitored via incident reporting.


Page last reviewed: 29 December 2023