NHS Subject Access Request Failings: A Real‑World Case Study
Yesterday should have been simple.
My 14‑year‑old son needed his broken wrist re‑x‑rayed. A routine appointment, in and out, nothing remarkable. Except it turned into an unexpected case study in how not to handle Subject Access Requests (SARs) — and how easily well‑meaning NHS processes can drift into non‑compliance, inconsistency, and unnecessary risk.
After the x‑ray, my son asked for a copy of his images. Straightforward, you’d think. He’s the patient. I’m his parent. And throughout the appointment, every member of staff — radiographers, nurses, receptionists — confirmed his name, date of birth, and hospital number. Identity was checked and re‑checked at every stage. No ambiguity. No doubt.
But when we were directed to the x‑ray reception to request the images, things took a turn.
The ID Obstacle Course
To request the images, I was handed a form and told I needed to provide two forms of ID:
– one photographic (e.g., passport), and
– one proof of address (e.g., utility bill).
I showed scans of my driving licence — perfectly legible, high‑quality, and more than sufficient to confirm identity in most modern systems. But no. Scans were not acceptable. Originals only.
Why? Because the receptionist needed to scan the originals.
I asked where these scans were stored.
The answer: in a lever‑arch file on a shelf behind her.
Also uploaded and sent to another department.
Retention schedule? Unknown.
Access controls? None mentioned.
The lever‑arch file? Accessible to anyone working in that office — and potentially anyone walking through it.
This is the point where any information governance professional feels their eye start to twitch.
The Inconsistency Problem
Here’s where it gets even more surreal.
I explained that I live 75 miles away and didn’t have my original documents with me.
The response?
I could email in photocopies of my passport.
So:
– Proving my identity in person with digital scans = not acceptable
– Emailing photocopies of my passport from anywhere in the world = absolutely fine
The inconsistency is staggering.
The risk profile is inverted.
And the logic is nowhere to be found.
What the Trust’s Privacy Notice Doesn’t Say
Naturally, I checked the Trust’s privacy notice. It makes no mention of collecting or storing copies of identification documents for SARs. Not what they collect, not why, not where it’s stored, not who can access it, and not how long it’s retained.
Instead, it references the NHS England Records Management Code of Practice — a generic document that suggests SAR correspondence should be kept for three years. But it makes no explicit reference to ID documents, and it certainly doesn’t justify retaining copies of passports or driving licences for that length of time.
If the Trust is applying the same retention period to ID documents, the question becomes: why?
And under what lawful basis?
The Questions This Raises
This single interaction raises a series of legitimate, serious questions:
1. Why is the Trust demanding identification when identity has already been verified multiple times in person?
If the patient is physically present, and identity has been confirmed repeatedly, what additional assurance does a photocopy of a passport provide?
2. Why are different standards applied to face‑to‑face and remote requests?
If emailed photocopies are acceptable, why are scanned documents shown in person not?
3. How is the Trust ensuring that sensitive ID documents are not left in lever‑arch files accessible to multiple staff?
Physical storage is often the weakest link in information governance. A shelf in a busy office is not a secure storage solution.
4. What is the retention schedule for these ID documents?
If staff cannot answer this, that is a governance failure in itself.
5. Does the Trust understand the legislative requirements of SARs?
Under UK GDPR, organisations must ensure that identification checks are proportionate, necessary, and not excessive. The process I encountered fails that test.
6. Are staff trained and confident in the lawful basis for collecting and storing ID documents?
The answer yesterday appeared to be no.
Why This Matters
This isn’t about one receptionist or one hospital.
It’s about systemic issues:
– inconsistent processes
– outdated paper‑based systems
– poor staff training
– unclear retention policies
– and a lack of transparency about how personal data is handled
For patients, it creates barriers.
For staff, it creates confusion.
For Trusts, it creates risk.
And for anyone working in risk, resilience, or information governance, it’s a reminder that compliance isn’t just about policies — it’s about practice. Real‑world, everyday practice.
A Better Way Forward
Subject Access Requests should be simple, consistent, and proportionate.
Identity verification should be risk‑based, not ritualistic.
And sensitive documents should never be stored in a lever‑arch file on a shelf.
Trusts need to:
– review their SAR processes
– align identification requirements with actual risk
– update privacy notices to reflect reality
– train staff on lawful bases and retention
– and ensure secure handling of ID documents
Because if a 14‑year‑old asking for his own x‑ray triggers this many governance red flags, something is fundamentally broken.
For those who are curious, apparently we might get sent copies of the x‑ray in the post at some point…
