Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what estimate his Department has made of the cost of the requirement to respond to subject access requests free of charge after 25 May 2018 under the General Data Protection Regulation for (a) Acute Trusts (b), Mental Health Trusts, (c) GP practices and (d) the NHS as a whole.

The Department has not made any assessment of the cost of responding to subject access requests under the General Data Protection Regulation (GDPR).

The United Kingdom is reviewing its data protection legislation in light of the GDPR. The Data Protection Bill is currently going through Parliament. Once it is enacted it will become the new Data Protection Act. It will implement the GDPR from May 2018.

Article 12(5) of the GDPR refers to the rights of the data subject when requesting their information and that this is provided free of charge. Data controllers that process personal data will be required to comply with subject access requests in this way.

There are provisions in the GDPR and the Data Protection Bill, as there are currently under the Data Protection Act 1998, to charge or refuse a request should it be considered manifestly unreasonable or repeated. However, these should be considered on a case by case basis and considered in line with guidance provided by the Information Commissioner’s Office.