
How do I handle an Access Request?

Article 15 of the GDPR, “the right of access”, is a powerful and often less discussed aspect of the GDPR that is designed to empower data subjects (you and me) with total visibility of the information that organisations and public bodies hold about us.

In short, what this means from a practical perspective is that any one (or all) of your clients has the right at any time to request every scrap of data that you hold about them, and you must provide it within 30 days of their request.

We don't have any general feel for the volume of Access Requests that organisations might receive, but suffice to say that dealing with them could be very onerous if you don't have the right tools in place.

Thankfully, we do!

To get started click on Main Menu -> Tools -> Access Requests:



Click on “CREATE NEW ACCESS REQUEST”:



Log the details of the request and hit save:



At this point you have fulfilled your initial obligations under Article 15 of the GDPR and you need to await verification of the identity of the person making the request. You need something like a driving licence or passport that will allow you to visually verify they are who they say they are. For your own protection I would recommend copying their ID and attaching it to the client record.

In the background, WriteUpp will be working its magic and pulling together all of the data that you hold about the client. As this can sometimes be a fairly intensive task we queue up each Access Request and set its status to “Pending” until the content is ready. This normally takes a few minutes and once it's available to download, the status is set to “Complete”.

Having verified the identity of the requestor, just click on Main Menu -> Tools and you will see a log of your Access Requests along with a download link. For security reasons the download link automatically expires 7 days after it has been created:



Find the request relating to your requestor and click on “Download”. A ZIP file will be saved to your hard drive, with contents that will be structured like this:


The file will be named using the patient's WUID number.

Assessments are converted into PDF files within the Assessments folder.

Consents, Documents (Letters), Messages and Notes are all exported as .txt files and placed into the relevant folders. If any of these items have images within them, you will find a ZIP file which contains the body of the item as a .txt file and the images in their original format (for example .png).

Attachments are reproduced in their original format (Word doc, .jpg, PDF etc.) and placed into the Attachments folder.

Appointments, Episodes and Invoices are summarised in .csv files.

The Patient tab is summarised in a file called client-summary.pdf.

Please keep in mind the contents of the ZIP file are dependent on what data you hold about the client.

Once you have reviewed the contents of the ZIP file you should immediately password protect it using your preferred ZIP utility.

You can then complete the process and fulfil your Article 15 obligations by emailing the ZIP file to the requestor or by providing it to them on optical media. In both cases the ZIP file should be password protected.
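
A check you can run on the ZIP before it leaves your machine, added here as an example and not part of WriteUpp: it reads the archive's directory and reports whether every file is encrypted, and whether with AES or the older, weaker ZipCrypto scheme that many ZIP utilities still use by default. The function names and the file names in the constructed sample are assumptions.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # WinZip AES marker stored in the compression-method field


def audit_zip_protection(data: bytes) -> dict:
    """Sort every file entry into 'aes', 'legacy' or 'plain'."""
    report = {"aes": [], "legacy": [], "plain": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & 0x1:            # bit 0 = entry is encrypted
                report["plain"].append(info.filename)
            elif info.compress_type == AES_METHOD:
                report["aes"].append(info.filename)
            else:                                   # normally legacy ZipCrypto
                report["legacy"].append(info.filename)
    return report


def safe_to_send(data: bytes) -> bool:
    """True only if the archive has files and every one is AES-encrypted."""
    r = audit_zip_protection(data)
    return bool(r["aes"]) and not r["plain"] and not r["legacy"]


def constructed_sample(flags: int = 0, method: int = 0) -> bytes:
    """Constructed test archive: names are made up, and only the directory's
    flag/method fields are patched, so nothing is really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notes/note-1.txt", "constructed note")
        zf.writestr("client-summary.pdf", "constructed summary")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")                   # central directory header
    while pos != -1:
        struct.pack_into("<HH", raw, pos + 8, flags, method)  # flags, method
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in [("unprotected", constructed_sample()),
                          ("legacy ZipCrypto", constructed_sample(0x1, 0)),
                          ("AES", constructed_sample(0x1, AES_METHOD))]:
        print(label, safe_to_send(sample), audit_zip_protection(sample))
```

ZIP password protection leaves the file names readable without the password, so the names inside the archive stay visible to anyone who obtains it.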

Updated on: 07/02/2025
