Articles on: Privacy & Data Security

How do I handle an Access Request?

Article 15 of GDPR, “the right of access” is a powerful and often less discussed aspect of the GDPR that is designed to empower data subjects (you and I) with TOTAL visibility of the information that organisations and public bodies hold about us.

In short, what this means from a practical perspective is that any one (or all) of your clients has the right at any time to request EVERY scrap of data that you hold about them within 30 days of their request.

We don't have any general feel for the volume of Access Requests that organisations might receive but suffice to say that dealing with them could be very onerous if you don't have the right tools in place.

Thankfully, we do!

To get started click on Main Menu -> Tools -> Access Requests:


Log the details of the request and hit save:

At this point you have fulfilled your initial obligations under Article 15 of the GDPR and you need to await verification of the identity of the person making the request. You need something like a driving licence or passport that will allow you to visually verify they are who they say they are. For your own protection I would recommend copying their ID and attaching it to the client record.

In the background, WriteUpp will be working its magic and pulling together all of the data that you hold about the client. As this can sometimes be a fairly intensive task we queue up each Access Request and set its status to “Pending” until the content is ready. This normally takes a few minutes and once it's available to download, the status is set to “Complete”.

Having verified the identity of the requestor just click on Main Menu -> Tools and you will see a log of your Access Requests along with a download link. For security reasons this automatically expires 7 days after it has been created:

Find the request relating to your requestor and click on “Download”.  A ZIP file will be saved to your hard drive, with contents that will be structured like this:

Assessments, Consents, Documents (Letters), Messages and Notes are all converted into PDFs and placed into folders
Attachments are reproduced in their original format (word doc, .jpg, PDF etc) and placed into a folder
Appointments, Episodes and Invoices are summarised in .csv files
The Patient tab is summarised in a file called client-summary.pdf

Assessments, notes and documents are exported in PDF format as additional contextual information may be present which cannot be presented in Excel/CSV.  In the case of notes and documents this might include tables or images/annotations and in the case of an assessment form, it's the physical structure of the form that gives the raw data within it meaning.  We export assessment forms, notes and documents in PDF format so that our clients (and your clients) have a full and accurate record of the information that was captured during the intervention.

Please keep in mind the contents of the ZIP file are dependent on what data you hold about the client.

Once you have reviewed the contents of the ZIP file you should immediately password protect it using your preferred ZIP utility
You can then complete the process and fulfil your Article 15 obligations by emailing the ZIP file to the requestor or by providing it to them on optical media. In both cases the ZIP file should be password protected.

Updated on: 07/11/2022

Was this article helpful?

Share your feedback


Thank you!