Charging £50 for information under GDPR

**TheCyclingProgrammer** · 12 March 2019, 13:51

In most cases you cannot charge a fee to comply with a subject access request.

However, as noted above, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.

If you do not believe the fee is reasonable then you can threaten to report them to the ICO for not honouring your rights under the GDPR.

**northernladuk** · 12 March 2019, 13:58

Originally posted by man View Post

A few years back, I requested a copy of my medical records from a private consultant (as I wasn't convinced he'd given me a copy of everything and I was seeking further care elsewhere). He demanded £50 for it (outrageously high but he reckoned that was within the rules) and so I left the matter. GDPR came in, so I've sent a separate request, stating that I expect the info for free under GDPR. He's sticking to £50! (and it took him 2 months to reply, well in excess of the 1 month limit)

Is there some GDPR exemption for medical companies that I don't know about, or should I be reporting this guy to the ICO, as it looks like he's taking the proverbial?

If you look at this site...
Health and social care | ICO

And in particular to the GP's section (I know he might not be a GP but there it might apply)
https://ico.org.uk/media/1273/doctors_guidance.doc

On page 5 it says..

Fees and charging

Information available through a GP’s publication scheme should be readily available at a low cost or at no cost to the public. If a GP does charge for this information, we expect the charges to be justifiable, clear and kept to a minimum.

Charges may be made for activities such as printing, photocopying and postage as well as information that the GP is legally authorised to charge for. Anyone requesting information must be informed of any charge before the information is provided. GPs may ask for payment before providing the information. Guidance on our website: Charging for information in a publication scheme provides more details.

If the GP charges a fee for licensing the re-use of datasets, they should state in the guide to information how this is calculated and whether the charge is made under the Re-use Fees Regulations or under other legislation. The GP cannot charge a re-use fee if they make the datasets available for re-use under the Open Government Licence.

Could also be true for his situation and £50 could be what he factors in for his time. It does seem high bit in that area that's arguable. That could equate to less then 30 mins of his time.

I very much doubt the ICO is remotely interested in something like this unless his whole GDPR policy is in a complete mess and even then it's going to take forever to sort.

**DaveB** · 12 March 2019, 15:33

Originally posted by northernladuk View Post

If you look at this site...
Health and social care | ICO

And in particular to the GP's section (I know he might not be a GP but there it might apply)
https://ico.org.uk/media/1273/doctors_guidance.doc

On page 5 it says..

Could also be true for his situation and £50 could be what he factors in for his time. It does seem high bit in that area that's arguable. That could equate to less then 30 mins of his time.

I very much doubt the ICO is remotely interested in something like this unless his whole GDPR policy is in a complete mess and even then it's going to take forever to sort.

That document is out of date and is based on the FOI Act 2000, not data protection rules.

Current guidance for H&SC bodies is here: Health and social care | ICO

Data protection – looking after the information you hold about patients

Requests for personal information

Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.

Right to access guidance

TL;DR It's all covered under GDPR and no they cannot charge for it, or take more than 20 days to deliver it.

I would mail them again and state clearly that this constitutes a Subject Access Request under Article 15 of the GDPR as enacted in the Data Protection Act 2018. If they refuse or insist on charging then report them directly to the ICO with copies of all correspondence showing the dates of the original request. Web link for complaints here.

Your personal information concerns | ICO

It will take couple of weeks to get a response, but you will get one and they will contact the bodies involved if there is evidence of non-compliance.

Charging £50 for information under GDPR