Anonymising NHS SAR Responses Before Release – UK GDPR-compliant anonymisation per UK GDPR Art. 9
An NHS Subject Access Request response bundles together records from multiple care settings — GP notes, hospital letters, mental health assessments, and medication records — creating a high-density personal-data package under UK GDPR Art. 15. anonym.legal pseudonymises third-party personal data (named clinicians, other patients inadvertently mentioned) in the bundle before release, ensuring the requester receives their own health information without exposing third parties.
When this applies
This task applies when an NHS Trust or GP surgery has compiled a SAR response bundle and must redact or pseudonymise third-party personal data — other patients named in ward notes, named clinicians in records about disciplinary matters — before releasing the bundle to the requesting patient.
How anonym.legal handles it
- Upload the compiled SAR response bundle to anonym.legal.
- The engine scans the entire bundle for third-party personal data: other patients named in shared ward notes, clinicians named in complaint correspondence, and family members mentioned in social-history sections.
- Third-party individuals are pseudonymised; the requesting patient's own data is preserved in full.
- Clinical content, dates, diagnosis codes, and care-plan entries directly relating to the requesting patient are preserved.
- A review report flags all pseudonymisation actions for the Data Controller to verify before release.
- The processed bundle is prepared for release to the requester under the UK GDPR Art. 15 right of access.
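The list-driven part of the steps above, as an added Python example (not anonym.legal's engine or API): it keeps the requester's name, gives each listed third party one stable token, records every replacement for Data Controller review, and flags entries that name more than one third party. The function name, token format and sample notes are assumptions constructed for illustration; names absent from the supplied list are not detected.

```python
import re

# Constructed sample input: entries from a hypothetical ward-note bundle.
SAMPLE_ENTRIES = [
    "12/03 Jane Carter reviewed on ward round, pain controlled.",
    "12/03 Bay 4: Jane Carter disturbed overnight by Tom Reeve; Alan Price also moved.",
    "13/03 Daughter Emily Carter phoned re discharge plan for Jane Carter.",
]
SAMPLE_REQUESTER = "Jane Carter"
# The requester appears here by mistake on purpose: the function must still keep her name.
SAMPLE_THIRD_PARTIES = ["Tom Reeve", "Alan Price", "Emily Carter", "Jane Carter"]


def pseudonymise_bundle(entries, requester, third_parties):
    """Return (released_entries, review_report, entries_needing_manual_review)."""
    # Never pseudonymise the requester, even if the name was listed in error.
    names = sorted({n for n in third_parties if n.lower() != requester.lower()},
                   key=len, reverse=True)  # longest first, so overlapping names match whole
    if not names:
        return list(entries), [], []
    pattern = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, names)),
                         re.IGNORECASE)
    tokens = {}        # lowercased name -> token: one person keeps one token bundle-wide
    report = []        # one row per replacement, for the Data Controller to verify
    needs_review = []  # entry indexes that mention more than one third party
    released = []
    for idx, text in enumerate(entries):
        hits = set()

        def swap(match):
            key = match.group(0).lower()
            token = tokens.setdefault(key, "[THIRD-PARTY-%d]" % (len(tokens) + 1))
            hits.add(key)
            report.append({"entry": idx, "original": match.group(0), "token": token})
            return token

        released.append(pattern.sub(swap, text))
        if len(hits) > 1:
            needs_review.append(idx)
    return released, report, needs_review


if __name__ == "__main__":
    out, rows, flagged = pseudonymise_bundle(
        SAMPLE_ENTRIES, SAMPLE_REQUESTER, SAMPLE_THIRD_PARTIES)
    print("\n".join(out))
    print("replacements:", len(rows), "entries needing manual review:", flagged)
```

The relative "Emily Carter" shares a surname with the requester; matching on the full listed name is what keeps the requester's own entries intact.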
What you provide
- Compiled SAR response bundle (PDF or DOCX)
- Patient identity confirmation (to distinguish the requester from third parties)
- List of known third-party individuals to flag (optional, improves detection)
Limitations & cautions
- The tool pseudonymises third-party personal data but does not constitute a legal assessment of whether particular information is exempt from disclosure under DPA 2018 Schedule 2 exemptions — obtain legal advice on exemption claims.
- Complex ward notes where multiple patients are discussed in a single entry require careful review of the pseudonymisation output before release.
- The NHS one-month SAR response deadline cannot be extended solely on account of pseudonymisation processing time; plan accordingly.
FAQ
Must the NHS Trust pseudonymise third-party clinician names in the SAR bundle?
Whether clinician names constitute third-party personal data that must be withheld depends on whether the clinician has a reasonable expectation of privacy in that context. The ICO's subject access guidance indicates that healthcare professionals' names in their professional capacity may not require redaction. Obtain legal advice for your specific facts.
Can the engine distinguish between the requesting patient's own data and third-party data?
Yes, provided the requesting patient's identity is supplied as a reference. The engine preserves occurrences of the requester's identifiers while pseudonymising those of other named individuals.
Does the tool handle SAR bundles that include scanned handwritten notes?
Scanned handwritten notes require OCR pre-processing. After OCR conversion, the engine detects named individuals in the transcribed text. OCR accuracy affects coverage for poorly legible handwriting.