Handling a Subject Access Request (SAR)

This FAQ is for HelloSelf therapists who have been asked to contribute to a Subject Access Request (SAR). It outlines your responsibilities, how to redact information correctly, and where to get further support.

1. What is a Subject Access Request (SAR)?

A SAR is when a member requests access to their personal data. Under UK GDPR, individuals have the legal right to access information held about them.

HelloSelf is responsible for managing this request, but as their therapist, you may hold additional data (e.g., clinical notes, emails, or process notes) that must be included.

2. Who Can Request a SAR?

🔹 A member can submit a SAR verbally, in writing, or via social media.
🔹 Third parties (e.g., solicitors, police) can request a SAR but only if the member consents.
🔹 Insurance companies CANNOT make a SAR on behalf of a member.
🔹 A current HelloSelf therapist can relay a SAR request from a member, but we cannot accept SARs from former HelloSelf therapists.

3. What do I need to do?

As part of this process, you need to:

✅ Review your records for any relevant member data.
✅ Redact third-party information where necessary (see section 6).
✅ Apply necessary exemptions (see section 7).
✅ Ensure the document is correctly formatted (sanitised, watermarked, password-protected).
✅ Submit your redacted documents via EGRESS/messages on the platform for review.

You should aim to complete this as soon as possible—we have 30 days to respond from the SAR request date.

4. How do I submit my documents?

Once you have reviewed and redacted your documents:

1️⃣ Password-protect the document (use the member's DOB: DD/MM/YYYY).
2️⃣ Send the files via EGRESS/messages on the platform.
3️⃣ HelloSelf will review your redactions before release.

📌 Important: If a SAR request involves NHS-referred members, HelloSelf's Account Manager will notify the referring NHS Trust to ensure proper handling.

If you need guidance, contact the Senior Clinical Team at:
📩 clinicalsupportteam@helloself.com

5. How do I redact information correctly?

🔹 Use Adobe Acrobat’s redaction tool to permanently black out text.
🔹 Do NOT simply highlight or delete text—this is not a secure method.
🔹 Sanitise the document to remove hidden metadata.
🔹 Keep a separate document noting what was redacted and why.
🔹 Apply an “APPLICANT’S COPY” watermark before submission.

📌 Guide on using Adobe’s redaction tool:
🔗 Adobe Help: Redacting Sensitive Information

6. What information should I redact?

You must only disclose the data subject’s personal information. The following must be redacted:

🔴 Third-party information – Any data that identifies another individual (unless they have given consent).
🔴 Opinions about the member from a third party—if the third party could be identified.
🔴 Sensitive data that may cause harm, such as:

• Information that could cause psychological or physical harm to the member or others.
• Data that could jeopardise crime prevention or detection.

📌 More guidance on third-party redactions from the ICO:
🔗 ICO - Handling SARs

7. Can I refuse to provide certain information?

You can only withhold information if:
✔️ A valid exemption applies (see section 6).
✔️ The request is manifestly unfounded or excessive.

You cannot refuse simply because the data came from a third party—all personal data about the member must be disclosed unless an exemption applies. See here for details.

📌 Exemptions & Redaction Records:

• Keep a separate record of all redactions, including:
  
  • Who provided the information
    
  • What was disclosed
    
  • What was redacted (and why)
    
• If large redactions are necessary (beyond third-party data), document your reasoning.

📌 If in doubt, consult the Caldicott Guardian or HelloSelf’s Information Governance Team:
📩 hello@helloself.com

8. What is the deadline for completing this SAR?

We must respond within one month of receiving the request. If ID verification was delayed, the deadline may be adjusted.

If we fail to respond within 40 days, the member can formally complain, which may lead to a fine.

🔹 If a SAR is particularly complex, HelloSelf can extend the deadline by two additional months, but the member must be informed.

📌 If you have concerns, contact us immediately:
📩 clinicalsupportteam@helloself.com

9. Additional Guidance for Therapists in Active Treatment Cases

• If the member is still in therapy, all therapists involved should review their notes and agree on necessary exemptions.
• In some cases, a supported reading session with the therapist may help the member understand clinical notes before they receive the SAR.
• If a request is particularly sensitive (e.g., could trigger distress), HelloSelf’s Account Manager may liaise with NHS referrers to ensure appropriate handling.
  
  

10. Final Checks Before Sending the SAR

✅ Use professional redaction tools (Adobe Acrobat, etc.) – basic PDF editing isn’t enough.
✅ Ensure no "roundtripping" issues (old versions of redacted text appearing).
✅ Double-check that all redactions are properly applied before submitting.

📌 Redaction Toolkit:
🔗 National Archives: Redaction Toolkit

11. Secure Delivery of the SAR

🔹 HelloSelf’s Information Governance Team will send the SAR securely via Egress email.
🔹 The document will be password-protected with the first 8 characters of the member’s long ID.
🔹 The password must be shared via a separate method (e.g., therapist-to-therapist messaging or text message).

12. Need Help?

💬 If you have any questions or want to discuss specific redactions, reach out to:
📩 clinicalsupportteam@helloself.com or contact the Information Commissioner’s Office https://ico.org.uk/.

🔍 Additional resources:

• ICO Guidance on SARs: Right of Access (SAR) Guide
• Adobe’s Redaction Tutorial: How to Redact PDFs
• HelloSelf SAR Presentation: (attached)
  

🔹 Key Takeaway: Complete the SAR as soon as possible, ensure correct redactions, and reach out for support if needed.

• Subject Access Request (SAR) procedure.pdf300 KB