Tweet
NHS trust GDPR breach - 'letter before action' help needed please
Hello. My issue is with an NHS trust that has not released my SAR since my request mid October 2025.
In early December, I chased the data controller by email and their reasoning was:
"Unfortunately, due to significant internal pressures within the department, we are currently unable to complete our response to your subject access request within the required timeframe.
Please accept our sincere apologies. We would like to assure you that we are actively processing your subject access request and will provide a full response as soon as possible. We greatly appreciate your patience and understanding, and we remain fully committed to meeting our obligations under the Data Protection Act 2018"
I've heard no more since.
I see that under GDPR compliance, they have not given a valid excuse. Nor have they mentioned a reasonable extension beyond the legal one month timescale, which they must do.
These are the basics I know about.
ICO advised me yesterday to lodge a complaint with them, (which I will) so at least it is logged against the trust. They say they cannot enforce the release of the SAR though, and that that there is a 10 month backlog for to look at complaints.
It's important for me to add that the SAR is needed for a complaint against a senior member of medical staff at the hospital.
I did tell another consultant that I was going to log a complaint in August, and it's possible this may be the reason for the holding back of the SAR disclosure.
I then applied for the SAR in October to produce evidence of all serious wrongdoings.
My physical and mental health has suffered through the actions, and the non-actions so far.
This leaves me with going through the small claims court.
I dread the thought of this approach to get heard, and I'm trying to prepare a properly worded 'letter before action' to give the NHS a last chance.
This is what I need help with please.
As I'm not exactly clued up on GDPR, I have had some 'automated help' with construction of the example below (which isn't to be fully trusted)
Can anyone knowledgeable check over the wording please and let me know if it's suitable to send?
Thank you
Subject: Formal Notice of Intended Court Proceedings – Subject Access Request
Dear Data Protection Officer,
I am writing regarding my Subject Access Request submitted electronically on __ October 2025
I received confirmation from the Data Controller two days later on __ October 2025 that my request had been received.
Under Article 15(1) UK GDPR and Article 12(3), a controller is required to respond to a valid subject access request without undue delay, and in any event within one month of receipt.
I have not received a substantive response within this statutory timeframe, nor was I notified of any lawful extension with reasons.
The Trust is therefore in ongoing breach of its obligations under the UK GDPR and the Data Protection Act 2018.
Accordingly, I require full compliance with my Subject Access Request within 7 days of the date of this email.
If a complete response is not received within this timeframe, I will issue proceedings in the County Court under Section 167 of the Data Protection Act 2018 to obtain an order compelling compliance, together with recovery of the court fee and reasonable costs.
I also expressly reserve my right to seek compensation pursuant to Section 168 of the Data Protection Act 2018 for the distress caused by the Trust’s ongoing failure to comply with its statutory obligations.
This letter is sent in accordance with the Civil Procedure Rules as formal notice prior to issuing proceedings.
I trust that court action will not be necessary and look forward to your prompt response.
Yours sincerely,
[Your Name]
In early December, I chased the data controller by email and their reasoning was:
"Unfortunately, due to significant internal pressures within the department, we are currently unable to complete our response to your subject access request within the required timeframe.
Please accept our sincere apologies. We would like to assure you that we are actively processing your subject access request and will provide a full response as soon as possible. We greatly appreciate your patience and understanding, and we remain fully committed to meeting our obligations under the Data Protection Act 2018"
I've heard no more since.
I see that under GDPR compliance, they have not given a valid excuse. Nor have they mentioned a reasonable extension beyond the legal one month timescale, which they must do.
These are the basics I know about.
ICO advised me yesterday to lodge a complaint with them, (which I will) so at least it is logged against the trust. They say they cannot enforce the release of the SAR though, and that that there is a 10 month backlog for to look at complaints.
It's important for me to add that the SAR is needed for a complaint against a senior member of medical staff at the hospital.
I did tell another consultant that I was going to log a complaint in August, and it's possible this may be the reason for the holding back of the SAR disclosure.
I then applied for the SAR in October to produce evidence of all serious wrongdoings.
My physical and mental health has suffered through the actions, and the non-actions so far.
This leaves me with going through the small claims court.
I dread the thought of this approach to get heard, and I'm trying to prepare a properly worded 'letter before action' to give the NHS a last chance.
This is what I need help with please.
As I'm not exactly clued up on GDPR, I have had some 'automated help' with construction of the example below (which isn't to be fully trusted)
Can anyone knowledgeable check over the wording please and let me know if it's suitable to send?
Thank you
Subject: Formal Notice of Intended Court Proceedings – Subject Access Request
Dear Data Protection Officer,
I am writing regarding my Subject Access Request submitted electronically on __ October 2025
I received confirmation from the Data Controller two days later on __ October 2025 that my request had been received.
Under Article 15(1) UK GDPR and Article 12(3), a controller is required to respond to a valid subject access request without undue delay, and in any event within one month of receipt.
I have not received a substantive response within this statutory timeframe, nor was I notified of any lawful extension with reasons.
The Trust is therefore in ongoing breach of its obligations under the UK GDPR and the Data Protection Act 2018.
Accordingly, I require full compliance with my Subject Access Request within 7 days of the date of this email.
If a complete response is not received within this timeframe, I will issue proceedings in the County Court under Section 167 of the Data Protection Act 2018 to obtain an order compelling compliance, together with recovery of the court fee and reasonable costs.
I also expressly reserve my right to seek compensation pursuant to Section 168 of the Data Protection Act 2018 for the distress caused by the Trust’s ongoing failure to comply with its statutory obligations.
This letter is sent in accordance with the Civil Procedure Rules as formal notice prior to issuing proceedings.
I trust that court action will not be necessary and look forward to your prompt response.
Yours sincerely,
[Your Name]
Comment