The Right of Access – Data subjects (e.g. students of a yoga teacher), have a right of access to the records that are held about them. Where a Right of Access is made, the Data Controller (e.g. the teacher) must provide the information they hold about their client, free of charge, in a suitable, secure format and within 30 days of the request. Note: The day of the request is considered to be the first day of the 30-day time limit. There are some exemptions, for example if the request is excessive or manifestly unfound.
Whilst we not able to give advice regarding Data Protection, if you have received a legitimate Right of Access request from a Solicitor with signed consent form from your student for the solicitor to act on their behalf, then you would need to release the notes to the Solicitor as the third party making the request.
If you have concerns that the request is not legitimate, you may have cause to check it’s validity with your student direct, and depending upon the circumstances, to confirm what information the student authorises you to release, i.e. details of any confidential information that you may have discussed that would not be relevant for the Solicitor to see.
Full details and further information may be found on the Information Commissioner’s Office (ICO) website at: Right of access | ICO
It will not be necessary for you to advise the insurance provider (Balens Limited) of any Right of Access requests that you receive, unless you have concerns that this may lead to a specific complaint or claim against yourself.