Subject Access Requests
A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR). If you want to see your health records or would like a copy, you can write to or call your Practice and then arrange a time to come in and read them. You do not have to give a reason for wanting to see your records and there is no charge for this service.
It is a good idea to state the dates of the records that you want to see – for example, from 2010-2017 – and to send the letter by recorded delivery or deliver it to the Practice (if you are requesting this in writing). You should also keep a copy of your letter for your records. The Practice has up to 28 days to respond. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.
The 28-day time limit can be extended for two months for complex or numerous requests where the data controller (usually your practice) needs more time to collate and supply the data. You will be informed about this within 28 days and provided with an explanation of why the extension is necessary.
When writing/calling, you should say if you:
- want a copy as well as to see them (if you wish to see them your doctor or member of staff will be present to assist you and explain any medical terms to you)
- want all or just part of them
- would like your records to be given to you in a format that meets your needs, and we will endeavour to accommodate your request
- would like your records to be emailed; we will then secure your or your representative’s agreement (in writing or in email) that they accept the risk of sending unencrypted information to a non-NHS email address
You may also need to fill in an application form and give proof of your identity. The Practice has an obligation under the GDPR and DPA 2018 to ensure that any information provided for the patient can be verified.
Please note we never send original medical records because of the potential detriment to patient care should these be lost.
Who may apply for access?
1(1) Patients with capacity
Subject to the exemptions listed in paragraph 1(6) (below), patients with capacity have a right to access their own health records via an SAR. You may also authorise a third party such as a solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for you to give reasons as to why you wish to access your records.
1(2) Children and young people under 18
Where a child is competent, they are entitled to make or consent to an SAR to access their record.
Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to an SAR. However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via an SAR (see paragraph 1(3) below).
1(3) Next of kin
Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.
You can authorise a solicitor acting on your behalf to make an SAR. We must have your written consent before releasing your medical records to the solicitor acting on your behalf. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we may contact you before disclosing the information. (England and Wales only – should you refuse, your solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for solicitors to use the form, it is hoped it will improve the process of seeking consent.)
The Practice may also contact you to let you know when your medical records are ready. If your solicitor is based within our area, then we may ask you to uplift them and deliver them to your solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your solicitor if they can uplift your medical records.
1(5) Supplementary Information under SAR requests
The purposes for processing data
The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.
The categories of personal data
The category of your personal data is healthcare data.
The organisations with which the data has been shared
Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual. Other organisations will receive your confidential health information, for example Digital or the Scottish Primary Care Information Resource (SPIRE) or research bodies such as the Secure Anonymised Linkage Databank (SAIL). (This information is already available to patients in our practice privacy notices).
The existence of rights to have inaccurate data corrected and any rights of objection
For example, a national ‘opt-out’ model such as SPIRE etc.
Any automated decision taking including the significance and envisaged consequences for the data subject
For example, risk stratification.
The right to make a complaint to the Information Commissioner’s Office (ICO)
1(6) Information that should not be disclosed
The GDPR and Data Protection Act 2018 provide for a number of exemptions in respect of information falling within the scope of an SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.
1(7) Individuals on behalf of adults who lack capacity
Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales and the Sheriff’s Court in Scotland can also appoint deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.
Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.
1(8) Deceased records
The law allows you to see records of a patient who has died as long as they were made after 1st November 1991.
Different parts of the health record are retained for different lengths of time following a patient’s death. In England and Wales, GP records are generally kept for 10 years after death, before they are destroyed.
Who can access deceased records?
You can only see that person’s records if you are their personal representative, administrator or executor.
You won’t be able to see the records of someone who made it clear that they did not want other people to see their records after their death.
Accessing deceased records
Before you get access to these records, you may be asked for:
- proof of your identity
- proof of your relationship with the person who has died
Viewing deceased records
You won’t be able to see information that could:
- cause serious harm to your or someone else’s physical or mental health
- identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission
If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.
1(9) Hospital Records
To see your hospital records, you will have to contact your local hospital.
1(10) Power of attorney
Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney.
A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.
The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.
If you wish to see the health records of someone who has died, you will have to apply under the Access to Medical Records Act 1990. You can only apply if you:
- are that person’s next of kin or are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person)
- have the permission of the next of kin or have obtained written permission from the deceased person before they died.
To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the Practice or the hospital where the records are stored.
If you think that information in your health records is incorrect, or you need to update your personal details (name, address, phone number), approach the relevant health professional informally and ask to have the record amended. Some hospitals and GP surgeries have online forms for updating your details. If this doesn’t work, you can formally request that the information be amended under the NHS complaints procedure.
All NHS trusts, NHS England, CCGs, GPs, dentists, opticians and pharmacists have a complaints procedure. If you want to make a complaint, go to the organisation concerned and ask for a copy of their complaints procedure.
Alternatively, you can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:
The Information Commissioner’s Office (ICO)
Telephone: 01625 545745
If your request to have your records amended is refused, the record holder must attach a statement of your views to the record.