Our 'Access to Medical Records' Policy




Individuals have the right to access their personal data and supplementary information.

The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Under the GDPR/DPA 2018, individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (Article 15)

The GDPR/DPA 2018 clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

An application for access to health records may be made in any of the circumstances explained below.


The Patient

Yealm Medical Centre (hereby referred to as “the Practice”) has a policy of openness with regard to health records and health professionals are encouraged to allow patients to access their health records on an informal basis. This should be recorded in the health record itself. The Department of Health’s Code of Practice on Openness in the NHS will still apply to informal requests.


A request for access to health records in accordance with the GDPR/DPA 2018 should be made in writing, which includes by email, to the data controller, i.e. the Practice. If appropriate, the patient can make a verbal request, especially if the person that the patient is making the request to can verify his/her identity (e.g their GP).


The requester should provide enough proof to satisfy the Practice of their identity (and the Practice is entitled to verify their identify using “reasonable means”) and to enable the Practice to locate the information required. If this information is not contained in the original request the Practice should seek proof as required. Where requests are made on behalf of the individual patient the Practice should be satisfied that the individual has given explicit consent to the release of their information.


The default assumption is that the information requested by the individual is the entire GP record. However, the Practice may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR/DPA 2018 permits the Practice to ask the individual to specify the information the request relates to (Recital 63) where the Practice is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely). This has been called a “targeted” subject access request.


Where an access request has previously been met the Act permits that a subsequent identical or similar request does not have to be fulfilled unless a reasonable time interval has elapsed between.

A request does not have to use the term “subject access”, “right of access”,  or “data protection” for it to be valid.

A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Practice.



Patients living abroad

For former patients living outside of the UK and whom once had treatment for their stay here, under GDPR/DPA 2018 they still have the same rights to apply for access to their UK health records.  Such a request should be dealt with as someone making an access request from within the UK. 


Children of 16 years or over

If a mentally competent child is 16 years or over then they are entitled to request or refuse access to their records.  If any other individual requests access to these the Practice should first check with the patient that he or she is happy for them to be released. 


Children Under 16 Years

Individuals with parental responsibility for an under 16 year old will have a right to request access to those medical records.  A person with parental responsibility is either:


  • the birth mother, or
  • the birth father (if married to the mother at the time of child’s birth, or subsequently) or,
  • an individual given parental responsibility by a court


(This is not an exhaustive list but contains the most common circumstances).


If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility.


If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access.  Technically, if a child lives with, for example, its mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother.  In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so. 


In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions. 

Patient Representatives

A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.  The Practice may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation.


Next of kin

Despite the widespread use of the phrase ‘next of kin’ this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. A next of kin has no rights of access to medical records.

Court Representatives

A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application.  Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.



The Practice must provide a copy of the information free of charge. However, the practice may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.

Manifestly unfounded or Excessive Requests

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the Practice can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond


Where the Practice refuses to respond to a request, the Practice must explain why to the individual, informing them of their right to complain to the supervisory authority (the Information Commissioner’s Office) without undue delay, and at the latest within one month.


Secure Online Records Access

The Practice can offer, if appropriate, for a requestor to be enabled to securely access their full GP electronic record online. This would then allow them to access all information they might be seeking.

Recital 63 of the GDPR states:

Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. “


Notification of requests

The Practice will keep a central record of all requests in order to ensure that requests are cross-referenced with any complaints or incidents and that the deadlines for response are monitored and adhered to.



Requirement to consult appropriate health professional
It is the GP’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed.  Before the Practice discloses or provides copies of medical records the patient’s GP must have been consulted and he / she checked the records and authorised the release, or part-release.


It is the responsibility of the GP to ensure that the information to be released:

  • Does not disclose anything that identifies any other data subject. The only exception to this is the identity of people involved in the care of the individual requestor, such as community staff or hospital specialists
  • Does not disclose anything that is likely to result in harm to the data subject or anyone else
  • Does not disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation



Grounds for refusing disclosure to health records

The GP should refuse to disclose all or part of the health record if the he / she is of the view that:


  • disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person; or
  • the records refer to another individual who can be identified from that information (apart from a health professional).  This is unless that other individual’s consent is obtained or the records can be anonymised or it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party; or
  • the request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and the:


  • information was given by the patient in the expectation that it would not be disclosed to the person making the request; or
  • the patient has expressly indicated it should not be disclosed to that person


Access to Medical Records Act

The Practice will not provide information under a Subject Access Request made on behalf of a patient by a solicitor, insurance agency or employer, and where it is clear that such a request should be made under the Access to Medical Records Act. This would refer to reports for employment (proposed or actual) and insurance purposes (any “insurance contract” so covering accident claims, insured negligence, or anything covered by an insurance contract that requires a medical report to support an actual or potential insured claim).


If necessary, or unsure, the Practice will seek clarification from both the requestor and the patient concerned.


Informing of the decision not to disclose

If a decision is taken that the record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating that disclosure would be likely to cause serious harm to the physical or mental health of the patient, or to any other person. The general position is that the Practice should inform the patient if records are to be withheld on the above basis.


If however, the appropriate health professional thinks that telling the patient:


  • will effectively amount to divulging that information; or
  • is likely to cause serious physical or mental harm to the patient or another individual


then the GP could decide not to inform the patient, in which case an explanatory note should be made in the file.


The decision can only be taken by the GP and an explanatory note should be made in the file.  Although there is no right of appeal to such a decision, it is the Practice’s policy to give a patient the opportunity to have their case investigated by invoking the complaints procedure.  The patient must be informed in writing that every assistance will be offered to them if they wish to do this.  In addition, the patient may complain to the Information Commissioner for an independent ruling on whether non-disclosure is proper.



Disclosure of the record

Information must be provided without delay and at the latest within 28 calendar days of receipt.

If a request is made verbally, for example within a GP consultation, their GP can – if appropriate and possible within the consultation – provide the requested information immediately.

The Practice will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the Practice must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be sent to, or given to, the patient or their representative.


There should be no circumstances in which it would not be possible to supply permanent copies of health records.


If sent by post:

  • the record should be sent to a named individual
  • by recorded delivery, costs borne by the patient
  • marked “private and confidential”
  • “for addressee only”
  • and the Practice details should be written on the reverse of the envelope.


Originals should not be sent.


Confidential medical records should not be sent by fax unless there is absolutely no alternative

If a fax must be sent, it should include the minimum information and names should be removed and telephoned through separately.  Normal security procedures for sending faxes apply; refer to reception protocol.


All staff should be aware that safe haven procedures apply to the sending of confidential information by fax, for whatever reason.  That is, the intended recipient must be alerted to the fact that confidential information is being sent.  The recipient then makes a return telephone call to confirm safe and complete receipt.  A suitable disclaimer, advising any unintentional recipient to contact the sender and to either send back or destroy the document, must accompany all such faxes. 

A suitable disclaimer would be:


“Warning: The information in this fax is confidential and may be subject to legal professional privilege. It is intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, please notify the sender immediately. Unless you are the intended recipient or his/her representative you are not authorised to, and must not, read, copy, distribute, use or retain this message or any part of it.”


If the request was made electronically, the Practice should provide the information in a commonly used electronic format.


Confidential information should not be sent by email unless:

  • the email address of the recipient is absolutely verified
  • the data is via an encrypted service such as one NHS Mail account to another NHS Mail account; or
  • the data is fully encrypted via at least 128-bit AES and preferably 256-bit AES. In such circumstances, the password must be at least 32 characters and contain a mixture of letters (upper and lower case), digits, and punctuation
  • the password must be conveyed to the patient separately from the encrypted file and preferably not by email at all (i.e. in person, by SMS, telephone or post)



Confidential information can be burnt onto a practice-provided blank CD-ROM as long as:

  • the data is fully encrypted via at least 128-bit AES and preferably 256-bit AES. In such circumstances, the password must be at least 32 characters and contain a mixture of letters (upper and lower case), digits, and punctuation
  • the password must be conveyed to the patient separately from the encrypted file


If the information requested is handed directly to the patient (whether on paper or CD-ROM) then the patient must provide verifiable identification at the time of collection.

A note should be made in the file of what has been disclosed to whom and on what grounds.


Where information is not readily intelligible an explanation (e.g. of abbreviations or medical terminology) must be given.