Access To Medical Records

1. Introduction

1.1 Policy Statement

The purpose of this document is to ensure that appropriate procedures are in place at St Clements Surgery to enable individuals to apply for access to information held about them and, for authorised individuals, to information held about other people. This policy is written in conjunction with the following government legislation:

  1. The Access to Health Records Act 1990
  2. The Access to Medical Reports Act 1988
  3. The General Data Protection Regulation
  4. The Data Protection Act 2018
  5. The Freedom of Information Act 2000
  6. The Data Protection (Subject Access Modification) (Health) Order 2000

1.2 Status

This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.

1.3 Training and support

The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.

2. Scope

2.1 Who it applies to

This document applies to all employees of the practice and other individuals performing functions in relation to the practice, such as agency workers, locums and contractors.

2.2 Why and how it applies to them

In accordance with the General Data Protection Regulation individuals have the right to access their data and any supplementary information held by St Clements Surgery; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Access to any other supplementary information held about them

This policy will outline the procedure to access health records at St Clements Surgery as follows:

  • For an individual, for information about themselves
  • For access to the health records of a deceased individual
  • Access to health records of an individual by an authorised person (by a court), when the individual does not have the capacity to make such a decision
  • Organisations requesting information about an individual for employment or insurance purposes (governed by The Access to Medical Reports Act 1988)

The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.

3. Policy

3.1 Right to access

In accordance with the Access to Health Records Act 1990 individuals have the right to access health records held by a healthcare provider that has treated that individual, and/or to access a summary care record (SCR) created by the individual’s GP. The Data Protection Act (DPA 1998) gives individuals the right to ask for a copy of the information an organisation holds about them; this right is commonly known as a Data Subject Access Request (DSAR). In the case of health records, a request for information has to be made with the organisation that holds the individual’s health records, otherwise known as the data controller.

St Clements Surgery has mechanisms in place to inform patients of their right to access the information held about them, and how long it will take for a DSAR process to be completed.

With effect from April 2016, NHS practices are, as part of their contractual obligation, to provide patients with access to coded information held within their health records. Such information includes:

  • Demographics
  • Allergies
  • Immunisations
  • Medication
  • Results
  • Procedures
  • Values
  • Problems/diagnoses
  • Other (ethnicity, QOF, etc.)

NHS England have published an information leaflet, Patient Online, which provides further detailed information about this obligation and how patients can access their health record online.

There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.

Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally: any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.

3.2 Requests

Requests may be received from the following:

  • Competent patients may apply for access to their own records or authorise third party access to their records.
  • Children and young people may also apply in the same manner as other competent patients and St Clements Surgery will not automatically presume a child or young person has capacity under the age of 16. However, those aged 12 or over are expected to have the capacity to consent to medical information being disclosed.
  • Parents may apply to access their child’s health record as long as it is not in contradiction to the wishes of the competent child.
  • Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. St Clements Surgery will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any considerations to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.
  • Next of kin have no rights of access to health records.
  • Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at St Clements Surgery may disclose relevant information to the police if the patient has consented or if there is no overriding public interest. For detailed information, see section 4.1.6 of footnote 2.
  • Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. St Clements Surgery will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient. In the case of a solicitor requesting information, the BMA has provided more information here. St Clements Surgery will ask solicitors to use the appropriate form when requesting information.
  • Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990. Under the terms of this Act, St Clements Surgery will only grant access if you are either:
  1. A personal representative (executor of the deceased person’s estate) or
  2. Someone who has a claim resulting from the death

The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage. St Clements Surgery can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.

In the cases of any third-party requests, St Clements Surgery will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.

In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, St Clements Surgery will adhere to the guidance provided in the GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.

Under The Data Protection (Subject Access Modification) (Health) Order 2000, St Clements Surgery will ensure that an appropriate healthcare professional manages all access matters. At St Clements Surgery there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.

Furthermore, to maintain GDPR compliance, the data controller at St Clements Surgery will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at St Clements Surgery will ensure that the processing of personal data is lawful and at least one of the following applies:

  • The data subject has given consent to the processing of his/her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or another natural person

3.3 Procedure for access

A DSAR form (Annex A) must be completed and passed to the data controller; all DSARs should be processed free of charge unless they are either complex, repetitive or unfounded (see GDPR Policy). The GDPR states that data subjects should be able to make access requests via email. St Clements Surgery is compliant with this and data subjects can complete an e-access form and submit the form via email.

Upon receipt of a DSAR, St Clements Surgery will record the DSAR within the health record of the individual to whom it relates, as well as annotating the DSAR log. Furthermore, once processed, an entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual.

Individuals will have to verify their ID at St Clements Surgery and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Data Subject Access Request (DSAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.

A poster explaining how to access health records, for use in waiting-room areas, can be found at Annex D.

3.4 Additional Privacy Information notice

Once the relevant information has been processed and is ready for issue to the patient, it is a requirement, in accordance with Article 15 of the General Data Protection Regulation (GDPR), to provide an Additional Privacy Information notice (APIn).

3.5 Third-party requests

Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.

The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject.

3.6 Summary

Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns with St Clements Surgery.

Further Information


In accordance with the General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by St Clements Surgery; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Access to any other supplementary information held about them

Options for access

As of April 2016, practices have been obliged to allow patients access to their health record online. This service will enable the patient to view coded information held in their health record. Prior to accessing this information, you will have to visit the practice and undertake an identity check before being granted access to your records.

In addition, you can make a request to be provided with copies of your health record. To do so, you must submit a Data Subject Access Request (DSAR) form; this can be submitted electronically and the DSAR form is available on the practice website. Alternatively, a paper copy of the DSAR is available from reception. You will need to submit the form online or return the completed paper copy of the DSAR to the practice. Patients do not have to pay a fee for copies of their records.

Time frame

Once the DSAR form is submitted, St Clements Surgery will aim to process the request within 21 days; however, this may not always be possible. The maximum time permitted to process DSARs is one calendar month.


There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.

Data controller

At St Clements Surgery the data controller is the Practice Manager. Should you have any questions relating to accessing your medical records, please ask to discuss this with the Practice Manager.