Subject Access Request Policy





Under the General Data Protection Regulation (GDPR), individuals have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data (and only theirs)
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

ICO - Rights of Access

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing and understand how and why the practice is using their data.

An application for access to health records may be made in any of the circumstances explained below. This policy does not apply to requests to access records of deceased patients, as the GDPR does not apply to the data of deceased patients.


Patient Requests

A request for access to health records in accordance with the GDPR can be made in writing to the Practice. A simple form is included in this policy for patients to use, if they wish. Requests for access can be made verbally, or in writing, to any member of Practice staff.

All requests should be documented. The documented request should then be passed on to either the Practice Manager. Requests must be recorded in the Subject Access Request Register.

A request does not have to include the phrase “subject access request” or “Article 15 of the GDPR” or “data protection” or “right of access”.

The requester should provide enough proof to satisfy the Practice of their identity (and the Practice is entitled to verify their identity using “reasonable means”). The Practice must only request information that is necessary to confirm who they are. The Practice should request any identity verification as soon as possible after the request has been received.

The default assumption when a requester asks for “a copy of their GP record” is that the information requested by the individual is the entire GP record. However, the Practice may check with the applicant whether all or just some of the information contained in the health record is required before processing the request. The GDPR permits the Practice to ask the individual to specify the information the request relates to (Recital 63) where the Practice is processing a large amount of information about the individual. As a result, the information disclosed can be less than the entire GP record by mutual agreement (the individual must agree so voluntarily and freely).

A patient, or their representative, is under no obligation to provide a reason for the request, even if asked by the Practice.


Secure Online Records Access

The Practice can offer, if appropriate, for a requester to be enabled to securely access their full GP electronic record online. This would then allow them to access all information that they might be seeking. Access should follow identify verification, and a review of the record.

Recital 63 of the GDPR states:

"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."


Patients Living Abroad

For former patients living outside of the UK and whom once had treatment for their stay here, under GDPR they still have the same rights to apply for access to their UK health records. Such a request should be dealt with as someone making an access request from within the UK.


Patient Representatives

A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf.

The Practice must be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney (Legal Power of Attorney for Health and Welfare) in the case of an individual who no longer has the mental capacity to manage their own health.

The Practice is entitled to send the information requested directly to the patient if we think that the patient may not understand what information would be disclosed to a third party who has made a request on their behalf.

A next of kin has no rights of access to medical record, unless they have Power of Attorney.


Court Representatives

A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied where the GP is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.



No matter their age, it is the child who has the right of access to their information.

Before responding to a subject access request for information held about a child, we should consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we should usually respond directly to the child. We may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.

What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a
result of doing so.

When considering borderline cases, The Practice should take into account, among other things:

  • the child’s level of maturity and their ability to make decisions like this;
  • the nature of the personal data;
  • any court orders relating to parental access or responsibility that may apply;
  • any duty of confidence owed to the child or young person;
  • any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
  • any views the child or young person has on whether their parents should have access to information about them.

A person with parental responsibility is either:

  • the birth mother, or
  • the birth father (if married to the mother at the time of child’s birth or subsequently) or,
  • an individual given parental responsibility by a court

(This is not an exhaustive list but contains the most common circumstances).

If the appropriate health professional considers that a child patient is Gillick competent (i.e. has sufficient maturity and understanding to make decisions about disclosure of their records) then the child should be asked for his or her consent before disclosure is given to someone with parental responsibility. If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, their mother and the father applies for access to the child’s records, there is no “obligation” to inform the mother. In practical terms, however, this may not be possible and both parents should be made aware of access requests unless there is a good reason not to do so.

In all circumstances good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.


Notification of Requests

The Practice will keep a Subject Access Request Register of all requests in order to ensure that requests and response deadlines are monitored and adhered to.



The Practice must provide a copy of the information free of charge.

However, the practice may charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.


Manifestly Unfounded or Excessive Requests

Where requests are manifestly unfounded or excessive, the Practice can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

Where the Practice refuses to respond to a request, the Practice must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay, and at the latest within one month.


Requirement to Consult an Appropriate Health Professional

It is the Practice’s responsibility to consider an access request and to disclose the records if the correct procedure has been followed. Before the Practice discloses or provides copies of medical records, the records must be checked, and the release must be documented and authorised.

It is the responsibility of the Practice to ensure that the information to be released:

  • Does not disclose anything that identifies any other data subject. The only exception to this is the identity of people involved in the care of the individual requester, such as community staff or hospital specialists
  • Does not disclose anything that is likely to result in harm to the data subject or anyone else
  • Does not disclose anything subject to a court order or that is privileged or subject to fertilisation or adoption legislation

Grounds for Refusing Disclosure of Health Records

The Practice should refuse to disclose all or part of the health record if the Health Professional is of the view that:

  • disclosure would be likely to cause serious harm to the physical or mental health of the patient or any other person; or
  • the records refer to another individual who can be identified from that information (apart from a health professional). This is unless
    • that other individual’s consent is obtained, or
    • the records can be anonymised, or
    • it is reasonable in all the circumstances to comply with the request without that individual’s consent, taking into account any duty of confidentiality owed to the third party
  • the request is being made for a child’s records by someone with parental responsibility or for an incapacitated person’s record by someone with power to manage their affairs, and:
    • the information was given by the patient in the expectation that it would not be disclosed to the person making the request; or
    • the patient has expressly indicated it should not be disclosed to that person

For the avoidance of doubt, we cannot refuse to provide access to personal data about an individual simply because we obtained that data from a third party.


Access to Medical Records Act

The Practice will not provide information under a Subject Access Request made on behalf of a patient by a solicitor, insurance agency or employer, and where it is clear that such a request should be made under the Access to Medical Records Act. This would refer to reports for employment (proposed or actual) and insurance purposes (any "insurance contract" so covering accident claims, insured negligence, or anything
covered by an insurance contract that requires a medical report to support an actual or potential insured claim).

If necessary, or unsure, the Practice will seek clarification from both the requester and the patient concerned.


Informing of the decision not to disclose

If a decision is taken that the record should not be disclosed, a letter must be sent by recorded delivery to the patient or their representative stating the grounds for refusing disclosure.

The letter must inform the patient or representative without undue delay and within one month of receipt of the request, and will state:

  • the reasons you are not taking action;
  • their right to make a complaint to the Practice;
  • their right to make a complaint to the ICO or another supervisory authority; and • their ability to seek to enforce this right through a judicial remedy.

The Practice should also provide this information where a request for a reasonable fee is made, or additional information to identify the individual is required.


Disclosure of the Record

Information must be provided without delay and at the latest within one month. This is calculated from the day after the request is received, which will be day 1, even if this is a non-working day.

The period for responding to the request begins at receipt of the request, or:
• When the Practice receives any additional information required to confirm the identity of the requester
• When the Practice receives any additional information requested (and required) to clarify the request

In addition to the information requested, the Practice Privacy Notice will also be provided to the individual.

When the information is provided by the Practice, this is for personal use only. The security and confidentiality of the records becomes the responsibility of the requestor and the Practice cannot be held responsible for any onward transmission or distribution.

If a request is made verbally, for example within a GP consultation, then the GP can – if appropriate and possible within the consultation and, no additional ID verification is required – provide the requested information immediately. Verbal Subject Access Requests should be recorded on the Subject Access Request Register.

The Practice will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the Practice must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Once the appropriate documentation has been received and disclosure approved, the copy of the health record may be sent to, or given to, the patient or their representative. If the information requested is handed directly to the patient, then verifiable identification must be confirmed at the time of collection.

It should be assumed that if an individual makes a request electronically (i.e. by email), the Practice should provide the information in a commonly used electronic format (e.g. as .pdf or .doc) and provide it to the requester by email.

If sending the information via email, the Practice will:

  • Check that the individual wishes to receive the information via email.
  • Check the email address, and send an email to the address requesting confirmation of receipt, in order to verify the address.
  • If in doubt about the recipient email address, the practice will not send the information via email.
  • Test that the individual can receive, and access, a test email and attachment via NHSmail’s [Secure] encryption service. The individual will need to register to access the information via Trend Micro upon receipt.
  • Usually send the information via a secure email from NHSmail, using [Secure] at the start of the subject line, and request the receiver acknowledges receipt.
  • Depending on the volume of data to be sent, the information may need to be split across multiple [Secure] emails, due to the maximum attachment files size. The individual should be made aware of this where this is the case.

Confidential information will not be sent by email unless:

  • the email address of the recipient is absolutely verified, and
  • the information is sent securely
  • policy stipulations (unless the patient clearly expresses a preference to receive unencrypted information in this way)

If sent by post:

  • the record should be sent to a named individual
  • by recorded delivery
  • marked “private and confidential”
  • “for addressee only”
  • and the Practice details should be written on the reverse of the envelope.

Confidential medical records should not be sent by fax unless there is absolutely no alternative:

  • If a fax must be sent, it should include the minimum information and names should be removed and telephoned through separately.

All staff should be aware that safe haven procedures apply to the sending of confidential information by fax, for whatever reason. That is, the intended recipient must be alerted to the fact that confidential information is being sent. The recipient then makes a return telephone call to confirm safe and complete receipt. A suitable disclaimer, advising any unintentional recipient to contact the sender and to either send back or destroy the document, must accompany all such faxes.

A suitable disclaimer would be:

"Warning: The information in this fax is confidential and may be subject to legal professional privilege. It is intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, please notify the sender immediately. Unless you are the intended recipient or his/her representative you are not authorised to, and must not, read, copy, distribute, use or retain this message or any part of it."