Subject Access Requests

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR).

If you want to see your health records or request a copy, you can do so via online services, but you must be registered in order to use them.

For those patients without computer access, please contact the Surgery directly.

When a request is made on your behalf by a third party, such as an insurance company or solicitor, it’s a good idea to state the dates of the records required. You should also keep a copy of your letter for your records. The practice has up to 28 days to respond. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.

The 28-day time limit can be extended for two months for complex or numerous requests where the data controller needs more time to collate and supply the data. You will be informed about this within 28 days and provided with an explanation of why the extension is necessary.

When writing/calling, you should state if you:

  • Want a physical copy of your records as well as to see them
  • Want all or just part of them
  • Would like your records to be given to you in a format that meets your needs; we will endeavour to accommodate your request
  • If you request that your records be emailed, we will secure your or your representative’s agreement (in writing or by email) that they accept the risk of sending unencrypted information to a non-NHS email address

You may also need to fill in an application form and give proof of your identity. The practice has an obligation under the GDPR and DPA 2018 to ensure that any information provided for a patient can be verified.

We never send original medical records because of the potential detriment to patient care should these be lost and would ask, wherever possible, that they are collected in person by the patient.

Who may apply for access?

Patients with capacity

Subject to the exemptions listed in paragraph 1(6), patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for you to give reasons as to why you wish to access your records.

Children and young people under 16

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to a SAR.

However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR.

Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records.


You can authorise a solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to your acting solicitors.

The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we may contact you before disclosing the information.

The practice may also contact you to let you know when your medical records are ready. If your solicitor is based within our area, then we may ask you to collect them and deliver them to your solicitor or alternatively ask your solicitor if they can arrange for collection of your medical records.

England and Wales only

Should you refuse, your solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for solicitors to use the form, it is hoped it will improve the process of seeking consent.

Supplementary Information under SAR requests

The purposes for processing data

Data is processed for the delivery of healthcare to individual patients. The data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.

The categories of personal data

The category of your personal data is healthcare data.

The organisations with which the data has been shared

Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual.

The existence of rights to have inaccurate data corrected and any rights of objection

Any automated decision taking including the significance and envisaged consequences for the data subject.

The right to make a complaint to the Information Commissioner’s Office (ICO)

Information that should not be disclosed

The GDPR and Data Protection Act 2018 provide for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.

Individuals on behalf of adults who lack capacity

The Mental Capacity Act in England and Wales contains powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales can also appoint deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

Deceased records

Once a patient has passed away, their medical records are returned to Primary Care Support England (PCSE) and the practice is no longer the data controller. Should you require access to the records of a deceased patient, please contact the PCSE directly. You can only see that person’s records if you are their personal representative, administrator or executor.

Hospital Records

To see your hospital records, you will have to contact the hospital directly.

Power of attorney

Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney.

A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, you will have to apply under the Access to Medical Records Act 1990.

You can only apply if you:

  • Are that person’s next of kin or are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person).
  • Have the permission of the next of kin or have obtained written permission from the deceased person before they died.

To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the practice or the hospital where the records are stored.

If you think that information in your health records is incorrect, or you need to update your contact details (name, address, phone number), approach the relevant health professional informally and ask to have the record amended.

If you want to make a complaint, go to the organisation concerned and ask for a copy of their complaints procedure.

Alternatively, you can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:

  • The Information Commissioner’s Office (ICO)
    Wycliffe House
    Water Lane
    SK9 5AF
  • Telephone: 01625 545745

If your request to have your records amended is refused, the record holder must attach a statement of your views to the record.