Advising with empathy and experience

News and Events

GDPR - access to medical records.

  • Posted


For patients who wish to access their own medical records, the recent changes to data protection legislation eliminate one obstacle – fees.  From 25th May 2018, in most cases, patients must be given access to their medical records free of charge, including when a patient authorises a third party to access the records, such as a solicitor.

Medical records provide an account of a patient’s contact with the healthcare system and contain information relating to the physical or mental health of an individual.  Information tends to be recorded in electronic form now but some records are still kept in manual form or a mixture of both.  Records may include notes made during consultations, correspondence between health professionals such as referral and discharge letters, results of tests and their interpretation, X-ray films, videotapes, audiotapes, photographs, and tissue samples taken for diagnostic purposes. Obtaining a copy of an individual’s medical records will always form part of the initial investigation process for a solicitor assisting an individual with making a potential claim for clinical negligence.  Requests for medical records by a patient, or an authorised third party, are called subject access requests. 

The British Medical Association (BMA) has provided some useful guidance in respect of Subject Access Requests. The full guidance can be found at:

Below is a summary of the BMA guidance on applying for your medical records which you may find useful if you wish to make the application yourself.

Who may apply for access?

       - Patients with legal capacity

It is not necessary for patients to give reasons why they wish to access their records.

       - Children and young people under 18

Where a child is competent, they are entitled to make or consent to a subject access request to access their records.  Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to an SAR. However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records.

- Solicitors

A patient can authorise a solicitor acting on their behalf to make a request for their medical records. Health professionals releasing information to solicitors acting for their patients should ensure that they have the patient’s written consent.

Who do I contact?

Requests for GP records should be made to your GP practice.

Requests for hospital records should be made to the patient record department of the relevant hospital.

When should access be given?

Requests for records can be made electronically, in writing or verbally.

Before access is provided the identity of the person making the request must be verified.  Once the request has been received and verified, the individual must be provided with a copy of their data without undue delay, and at the latest within 28 days from the date of the request.

The 28-day time-limit can be extended for two months for complex or numerous requests where the

Healthcare provider needs more time to collate and supply the data. Individuals should be informed about this within 28 days and provided with an explanation of why the extension is necessary.


Initial access should be provided free of charge.

For further requests for the same information, a ‘reasonable fee’ can be charged to cover administration costs.

A ‘reasonable fee’ can also be charged where the request is ‘manifestly unfounded’ or ‘excessive’.

What if I don’t get a response?

You should always receive a response of some kind to a subject access request. Even if the organisation holds no information about you, or it has a reason to withhold your information from you, it must still write to you and explain that this is the case.

If more than one month has passed since you made your subject access request and you've not heard anything back, you should:

  1. Write to the organisation reminding them of your request, and of their obligations under General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) have a standard template letter for this here on their website.
  2. Make a complaint to the organisation. If you still don't hear back from them after writing to them to remind them of their obligation, you should complain directly to them using their complaints process.
  3. Complain to the Information Commissioner's Office (ICO). If you aren't happy with their response to your complaint, and you still believe that they should share the information you've asked for, you can complain to the ICO.

If you would like to discuss a potential claim for clinical negligence or making a request for your medical records, a member of the CNCI team is available for a free no obligation meeting or telephone call with you.