Last updated:

Medical records access

GDPR changes to Subject Access Requests and fees from 25 May 2018

The General Data Protection Regulations and the Data Protection Act 2018 replaced the Data Protection Act 1998 on 25 May 2018, bringing in widespread changes to UK data protection legislation. For GPs the act brings in a number of changes, specifically the charges that were in place for undertaking Subject Access Requests.

Since 25 May, in most cases, patients must be given access to their medical records as a Subject Access Request (SAR) free of charge, including when a patient authorises access by a third party such as a solicitor.

If the request is for a medical report to be created, or for interpretation of information within a medical report/record, this will fall under the Access to Medical Report Act (AMRA) - as these both require new data to be created, which is out with the scope of the GDPR and Subject Access Requests. In these cases, a fee can be charged.

A medical report/record that already exists will be accessible, for free, as a SAR. A ‘reasonable fee’ can be charged for a SAR if the request is manifestly unfounded or excessive, however, these circumstances are likely to be rare.

The ICO advise that a request may be deemed manifestly unfounded if the requestor makes it clear they are only requesting the information to cause disruption to the organisation or if the requestor makes completely unsubstantiated accusations against the controller. If however, the requestor has some form of genuine intention in obtaining their information, it is unlikely the request could be deemed as manifestly unfounded.

A request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee based on the administrative costs of providing further copies or refuse the request.

Further guidance on when a SAR can be refused can be found in the ICO’s right of access for organisations.

Please also see our main guidance and our FAQs on GDPR which cover in more detail SARs requested by solicitors. We are very much aware that these changes are causing serious concerns to our members and we are doing all we can to ensure doctors and their practices do not suffer under these changes. We continue to collate information from our members to use in future planned discussions with Government.