Subject Access Request (SAR)

A request by a patient or an authorised third party for access to medical records under the GDPR (and DPA 2018) is called a Subject Access Request (SAR).

The Practice has up to 28 days to respond to your request unless additional information is required.

The 28-day time limit can be extended for two months for complex or numerous requests where the data controller needs more time to supply the information. You will be informed about this within 28 days and informed about the reason an extension is necessary.

When submitting a SAR you should indicate:

  • if you require all or just part of your record
  • if you want your records provided in a specific format to meet specific needs, which we will aim to accommodate
  • how you would like your records to be provided. If you request your records to be emailed, we will obtain your or your representative’s agreement (in writing) that you/they accept the risk of sending information to a non-NHS email address

We never send original medical records because of the potential detriment to patient care should these be lost.

Who may apply for access?

1(1) Patients with capacity

Subject to the exemptions listed in paragraph 1(6), patients with capacity have a right to access their health records via a SAR. They can also authorise a third party such as a Solicitor to do so on their behalf. Competent young people may also seek access to their own records.

1(2) Children and young people under 18

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed to make or consent to a SAR. However, those who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records.

In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks the competency to understand the nature of a SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph 1(3) below).

1(3) Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights to access medical records. For parental rights of access, see the information above.

1(4) Solicitors

You can authorise a Solicitor acting on your behalf to make a SAR. We must have your written consent before releasing information to a Solicitor. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is doubt, we may contact you before disclosing the information. (England and Wales only – should you refuse, your Solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for Solicitors to use the form, it is hoped it will improve the process of seeking consent).

1(5) Supplementary Information under SAR requests

Purposes for processing data

The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.

Categories of personal data

The category of your personal data is healthcare data.

Organisations with which the data is shared

Your health records are shared with the appropriate organisations involved in the provision of healthcare and treatment. Other organisations will receive your confidential health information, for example, Digital or the Scottish Primary Care Information Resource (SPIRE) or research bodies such as the Secure Anonymised Linkage Databank (SAIL). (This information is already available to patients in our Practice privacy notices).

Rights to have inaccurate data corrected and any rights of objection

For example, a national ‘opt-out’ model such as SPIRE etc.

Any automated decision including the significance and envisaged consequences for the data subject

For example, risk stratification.

The right to make a complaint to the Information Commissioner’s Office (ICO)

1(6) Information that should not be disclosed

The GDPR and Data Protection Act 2018 provide for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.

1(7) Individuals on behalf of adults who lack capacity

Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales, and the Sheriff’s Court in Scotland, can also appoint Deputies. This may entail giving access to relevant parts of the incapacitated person’s medical record unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

1(8) Deceased records

The law allows you to see records of a patient who has died as long as they were made after 1st November 1991. Records are usually only kept for three years after death.

Who can access deceased records?

You can only see a deceased person’s record if you are their personal representative, administrator or executor. You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.

Accessing deceased records

Before you get access to these records, you may be asked for:

  • proof of your identity
  • proof of your relationship to the person who has died

Viewing deceased records

You won’t be able to see information that could:

  • cause serious harm to your or someone else’s physical or mental health
  • identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission

If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.

1(9) Hospital Records

To see Hospital records you will have to contact the relevant Hospital.

1(10) Power of Attorney

Your health records are confidential and members of your family are not allowed to see them unless you give them written permission, or they have Power of Attorney.

A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your Attorney. An Attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal Power of Attorney must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, you will have to apply under the Access to Medical Records Act 1990. You can only apply if you:

  • are that person’s next of kin, are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person),
  • have the permission of the next of kin or have obtained written permission from the deceased person before they died.

To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the Practice or the Hospital where the records are stored.