GDPR and accessing medical records - A practice manager's guide

The Data Protection Act 2018 enshrined GDPR into UK law and also brought up a number of questions for GP practices, especially when it comes to the matter of when (or if) it’s possible to charge for access to patients’ records.

Under the DPA 2018, patients have the right to request access to their own medical records under a Subject Access Request without charge, including situations where they give consent for a third party such as a solicitor or insurer to access the data.

Key points for general practice staff to bear in mind are:

  • GDPR applies to both digital and physical (paper) records
  • Information is subject to confidentiality obligations that already exist, e.g. between a doctor and patient
  • GDPR only applies to living people, but the Access to Health Records Act (AHRA) extends to deceased individuals

Requests from solicitors

A patient can authorise their solicitor to make a SAR, and these requests should be treated as if they were made by the patient themselves - the solicitors are effectively acting on the patient’s behalf.

A solicitor can request access to a patient’s full medical record as long as they provide the patient’s written consent. The solicitor may need to access the whole record in order to assess which parts of the patient’s medical history are relevant to their case, including for compensation or insurance claims.

Requests from insurers

Insurance companies do not have the same privileges to access patient records as solicitors – the ICO has said insurance companies using SARs to obtain full medical records is an abuse of the process. The DPA 2018 says that any information that is shared in a SAR must be relevant and not excessive in relation to the purpose for which the data is processed.

If a SAR is received from insurers, GPs should contact the patient to explain the implications and the extent of the disclosure, and should provide the information to the patient themselves instead of directly to the insurance company.

As GPs are the Data Controllers for the Practice, they would be liable for any breach of the DPA, and as such should be wary of what information is shared. This doesn’t mean that GPs can refuse to respond to a SAR from an insurance company, but it does mean they need to stay vigilant and compliant.

The DPA has made it a criminal offence to make a SAR in order to access information about individuals’ convictions and cautions, and a clause will soon be enacted to extend this to cover using medical records to access this information. If you suspect that a SAR from an insurer is trying to collect information about an individual’s criminal record then it should be reported to the ICO and the Association of British Insurers.

To charge or not to charge…

Where a request is made from an appropriate party for a medical report or record that already exists, then this can be made under a Subject Access Request, without charge. You can however charge what the DPA 2018 describes as a ‘reasonable fee’ if the request is ‘manifestly unfounded or excessive’. This term is subjective, and depends on the practice’s interpretation. If you decide to charge for a SAR for this reason, you should be 100% sure you are justified in doing so.

Another circumstance where you can charge for a SAR is where an individual or body makes repeated requests for the same information. You can even refuse to provide information that has already been requested and provided several times (although there’s no definition of precisely what ‘several’ means).

If the request means you will have to create a medical report or interpret the information in a medical record or report, this would place it under the Access to Medical Reports Act (AMRA) – and in these circumstances a fee would be payable. This is because both of these requests mean new materials need to be created, something not included under a Subject Access Request. SARs are all about accessing existing information about a patient.

The need for clarification

For manifestly unfounded or excessive requests, you can either refuse to provide the information, or provide it and state the charges for doing so.

The BMA have asked for clarification on what ‘manifestly unfounded and excessive’ means in practice. The ICO responded by saying: “A charge to cover administrative costs can be made for additional copies but we await guidance on what will constitute a ‘reasonable’ fee”. Again, there’s no definition of what ‘manifestly’ or ‘unfounded’ means in DPA terms, leaving it open to interpretation.

However, the ICO have said that “a SAR for the whole medical record would never be considered excessive for the purposes of imposing a charge.” That means a patient asking for their whole medical record cannot be classified as an excessive request.

From some of the chatter amongst legal groups, there is an option in the DPA 2018 that may allow for charging fees for SARs in the future, but we’ll have to wait and see whether we get further clarification on this topic.

How to provide the information

The ICO are in favour of ‘electronic SARs’, and guidance seems to indicate that if the request is made electronically, you can provide the information in the same way, meaning USB drives or CDs are acceptable. However, it’s best to agree the medium with the data subject first.

In terms of physical records and posting them out to patients, the ICO has said that: “The Practice may also request that the physical response is picked up by the requestor from the surgery but if the requestor refuses to do so, the Practice cannot withhold the data and must send it on”.

NHS Patient Online is a good, paper-free method for distributing SARs. Providing a secure portal for data subjects is recommended by the GDPR regulations.

Request denied

If you refuse to provide the details requested in a SAR, then you need to be prepared to fully explain your decision. It might be an opportunity to discuss what information the third party actually needs – do they really want access to the whole of the medical records, or is there a particular piece of information that they require?

If a SAR or other request is refused, you need to explain why, and within the deadline period. Reasons may include:

  • The personal data also includes information about third parties (bear in mind it would still be reasonable to include clinicians’ details);
  • Sharing the information could result in harm to the data subject or any other person;
  • It includes information about a child or non-capacitous adult, which they would not expect to be disclosed to the person making the request;
  • It includes legally privileged data;
  • Information is subject to a court order;
  • Sharing data would prejudice regulatory activities.

Access to deceased patients’ records

The BMA’s updated guidance Access to Health Records released at the end of June 2018 says:

“…the ethical obligation to respect a patient’s confidentiality extends beyond death… Health professionals should therefore counsel their patients about the possibility of disclosure after death and solicit views about disclosure where it is obvious that there may be some sensitivity. Such discussions should be recorded in the records.”

It goes on to confirm that if a request is made to a GP practice to access the deceased person’s records (and they are not currently held by PCSE or local health boards), then the practice should respond to the request under the AHRA processes.

The GDPR does not apply to data concerning deceased individuals. However, the BMA document Access to Health Records points out that legislative changes in the Data Protection Act 2018 have also amended the Access to Health Records Act 1990, which now states that access to the records of deceased patients, and any copies, must be provided free of charge.

FPM members can keep an eye on the FPM Policy Library for more documents to help your GP practice stay GDPR compliant, and head to our GDPR Toolkit area to access even more resources.

Originally published July 18, 2018

Timothy Wright 27/08/2021

The BMA guidance is: 4.8 Can a fee be charged? Initial access must be provided free of charge (including postage costs) unless the request is ‘manifestly unfounded’ or ‘excessive’ – in which case a ‘reasonable’ fee can be charged. These circumstances are likely to be rare and should be assessed on a case-by-case basis. The ICO has advised us that a request may be deemed ‘manifestly unfounded’ if the requestor makes it clear they are only requesting the information to cause disruption to the organisation or if the requestor makes completely unsubstantiated accusations against the controller. If, however, the requestor has some form of genuine intention in obtaining their information, it is unlikely the request could be deemed as manifestly unfounded. A request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee based on the administrative costs of providing further copies or refuse the request. I think it is a matter for the requesting solicitor if that solicitor wants to send a courier at the solicitor's cost. However, most disclosure is done electronically nowadays anyway.

jan harvey 23/08/2021

Do we have to pay the postage to send medical notes requested by a solicitor, or can we ask them to either send a courier or the patient to collect the notes, or can we ask the solicitor to pay the postage fee?

susan west 03/02/2021

What is the most you can charge for a medical report to a solicitor?

Kay 06/02/2020

Hi, can anyone advise: if you are sending the patient's notes through the post, can you charge a postage fee?

Novomedici 22/05/2019

Thanks for sharing a lot of information through this post. The points you noted here will really help me in the future. Keep Sharing!

First Practice Management 06/12/2018

Hi Tim - thanks for pointing out this updated information, we've adapted the article accordingly. FPM

Timothy Wright 05/12/2018

My apologies for criticising your comment above: "The GDPR does not apply to data concerning deceased individuals. A fee can be charged for supplying a copy of deceased patients’ records, but it must not exceed the cost of making and posting the copy. Health professionals may charge a professional fee to cover the costs of giving access to the records of deceased patients that is not covered by legislation." It is correct that GDPR does not apply and the process of disclosure remains under the Access to Health Records Act 1990. However, the Data Protection Act 2018 amended the charging provision so that a charge can no longer be made for disclosure of a deceased person's records. This is set out at para 8.4 in the current BMA guidance on Access to Health Records.

Adrian Wise 18/07/2018

I'm looking at one of these solicitor requests now. Could I get the patient set up with Patient Access and give access to all records, including text, documents, etc., and ask them to log in and download them themselves? Or do I raise an invoice showing SAR FOC and administration and postage £50.00 (or whatever is reasonable to cover my costs)?

Paul Drinkwater 18/07/2018

So a solicitor sends in a SAR request and wants copies of all the patient's notes; we allow access to this information and will not charge a fee for this information as consent from the patient is included. Now what do we do in a situation where there is no means to send this information electronically and it must be posted? I don't see why I as a GP practice should foot the postage bill for this when really this is a private request and not NHS work. The ICO have said that we are allowed to request the patient to collect the documents as they are the data subject; however, if the solicitors state that they are not happy for the patient to collect it, or the patient refuses to post it to them, where do we stand? Shall I just start paying postage for every Tom, Dick and Harry's request and shut up shop now, as this is not a financially viable option for us?