Last updated:

Medical records access

GDPR changes to Subject Access Requests and fees from 25 May 2018

The General Data Protection Regulations and the Data Protection Act 2018 replaced the Data Protection Act 1998 on 25 May 2018, bringing in widespread changes to UK data protection legislation. For GPs the act brings in a number of changes, specifically the charges that were in place for undertaking Subject Access Requests.

Since 25 May, in most cases, patients must be given access to their medical records as a Subject Access Request (SAR) free of charge, including when a patient authorises access by a third party such as a solicitor.

If the request is for a medical report to be created, or for interpretation of information within a medical report/record, this will fall under the Access to Medical Report Act (AMRA) - as these both require new data to be created, which is out with the scope of the GDPR and Subject Access Requests. In these cases, a fee can be charged.

A medical report/record that already exists will be accessible, for free, as an SAR. A ‘reasonable fee’ can be charged for SAR if the request is manifestly unfounded or excessive, however, these circumstances are likely to be rare. The GDPR does not provide more detail than this and as yet the ICO have not issued further guidance. We are in the process of seeking clarification from the ICO on what would constitute “manifestly unfounded or excessive” and will update this guidance once we have more details.

Please also see our main guidance and our FAQs on GDPR which cover in more detail SARs requested by solicitors. We are very much aware that these changes are causing serious concerns to our members and we are doing all we can to ensure doctors and their practices do not suffer under these changes. We continue to collate information from our members to use in future planned discussions with Government.