What is a Subject Access Request and do I have the right to access my medical records in England?

A Subject Access Request (SAR) is a formal request made to a data controller — such as a GP surgery, NHS Trust, hospital, or private clinic — to obtain a copy of all personal data held about you, including your medical records. The right to make a SAR is enshrined in Article 15 of the UK General Data Protection Regulation (UK GDPR), as retained and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and in section 45 of the Data Protection Act 2018 (DPA 2018). In England and Wales, every individual aged 18 or over has the right to access their own medical records, and parents or guardians may make requests on behalf of children under 16 where the child does not have the competence to consent (the Gillick competence standard under the House of Lords decision in Gillick v West Norfolk and Wisbech Area Health Authority [1985] UKHL 7). The data controller must respond within one calendar month of receipt of the request, extended to a maximum of three months for complex or numerous requests. Access to medical records is entirely free of charge. In addition to the UK GDPR right, specific statutory rights also apply under the Access to Health Records Act 1990 (for records of deceased persons) and the Access to Medical Reports Act 1988 (for reports prepared for employment or insurance purposes).

How long does an NHS GP surgery or hospital have to respond to my medical records request?

Under Article 12(3) of UK GDPR, a data controller must respond to a Subject Access Request without undue delay and in any event within one calendar month of receipt of the request. The one-month period runs from the day after the day the request is received. If the request is complex or if you have made multiple requests simultaneously, the controller may extend the response period by a further two months, but they must inform you within the first month of the extension and provide reasons. If the controller requires clarification about which records you are requesting (for example, to narrow an extremely broad request), they may pause the one-month clock while waiting for your response, but only where the clarification is genuinely necessary to process the request. If the data controller fails to respond within the statutory time limit, or provides an inadequate response, you have the right to complain to the Information Commissioner's Office (ICO), which can investigate the controller and impose sanctions of up to £17.5 million or 4% of global annual turnover under the DPA 2018 for serious infringements. The ICO's helpline is 0303 123 1113.

Can a data controller refuse my Subject Access Request for medical records?

A data controller can refuse or limit a Subject Access Request only in specific circumstances set out in UK GDPR and the DPA 2018. The most common grounds for refusal are: the request is manifestly unfounded or manifestly excessive (Article 12(5) UK GDPR), in which case the controller must provide reasons and you have the right to challenge the refusal with the ICO; the information would reveal the identity of a third party who has not consented to the disclosure and it is not reasonable to disclose without consent (Schedule 2, Part 2, DPA 2018); disclosure would be likely to cause serious harm to the physical or mental health of the data subject or any other person (the 'serious harm' exemption in Schedule 3 of the DPA 2018, relevant to health records); the information was recorded in connection with criminal proceedings or is subject to legal professional privilege; or the data is held solely for research, statistical, or archival purposes in the public interest. Where an exemption applies, the controller must tell you that an exemption is being claimed (though they do not have to identify which exemption, if doing so would itself reveal exempt information). You can challenge any refusal by complaining to the ICO or by applying to the court under section 167 of the DPA 2018.

Can I request my deceased relative's medical records in England and Wales?

The UK GDPR and the Data Protection Act 2018 only apply to the personal data of living individuals. After a person has died, UK GDPR does not grant next of kin or personal representatives any automatic right to access the deceased's medical records. However, a separate right of access to the health records of deceased persons is provided by the Access to Health Records Act 1990. Under section 3 of that Act, the personal representative of the deceased (the executor or administrator of the estate) and any person who may have a claim arising out of the death have the right to apply for access to the health records of the deceased person. The application must be made to the holder of the health records (for example, the GP surgery or hospital). The holder may refuse access if they believe the disclosure would cause serious harm to the physical or mental health of any individual, or if the record contains information provided by the deceased in the expectation that it would not be disclosed after their death. Requests for the records of deceased persons should reference the Access to Health Records Act 1990 rather than UK GDPR. There is no statutory fee for access under the 1990 Act, though a reasonable fee for copying may be charged.

What should I do if a GP or hospital ignores or refuses my SAR without a valid reason?

If a data controller fails to respond to your Subject Access Request within one calendar month, provides an incomplete response, or refuses your request without citing a valid legal exemption, you have several remedies available under English law. First, you should write to the controller's Data Protection Officer (if they have one) or to senior management, formally drawing their attention to the breach and requesting an immediate response. Second, you may submit a complaint to the Information Commissioner's Office (ICO) online at ico.org.uk or by telephoning 0303 123 1113. The ICO can investigate the matter, issue enforcement notices, and impose significant financial penalties. Third, you may apply to the County Court or the High Court under section 167 of the Data Protection Act 2018 for an order requiring the controller to comply with the SAR. The court may award compensation under section 169 of the DPA 2018 or Article 82 of UK GDPR for any damage or distress suffered as a result of the breach. For NHS providers, you may also raise a formal complaint under the NHS Complaints Procedure set out in the Local Authority Social Services and National Health Service Complaints (England) Regulations 2009, and if unresolved, escalate to the Parliamentary and Health Service Ombudsman.

Can I request medical records on behalf of someone else, such as my elderly parent?

Yes, it is possible to make a Subject Access Request on behalf of another person, but you must have a recognised legal basis for doing so. The most common bases of authority in England and Wales are: a registered Lasting Power of Attorney for Health and Welfare made under the Mental Capacity Act 2005, which must be registered with the Office of the Public Guardian and gives the attorney authority to access the donor's health information; a deputyship order made by the Court of Protection under section 16 of the Mental Capacity Act 2005; parental responsibility under section 2 or section 4 of the Children Act 1989 for requests on behalf of a child, subject to the Gillick competence assessment; a court order specifically authorising access to the data subject's records; or written authority from the data subject themselves, if they have mental capacity to give consent. The data controller is entitled to request evidence of your authority before complying with the request. You should enclose a copy of the relevant document (for example, the registered LPA or birth certificate) with your SAR. If the person has lost mental capacity and no LPA is in place, your solicitor may be able to advise on an emergency application to the Court of Protection.

Medical Records Subject Access Request (UK) — United Kingdom

Exercise your right to access your medical records held by GPs, NHS Trusts, hospitals, and private clinics in England and Wales. This Subject Access Request letter complies with Article 15 of UK GDPR and section 45 of the Data Protection Act 2018. Covers personal and third-party requests, scope of records, data portability, preferred delivery format, and regulatory escalation rights under the ICO. Download as PDF or Word.

What Is a Medical Records Subject Access Request (UK)?

A Medical Records Subject Access Request (SAR) is a formal written request made to a healthcare data controller — such as a GP surgery, NHS Trust, private hospital, specialist clinic, or mental health service — to obtain copies of all personal data held about you, including your medical records. The right to make this request is established by Article 15 of the UK General Data Protection Regulation (UK GDPR) and section 45 of the Data Protection Act 2018 (DPA 2018), which together provide one of the most powerful individual rights in English data protection law.

The legal foundation for medical record access in England and Wales is built on several overlapping statutory frameworks. The UK GDPR (retained from Regulation (EU) 2016/679 by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) applies to all personal data processed by living individuals. Section 45 of the DPA 2018 specifically addresses subject access requests and incorporates the restrictions and exemptions that apply to health data. The Access to Health Records Act 1990 provides a complementary right of access to the health records of deceased persons. The Access to Medical Reports Act 1988 governs access to medical reports prepared for employment or insurance purposes.

Your Article 15 rights extend beyond simply receiving a copy of your records. You are also entitled to receive: confirmation that your personal data is being processed; the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom your data has been disclosed; the envisaged retention period; information about your rights to rectification, erasure, restriction, and objection; and information about your right to lodge a complaint with the Information Commissioner's Office (ICO). If your data has been transferred outside the UK, you are entitled to information about the safeguards in place.

The ICO is the independent supervisory authority for data protection in the United Kingdom, established under section 114 of the DPA 2018. The ICO has powers to investigate complaints, issue enforcement notices, and impose administrative fines of up to £17.5 million or 4% of global annual turnover for the most serious infringements. The ICO's guidance on subject access requests for health data is publicly available at ico.org.uk.

Healthcare data falls within the special categories of personal data under Article 9 of UK GDPR, attracting heightened protection. Despite this, data controllers may only rely on exemptions from subject access obligations where expressly authorised to do so by schedule 3 of the DPA 2018 or by another specific statutory provision. The most commonly cited exemption in a healthcare context is the 'serious harm' exemption, which allows a controller to withhold information where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another individual. However, this exemption must be applied narrowly and must be justified in each specific case.

When Do You Need a Medical Records Subject Access Request (UK)?

A Medical Records Subject Access Request is needed in a wide range of situations where you wish to review, verify, or obtain copies of your own health information held by a healthcare provider in England and Wales.

The most common reason for making a SAR is to obtain a full copy of your medical records for personal review. Many patients make requests after changing GP practice, after a prolonged hospital admission, or after a serious health event to ensure they have a complete record of their medical history. Having access to your records allows you to identify any inaccuracies (which you can then seek to have corrected under Article 16 of UK GDPR), to understand diagnoses and treatment decisions, and to compile a complete health history.

A SAR is also frequently used in connection with personal injury claims, clinical negligence litigation, and insurance disputes. Solicitors acting in personal injury cases routinely advise clients to exercise their subject access rights to obtain medical records that may be relevant to quantum of damages or the causation of an injury. In clinical negligence cases, the records obtained through a SAR form the foundation of the investigation into whether the standard of care fell below an acceptable level.

Employment-related health matters are another common trigger. If your employer has obtained a medical report about you under the Access to Medical Reports Act 1988, you have specific rights to see and comment on that report before it is sent to your employer, or to request a copy after it has been sent. If your GP or an occupational health provider holds other health data relevant to your employment, a UK GDPR SAR may be the appropriate mechanism to access that information.

Making a SAR is also important when you suspect your medical records contain errors. Inaccurate medical records can lead to incorrect diagnoses, inappropriate prescriptions, or adverse insurance decisions. Once you have obtained your records and identified an inaccuracy, you may request rectification under Article 16 of UK GDPR. If the controller disputes that the information is inaccurate, you may request that a restriction is placed on processing under Article 18.

Finally, a SAR may be needed when planning for future healthcare, when seeking a second medical opinion, when applying for life insurance or income protection (where insurers ask for access to your medical history), or simply as a precautionary measure to ensure that your records are complete and accurate before a planned surgical procedure or other significant medical intervention.

What to Include in Your Medical Records Subject Access Request (UK)

A well-drafted Medical Records Subject Access Request should contain several essential elements to ensure that it is legally compliant, clearly communicated, and effective in obtaining the information you require.

The identity of the requester is the most fundamental element. The letter must clearly state the full legal name, date of birth, current address, contact details, and NHS number (if known) of the data subject. Where the request is made on behalf of another person, the identity of both the requester and the data subject must be stated, together with the legal basis of authority (such as a registered Lasting Power of Attorney for Health and Welfare or evidence of parental responsibility). Data controllers are entitled to ask for evidence of identity, but may only require information that is necessary to verify identity with reasonable confidence — they cannot demand disproportionate amounts of documentation.

The legal basis of the request must be explicitly stated. Referencing Article 15 of UK GDPR and section 45 of the Data Protection Act 2018 establishes the statutory framework and signals to the controller that you are aware of your rights. Controllers who receive a technically framed SAR are less likely to delay or obstruct the response.

The scope of the request must be clear. Specifying whether you are requesting all records, records for a defined period, or specific types of records (such as GP notes, referral letters, test results, or imaging reports) helps the controller process the request efficiently and reduces the risk of an incomplete response. You should also specify any additional contextual information that will help identify the relevant records, such as a hospital episode, a specific condition, or a treating consultant's name.

The preferred format for delivery is an important practical element. Under Article 15(3) of UK GDPR, where technically feasible and where the request is made electronically, the controller should provide the information in a commonly used electronic form. You should specify whether you prefer email delivery, access via an online patient portal, paper copies by post, or access to inspect records in person.

The request for supplementary information under Article 15(1) of UK GDPR should be included. This ensures that the controller provides not just the records themselves but also the accompanying information about processing purposes, retention periods, recipients, and your right to complain to the ICO.

The data portability request under Article 20 of UK GDPR may be included where relevant. This right allows you to receive the data in a structured, commonly used, machine-readable format — useful if you wish to transfer your records to a new healthcare provider or to use them with a health management application.

A reference to any previous unanswered request, or to any previous partial response, should be included where applicable. This provides a clear chronology and signals that you are aware of the statutory time limits and the consequences of non-compliance.

Finally, a clear statement of your intention to escalate the matter to the ICO or to seek a court order under section 167 of the DPA 2018 if the request is not properly complied with within the statutory period provides an important incentive for prompt and complete compliance.

What Is a Medical Records Subject Access Request (UK)?

When Do You Need a Medical Records Subject Access Request (UK)?

What to Include in Your Medical Records Subject Access Request (UK)

Frequently Asked Questions

Related Documents

Lasting Power of Attorney — Health and Welfare (UK)

Lasting Power of Attorney — Property and Financial Affairs (UK)

Advance Decision to Refuse Treatment (UK)

Consent Form (UK)

Data Processing Agreement — UK GDPR (England & Wales)