Medical Records Subject Access Request (UK)
SUBJECT ACCESS REQUEST — MEDICAL RECORDS
Made under Article 15 of UK GDPR and Section 45 of the Data Protection Act 2018
Date: [Request Date]
TO:
[Controller Name]
[Controller Contact]
[Controller Address]
FROM:
[Requester Full Name]
[Requester Address], [Requester City], [Requester County], [Requester Postcode]
Email: [Requester Email]
Telephone: [Requester Phone]
Date of birth: [Requester DOB]
NHS number: [NHS Number]
1. LEGAL BASIS FOR THIS REQUEST
1.1 I am writing to exercise my right of access to my personal data pursuant to Article 15 of the UK General Data Protection Regulation (UK GDPR) as retained and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and section 45 of the Data Protection Act 2018 (DPA 2018).
1.2 Under Article 15 of UK GDPR, I have the right to obtain from you, as the data controller, confirmation as to whether personal data concerning me are being processed, and where that is the case, access to those personal data and supplementary information as set out in Article 15(1).
1.3 Under Article 12(3) of UK GDPR, you are required to provide the requested information without undue delay, and in any event within one month of receipt of this request. That period may be extended by a further two months where the request is complex or numerous, but you must inform me within the first month if such an extension is required.
1.4 I confirm that this request is made free of charge, as provided by Article 12(5) of UK GDPR. Where you consider this request to be manifestly unfounded or excessive within the meaning of Article 12(5), you must notify me in writing of your reasons before refusing or charging a fee.
2. IDENTITY OF THE DATA SUBJECT
2.1 I am [Requester Full Name], date of birth [Requester DOB], of [Requester Address], [Requester City], [Requester County], [Requester Postcode]. This request is made for: [Request For].
2.2 I am registered (or have previously been registered) as a patient or service user at your organisation. My NHS number, where applicable, is [NHS Number].
2.3 I am willing to provide such further information as may be reasonably necessary to verify my identity, including a copy of photographic identification, within a reasonable time of being requested to do so. Any such request must comply with the ICO guidance on verification of identity for subject access requests and must not require information beyond what is necessary to confirm my identity with reasonable certainty.
3. PERSONAL DATA AND MEDICAL RECORDS REQUESTED
3.1 I request access to the following personal data and medical records held by your organisation: [Records Scope] [Records From] [Records To] [Records Description].
3.2 [Additional Info]
3.3 Specifically, I request copies of all or any of the following, to the extent that they form part of the personal data held about me: GP consultation notes and correspondence; referral letters and specialist reports; hospital discharge summaries; test results including blood tests, imaging, and pathology; prescription and medication records; mental health records; immunisation and vaccination records; any records created in connection with any complaint, enquiry, or third-party disclosure relating to me; and any other personal data held by your organisation concerning me.
3.4 I also request the following information as required by Article 15(1) of UK GDPR: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom my personal data has been or will be disclosed; the envisaged period for which my personal data will be stored, or if not possible, the criteria used to determine that period; information about any automated decision-making including profiling under Article 22 of UK GDPR; and the right to lodge a complaint with the Information Commissioner’s Office (ICO).
4. PREFERRED FORMAT FOR RESPONSE
4.1 I request that the records and information be provided in the following format: [Preferred Format].
4.2 Where records are extensive, I am willing to attend your premises to inspect them in person, or to arrange for a subset of the most critical records to be provided as a priority.
5. REGULATORY OVERSIGHT AND COMPLAINTS
5.1 I note that the Information Commissioner’s Office (ICO) is the supervisory authority responsible for enforcing UK GDPR and the Data Protection Act 2018 throughout the United Kingdom. In the event that this request is refused, that an inadequate response is provided, or that the statutory time limit is not met, I reserve the right to refer this matter to the ICO and to pursue all other remedies available to me, including an order under section 167 of the Data Protection Act 2018 and the right to an effective judicial remedy against a controller under Article 79 of UK GDPR.
5.2 I also note that healthcare providers in England are subject to the additional right of access to health records under the Access to Health Records Act 1990 in relation to the records of deceased persons, and under the Access to Medical Reports Act 1988 in relation to reports prepared for insurance or employment purposes.
5.3 This request is made under the laws of England and Wales and is governed by UK GDPR and the Data Protection Act 2018.
Yours faithfully,
[Requester Full Name]
[Requester Address], [Requester City], [Requester Postcode]
Email: [Requester Email] | Tel: [Requester Phone]
Data Subject / Authorised Representative
[Requester Full Name]
Signature
Date: ________________
What Is a Medical Records Subject Access Request (UK)?
A Medical Records Subject Access Request in the United Kingdom is a written request to a data controller (a GP practice, NHS trust, hospital or private clinic) for confirmation that it processes personal data about you and for a copy of that data, including your health records. It is made under Article 15 of UK GDPR and starts the statutory clock within which the controller must respond.
The legal foundation for medical record access in England and Wales is built on several overlapping statutory frameworks. The UK GDPR (retained from Regulation (EU) 2016/679 by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) applies to all personal data relating to living individuals. Section 45 of the DPA 2018 specifically addresses subject access requests and incorporates the restrictions and exemptions that apply to health data. The Access to Health Records Act 1990 provides a complementary right of access to the health records of deceased persons. The Access to Medical Reports Act 1988 governs access to medical reports prepared for employment or insurance purposes.
Your Article 15 rights extend beyond simply receiving a copy of your records. You are also entitled to receive: confirmation that your personal data is being processed; the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom your data has been disclosed; the envisaged retention period; information about your rights to rectification, erasure, restriction, and objection; and information about your right to lodge a complaint with the Information Commissioner's Office (ICO). If your data has been transferred outside the UK, you are entitled to information about the safeguards in place.
The ICO is the independent supervisory authority for data protection in the United Kingdom, established under section 114 of the DPA 2018. The ICO has powers to investigate complaints, issue enforcement notices, and impose administrative fines of up to £17.5 million or 4% of global annual turnover for the most serious infringements. The ICO's guidance on subject access requests for health data is publicly available at ico.org.uk.
Healthcare data falls within the special categories of personal data under Article 9 of UK GDPR, attracting heightened protection. That protection is not a general reason to withhold records from the patient: data controllers may only refuse or limit subject access where expressly authorised to do so by Schedule 3 of the DPA 2018 or by another specific statutory provision. The most commonly cited exemption in a healthcare context is the 'serious harm' exemption, which allows a controller to withhold information where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another individual. A controller that is not itself a health professional must obtain the opinion of an appropriate health professional before relying on it, and the exemption must be applied narrowly and justified in each specific case, to the particular information withheld rather than to the record as a whole.
When Do You Need a Medical Records Subject Access Request (UK)?
A Medical Records Subject Access Request is needed in a wide range of situations where you wish to review, verify, or obtain copies of your own health information held by a healthcare provider in England and Wales.
The most common reason for making a SAR is to obtain a full copy of your medical records for personal review. Many patients make requests after changing GP practice, after a prolonged hospital admission, or after a serious health event to confirm they have a complete record of their medical history. Having access to your records allows you to identify any inaccuracies (which you can then seek to have corrected under Article 16 of UK GDPR), to understand diagnoses and treatment decisions, and to compile a complete health history.
A SAR is also frequently used in connection with personal injury claims, clinical negligence litigation, and insurance disputes. Solicitors acting in personal injury cases routinely advise clients to exercise their subject access rights to obtain medical records that may be relevant to quantum of damages or the causation of an injury. In clinical negligence cases, the records obtained through a SAR form the foundation of the investigation into whether the standard of care fell below an acceptable level.
Employment-related health matters are another common trigger. If your employer seeks a medical report about you from a doctor responsible for your care, the Access to Medical Reports Act 1988 gives you specific rights to see and comment on that report before it is supplied to your employer, or to request a copy within six months after it has been supplied. If your GP or an occupational health provider holds other health data relevant to your employment, a UK GDPR SAR may be the appropriate mechanism to access that information.
Making a SAR is also important when you suspect your medical records contain errors. Inaccurate medical records can lead to incorrect diagnoses, inappropriate prescriptions, or adverse insurance decisions. Once you have obtained your records and identified an inaccuracy, you may request rectification under Article 16 of UK GDPR. If the controller disputes that the information is inaccurate, you may request that a restriction is placed on processing under Article 18.
Finally, a SAR may be needed when planning for future healthcare, when seeking a second medical opinion, when applying for life insurance or income protection (where insurers ask for access to your medical history), or simply as a precautionary measure to confirm that your records are complete and accurate before a planned surgical procedure or other significant medical intervention.
What to Include in Your Medical Records Subject Access Request (UK)
A well-drafted Medical Records Subject Access Request should contain several essential elements to confirm that it is legally compliant, clearly communicated, and effective in obtaining the information you require.
The identity of the requester is the most fundamental element. The letter must clearly state the full legal name, date of birth, current address, contact details, and NHS number (if known) of the data subject. Where the request is made on behalf of another person, the identity of both the requester and the data subject must be stated, together with the legal basis of authority (such as a registered Lasting Power of Attorney for Health and Welfare or evidence of parental responsibility). Data controllers are entitled to ask for evidence of identity, but may only require information that is necessary to verify identity with reasonable confidence — they cannot demand disproportionate amounts of documentation.
The legal basis of the request must be explicitly stated. Referencing Article 15 of UK GDPR and section 45 of the Data Protection Act 2018 establishes the statutory framework and signals to the controller that you are aware of your rights. Controllers who receive a technically framed SAR are less likely to delay or obstruct the response.
The scope of the request must be clear. Specifying whether you are requesting all records, records for a defined period, or specific types of records (such as GP notes, referral letters, test results, or imaging reports) helps the controller process the request efficiently and reduces the risk of an incomplete response. You should also specify any additional contextual information that will help identify the relevant records, such as a hospital episode, a specific condition, or a treating consultant's name.
The preferred format for delivery is an important practical element. Under Article 15(3) of UK GDPR, where the request is made by electronic means the controller must provide the information in a commonly used electronic form unless you request otherwise. You should specify whether you prefer email delivery, access via an online patient portal, paper copies by post, or access to inspect records in person.
The request for supplementary information under Article 15(1) of UK GDPR should be included. This ensures that the controller provides not just the records themselves but also the accompanying information about processing purposes, retention periods, recipients, and your right to complain to the ICO.
A data portability request under Article 20 of UK GDPR may be included where relevant. This right allows you to receive the data in a structured, commonly used, machine-readable format, which is useful if you wish to transfer your records to a new healthcare provider or to use them with a health management application. Note that Article 20 applies only to data processed by automated means on the basis of your consent or a contract; NHS records processed on a public-task or health-care basis under Articles 6(1)(e) and 9(2)(h) will often fall outside it, so the Article 15 request remains the primary route.
A reference to any previous unanswered request, or to any previous partial response, should be included where applicable. This provides a clear chronology and signals that you are aware of the statutory time limits and the consequences of non-compliance.
Finally, a clear statement of your intention to escalate the matter to the ICO or to seek a court order under section 167 of the DPA 2018 if the request is not properly complied with within the statutory period provides an important incentive for prompt and complete compliance. The forms-legal.com Medical Records Subject Access Request (UK) template covers the mandatory elements under Data Protection Act 2018.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Medical Records Subject Access Request (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/estate-planning/healthcare-directives/medical-records-subject-access-request-uk
"Medical Records Subject Access Request (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/estate-planning/healthcare-directives/medical-records-subject-access-request-uk.
@misc{formslegal-medical-records-subject-access-request-uk,
author = {{Forms Legal}},
title = {Medical Records Subject Access Request (UK) (United Kingdom)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uk/estate-planning/healthcare-directives/medical-records-subject-access-request-uk}},
note = {Free legal document template. Based on Data Protection Act 2018}
}
Frequently Asked Questions
A Subject Access Request (SAR) is a formal request made to a data controller — such as a GP surgery, NHS Trust, hospital, or private clinic — to obtain a copy of all personal data held about you, including your medical records. The right to make a SAR is enshrined in Article 15 of the UK General Data Protection Regulation (UK GDPR), as retained and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and in section 45 of the Data Protection Act 2018 (DPA 2018). In England and Wales, every living individual has the right to access their own medical records regardless of age; a child who has sufficient understanding to exercise the right may do so in their own name (the Gillick competence standard under the House of Lords decision in Gillick v West Norfolk and Wisbech Area Health Authority [1985] UKHL 7), and parents or guardians may make requests on behalf of children who lack that competence. The data controller must respond within one calendar month of receipt of the request, extended to a maximum of three months for complex or numerous requests. Access to medical records is free of charge unless the request is manifestly unfounded or excessive. In addition to the UK GDPR right, specific statutory rights also apply under the Access to Health Records Act 1990 (for records of deceased persons) and the Access to Medical Reports Act 1988 (for reports prepared for employment or insurance purposes).
Under Article 12(3) of UK GDPR, a data controller must respond to a Subject Access Request without undue delay and in any event within one calendar month of receipt of the request. Under current ICO guidance the period is counted from the day the request is received (whether or not that is a working day) to the corresponding calendar date in the following month, or the last day of that month if there is no corresponding date. If the request is complex or if you have made multiple requests simultaneously, the controller may extend the response period by a further two months, but they must inform you within the first month of the extension and provide reasons. If the controller reasonably needs to verify your identity, or requires clarification about which records you are requesting (for example, to narrow an extremely broad request), the one-month clock does not start until the identity evidence or clarification is received, but only where that step is genuinely necessary to process the request. If the data controller fails to respond within the statutory time limit, or provides an inadequate response, you have the right to complain to the Information Commissioner's Office (ICO), which can investigate the controller and impose sanctions of up to £17.5 million or 4% of global annual turnover under the DPA 2018 for serious infringements. The ICO's helpline is 0303 123 1113.
A data controller can refuse or limit a Subject Access Request only in specific circumstances set out in UK GDPR and the DPA 2018. The most common grounds for refusal are: the request is manifestly unfounded or manifestly excessive (Article 12(5) UK GDPR), in which case the controller must provide reasons and you have the right to challenge the refusal with the ICO; the information would identify another individual who has not consented to the disclosure and it is not reasonable to disclose without that consent (Schedule 2, Part 3, paragraph 16, DPA 2018); disclosure would be likely to cause serious harm to the physical or mental health of the data subject or any other person (the 'serious harm' exemption in Schedule 3 of the DPA 2018, relevant to health records); the information was recorded in connection with criminal proceedings or is subject to legal professional privilege; or the data is held solely for research, statistical, or archival purposes in the public interest. Where an exemption applies, the controller must tell you that information has been withheld (though they do not have to identify which exemption, if doing so would itself reveal exempt information), and must still disclose any part of the record that the exemption does not cover. You can challenge any refusal by complaining to the ICO or by applying to the court under section 167 of the DPA 2018.
The UK GDPR and the Data Protection Act 2018 only apply to the personal data of living individuals. After a person has died, UK GDPR does not grant next of kin or personal representatives any automatic right to access the deceased's medical records. However, a separate right of access to the health records of deceased persons is provided by the Access to Health Records Act 1990. Under section 3 of that Act, the personal representative of the deceased (the executor or administrator of the estate) and any person who may have a claim arising out of the death have the right to apply for access to the health records of the deceased person. The application must be made to the holder of the health records (for example, the GP surgery or hospital). The holder may refuse access if they believe the disclosure would cause serious harm to the physical or mental health of any individual, or if the record contains information provided by the deceased in the expectation that it would not be disclosed after their death. Requests for the records of deceased persons should reference the Access to Health Records Act 1990 rather than UK GDPR. There is no statutory fee for access under the 1990 Act, though a reasonable fee for copying may be charged.
If a data controller fails to respond to your Subject Access Request within one calendar month, provides an incomplete response, or refuses your request without citing a valid legal exemption, you have several remedies available under English law. First, you should write to the controller's Data Protection Officer (if they have one) or to senior management, formally drawing their attention to the breach and requesting an immediate response. Second, you may submit a complaint to the Information Commissioner's Office (ICO) online at ico.org.uk or by telephoning 0303 123 1113. The ICO can investigate the matter, issue enforcement notices, and impose significant financial penalties. Third, you may apply to the County Court or the High Court under section 167 of the Data Protection Act 2018 for an order requiring the controller to comply with the SAR. The court may award compensation under section 169 of the DPA 2018 or Article 82 of UK GDPR for any damage or distress suffered as a result of the breach. For NHS providers, you may also raise a formal complaint under the NHS Complaints Procedure set out in the Local Authority Social Services and National Health Service Complaints (England) Regulations 2009, and if unresolved, escalate to the Parliamentary and Health Service Ombudsman.
Yes, it is possible to make a Subject Access Request on behalf of another person, but you must have a recognised legal basis for doing so. The most common bases of authority in England and Wales are: a registered Lasting Power of Attorney for Health and Welfare made under the Mental Capacity Act 2005, which must be registered with the Office of the Public Guardian and gives the attorney authority to access the donor's health information; a deputyship order made by the Court of Protection under section 16 of the Mental Capacity Act 2005; parental responsibility under section 2 or section 4 of the Children Act 1989 for requests on behalf of a child, subject to the Gillick competence assessment; a court order specifically authorising access to the data subject's records; or written authority from the data subject themselves, if they have mental capacity to give consent. The data controller is entitled to request evidence of your authority before complying with the request. You should enclose a copy of the relevant document (for example, the registered LPA or birth certificate) with your SAR. If the person has lost mental capacity and no LPA is in place, your solicitor may be able to advise on an emergency application to the Court of Protection.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Lasting Power of Attorney — Health and Welfare — Medical (UK)
Plan ahead for the future with a Lasting Power of Attorney for Health and Welfare under the Mental Capacity Act 2005. This LP1H-style instrument allows you (the Donor) to appoint one or more attorneys to make decisions about your medical treatment, daily personal care, living arrangements, and life-sustaining treatment if you lose mental capacity. Governed by the laws of England and Wales. Must be registered with the Office of the Public Guardian (OPG) before it can be used. This template guides you through all key sections including attorney appointment, life-sustaining treatment authority, replacement attorneys, certificate provider requirements, and persons to be notified.
Lasting Power of Attorney — Property and Financial Affairs (UK)
Appoint one or more trusted people to manage your property, finances, and business affairs on your behalf. A Lasting Power of Attorney for Property and Financial Affairs, created under the Mental Capacity Act 2005, can be used while you still have capacity (with your consent) or only after you lose capacity. Covers bank accounts, investments, property, bills, pensions, and legal proceedings. Must be registered with the Office of the Public Guardian (OPG) before use. Governed by the laws of England and Wales.
Advance Decision to Refuse Treatment (UK)
Record your legally binding refusal of specific medical treatments in advance, in case you later lose the mental capacity to make or communicate those decisions yourself. An Advance Decision to Refuse Treatment, made under sections 24–26 of the Mental Capacity Act 2005, allows you to specify which treatments you do not wish to receive and the circumstances in which your refusal applies. If your refusal includes life-sustaining treatment, the document must be written, signed, and witnessed. Governed by the laws of England and Wales.
Consent Form (UK)
Create a general Consent Form for use in England and Wales. This versatile template covers medical consent, activity consent, data processing consent, photography consent, and research participation consent. Compliant with common law informed consent principles, the Mental Capacity Act 2005, the Children Act 1989, and UK GDPR Article 7. Includes risk and benefit disclosures, right to withdraw, capacity confirmation, parental consent for minors, and emergency contact information. Fill in the details and download as PDF or Word.
Data Processing Agreement — UK GDPR (England & Wales)
Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.