Skip to main content

Access to medical records

Patient access to GP online services

Registration

Patients who wish to register for online services to cancel appointments, order repeat prescriptions and view their medical records and clinical correspondence online are to complete the registration process by following the NHS England Getting full access to the NHS App guidance. Additionally, NHS Digital provides further guidance on the online sign up process.

If requesting access at the practice, then the process at Annex B is to be followed. Additionally, those applicants wishing to apply for access to retrospective information held about other people must complete the relevant sections of this registration form and the application should be processed in line with the proxy requirements.

Prospective access to full records is subject to the same safeguarding information requirements as are applied to detailed coded record access.

Verification

Unlike for registration, identity (ID) verification is required to ensure that online access is granted only to the patient or their authorised representative(s).

  • Online verification

Proving identity online can be completed both with or without photo ID and as detailed within the NHS Digital guidance titled Patient verification levels and proving identity.

  • Practice verification

If proving ID within the practice, patients will be requested to provide two forms of ID verification in line with NHS England’s Good Practice Guidance on Identity Verification and the organisation accepts appropriate forms of ID outlined as follows:

  • Documentation (forms of identification)
  • Vouching
  • Vouching with confirmation of information held in the applicant’s records

One of the two forms of ID must contain a photo. Acceptable documents include passports, photo driving licences and bank statements but not bills. When a patient does not have suitable photographic identification, vouching with confirmation of information held in the medical record can be considered by the data controller or responsible clinician. This should take place discreetly and ideally in the context of a planned appointment.

This process is the same in cases of proxy access requests.

It should be noted that it is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified.

For detailed guidance, refer to the NHS England guidance titled DAPB3051: Identity Verification and Authentication Stand for Health and Care Digital, Data, Analytics and Technology Use.

Further supporting documentation for this subject can be found at:

Processing the request

Completed documentation will be reviewed by the clinician responsible for processing including the review of online records for third party references and any information that may cause harm or distress to the patient/applicant that may need to be hidden from online access using confidentiality policies.

Patient and practice records may contain confidential information that relates to a third person. This may be information from or about another person and it may have been entered in the record intentionally or by accident. This does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters. All confidential third party information must be removed or redacted following review by the appropriate responsible clinician or data controller.

It should be noted that if this is not possible then access to the information will be refused.

For all applications, requesters should be advised that it will often take several days to process any online service request. 

Refusal of, or limited access to, any request

Access will be denied or limited when, in the reasonable opinion of the responsible clinician, access to such information would not be in the person’s best interests because:

  • It is likely to cause serious harm to the person’s physical or mental health
  • It is likely to cause serious harm to the physical or mental health of any other person
  • The information includes a reference to any third party who has not consented to its disclosure

A reason for denial of information must be recorded in the medical records and when possible and appropriate, an appointment made with the patient to explain the decision.

Post registration

Once a patient has registered at the organisation and the request has been processed, they are to be issued with a letter that includes their unique username, password and instructions how to access the online services. Only the completed registration form should be scanned into the individual’s healthcare record.

Coercion

Registering patients for online services requires awareness of the potential impact of coercion and children, adults in an abusive relationship and the elderly or otherwise vulnerable adults who can all be victims. Patients may be forced into sharing information from their record including log-in details, medical history, repeat prescription orders, appointment booking details and other private, personal information. By gaining access to a person’s record, an abuser may gain further control or escalate harm.

Access to a patient’s health record can be particularly attractive to an abusive partner, carer or parent. All staff are to be aware of the potential impact of coercion and the signs to look out for to help patients who might be subject to coercion.

For further detailed information, refer to the organisation’s Safeguarding Handbook and the Home Office Domestic abuse: how to get help guidance.

Children and young people’s access

It is impossible to say at what age the child will become competent to make autonomous decisions regarding their healthcare as between the ages of 11 and 16 this varies from person to person. In accordance with Article 8 of the UK GDPR, from the age of 13 young people can provide their own consent and will be able to register for online services.

For detailed information, refer to the RCGPs Children and Young People guidance.

Proxy access

About

NHS England in its Proxy access guidance explains that some patients find it helpful for a second person to have access to their online GP record. This is often a family member, medical next of kin, a close friend or a carer whom they trust to act on their behalf and is called proxy access.

As the NHS England guidance states, the patient can limit which online services they want the nominated individual to access.

For detailed guidance, refer to the NHS England guidance titled DAPB3051: Proxy. This details audit and governance, actions needed to maintain safeguarding standards, the basis for access, age milestones, the redaction requirements and also the verification processes.

Proxy access should not be granted when:

1There is any suspicion of coercive behaviour
2There is a risk to the security of the patient’s record by the person being considered for proxy access
3The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily; this should be recorded in the patient’s record
4The responsible clinician assesses that it is not in the best interests of the patient and/or that there are reasons as detailed in denial or limitation of information

The arrangement for proxy access may be formal or informal.

For further detailed information, refer to NHS England’s Manage health service for other in the NHS App guidance.

Proxy access in adults with capacity

Under the Data Protection Act 2018, patients over the age of 13 are assumed to have mental capacity to consent to proxy access. When a patient with capacity gives their consent, the application should be dealt with on the same basis as the patient.

The consent form at Annex F allows nominated persons with capacity access to specific areas of a named person’s medical records.

This form can be used for a named proxy to simply to book an appointment or order medication, or for greater access such as to have access to obtaining test results or consultations. The form has tick boxes that specifically allow a named person to have partial or full access to the named person’s healthcare information. This form must be signed by the patient prior to being considered valid.

It should be noted that this form does not permit any third party individual to make healthcare decisions on behalf of the named patient. Furthermore, the patient is responsible for this agreement and any changes or updates that may be required at a later date.

Any concerns with regard to coercion must be discussed with the safeguarding lead.

Proxy access in adults without capacity

Proxy access without the consent of the patient may be granted in the following circumstances:

  • The patient has been assessed as lacking capacity to decide on granting proxy access and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian
  • The patient has been assessed as lacking capacity to decide on granting proxy access and the applicant is acting as a Court Appointed Deputy on behalf of the patient
  • The patient has been assessed as lacking capacity to make a decision on granting proxy access and, in accordance with the Mental Capacity Act 2005 code of practice, the responsible clinician considers it in the patient’s best interests to grant access to the applicant
  • When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, it is the responsibility of the responsible clinician to ensure that the level of access enabled, or information provided is necessary for the performance of the applicant’s duties

The template at Annex G provides to support these requests.

Adult proxy access verification and identity confirmation

Before the organisation provides proxy access to an individual or individuals on behalf of a patient, further checks must be undertaken:

  • There must be either the explicit informed consent of the patient or some other legitimate justification for authorising proxy access without the patient’s consent
  • The identity of the individual who is asking for proxy access must be verified as outlined above
  • The identity of the person giving consent for proxy access must also be verified as outlined above. This will normally be the patient but may be someone else acting under a power of attorney or as a Court Appointed Deputy

The process to confirm the identity for a proxy is as detailed in the verification section at Annex A.

For detailed guidance, refer to the NHS England guidance titled DAPB3051: Identity Verification and Authentication Stand for Health and Care Digital, Data, Analytics and Technology Use and the supporting documentation:

Lasting power of attorney

A more formal approach can be for a lasting power of attorney (LPA) to have been delegated. An LPA is a legal document that allows individuals to give people they trust the authority to manage their affairs if they lack capacity to make certain decisions for themselves in the future.

To nominate an LPA, the person must be over 18 years old and have the ability to make their own decision (mental capacity). There are two types of LPA, the vast majority of LPAs deal with health and welfare although occasionally there may be a need to be involved with LPAs that deal with property and financial affairs. For further detailed information, refer to the Make, register or end a lasting power of attorney guidance.

When someone is applying for proxy access on the basis of an enduring power of attorney, an LPA or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian.

Should an LPA have been granted, this will allow the nominee to access healthcare records for the patient who they are acting on behalf of. This may include sharing medical records with other third parties as they deem appropriate. An example when an LPA could be used is when a patient without capacity is in a care home. A template for this can be found at Annex G.

For any concerns about an LPA, then guidance should be sought from the Office of Public Guarding document titled Report a concern about an attorney, deputy or guardian.

Further reading can be sought from NHS England guidance titled DAPB3051: Proxy.

Proxy access in children without consent

The organisation may authorise proxy access without the patient’s consent when:

  • The patient does not have capacity to make a decision on giving proxy access
  • The applicant has an LPA (health and welfare) and the patient is without capacity
  • The applicant is acting as a Court Appointed Deputy on behalf of the patient
  • The GP considers it to be in the patient’s best interests

The person authorising access has responsibility to ensure that the level of access enabled is appropriate for the performance of the applicant’s duties.

The nominated individual is to complete the online services registration form at Annex B or the SAR application form at Annex E. Should the organisation opt not to grant the person access to an individual’s record, the responsible clinician will contact the patient and advise them of the reasons why this decision has been reached.

The organisation may refuse or withdraw formal proxy access at any time if it is judged that it is in the patient’s best interests to do so.  Formal proxy access may be restricted to less access than the patient has, e.g., appointments and repeat prescriptions only.

Patients who choose to share their account credentials with family, friends and carers (including a care home) must be advised of the risks associated with doing so. Formal proxy access is the recommended alternative in all circumstances.

Any concerns must be discussed with the safeguarding lead.

For further detailed information, refer to the NHS England guidance titled DAPB3051: Proxy and the organisation’s Consent Policy.

Parents and professional bodies gaining access to a child’s medical record

This organisation will allow parents access to their child’s medical records if the child or young person consents or lacks capacity and it does not go against the child’s best interests. However, if the records contain information given by the child or young person in confidence then this information should not normally be disclosed without their consent.

The following documentary evidence is to be used to establish parental responsibility:

  • Parents being named on a birth certificate
  • Parents being named on an adoption certificate
  • Parents being named on a court-issued parental order
  • Parents being named on a parental responsibility agreement
  • Parents being named on a parental responsibility order
  • Parents being named on a special guardianship order
  • A local authority with a care order or interim care order
  • Step-parents being named on a step-parental responsibility order

Evidence to help the organisation to understand the extent to which parents share responsibility for a child:

  • Parental responsibility is not normally affected by a separation between parents
  • Parents in possession of a child arrangement order orconsent order will still share responsibility for the child even if they are separated
  • It is a parent’s role in a child’s life that should influence thedecision as to whether granting proxy access is necessary, andat which level

It should be noted that divorce or separation does not affect parental responsibility and therefore both parents will continue to have reasonable access to their children’s health records unless legally advised not to do so.

Evidence to help to understand when it might not beappropriate for all parents to have access:

  • Parents in possession of a prohibited steps or specific issueorder may specify that access is curtailed on this basis. In all complex cases of parental responsibility, advice is to be sought from the medical indemnity organisation

Evidence to help to identify when a local authority and/orfoster parents need to be involved in the childs care(whether or not they have parental responsibility for thechild):

  • A child being cared for under a care order
  • A child being cared for under a voluntary order
  • A child being on a child protection plan
  • A child being cared for under an emergency protection order
  • A child being cared for under a supervision order

Health and care organisations can use the Child Protection –Information Sharing service to identify when a child is cared for,when they have a legal basis to do so.

Authoritative sources that can be used to help establish parental responsibility:

  • Personal Demographics Service records
  • General Registry Office records

For further detailed information, refer to the GMC Accessing medical records by children, young people and parents guidance and the organisation’s Safeguarding Handbook.

Child proxy access verification

Before the organisation provides parental proxy access to a child’s medical records the following checks must be made:

  • The identity of the individual(s) requesting access via the method outlined above
  • The identified person is named on the birth certificate of the child

In the case of a child judged to have capacity to consent, there must be the explicit informed consent of the child.

Subject Access Request (SAR) process

Subject Access Requests (SAR) to medical records

In accordance with Article 15 of the UK GDPR, individuals have the right to access

their data and any supplementary information held by this organisation. SARs are predominantly used for access to, and the provision of, copies of medical records. This type of request need not always be in writing (e.g., letter, e-mail). However, applicants should be offered the use of a SAR application form which allows for an explicit indication of the required information.

The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them. In addition, data subjects can authorise third party access, e.g., for solicitors and insurers, under the UK GDPR.

When a data subject (individual) wishes to access their data, they are to be encouraged to use the SAR form. All staff must note that the ICO states, “An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data”.

To request a SAR, the requester must be:

  • The data subject OR
  • Have the written permission of the data subject OR
  • Have legal responsibility for managing the subject’s affairs to access personal information about that person, such as a lasting power of attorney (LPA)

It is the requester’s responsibility to satisfy this organisation of their legal authority to act on behalf of the data subject. The identity of the requester is required before this organisation can provide any personal information. The verification process is as detailed at Annex A.

Requests may be received from the following:

Competent patientsMay apply for access to their own records or authorise third party access to their records  
Children and young people  May also apply in the same manner as other competent patients. This organisation will not automatically presume a child, or young person has capacity under the age of 16. However, those aged 13 or over are expected to have the capacity to consent to medical information being disclosed.   This reflects the information given in the UK GDPR and also in CQC GP mythbuster 8: Gillick competency and Fraser guidelines.  
ParentsMay apply to access their child’s health record providing this is not in contradiction of the wishes of the competent child.   Should a child or young person be capable of giving consent, access to their health record may then only be given with consent. It may be necessary to discuss parental access alone with the child or young person if there is suspicion that they are under pressure to agree.   Guidance on parental access to a child or young person’s healthcare records is detailed within the BMA guidance titled Children and young people ethics toolkit and within the Children and young people section at Annex A.  
Individuals with a responsibility for adults who lack capacityAre not automatically entitled to access the individual’s health records. This organisation will ensure that the patient’s capacity is judged in relation to the particular decisions being made.   Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act 2005 in England and Wales and the Adults with Incapacity Act in Scotland.  
Next of kinHave no rights of access to health records  
PoliceIn all cases, the organisation can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statutes (e.g., Road Traffic Act 2006).   Nevertheless, health professionals have power under the Data Protection Act 2018 and the Crime Disorder Act 1998 to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:   To protect the patient or another person’s vital interests, or   For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g., when the seriousness of the crime means there is a pressing social need for disclosure)   Only information that is strictly relevant to a specific police investigation should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it.  
Court representatives  A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application.   Access may be denied when the responsible clinician is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.  
Representatives or solicitorsA patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf for copies of their medical records.   This organisation may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. It is important to stress to the patient that under a SAR, all health records are provided unless a specific time period is stated and patients should be mindful of giving access to this level of health data.   Solicitors who are acting in civil litigation cases for patients should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society. If a consent form from the patient is not received with the application form, then no information must be provided until this has been received.  
Requests for insurance medical reportsSARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at this organisation is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report.   In most cases, the requester will provide the patient’s signed consent to release information held in their health record. The BMA have issued guidance titled Requests for medical information from insurers. Therefore, this organisation will contact the patient to explain the extent of disclosure sought by the third party. The organisation can then provide the patient with the medical record as opposed to the insurer. The patient is then given the opportunity to review their record and decide whether they are content to share the information with the insurance company.   Insurers are to be advised that the following fees are applicable and as detailed within BMA Guidance Fees.  

Responsibility

It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the organisation’s SAR form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification.

Processing a SAR request

Upon receipt of a SAR, a record of this is to be detailed within the individuals’ health record, as well as annotating the organisation’s Data Subject Access Request (SAR) Register. Once processed, another entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual in addition to updating the SAR Register.

Under the Data Protection (Subject Access Modification) (Health) Order 2000, an appropriate healthcare professional (responsible clinician) manages all access matters. Whenever possible, the healthcare professional most recently involved in the care of the patient will review and deal with the request. If, for some reason, they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.

To ensure compliance, the data controller will ensure data is processed in accordance with Article 5 of the UK GDPR. Individuals will have to verify their identity, and it is the responsibility of the data controller to verify all requests using reasonable measures.

For further detailed information, refer to NHS England’s Good practice guidance on identity verification and as detailed at the verifications section within Annex A

The process upon receipt of a SAR form is illustrated by the SAR desktop aide-memoire at Annex H which is an aide-memoire/flow diagram for staff. A poster with suggested wording explains how health records can be accessed is at Annex I.

Timeframe for responding to requests

In accordance with Article 12 of the UK GDPR, this organisation must respond to a SAR without undue delay and at the latest within one month of the receipt of the request. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the applicant must be informed in the first month and the reasons for the extension given.

As detailed in Article 15 of the UK GDPR, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the data.

Should the request involve a large amount of information, the data controller will ask the data subject to specify what data they require before responding to the request. In this instance, the data controller is permitted to ‘stop the clock’ in relation to the response time until the clarification is received. For further detailed information, see the BMA’s Access to health records.

Fees

As stated by the ICO, this organisation is not permitted to charge a fee to comply with a SAR. However, a reasonable fee may be charged if the request is deemed to be manifestly unfounded or excessive, or if an individual requests further copies of their data.

Fees are detailed within the BMA Access to health records guidance.

Should a SAR be initiated from a solicitor and they are asking for a report to be written, or the request is asking for an interpretation of information within the record, this request goes beyond a SAR and therefore a fee can be charged. The organisation may ask the nature of the request from the solicitor to confirm if this should be charged for or not. However, if the solicitor confirms that they are seeking a copy of the medical record, then this should be treated as a SAR and complied with in the usual way. 

Method of response to requests

ICO guidance explains that the decision on what format to provide the requested information in should take into consideration the circumstances of the request and whether the individual can access the data in the format provided. It is considered good practice to establish the individual’s preferred method before fulfilling their request. Article 15 explains that when a data subject makes a request by electronic means, and unless otherwise requested by the data subject, the information is to be provided in a commonly used electronic format.

When the patient/applicant requests their information to be emailed to them, it is strongly recommended that the organisation explains to the patient/applicant the risks (for example, unauthorised interception of the data) of receiving the data via unencrypted means to a non-NHS email address. The organisation should document the patient’s agreement (expressed in writing or via email) to receive their data via unencrypted means in the medical record. If the patient/applicant agrees, alternative electronic formats may be used, i.e., a memory stick.

For those requests that are not made electronically, a paper copy can be provided unless the patient has explicitly requested a different format.

Amendments to medical records

Records should not be amended because of a request for access; it is a criminal offence under the Data Protection Act 2018 to amend or delete records in response to a SAR. If amendments are made between the time that the request for access was received and the time at which the records were supplied, these must only be amendments that would have been made whether or not the request for access was made. When dealing with a SAR, the most up to date information should be provided.

Information that is clinically relevant must not be deleted from medical records. For electronic records, information can be removed from display, but the audit trail will always keep the record complete. Amendments to records can be made provided the amendments are made in a way that indicates why the alteration was made so that it is clear that records have not been tampered with for any underhand reason.

Patients may also seek correction of information that they believe is inaccurate. In these instances, refer to Section 4.

Additional Privacy Information notice

Once the relevant information has been processed and is ready for issue to the patient, it is a requirement, in accordance with Article 15 of UK GDPR, to provide an Additional Privacy Information notice (APIn).

A template with suggested wording can be found at Annex J.

Organisation disclaimer

The template at Annex K can be issued to patients upon receipt of them obtaining a copy of their medical records.

This disclaimer outlines that they are responsible for the security and confidentiality of their own records, and that the organisation will not accept any responsibility for copies of medical records once they leave the premises.

Refusal to provide medical records following a SAR request

This organisation will only refuse to comply with a SAR when exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations, the data controller will inform the individual of:

  • The reasons why the SAR was refused
  • Their right to submit a complaint to the ICO
  • Their ability to seek enforcement of this right through the courts

Each request must be given careful consideration and, should it be refused, this must be recorded and the reasons for refusal justifiable. The ICO explains that an organisation has the right to refuse any online access or SAR although any such refusal will be within the allotted timescale and the reasons for the refusal will be given. A letter template for refusal can be found at Annex L.

If sharing full records could cause harm or involves third-party information, healthcare professionals may redact relevant details from the patient’s view but must not delete them.

It should be noted that if unable to or should the system functionality to redact information not be available, then the record should not be shared with the patient as detailed below in the non-disclosure section.


For further detailed information, refer to When you can disclose personal information.

Non-disclosure

The UK GDPR provides for several exemptions in respect of information falling within the scope of a SAR. Information can generally be treated as exempt from disclosure and should not be disclosed, if:

  • It is likely to cause serious physical or mental harm to the patient or another person
  • It relates to a third party who has not given consent for disclosure (when that third party is not a health professional who has cared for the patient) and after considering the balance between the duty of confidentiality to the third party and the right of access of the applicant, the data controller concludes it is reasonable to withhold third party information
  • It is requested by a third party, and the patient had asked that the information be kept confidential or the records are subject to legal professional privilege or, in Scotland, the records are subject to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation. In such cases, the information will be exempt if, after considering the third party’s right to access and the patient’s right to confidentiality, the data controller reasonably concludes that confidentiality should prevail, or it is restricted by order of the courts
  • It relates to the keeping or using of gametes or embryos or pertains to an individual being born because of in vitro fertilisation
  • In the case of children’s records, disclosure is prohibited by law, e.g., adoption records

The data controller must redact or block out any exempt information. Depending on the circumstances, it may be that the data controller should take steps to explain to the applicant how the relevant exemption has been applied. For further detailed information, refer to section 4.9 of the BMA Access to health records guidance.

Page published: 5 October 2023
Last updated: 25 June 2026