Department of Health


Questions and answers about accessing health records

Patient confidentiality and Caldicott Guardians FAQ  

Health records

Question

What legislation governs access to health records?

Answer

The Data Protection Act 1998 governs access to the health records of living people. It became effective from 1st March 2000, and superseded the Data Protection Act 1984 and the Access to Health Records Act 1990, though the Access to Health Records Act 1990 still governs access to the health records of deceased people. The Data Protection Act 1998 gives every living person the right to apply for access to their health records.

Question

What is a health record?

Answer

A health record is defined in the Data Protection Act 1998 as a record consisting of information about the physical or mental health or condition of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.

Question

How are health records recorded?

Answer

A health record can be recorded in a computerised form or in a manual form or a mixture of both. Health records may include such things as: hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records e.g. X-rays and not just X-ray reports, printouts from monitoring equipment, photographs, videos and tape-recordings of telephone conversations.

Question

What about private health records?

Answer

The Data Protection Act 1998 is not confined to health records held for the purposes of the National Health Service ("the NHS"). It applies equally to the private health sector and to health professionals’ private practice records. It also applies to the records of employers who hold information relating to the physical or mental health of their employees, if the record has been made by or on behalf of a health professional in connection with the care of the employee.

Question

Does it matter when the record was created?

Answer

No. Individuals have a right to apply for access to records irrespective of when they were compiled. Whereas the Access to Health Records Act 1990 did not provide individuals with a statutory right of access to records compiled prior to November 1991, under the Data Protection Act 1998 there is no such limitation.

Inspecting health records

Question

Can applicants directly inspect their medical records?

Answer

The Act gives patients the right, among other things, to know whether a data controller is processing information about them, a description of the data, and the information constituting the data. It remains Department of Health policy that patients who wish to actually see what is written about them in their records should be allowed to do so, subject to given exemptions and unless there are compelling reasons to the contrary.

Question

Are individuals entitled to apply for access to their complete health record?

Answer

Individuals are entitled to apply for access to their total health record as it stands at the time the request was received. The information provided may, however, take account of any amendment or deletion which is made to the record in the period between the request having been received and dealt with, being an amendment or deletion that would have been made regardless of the receipt of the request.

Question

Who has a duty under the Act to deal with access requests?

Answer

Responsibility for dealing with a subject access request lies with the "data controller". A data controller is defined in the Data Protection Act 1998 as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data about an individual are, or are to be, processed.

Applying to inspect health records

Question

How should access to health records requests be made?

Answer

Any request for access to health records must be made in writing or electronically to the data controller, i.e. the applicant’s local GP for GP records, or the Records Manager at the hospital for hospital records. NHS bodies may wish to use a standard form for this purpose.

Question

Will there be a financial charge for access to health records?

Answer

Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2001 the maximum fee that can be charged for providing copies of health records is £10 for computer records and £50 for copies of manual records or a mixture of manual and computer records. Charges are for copying and posting the records only and should not result in a profit for the record holder. Some types of records, such as x-rays, may be expensive to copy.

Question

What are the time limits for dealing with a subject access request?

Answer

There is no obligation to comply with an access request unless the data controller has such information as he or she needs to identify the applicant and locate the information and unless the required fee has been paid. Once the data controller has all the relevant information and fee where relevant, they should comply with the request promptly and within 21 days, though in exceptional circumstances this may take up to 40 days. Please note that the 21 day limit is Department of Health policy, not a legal obligation. However the 40 day limit is a requirement under the Data Protection Act 1998. In exceptional circumstances if it is not possible to comply within this period the applicant should be informed.

Question

Does the applicant need to specify what period they are requesting access to?

Answer

No reason need be given for an application and staff should be ready to assist applicants in making subject access requests.

Assessment of applications to inspect health records

Question

How should a data controller process an application for access to health records?

Answer

On receiving a request in writing from a data subject or their representative, the data controller should log the application and immediately examine it to confirm its validity as part of best practice. This is very important as patients have a right to have their personal health information kept confidential.

Question

Are there any circumstances in which information contained in health records may be withheld from the data subject?

Answer

Under the Data Protection Act 1998 there are certain circumstances in which the record holder may withhold information. Access may be denied, or limited, where the data controller judges that information in the records would cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who had not consented to the disclosure. Data controllers must be prepared to justify decisions to withhold information.

Question

Where information has been withheld are record holders obliged to advise applicants that this is the case?

Answer

No. Record holders are free to advise applicants of the grounds on which information has been withheld but are not obliged to do so. If it is thought likely to cause undue distress the record holder may not wish to volunteer the fact that information has been withheld.

Question

Can a record holder refuse to process an application for access to health records?

Answer

Yes. Where an access request has previously been complied with, the Act permits record holders not to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous compliance.

Question

How do record holders decide whether a reasonable interval has elapsed?

Answer

Data controllers should consider the nature of the information, how often it is altered and the reason for its processing. The reason for the request(s) may also be relevant.

Question

Can the obligation to provide a copy be waived?

Answer

The obligation to provide a copy may be waived where the patient agrees otherwise or it is not possible to supply a copy of the material sought, or to do so would involve disproportionate effort (for example because papers have been destroyed, or are spread around the country). However, cost alone is not sufficient grounds on which to refuse to provide a copy.

Question

What if the specified fee is not paid when the access request is made?

Answer

Data controllers do not have to release the information until the required fee has been paid.

Question

What if the patient feels their medical notes are incorrect, can they have them amended?

Answer

If a patient feels information recorded on their health record is incorrect then they should firstly make an informal approach to the health professional concerned to discuss the situation in an attempt to have the records amended. If this avenue is unsuccessful then they may pursue a complaint under the NHS Complaints procedure in an attempt to have the information corrected or erased. They could further complain to the Information Commissioner, formerly the Data Protection Commissioner, who may rule that any erroneous information is rectified, blocked, erased or destroyed. Further information can be obtained from the Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone number 01625 545700.

Question

Where it is agreed that an individual may directly inspect their medical record does access need to be supervised?

Answer

Yes. The data controller should consider whether access should be supervised by the attendance of a health professional or whether an appointment should be made for supervision by a lay administrator. Lay administrators must not comment or advise on the content of the record and if the applicant raises enquiries, an appointment with a health professional should be offered.

Question

What if the information isn’t readily intelligible?

Answer

Where the information is not readily intelligible, an explanation (e.g. of abbreviations or medical terminology) must be given.

Applications made by someone other than the patient

Question

What about when the application is being made on behalf of the data subject by another individual?

Answer

Where the applicant is not the patient, the applicant should have access to only the information and explanation which would otherwise have been made available to the patient.

Question

How should data controllers deal with requests from solicitors acting on behalf of an individual?

Answer

A request from a solicitor acting on behalf of a patient should be dealt with in exactly the same way as a request from a patient.

Question

Are the charging arrangements different for solicitors?

Answer

The arrangements for charging for access to health records are no different for solicitors i.e. the maximum fee that can be charged for providing copies of health records is £10 for computer records and £50 for copies of manual records or a mixture of manual and computer records.

Question

Can a patient’s original medical records be sent to a solicitor?

Answer

Whilst the Data Protection Act 1998 allows an applicant to be supplied with a copy of a medical record, it does not require data controllers to provide access to the original record. It is strongly recommended that data controllers do not allow original notes to be sent to solicitors because of the potential detriment to patients should the records be lost.

Advice on applications

Question

When dealing with a subject access request who should the data controller consult?

Answer

Once the data controller has all the information he or she needs to deal with the request and is in possession of the fee, he or she should then consult the appropriate health professional, normally the individual who is or was responsible for the clinical care of the patient during the period to which the application refers.

Question

What if there is more than one or no suitable health professional to advise on access?

Answer

Where there is more than one, the most suitable available health professional should advise on access, otherwise a health professional with the necessary qualifications and experience should advise on the matters to which the information requested relates. This only applies to data controllers who are not health professionals.

Access to UK health records for those living abroad

Question

How can a person apply for access to their health records if they are not living in the UK?

Answer

In cases where a patient moves abroad, their GP health records are sent to the local Primary Care Trust and their hospital records are stored in the hospital or sent to a local archive. They are retained for the minimum period. Hospital records are kept for a minimum of 8 years following the end of treatment and GP records for 10 years, though please note that certain types of records are kept for longer. At the end of the minimum retention period the Records Manager at the Trust/hospital/archive will decide whether to retain further or destroy the records. Under the UK Data Protection Act 1998, a patient has the right to apply for access to copies of their health records. The request should be made in writing to the record holder(s), and a fee will be payable, with the maximum that can be charged set at £50.

Question

Can a person take their health records with them for their new doctor, if they are living outside the UK?

Answer

No. However, patients can make a subject access request for copies of their records, and then take the copies with them. The GP may be prepared to provide the patient with a summary of the patient’s treatment to take to their new GP.

Access to a child’s health record

Question

Who has the right of access to a child’s health record?

Answer

As a general rule a person with parental responsibility will have the right to apply for access to a child’s health record.

Question

What is parental responsibility?

Answer

Parental responsibility for a child is defined in the Children Act 1989 as "all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property". Although not defined specifically, responsibilities therefore would include:

- Safeguarding and promoting a child’s health, development and welfare.
- Financially supporting the child.
- Maintaining direct and regular contact with the child.

Question

What rights could be considered to fulfil these responsibilities?

Answer

Included in the parental rights which would fulfil the parental responsibilities above are:

- Having the child live with the person with responsibility or having a say in where the child lives.
- If the child is not living with her/him, having a personal relationship and regular contact with the child.
- Controlling, guiding and directing the child’s upbringing.

Question

Can a parent not living with the child have access to the child’s health record?

Answer

Yes, if they have parental responsibility for the child e.g. separated/divorced parent.

Question

Are there situations in which access to the child’s records can be refused?

Answer

Yes. As the child grows older and gains sufficient understanding, he/she will be able to make decisions about his/her own life. Where a child is considered capable of making decisions about his/her medical treatment, the consent of the child must be sought before a person with parental responsibility can be given access. Where, in the view of the appropriate health professional, the child patient is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it were not felt to be in the patient’s best interests.

Question

Do parents have the right to know what treatment their adolescent child is receiving from their GP?

Answer

The law regards young people aged 16 or 17 to be adults for the purposes of consent to treatment and right to confidentiality. Therefore if a 16 year old wishes a medical practitioner to keep the treatment confidential then that wish should be respected. Children under the age of 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected, for example if they were receiving counselling or treatment about something they did not wish their parent to know. Case law has established that such a child is known as ‘Gillick Competent’, i.e. where a child is under 16 but has sufficient understanding in relation to the proposed treatment to give or withhold consent, that consent or refusal should be respected. However, good practice dictates that the child should be encouraged to involve parents or other legal guardians in any treatment.

The complaints procedure

Question

How can someone make a complaint if they are unable to obtain access to their reports?

Answer

Complaints about any aspect of an application to obtain access to health records should first be made to the person concerned. If this does not resolve the matter, a complaint can be made under the NHS Complaints Procedure. If a patient follows this procedure and is dissatisfied with the outcome of the investigation, they have the right to take their complaint to the Health Service Ombudsman or, as a last resort, to court. Alternatively, a person has the right to complain to the Information Commissioner, formerly the Data Protection Commissioner, at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel 01625 545700. Please note that the Department of Health is not able to deal with individual cases or complaints. These are best dealt with locally or through the above channels.

Application for deceased person's health records

Question

What are the rights of access to a deceased person’s health records?

Answer

Health records relating to deceased people do not carry a common law duty of confidentiality. However, it is Department of Health and General Medical Council policy that records relating to deceased people should be treated with the same level of confidentiality as those relating to living people. Access to the health records of a deceased person is governed by the Access to Health Records Act 1990. Under this legislation when a patient has died, their personal representative or executor or administrator or anyone having a claim resulting from the death (this could be a relative or another person), has the right to apply for access to the deceased’s health records.

Question

How can a person apply for access to a deceased person’s health records?

Answer

A request for access should be made in writing to the record holder ensuring that it contains sufficient information to enable the correct records to be identified. The request should also give details of the applicant’s right to access the records.

Question

Who is the relevant data controller to apply to?

Answer

For GP records, contact the GP surgery the deceased person attended for advice. When a patient dies their GP records are normally transferred to the local primary care trust: the GP should be able to advise whether records have been transferred and if so, who the appropriate person (normally the record manager) to contact would be.

For hospital records, contact the Record Manager at the hospital(s) the patient attended to determine if the records have been retained or destroyed.

General guidance on Record Management to NHS organisations recommends paper based GP records are retained for a minimum of 10 years and 8 years for hospital records after death.

If you know the area where the deceased person lived or was treated you can find the hospital or GP surgery using the NHS Choices website:

Question

Will there be a financial charge for accessing copies of the records of deceased people?

Answer

A fee of £10 may be charged for access to the health records, where the record has not been added to in the 40 days preceding the application. An additional fee may be charged for copying and posting the records. There is no limit on this charge, but it should not result in a profit for the record holder. Please note that some types of records, such as x-rays, may be expensive to copy.

Question

What are the time limits for dealing with a request for copies of records?

Answer

Once the data controller has all the relevant information and fee where relevant, they should comply with the request promptly and within 21 days, where the record has been added to in the last 40 days, and within 40 days otherwise.

Question

Can a person have unlimited access to the health records of the deceased person?

Answer

If the deceased person had indicated that they did not wish information to be disclosed, or the record contains information that the deceased person expected to remain confidential, then it must remain so. In addition, the record holder has the right to deny or restrict access if it is felt that disclosure would cause serious harm to the physical or mental health of any other person, or would identify a third person.

Question

Where should health records of the deceased be sent?

Answer

When a patient dies, their GP health records are transferred to the relevant Primary Care Trust where they are retained for the recommended retention period before the Records Manager will decide whether to further retain or destroy them. In the case of hospital health records, these remain at the relevant hospital, or may be sent to a local archive for storage where they are retained for the recommended retention period. The Department of Health recommends that GP records are kept for a minimum of 10 years and hospital records are kept for a minimum of 8 years following the end of any treatment, or the patient's death if the patient died whilst receiving treatment. At the end of that specified time the Records Manager at the Trust will decide whether to retain the records further or destroy them. For further details see HSC 1999/053 'For the Record'.

Access to medical reports

Question

What legislation governs access to medical reports?

Answer

The Access to Medical Reports Act 1988 governs access to medical reports made by a patient’s normal clinician for insurance or employment purposes.

Question

How should requests for medical reports be dealt with?

Answer

Specific provision is made in the Access to Medical Reports Act 1988 for a patient’s medical practitioner to supply a third party, such as an employer or an insurance company with a medical report about the patient.

Question

Reports written by who?

Answer

The Act only applies to a report prepared by the medical practitioner who usually looks after the clinical care of the person. Reports prepared by other medical practitioners, such as those contracted by the employer or insurance company are not covered by the Act. Reports prepared by such medical practitioners are covered by the Data Protection Act 1998.

Question

Does the patient have to consent for a report to be written?

Answer

Yes. The Access to Medical Reports Act 1988 provides that a person cannot ask a patient’s medical practitioner for a medical report on him/her for insurance or employment reasons without the patient’s knowledge and consent. Patients have the option of declining to give consent for a report about them to be written.

Question

Do patients have the right to amend the report if they feel it is incorrect?

Answer

Yes. The patient has the right to see the report, subject to certain safeguards, before it is supplied and to ask for any part that (s)he thinks incorrect to be amended. If a patient requests an amendment to a report, the medical practitioner should either amend the report accordingly, or, at the patient’s request, attach to the report a note of the patient’s views on the part of the report which the doctor is declining to amend. Patients should request amendments in writing.

Question

Do patients have the right to have a copy of the report?

Answer

Patients can be supplied with a copy of the report before it goes to the employer. They have to notify the medical practitioner of this wish. When a patient requests to see a copy of the report before it is supplied to the employer, the medical practitioner who wrote the report must comply with this (unless 21 days have passed since the patient has communicated with the doctor about making arrangements to see the report). A medical practitioner may make a reasonable charge for supplying the patient with a copy of the report. When a patient has been given access to the report, the report cannot be passed on to the employer without the patient’s consent. Doctors should keep copies of reports they supply for 6 months. A medical practitioner should provide a copy of a report supplied to an employer in the previous 6 months, if a patient requests it. There may be a reasonable charge for this. Medical practitioners are not required to give copies of reports to patients under certain, specific circumstances. The medical practitioner may refuse to give access to the report if it would reveal information about a third person, or if it would reveal the identity of a third person who had given the medical practitioner information about the patient for the report (unless the person has consented, or is a doctor). If access is refused to part of a report the doctor should tell the patient this.

Question

Does the patient have to consent for the report to be supplied to the person who applied for it?

Answer

Yes. The medical practitioner must seek the patient’s consent before he or she supplies the report to the person who applied for it. If the patient requests a copy of the report and access is refused to part of a report, the doctor cannot supply the full report to the employer without the patient’s consent.

Question

What powers do the courts have?

Answer

A court may order a person to comply with this Act if it feels that the person has not been compliant.
