Medical records access

GDPR changes to Subject Access Requests and fees from 25 May 2018

The General Data Protection Regulations and the Data Protection Act 2018 replaced the Data Protection Act 1998 on 25 May 2018, bringing in widespread changes to UK data protection legislation. For GPs the act brings in a number of changes, specifically to the charges that were in place for undertaking Subject Access Requests.

Since 25 May, in most cases, patients must be given access to their medical records as a Subject Access Request (SAR) free of charge, including when a patient authorises access by a third party such as a solicitor.

If the request is for a medical report to be created, or for interpretation of information within a medical report/record, this will fall under the Access to Medical Report Act (AMRA), as both require new data to be created, which is outside the scope of the GDPR and Subject Access Requests. In these cases, a fee can be charged.

A medical report/record that already exists will be accessible, for free, as a SAR. A ‘reasonable fee’ can be charged for a SAR if the request is manifestly unfounded or excessive; however, these circumstances are likely to be rare.

The ICO advise that a request may be deemed manifestly unfounded if the requestor makes it clear they are only requesting the information to cause disruption to the organisation or if the requestor makes completely unsubstantiated accusations against the controller. If, however, the requestor has some form of genuine intention in obtaining their information, it is unlikely the request could be deemed manifestly unfounded.

A request could be deemed ‘excessive’ if an individual were to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee based on the administrative costs of providing further copies or refuse the request.