How to obtain a copy of your medical records in the UK
This is something that FND Hope UK sees quite often on its social media forums. Sometimes members believe that they must use the Freedom of Information law but this is incorrect. If you wish to obtain a copy of your medical records you must make what’s called a “subject access request” or “SAR” under the Data Protection Act 2018 (Article 15 of the General Data Protection Regulation 2016/679). It is a simple process requiring you to ask for a copy of the information that you want.
It is important to understand that the organisation holding your medical records does not actually have to provide you with a COPY of your records. They are required, by law, to tell you only what sort of the information they hold. However, in practise most organisations do comply by providing a copy of the document/s you ask for. They may black out parts (this is called “redaction”) if there is specific information that does not relate to you and/or mentions or concerns another person.
You can make a SAR verbally or in writing (which includes an email or filling out an on-line electronic application). However, it is strongly advised that you make the request in writing and that you keep a copy of your request and proof of postage or delivery, just in case the organisation fails to respond or takes longer to reply to you than the law permits.
Data protection legislation requires any organisation that holds medical information about you to provide what is known as a “Privacy Notice” or a “Fair Processing Notice” which includes the person or office to contact if you wish to make a SAR. These Notices should be on their website. They may be called a number of things such as ‘GDPR’, ‘Data Protection’, ‘How we use your information’, ‘Privacy Centre’ or another term.
Access to make a SAR should not be difficult to find as data protection law requires organisations to be transparent in how they use your personal information. This includes making it easy for you to find out how to make a SAR. If it is not immediately clear, you could search their website using for “data protection” or you could simply phone or email the organisation and ask where it is and how to make a request.
When you make a SAR, it is important to be as clear and precise as you can about the information that you want. It will help the organisation locate your information as quickly as practical. If they reasonably need more input from you in order to help them find your information or to identify you, they should ask you, but this necessarily may cause a delay in providing you with the information that you are after.
Making a SAR
When making a SAR you must include the following information:
- Your full name and contact details (email and postal address, telephone number);
- Any information used by the organisation to identify or distinguish you from other people with the same name (this could be a hospital reference, other identification number or your date of birth or National Insurance number.);
- Any details or relevant dates (such as the duration of a stay in the hospital or the period when you were treated) that will help it identify what you want.
You may find that some organisations respond to a written approach by asking you to complete their standard SAR template, which could be on-line. However, there is no legal requirement either for you to use their template or if it requires you to provide a countersignature to confirm your identification to provide one. You should remember that the organisation is holding very sensitive information about you, and it is important that they make sure that you are who you say you are. If asked, your identity could be confirmed by providing, for example, a copy of your passport or driving licence or other formal documentation.
You must be provided with the information free of charge. An organisation may charge a fee only if you want additional copies or if it thinks that the request is ‘manifestly unfounded or excessive’. Although this phrase is not defined in the law, it is likely to include such things as repetitive requests. Making the same or a similar request within six months when there has been no material change in circumstances is likely to be taken as a repetitive request. “Manifestly unfounded” would cover the situation where you threatened to inundate an organisation with SARs unless they give you something. This is evidence that your motive is not to exercise your data protection access right. However, the organisation must be able to justify a refusal to comply with a SAR on the grounds that it is either “manifestly unfounded or excessive”.
An organisation can refuse to provide you with information in your medical records, if it considers that releasing the information to you would be likely to cause serious harm to your or another person’s physical or mental condition. Again, the organisation must be able to justify using this exemption to refuse.
Once your SAR has been submitted, the organisation must act without undue delay and, at the latest, within 1 month from receiving your request. This time starts to run from the day the organisation receives your request (even if that day is a weekend or public holiday) and ends on the corresponding calendar day in the next month, or the next working day if that date is a public holiday or there is no corresponding calendar day.
- If the organisation receives your request on the 3rd September, the time limit will start on that day and they must comply with your request by the 3rd October. If the 3rd October is on a weekend or is a public holiday, then the organisation must comply with your request before the end of the next working day after the 3rd October.
- If the organisation receives your request on the 31st March, the time limit will start on the 31st March. However, as there is no 31st April, the organisation has until 30th April, the last day of the next calendar month, to comply. As in the previous example, if the 30th April is on a weekend or is a public holiday, then the organisation must comply before the end of the next working day.
This response period can be extended by a further two months if the request is complex or you have made a number of SARs.
Please note that not all organisations are yet fully aware of their responsibility under data protection law and there are some that choose to trivialise applications or just fail to or delay their response. It may take several contacts and reminders before you receive the information you are entitled to. However, it is not your responsibility constantly to chase an organisation, particularly not until the time limit has expired.
If after you receive a response you are unhappy with it, or if there has been no response, you should first make a polite written complaint directly to the organisation. This should contain full details of the original SAR with the date it was sent. You should state that no response has been received within the legally required time period. If you have already followed this step and still remain unsatisfied, then you have the option to complain formally to the Information Commissioner. Their website is https://ico.org.uk and there is a standard form for making a complaint that is explained.
It should be stressed that it is important for you to make a SAR as soon as possible, particularly if you feel there is a risk that essential information might be destroyed.
[Your full name]
[Name and address of the organisation]
Subject Access Request under the Data Protection Act 2018, Article 15 of the General Data Protection Regulation 2016/679
[Provide details to help identify you.]
Please will you supply the personal data about me to which I am entitled under data protection law. This information relates to:
[Provide give specific details of the data you want. This could be my medical records between [dates] held by ‘Dr X’ in ‘Department’ at ‘hospital Y’. You could also request any relevant correspondence.]
If you need any more information from me, or a fee, please let me know as soon as possible. I would be grateful for a response to this request within one calendar month, as required under data protection law.
If you are not responsible for dealing with a request for information, please pass this letter to your Data Protection Officer, or relevant member of staff, without delay.