Patient access to health records – guidance on viewing prospective record access

The NHS wants to give people better ways to see their personal health information online. We know that people want to be able to access their health records. It can help you see test results faster. It also lets you read and review notes from your appointments in your own time.

We are now letting you see all the information within your health record automatically. If you are over 16 and have an online account, such as through the NHS App, NHS website, or another online primary care service, you will now be able to see all future notes and health records from your GP. Some people can already access this feature; this will not change for you.

This means that you will be able to see notes from your appointments, as well as test results and any letters that are saved on your records. This only applies to records from your GP not from hospitals or other specialists. You will only be able to see information from when you register at the Practice. For most people, access will be automatic, and you will not need to do anything.

Your GP may talk to you to discuss test results before you are able to see some of your information on the app. Your GP may also talk to you before your full records access is given to make sure that having access is of benefit to you. There might be some sensitive information on your record, so you should talk to your doctor if you have any concerns.

These changes only apply to people with online accounts. If you do not want an online account, you can still access your health records by requesting this information through reception. The changes also only apply to personal information about you. If you are a carer and would like to see information about someone you care for, speak to reception staff.

The NHS App, website and other online services are all very secure, so no one is able to access your information except you. You will need to make sure you protect your login details. Don not share your password with any one, as they will then have access to your personal information.

If you do not want to see your health record, or if you would like more information about these changes, please speak to your GP or reception staff.

There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.

Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally; any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.

Requests may be received from the following:

Competent patients may apply for access to their own records or authorise third-party access to their records.

Children and young people may also apply in the same manner as other competent patients and West Heath Primary Care Centre will not automatically presume a child or young person has capacity under the age of 16. However, those age 12 or over are expected to have the capacity to consent to medical information being disclosed.

Parents may apply to access their child’s health record so long as it is not in contradiction to the wishes of the competent child.

Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. West Heath Primary Care Centre will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.

Next of kin have no rights of access to health records.

Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at West Heath Primary Care Centre may disclose relevant information to the police if the patient has consented or if there is overriding public interest. For detailed information, see section 4.1.6 of footnote 2.
Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. West Heath Primary Care Centre will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient. In the case of a solicitor requesting information, the BMA has provided the following templates:
Consent form to release information to solicitors in England & Wales

West Heath Primary Care Centre will ask solicitors to use the appropriate form when requesting information.

Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990. Under the terms of this Act, West Heath Primary Care Centre will only grant access if you are either:
a personal representative (executor of the deceased person’s estate), or
someone who has a claim resulting from the death

The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage. West Heath Primary Care Centre can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.

In the cases of any third-party requests, West Heath Primary Care Centre will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.

In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, West Heath Primary Care Centre will adhere to the guidance provided in the GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.

Under The Data Protection (Subject Access Modification) (Health) Order 2000, West Heath Primary Care Centre will ensure that an appropriate healthcare professional manages all access matters. At West Heath Primary Care Centre there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.

Furthermore, to maintain GDPR compliance, the data controller at West Heath Primary Care Centre will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at [West Heath Primary Care Centre will ensure that the processing of personal data is lawful and at least one of the following applies:
The data subject has given consent to the processing of his/her personal data for one or more specific purposes
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
Processing is necessary for compliance with a legal obligation to which the controller is subject
Processing is necessary in order to protect the vital interests of the data subject or another natural person

Procedure for access


A DSAR form(Paper Copies available at the Surgery-Please ask the Reception Staff) must be completed and passed to the data controller; all DSARs should be processed free of charge unless they are either complex, repetitive or unfounded The GDPR states that data subjects should be able to make access requests via email. West Heath Primary Care Centre is compliant with this and data subjects can complete an e-access form and submit the form via email.
Upon receipt of a DSAR, West Heath Primary Care Centre will record the DSAR within the health record of the individual to whom it relates, as well as annotating the DSAR log. Furthermore, once processed, an entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual.

Individuals will have to verify their ID at West Heath Primary Care Centre and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Data Subject Access Request (DSAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.

The process upon receipt of a DSAR form is clearly illustrated at Annex C, which is an aide-memoire/flow diagram.

Third-party requests

Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.

The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject.


Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns with the Practice Manager or Information Governance Lead GP