• Ranked in Chambers & Legal 500 for Personal Injury & Clinical Negligence
  • Featured in the Times Top Law Firms 2019, 2020, 2021 & 2022 List for Personal Injury & Clinical Negligence
  • In 2021 alone, we were successful in securing over £85 million in damages for our clients
  • Over £98 MILLION in damages secured for our clients during lockdown!

A Guide to Obtaining Medical Records Under the GDPR

There are a number of circumstances under which an individual might require a copy of their medical records, whether to flag up an inaccuracy or to gather evidence to support a legal claim.

However, many people are unclear on how to obtain these medical records - particularly since the introduction of the General Data Protection Regulation (GDPR), which significantly changed the way the process works.

As such, Potter Rees Dolan has partnered with the Birth Trauma Association to put together this comprehensive guide to getting hold of medical records under GDPR, which should help you to obtain the information you require as efficiently as possible.

To find out more information on your medical data rights, contact Potter Rees Dolan on 0800 027 2557; if you have been affected by birth trauma and are looking for information and compassionate support, contact the Birth Trauma Association on 01264 860 380.

How do I make a request to obtain my medical records?

To ensure you are able to receive the medical information you require with as little delay as possible, follow these practical steps:

  • Identify the organisation holding your health records, known as the data controller. This may be a hospital trust, GP practice, optician or dentist.
  • Find the person who deals with data requests for the organisation in question, and clearly mark your request for their attention.
  • For a GP surgery, this might be the practice or patient services manager, or for a hospital it may be the access to medical records team. It is best to contact the organisation before making your request, so you can check who it should be marked for and that you have the correct address.
  • If you are requesting access to your own medical records, ensure you include your full name, date of birth and current address.
  • If you are making a request for access to medical records on someone else’s behalf, include their details as well as your own, and detail your relationship (e.g. as the parent of a child) to explain why you are the appropriate person to make the request.
  • Try to be as specific as possible in your request for the medical records, particularly if there is a long history of treatment. For example, you might request copies of your medical records within a certain date range, or ask for information pertaining to a specific operation.
  • Confirm that you are making a ‘Subject Access Request’ under GDPR and that you understand that this means there should be no charge for the copy records.This will ensure that you are not charged for being provided with copies of your records.
  • Make your request in writing by email or letter, and keep a copy. This will ensure you have a record of your correspondence that you can refer back to.
  • Contact the organisation to confirm that they have received your request. Make a note of the date on which they received the correspondence, the date by which the records will be sent, and the format in which they will be provided to you. The records should be provided to you within one month of your request being received. This will help you keep on top of the process and ensure the organisation can be held accountable for fulfilling the request.

What kind of medical records are covered by GDPR?

GDPR is a piece of EU legislation that came into force in the UK on May 25th 2018. It represents the most important change in data privacy regulation in 20 years.

It is designed to provide individuals with greater access to and control over their own personal data, specifically in terms of how it is held and used by third parties.

The UK government has since passed the Data Protection Act (DPA) 2018, which enshrined GDPR into British law. This has led to a change in how individuals in the UK can access their medical records from GP surgeries, hospitals and other institutions, with data requests made under either GDPR or the DPA treated in the same way.

  • Under GDPR/DPA 2018, GP practices and hospitals are classified as data controllers, meaning they have collected personal identifying information and medical data regarding their patients, which has then been processed. As data controllers, they are responsible for the highest level of data protection compliance under GDPR.
  • As such, when a request is made for data to be provided under GDPR/DPA 2018, these medical organisations have an obligation to comply with that request, regardless of whether or not the person in question is a former or current patient.
  • GDPR/DPA requests apply to both digital and physical (paper) data records; providers are encouraged to agree the format in which the data is going to be provided with the individual requesting it. Some organisations may request that physical data be collected in person from their offices; however, if the requestor is unable to do so, the organisation cannot withhold the data and must send it on.
  • All information that is sent is subject to any pre-existing confidentiality obligations that already exist, e.g. between a doctor and patient.

Does it cost anything to access my medical records?

Before the introduction of GDPR/DPA 2018, individuals could expect to be charged for accessing their medical records, but they now have the right to request access to their own medical records under a Subject Access Request without any associated costs.

However, a handful of situations remain in which a charge may or may not apply:

  • When a patient gives consent for a third party - such as a solicitor or insurer - to access their medical data, there is no charge.
  • When a request is made for a medical report or record that already exists, there is no charge.
  • When a request is made for a medical report or record that does not yet exist and would require the creation of a new document, a fee will be required under the terms of the Access to Medical Reports Act (AMRA).
  • If the organisation considers the request to be “manifestly unfounded or excessive”, they may be entitled to charge a “reasonable fee”. This term is subjective, and depends on the individual practice’s interpretation. If you are notified that a fee is going to be charged, you should seek confirmation as to exactly why they consider such a fee to be required.
  • If you make repeated Subject Access Requests for the same information, and that information has already been provided several times, you may be required to pay a fee. The definition of the word “several” is subjective, and in these circumstances the organisation can either impose a charge or refuse to provide the information at all. It is therefore important to keep track of all documents you receive, as they cannot be requested multiple times.

How long will it take for my records to be provided to me?

Organisations have exactly one month from the date they received the Subject Access Request to provide the records to you. For example, if you request a copy of your GP records on July 1st and hand-deliver your request to the GP surgery on the same day, the requested records should arrive no later than August 1st.

If you send your Subject Access Request to the organisation by post, email or any other method of indirect delivery, you will need to confirm the date on which the request was received.

Ensuring you have the correct address on your request, and that you have sent it to the right department, will help prevent any long delays between your request being sent and it being received.

Does GDPR/DPA 2018 apply to deceased patients?

GDPR and DPA 2018 do not specifically apply to the records of deceased patients, but they have nevertheless led to legal changes that may make this information easier to obtain.

The updated Access to Health Records guidance from the British Medical Association (BMA), released at the end of June 2018, notes that GDPR/DPA 2018 amends the terms of the Access to Health Records Act 1990, the legislation that provides access to the records of deceased patients. As such, any copies requested must now be provided free of charge.

The BMA guidance confirms that a doctor’s ethical obligation to respect a patient’s confidentiality “extends beyond death”, meaning health professionals are required to counsel their patients about the possibility of disclosure of sensitive personal data after their death. These discussions will be noted in the records, and may influence the availability of the data.

Can I request for my medical records to be amended?

If you identify inaccuracies in your medical records after you receive them, you may wish to request for them to be amended and corrected, although the outcome of this process will depend on the circumstances.

Under article 16 of GDPR, individuals have the right to ask for any inaccurate or misleading personal data held by a third party to be rectified, or added to if it is incomplete.

You may, for example, ask for corrections to errors in recording your name, date of birth, address and NHS number, or ask for your medical records to be amended if you have changed your name.

Individuals can make a request for rectification verbally or in writing, and the organisation will have one month from the date of receipt of the request to respond.

However, it is worth noting that GDPR does not give a specific definition of the term “accuracy”, and there may be situations in which requests for corrections will be refused:

  • A record of a prior mistake is not itself considered to be inaccurate data. For example, if a GP were to make an incorrect diagnosis of a particular condition that was later proven to be wrong, the record of the original diagnosis would remain on record with a note explaining the up-to-date findings.
  • Subjective medical opinions with which the patient disagrees are unlikely to be corrected, as long as the record shows clearly that the information is an opinion, and proper attribution is included where necessary.

In the event that the organisation considers the requested correction to be unnecessary, they will inform you of their decision and the reasons behind it. If you are still unhappy with the outcome, you have the right to make a complaint to the Information Commissioner’s Office.

Useful links

For more information on this subject, check out the official NHS information page on how to access your health records:


If you are looking for the relevant organisation to submit your request for information, begin by consulting the NHS online database of hospital trusts:


If you need more information or advice on your data rights, contact the Information Commissioner’s Office (ICO), the UK governing body responsible for ensuring organisations comply with their obligations under GDPR/DPA, on their helpline at 0303 123 1113, or visit the organisation’s website at www.ico.gov.uk. You can also contact their regional offices below:

Information Commissioner's Office – England

Wycliffe House

Water Lane




Telephone: 01625 545 745

Email: mail@ico.gsi.gov.uk

Information Commissioner's Office – Scotland

45 Melville Street



Telephone: 0303 123 1115

Email: scotland@ico.gsi.gov.uk

Information Commissioner’s Office – Wales

Churchill House, 2nd Floor

Churchill Way


CF10 2HH

Telephone: 0330 414 6421

Email: wales@ico.gov.uk

Information Commissioner's Office - Northern Ireland

14 Cromac Place, 3rd Floor



Telephone: 028 9027 8757 or 0303 123 1114

Email: ni@ico.org.uk

By filling out this form you are authorising Potter Rees Dolan to use the details you provide to contact you regarding your potential claim. Read our Website Privacy Notice.

Contact Us

* required fields
Tag Cloud
Clinical negligence Personal Injury serious injury medical records GDPR birth trauma association