The Data Regulator Confirms That Patients Are Not Required to Collect Medical Records

5th November 2019 Media Law

The UK Regulator of data protection, the Information Commissioner’s Office (ICO) has confirmed that data controllers (such as GPs) are required to provide data to individuals. The ICO confirmed the position in a series of tweets published last week and said that there is no requirement for individuals to collect data from the data controller, such as collecting medical records from the GPs surgery.

As Data Law Solicitors, we have noticed an increase in GPs requesting that patients collect their records.

The increase may be because under the previous law, which was the Data Protection Act 1998, GPs were entitled to charge an administrative fee for patients to receive copies of their medical records. Under the current law, the General Data Protection Regulation (GDPR) and Data Protection Act 2018 which came into effect in May 2018, data controllers can no longer ask patients to pay a fee.

Since May 2018, we have noticed that some GPs and clinics have asked patients or their Solicitor to collect records from the surgery. This is not only impractical, the ICO has now confirmed this is the incorrect approach.

The ICO said:

A court decision concerning the release of patient records has been the subject of online discussion in recent days. Despite reports, the case didn’t involve the issue of Subject Access Requests (SARs) but rather the release of patient records by order of the courts.”

As such, the legal position regarding GP practices responding to SARs remains unchanged and surgeries should follow ICO guidance and advice from the BMA on how to comply with the law.”

Data controllers are responsible for providing SAR responses to the individual or their appointed representative. A person should not have to take action to receive the information, such as by collecting it from a controller’s premises, unless they agree to do so.

What does this mean?

The ICO has confirmed that when an individual makes a subject access request, the GP or clinic has the responsibility of providing the medical records to the individual making the request.

When an individual has appointed a representative, such as a Solicitor, the medical records should be provided to the representative. It may assist GPs to know that appointing a representative should be done in writing by the patient.

The GDPR says that when an individual makes a subject access request, if the request is made electronically, the information should be provided in a “commonly used electronic format” and best practice would be to provide remote access where available.

If you are a patient requesting your medical records electronically, do let your GP know that you would like to receive your SAR response in a secure electronic form such as encrypted or with password protection.

Talk to Us

If you have not received a response to a subject access request or received a delayed response you may be entitled to compensation for the distress caused. You can contact the Data Law team at JMW Solicitors on 0345 872 6666 to discuss your case.

We're Social

Dominic Walker is a Solicitor located in Manchesterin our Media Law department

View other posts by Dominic Walker

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest