Medical Records Access in the United Kingdom
Reviewed by the Commoner Law Editorial Team. Sourced from UK Acts of Parliament, statutory instruments, and official guidance. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
For decades, accessing your own medical records meant writing to a hospital and waiting weeks. The Data Protection Act 2018 — the UK GDPR's domestic implementation — turned that on its head. Now you have a clear right to see GP records, hospital records, mental health records, and test results, usually within a month and usually for free.
The headline rules:
- A Subject Access Request (SAR) under UK GDPR Article 15 has to be answered within one month. Complex requests can be extended by a further two months, but only with a written explanation.
- No charge for most requests. A reasonable fee is only allowed for "manifestly excessive" or repeated requests.
- The NHS App and many GP online services already give you direct access to records, prescriptions, and test results — often quicker than a SAR.
Records of deceased patients can be accessed by their personal representative or those with a claim arising from the death — that route runs under the older Access to Health Records Act 1990, which UK GDPR didn't replace.
When does it apply?
- You want to see your own medical records — whether for personal information, a legal case, an insurance application, or a second opinion.
- Information can only be withheld in very limited circumstances: if disclosure would cause serious harm to your physical or mental health, or if it includes information about a third party who hasn't consented.
- Parents can access their child's records if the child lacks capacity to consent — but a Gillick-competent child can refuse parental access.
- Your records must be kept for specified periods: GP records are kept for 10 years after death (or the patient leaving the practice), hospital records for 8 years (30 years for maternity and children's records).
What to Do If the NHS Refuses to Give You Your Medical Records
Try the NHS App first. For everything else, write a formal SAR.
- Open the NHS App. It's the fastest route to GP records, test results, and prescriptions.
- For a formal SAR, write to the provider's Data Protection Officer stating you're making a Subject Access Request under UK GDPR. Include name, date of birth, and NHS number.
- If the response is refused, partial, or late, complain to the provider, then escalate to the Information Commissioner's Office (ICO).
- Spot an error? You have the right to request correction under Article 16 of UK GDPR. The provider must rectify or annotate the record.
What should you NOT do?
- Don't accept silent delays. If the provider needs the extra two months, they must tell you in writing within the first month — otherwise they're in breach.
- Don't assume records flow automatically between NHS organisations. They mostly don't. You may need to request from each provider separately.
- Don't pay an upfront fee. Standard SARs are free; charges are only valid for manifestly unfounded or excessive requests.
Common Questions
When does medical records access apply?
- You want to see your own medical records — whether for personal information, a legal case, an insurance application, or a second opinion.
- Information can only be withheld in very limited circumstances: if disclosure would cause serious harm to your physical or mental health, or if it includes information about a third party who hasn't consented.
- Parents can access their child's records if the child lacks capacity to consent — but a Gillick-competent child can refuse parental access.
- Your records must be kept for specified periods: GP records are kept for 10 years after death (or the patient leavi...
What should I do if my GP or NHS trust won't give me access to my medical records in the UK?
Try the NHS App first. For everything else, write a formal SAR.
- Open the NHS App. It's the fastest route to GP records, test results, and prescriptions.
- For a formal SAR, write to the provider's Data Protection Officer stating you're making a Subject Access Request under UK GDPR. Include name, date of birth, and NHS number.
- If the response is refused, partial, or late, complain to the provider, then escalate to the Information Commissioner's Office (ICO).
- Spot an error? You have the right to request correction under Article 16 of UK GDPR. The provider must rectify or annotate the record.
What mistakes should I avoid with medical records access?
- Don't accept silent delays. If the provider needs the extra two months, they must tell you in writing within the first month — otherwise they're in breach.
- Don't assume records flow automatically between NHS organisations. They mostly don't. You may need to request from each provider separately.
- Don't pay an upfront fee. Standard SARs are free; charges are only valid for manifestly unfounded or excessive requests.