Policies and Procedures IT and Data Management

Dealing with third-party requests for patient records

A recent court ruling could help GP practices to handle third-party requests for copies of medical records more confidently and efficiently. GP and IT expert Dr Trefor Roscoe explains how the ruling came about, and what it means for your practice.

Why are third-party requests for records causing problems?

The General Data Protection Regulation (GDPR) caused an increase in work for GPs when introduced in May 2018. Requests for copies of patient records increased dramatically as a result.

A subject access request (SAR) is a request for information to an organisation who holds personal data.  In general practice, this means a patient can ask for a copy of their entire medical record, for free.

Until the introduction of GDPR, the Data Protection Act (DPA) and the Access to Medical Reports Acts covered such data requests.  Solicitors, with the patient’s informed consent, could ask for copies of their client’s GP medical record to be sent to them directly for a maximum £50 fee.

Since last May, we know from anecdotal reports and the BMA that they have increasingly used a SAR to get the record for free.[1]

Should GP practices release records to a third party?

The BMA and the ICO have said GPs can (with the patient’s consent) release copies of records produced in response to a SAR direct to a third party, notwithstanding the extra costs involved for postage, printing and staff time.

However, even with the patient’s consent, this may result in releasing information the patient was not aware or had forgotten was in their record, or thought the GP would not release. One medical defence organisation recently reported a case where the patient thought the GP would remove references to a termination of pregnancy when releasing the notes for an action against a hospital. The patient’s husband found this out, while reviewing her case alongside her, and that it occurred several years after he had undergone vasectomy, leading to divorce proceedings. The only defence in this situation is if the patient has fully consented or has seen the record before it is sent.

GP notes contain all sorts of such sensitive information, including evidence of Class A drug use (such as A&E reports of treatment of the consequences), driving offenses, spells in custody, treatment of STIs and social information.

In addition, at least one solicitor has warned that asking a claimant to request a SAR in order to obtain their health record amounts to forced disclosure, which is a criminal offence.[2]

Why did the court case come about?

Given the confidentiality issues outlined above, GPs have been concerned about how the GDPR rules should be applied when making requested information available to a third party, in particular to ensure the patient understands exactly what is being released.

A consensus was reached by a GP discussion group on Facebook that making the record available on paper or in an electronic format (for example, compact disc) for the patient to collect at the reception desk was appropriate and sufficient to meet both the solicitor’s or insurer’s requirements and the practice’s obligations under the DPA 2018.

However, in a recent court case, one firm of solicitors disagreed and told their client not to collect records left at reception.

The practice in question continued to refuse to post the records to the solicitors’ client, which led to legal action by the solicitors. They alleged the SAR made by the patient had not been upheld (ie, disclosure of the requested information had not been made) and requested that the court should order the practice to supply the information directly to them.    

The practice stood its ground, despite facing potential legal costs of up to £20,000, arguing that its obligations under GDPR meant it should release the information to the patient not the third party, and that it was reasonable to expect the patient to collect their records.

What did the court rule?

The judge ruled that the patient’s right of access had been fully upheld by the practice’s actions, and dismissed the application for the court order to release the information to the solicitor, as this would bypass the data subject completely.   

What about concerns a patient could tamper with records?

One of the arguments the solicitor made in this particular case was that the patient might tamper with the data, for example removing information they did not want to release. This would lead to an unreliable chain of evidence.

In this case, the judge ruled that this notion was ‘fanciful’ and would mean the subject was being accused of ‘fundamental dishonesty’ by their solicitor.

The practice’s barrister similarly pointed out that if the patient had not seen the full record, then an expert report by a doctor who had seen them might make the patient claim the notes were incorrect or incomplete. 

In any case, a patient is entitled to remove information they feel they do not want to release – this is one of the fundamental principles of all data protection legislation: the data subject is in control.

Was it reasonable for the patient to pick up the notes?

In this case, given the patient lived only a few hundred yards from the surgery and attended over 10 times while the notes were in reception, it was agreed by the court that there was no barrier to collection.

Exceptions to collection might be if the patient was unable to attend personally because of being housebound, temporarily abroad (for example, in hospital following an accident on holiday) or in prison.

In these cases, however, they could nominate a friend or relative to do the collection – or alternatively a medical report could be prepared from the notes and posted. In the latter case the AMRA applies and a charge can be made.

Could providing the information electronically help?

Electronic requests under GDPR should result in an electronic response. Unfortunately for GPs, this is usually not possible. The file size created after collating the notes and redacting third party information is often large and exceeds the limit on NHS email making them impossible to send in one file. Breaking it into smaller sections is extremely time consuming and the patient would have difficulty making sense of multiple files.

Making the file available on the cloud is also problematic. There is no provision within NHSnet for such secure storage and most commercial cloud services are hosted on servers all over the world and so could be at risk of interception.

One solution is to use CDs or USB sticks. As these can get lost or damaged in the post, however, collection is still the most secure way to deliver the information to the patient. Practices must also use new devices to ensure they are virus free.

All such files should be encrypted and the key sent to the patient separately, usually by SMS text. This makes redaction by the patient difficult without printing it all out and using a black marker pen, then rescanning it. Initial redaction can be done by software that is now widely available.


This court case has helped to clarify a difficult aspect of compliance with GDPR in primary care.

The BMA continues to advise that, under the regulations, practices should supply medical records to a third party (solicitor) if authorised to by the patient – unless they have particular concerns about doing so.

The ICO has stated that the ruling does not mean subjects should have to collect records from a data controller’s premises.

However, many GP experts in IT think the recent judgment is clear and supports the view that:

  • practices can make copies of records available at reception to patients within the 30-day deadline set out in GDPR, and
  • while they are permitted to send copies direct to third parties, they do not have to – and this approach is fraught with difficulties.

A group of over 100 GPs and practice managers have now written to the ICO to ask that GP practices are excepted from the obligation to post records to a subject, where the subject lives within a few miles of the surgery.


1. Lind, S. BMA: Subject access requests to GPs increased by more than a third since GDPR. Pulse Today; December 2018

2. DAC Beechcroft – Forms of authority for medical records post-GDPR; June 2018

Guide URL:
XYou have free access remaining to read.

You have reached your limit of free access to articles.

Please login to access all guides.

Or, please register for a free trial to access all of the guides and unlock all features.