BMA updates SARs guidance for healthcare sector

BMA updates guidance on Subject Access Requests: Health records |  Revised UK healthcare sector SARs best practices The British Medical Association has recently updated its guidance on Subject Access Rights (SARs) pertaining to medical records.

Who may apply for access to their own health records?

Subject to certain exemptions detailed in the BMA’s Access To Health Records publication, the following groups may apply for access:

  • Patients with capacity;
  • Children and young people under 18 with competency;
  • Some parents, and;
  • Authorised individuals acting on behalf of patients lacking capacity

Applicants may submit a Subject Access Request electronically, verbally, or in writing.

Processing Subject Access Requests – Medical records

Doctors are advised to ensure their methods of keeping health records facilitate access by patients, if and when requested. Records containing information that should not be disclosed should be clearly identified, flagged, or highlighted. Patients’ views concerning any future disclosure to third parties should be documented. Also, doctors should consider initiating such discussion with some patients, if sensitive or controversial data becomes the issue of a future problem.


How and when to provide access to health records

Whilst it is not necessary to provide original health records, a member of staff should be present. This is because some patients can become distressed when reading their medical records. A medical practitioner present can also explain clinical terms to the patient. When providing access, the identity of the requester must be verified using ‘reasonable means’.  The individual must then be provided with a copy of their data without undue delay. This must be at the latest within 28 days of their request being received. There may be certain circumstances where additional time is needed in order to facilitate a Subject Access Request. For example, in the case of complex or multiple requests requiring extra time in which to assemble and provide the data.

SARs – provision, refusals, and exemptions

The GDPR requires the following information to be provided, under a Subject Access Request:

  • purpose of processing;
  • categories of personal data;
  • third parties with whom the data has been shared;
  • explanation of rights to have incorrect or inaccurate information corrected, plus any rights of objection, and;
  • the right to submit a formal complaint to the Information Commissioner’s Office (ICO)

A request for access can be refused if the request is ‘manifestly unfounded’ or is found to be repetitive. In cases where a SAR is refused for this reason, the patient must be:

  • provided with an explanation of the refusal, and;
  • advised of their right to lodge a complaint with the ICO.

Certain information can be deemed as exempt from disclosure, and therefore not disclosed if:

  • it is likely to cause physical or mental harm to the patient, or to another person;
  • it relates to a third party who has not given their consent to the disclosure. – and it is reasonable to withhold third party information;
  • the data is requested by a third party and the patient has requested that the information be kept confidential, or;
  • the health records are subject to legal professional privilege;
  • the information is restricted by a court order;
  • the data relates to the keeping of gametes or embryos;
  • it pertains to the birth of an individual as a result of vitro fertilisation, or;
  • in the case of children’s medical records, disclosure is prohibited by law. e.g. adoption records

Access requests from other third parties

Although the GDPR does not apply to personal data pertaining to deceased individuals, there are certain ethical obligations. Respect for a patient’s personal privacy extends beyond death. Legislation also attaches a duty of confidence to the health records of the deceased. However, this must be balanced with other considerations, such as those who were close to the deceased patient. Consideration must also be given to access requests by the police or the courts.

Data retention and destruction

Medical records should be retained for a minimum of 8 years, after the cessation of treatment. Doctors’ records must be kept for 10 years, and certain types of health records may be retained for longer periods. These can include children’s records, mental heal records, and obstetric records. It is the responsibility of medical professionals to ensure an effective method of records destruction, which does not compromise confidentiality. Data destruction methods can include, shredding, pulping, or incineration. Digital data should be destroyed using certified data erasure software.


This article is not intended as advice to medical practitioners, hospitals or other health related organisations. The

British Medical Association

provides complete and accurate guidance on this subject.

More articles concerning

Patient Records

Sources, credits and further reading:

BMA (Access-to-health-records-October-2018)

Contact Our Team Today
Your confidential, no obligation discussion awaits.