Since the Data Protection Act 2018 came into force, GP practices have faced several issues relating to GDPR (the EU's General Data Protection Regulation, which remains part of UK law as the UK GDPR). These practices handle sensitive data every day, and patients expect their privacy to be fully protected.




The legislation allows patients to access their medical records free of charge via a Subject Access Request (SAR). This includes circumstances where they authorise a third party, such as an insurance firm or a solicitor, to request the data on their behalf. To remain legally compliant and avoid enforcement action from the Information Commissioner's Office (ICO), GP practices should take heed of the rules concerning patient data, as outlined below:

Document Retention

In England, Northern Ireland, and Wales, GP records should be retained while a patient is alive and for at least ten years after they die. In Scotland, these records should be kept for at least three years after a patient dies. Patients can ask for their Summary Care Record to be removed and can invoke the GDPR right to erasure (the 'right to be forgotten'), but that right is not absolute: it does not apply where the practice must keep the data to meet a legal obligation, and records should not normally be deleted within the advised retention period. Keeping the full record intact also preserves the integrity of the audit trail.

The main thing to remember about GDPR is that it adds to, rather than replaces, the confidentiality obligations that already exist between doctors and patients. The legislation applies to paper (physical) records and digital records alike. GDPR does not cover the rights of deceased patients; access to their records is governed instead by the Access to Health Records Act 1990.

Subject Access Requests

A solicitor can ask to access a patient's medical record if they hold the patient's written consent, and the practice should satisfy itself that the consent is genuine, current, and covers the information being requested. Sometimes the full record will be requested so that the solicitor can determine which parts relate to an insurance claim or compensation case. GPs who receive SARs from insurance firms should contact the patient to discuss how the disclosure could affect them. Rather than sending the data to the insurer directly, GPs should give it to the patient concerned, who can then decide what to pass on.

Can A GP Charge For A SAR?

Organisations are normally expected to handle SARs free of charge. A GP practice can, however, charge a reasonable fee (or refuse the request) where a request is manifestly unfounded or excessive, for example where the same individual or organisation repeatedly asks for the same data. Fees can also be charged for work that falls outside a SAR, such as interpreting the record for a third party or producing a medical report.

Digital Or Hard Copy Records?

As far as providing information to patients goes, the Information Commissioner's Office favours digital formats. Its guidance indicates that where a request is received electronically, the practice should respond in a commonly used electronic form unless the patient asks otherwise. CDs or USB drives are acceptable, but it is prudent to confirm the preferred format with the patient beforehand, and any removable media should be encrypted, with the password sent separately, so that a lost or intercepted disc does not become a data breach.

Find Out More

At CAS, we offer a range of digital storage options, and have served NHS Trusts for over twenty-five years. Contact us today to find out more.

