Improved access to NHS records - EU GDPR

Published : Sunday 25 March 2018

Within the NHS there is a great deal of misunderstanding and  misinterpretation when it comes to the Data Protection. ...

Please note: this content is 6 years old. It may be of lower quality or no longer accurate.

From 25th May 2018 new UK data protection laws come in to effect as a result of the EU and something called  GDPR (General Data Protection Regulation). The new Data Protection Bill will replace the current UK Data Protection Act (DPA).

While not immediately obvious this is great news for individuals and patients alike.

Why should you care?

Access to health records is incredibly important. Many studies, notably the the US OpenNotes programme, which now includes over 20 million patients, have shown that access to records improves communication, understanding and importantly health outcomes not to mention the importance at the point of care. This is something we can all benefit from today.

It’s worth noting that the Data Protection Act today gives you as a patient the right to access your records but, to date has been poorly understood and implemented in the NHS.

Alongside this and compounding issues many patients assume because we have a so called “National Health Service” that our records are available or shared between organisations however, more often than not this isn’t the case.

From personal experience having access to my record would address a number of issues:

  • The need to recall drug names, doses and key parts of my history.
  • Being subjected to unnecessary repeat procedures because information is missing or unavailable.
  • Being subjected to a delays, unnecessary tests and even admission because I can’t convince A&E to just treat me as on previous occasions.
  • Two separate record mix ups leading to me being sent to other patients appointments including an xray.

These are just a few of my personal experience and I have what I would consider fairly limited interactions with the NHS. I can only imagine these issues go on every day and just get lost in the noise of the day to day, pillar to post that is the NHS.

This is incredibly bad (and indeed dangerous) for patients and woefully inefficient for the NHS.

The problem to date

Within the NHS there is a great deal of misunderstanding and  misinterpretation when it comes to the Data Protection. This then gets conflated with national and local policies which spill over in to all areas, not least patients rights to access their records, but it has also heavily hampered the sharing of information between organisations.

This can make it very hard for patients to access their records, especially if they ask for anything other than faded photocopies stuffed in to an envelope. More times than not if you ask for something as humble and accessible as an email it will be refused.

Another issue today is the NHS can charge a “reasonable” fee up to £50 for access to your records which quickly mounts up if like me your records are distributed across a number of NHS silos.

Despite three reports led by Dame Fiona Caldicott as the National Data Guardian, the NHS has struggled to untangle itself from this mess and indeed many responsible for data have never even seen these reports.

The NHS has spent as many years as it has billions trying to solve data sharing issues since the Data Protection act first came in to being in 1998.

What does GDPR change?

GDPR is the opportunity for organisations including the NHS to set things right. GDPR will give  individuals greater rights with harsher penalties for organisations which fail to comply.

For me GDPR takes what was already permicable in law and makes it crystal clear :

  • Organisation cannot refuse a request for access because it was for example requested via email :

    “Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” -  Article 15 GDPR

  • NHS organisations can only charge a fee for additional copies not the initial copy of your record :

    “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs."  - Article 15 GDPR

  • Patients have the right to request that their data be transferred from one organisation to another :

    ”… have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided" -  Article 20 GDPR

  • Organisations could be held liable if the use of or lack of availability of data infringes on the freedoms of an individual :

    “In the context of a hospital, if critical medical data about patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled and lives put at risk.” -  The EU GDPR working group.

Of course the new regulation will only be as effective as those who implement and regulate it and this remains to be seen, but patients can help buy highlighting areas that are not being met.


Having a copy of your health record is good for your health and the NHS. Come  25th May 2018 you will have greater rights to ensure this is in the right place and indeed have a copy yourself.

So drop your GP or hospital an email and ask them to send you a copy of your record.

Dan's Blog

Information Technology, programming, health, fitness and photography enthusiast.

  • Not a writer.
  • All views are my own.
  • Offence is optional.
  • Do your own research.

Post by tag