The reality of NHS patient record access

Published : Wednesday 27 February 2019

The NHS is misinterpreting Data Protection laws, bamboozling patients and denying their right to access their medical records in the process ...

Please note: this content is 5 years old. It may be of lower quality or no longer accurate.

As someone born with a long term condition who has travelled around due to study and work, my medical records are scattered across the NHS.

Having been in situations where my record was not available when needed and been subjected to medical errors arising from problems with my record, I decided to take matters into my own hands.

My plan was to gather up a complete copy of my medical record so at least I had a copy even if no one else did. This blog summarises my experiences of NHS patient record access starting in 2017 through to the end of 2018.

Disclaimer: I am not legally qualified but I have used my experience of working in this field and previous NHS background to understand and exercise my rights.

Banbury Health Centre

Having moved out of London I ended up registered with Banbury Health Centre where I tried to obtain online access to my record. Despite a number of emails, 3 visits and phone calls the practice were unable to provide access.

In an attempt to obtain a copy of my record I decided to make a subject access request. This was refused on the grounds that I asked for the information to be emailed to me.

A formalĀ complaintĀ later and I got access to Patient Online with a lot of features switched off and eventually I was emailed a copy of my full record in PDF form.

The explanation I received from the “Practice Manager” for this pantomime was that it’s not something they did regularly and therefore they didn’t have a process for it.

  • Access to records has been a basic legal right since the Data Protection Act 1998 and every organisation should have a process for handling such requests.Ā 
  • GPs have also been contracted to provide patients with online access to records including the ability to book appointments and order prescriptions for some years.

NHS Patient Online
NHS Patient Online
(Click for full resolution)

EMIS Patient Online with many of the basic features locked out.

Wirral University Teaching Hospital NHS Foundation Trust (WUTH)

I was admitted to Arrowe Park Hospital for 4 or 5 days some years ago when I had a flare-up with my condition.

I emailed my standard subject access request and after some back and forth I received the following: “we are unable to send records via an unsecured email account”, however they offered me the option of a CDROM.

I did not have a CD drive, nor did I intend on buying one, especially when an email would suffice. The NHS should note that digital inclusion/exclusion isn’t just about disadvantaging those who are non-digital!

As part of this email exchange, the “Health Records Manager & Access to Information Manager” started quoting Data Protection legislation out of context and seemingly without any real understanding. They also suggested that if I did not have a CD drive I could use a public computer such as at a local library.

So much for all their concern about privacy and security!

Sometime later following a formal complaint I received an email saying that as I had consented to receive the information by email they would now oblige.

  • Neither the postal service or email is perfectly secure. The lawful basis to share information can easily be established through informed consent.Ā 
  • The law is applicable/necessary for paper and electronic processes.Ā 

Oxford University Hospitals (OUH)

As with the Wirral I sent my standard Subject Access Request and had a similar experience in terms of initial refusal and debate, but OUH threw in another barrier.

The “Access Team Manager” from the “Data Quality Department” insisted that unless I filled in the hospital’s paperwork they would not respond to my request. I reminded them that I had submitted a lawful request and that I considered the clock was now ticking. The response I received wasĀ  “The clock does not begin until we have received the correct paperwork”.

After complaining I eventually receive an electronic copy of my record including DICOM images.

  • The law has always been very clear that organisations cannot require individuals to complete specific paperwork and more recently they are also required to tell you that it is optional.

My actual NHS xray which I have stylised
My actual NHS xray which I have stylised
(Click for full resolution)

Royal Free Hospital (RFH)

In the case of RFH I emailed their PALS team. I received an automatic response to confirm receipt of my email and never heard from them again.

This isn’t the first time I have had issues with the Royal Free. On at least 2 occasions they mixed me up with another patient. This did make me wonder if they had just lost/ignored my request or perhaps something more sinister was going on due to the fact there were serious errors in my record as a result of their mix-ups.

  • The law requires that organisations respond within 1 month.
  • One key patient safety benefits of accessing your record is the ability to check for errors and exercise your legal right to have mistakes rectified.

Manchester University NHS Foundation Trust

I was admitted to A&EĀ during my time at university andĀ more recently I learnt that this hospital group took over from theĀ children’sĀ hospital I attended as an infant.

When I asked about my paediatric surgery records the hospital stated that these records were not available and were destroyed so I asked for details of this. I was passed to the “Medical Records Manager” who ignored the request.

In this case, the record should be retained for 20 years, and I was just outside of this so I did half expect that my record would have been destroyed, however, record distruction is not always carried out systematically.

As they have been unable to provide me with details myĀ conclusion is that they cannot find the record or details of its destruction. NHS Policy states:

  • The destruction of records is an irreversible act and must be clearly documented.
  • Destruction of records must not take place without recorded agreement from the Records Manager and completion of a Certificate of Records Destruction.Ā 

Farnworth Family Practice

In late 2018 having struggled to track down a key part of my record from when I was a child, I decided to go back to my first GP practice where I had been a patient up until my university years. My hope was they might have a copy a of key information, in particular, the summary produced when I was discharged from children’s services aged 16, as this is something my consultant created for me.

This practice fails to provide an email address but their website did have a contact form for enquiries, complaints, etc. so I submitted my usual request and the website confirmed my request had been sent.

My request was ignored.

  • The law is clear that a valid request can be made to anyone and through pretty much any channel and indeed you can even make a request over the phone or by social media.

Hampstead Group Practice (HGP)

In 2017 when Banbury Health Centre we’re making my life unnecessarily difficult I decided to email my previous GP practice HGP, to ask them for information which Banbury denied was on my record.Ā  In less than 12 hours the practice had emailed me back the key pages.

They were quick, polite, very helpful and did not ask any ridiculous questions or make me jump through hoops and hurdles. Of course, they could have been cavalier, but I would like to think that as the practice was generally quite good, they understood the basics of Data Protection and had a process.

Finally a result!


In all only one request for access went smoothly and indeed in that particular case, I would say they went above an beyond the call of duty. In all other cases, there were major issues in understanding and execution of patients basic rights.

NHS Access request summary
NHS Access request summary
(Click for full resolution)

In most cases,Ā they had either completely misinterpreted Data Protection Law or were perhaps just trying to use it to bamboozle patients.

DespiteĀ their apparent concerns about “security”, they all contradict themselves in some shape or form :

  • Being happy to send my information via an insecure postal service but refusing other means.
  • Suggesting I use a public computer to access my information without any guidance.
  • Asking me to email themĀ identification documents but refusing to email me information.

As someone who works in this area and indeed having spent my time in the NHS I was able to find my way through and fight my case, but how many patients are armed with this information?


It is incredible that in a so-called National Health Service these basic functions, which are well established in law and national policy are so poorly understood and appallingly executed.

  • Since 1998 the Data Protection Act has given individuals rights to their data (including medical records) and in 2018 this was updated to bring it in line with European General Data ProtectionĀ  (GDRP).
  • Alongside this, the National Data Guardian for the NHS has conducted a number of reviews and published 3 reports to set the record straight and dispell many of the myths.
  • There is plenty of evidence to support the benefits of patients having routine access to their records including improvements in communication, understanding and health outcomes.
  • The majority of GPs and hospitals have health record systems which support portals and APIs to enable patients to more easily and readily access and reuse their information.

Despite 20 years,Ā  Ā£billions invested into NHS IT and all the rhetoric about patient empowerment it seems much of the NHS has yet to get some of the absolute basics correct.

This is clearly bad for the patientĀ but the implications have far wider and more devastating implications when it comes to technology and information sharing.

This basic lack of understanding holds back effective information sharing and in doing so compromises the safety and quality of care which puts patients directly in harm’s way.

Dan's Blog

Information Technology, programming, health, fitness and photography enthusiast.

  • Not a writer.
  • All views are my own.
  • Offence is optional.
  • Do your own research.

Post by tag