B
Boring DSAR

How to Make a Subject Access Request to the NHS

How to request your medical records from the NHS via subject access request. GP, hospital, and mental health records — step by step.

Last updated: 2026-05-10

Your Right to Your NHS Medical Records

Every patient has the legal right to request a copy of their medical records from the NHS. This is called a subject access request (SAR), and it is a right under the UK GDPR and the Data Protection Act 2018. The NHS cannot refuse simply because the request is inconvenient, and they cannot charge you for it.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations and NHS procedures may change. Verify current procedures with the relevant NHS body or consult qualified legal counsel for guidance specific to your situation.

Whether you want to review your GP records, obtain hospital notes for a legal claim, or access mental health records, the process is largely the same. This guide walks through who to contact, what you are entitled to, the timelines involved, and what to do if things go wrong.

Who Holds Your NHS Records?

There is no single central repository for all your NHS medical records. Different parts of the NHS hold different records, and you need to direct your request to the right organization.

GP Records

Your GP practice holds your primary care record. This is typically the most comprehensive record of your medical history, as it includes consultation notes, test results, referral letters, prescriptions, and information received from hospitals and specialists. Your GP record follows you when you change practices, so your current GP should hold your full primary care history.

To request your GP records, contact your current GP practice directly. Most practices have a process for this — some have a form on their website, others will ask you to put your request in writing or submit it at reception.

Hospital Records

Each NHS hospital trust maintains its own patient records. If you were treated at a hospital, the trust that runs that hospital holds those records. This includes admission notes, discharge summaries, operation notes, outpatient clinic letters, imaging reports, and pathology results.

To request hospital records, contact the information governance team or health records department of the relevant NHS trust. You can usually find contact details on the trust's website by searching for "subject access request" or "medical records request."

If you were treated at multiple hospitals run by different trusts, you will need to make a separate request to each trust.

Mental Health Records

Mental health records are held by the NHS mental health trust that provided your care. These are separate from your GP records and from general hospital records, although your GP will typically receive copies of correspondence from mental health services.

Contact the mental health trust's information governance team to make your request. The process is the same as for hospital records.

Other NHS Services

Other NHS organizations that may hold your data include:

  • Ambulance trusts — records of emergency callouts and treatment
  • Community health services — district nursing, health visiting, community therapy records
  • NHS dentists — dental treatment records
  • NHS England — certain centralized records including screening program results and vaccination records
  • NHS Digital (now NHS England) — summary care records and other national datasets

Each requires a separate request directed to the relevant body.

What Health Data Is Included?

Under the UK GDPR, you are entitled to all personal data the organization holds about you. In an NHS context, this typically includes:

  • Consultation notes — what was discussed during appointments, including the clinician's notes
  • Diagnoses and clinical findings — formal diagnoses, clinical observations, and assessments
  • Test results — blood tests, imaging (X-rays, MRIs, CT scans), pathology, and other diagnostic results
  • Prescriptions and medication history — what was prescribed, dosages, and changes over time
  • Referral letters and correspondence — letters between your GP and specialists, discharge summaries, and clinic letters
  • Treatment records — details of procedures, operations, therapies, and ongoing treatment plans
  • Mental health assessments and care plans — if applicable
  • Maternity records — pregnancy, birth, and postnatal care records
  • Vaccination records — immunization history
  • Screening results — cervical screening, bowel cancer screening, and other national programs

You are also entitled to supplementary information under Article 15 of the UK GDPR, including the purposes of processing, who the data has been shared with, and how long it will be retained.

What Can Be Withheld?

The right of access is broad, but there are specific exemptions that apply to health data. The most significant is the serious harm exemption.

The Serious Harm Test

Under the Data Protection Act 2018 (Schedule 2, Part 2, Paragraph 3), health data can be withheld if disclosing it would be likely to cause serious harm to the physical or mental health of the data subject or another individual. This is not a general exemption — it requires a specific clinical judgment about the likely impact of disclosure on a case-by-case basis.

In practice, this exemption is applied narrowly. A clinician (usually the doctor responsible for the patient's care) must make the judgment that disclosure would cause serious harm. The fact that information might be upsetting or unwelcome is not enough. The threshold is serious harm, not distress.

If any data is withheld under this exemption, the NHS body should tell you that some information has been withheld and explain the reason, without revealing the withheld content.

Third-Party Information

If your records contain information about another identifiable individual (other than a health professional involved in your care), that information may be redacted. For example, if a family member provided information about you to your doctor, the family member's identity might be redacted if they have not consented to disclosure and it would not be reasonable to disclose without consent.

The names of health professionals who provided your care are generally not withheld. You are entitled to know which doctors, nurses, and other clinicians were involved in your treatment.

How to Make the Request

Step 1: Identify the Right Organization

Determine which NHS body holds the records you want. If you are unsure, start with your GP practice for primary care records, and the relevant hospital trust for secondary care records.

Step 2: Submit Your Request

You can make a subject access request in any format — there is no legal requirement to use a specific form. However, using the organization's own form (if they have one) can speed things up, because it captures the details they need to locate your records.

Your request should include:

  • Your full name (including any previous names the records might be under)
  • Date of birth
  • Address (and any previous addresses if relevant)
  • NHS number (if you know it — this is not mandatory but helps)
  • What records you want — you can ask for everything, or specify a date range, department, or type of record
  • How you want to receive the data — electronically (email or secure portal) or in hard copy
  • Proof of identity — the NHS body will need to verify your identity before releasing records; this typically means a copy of photo ID and proof of address

You do not need to use the words "subject access request" or cite any law. If the substance of your request is "I want a copy of my medical records," that is a valid SAR.

Step 3: Send It

Send your request to the relevant department. For GP practices, this is often the practice manager. For hospital trusts, look for the information governance or health records team. Most trusts list the correct contact on their website.

Keep a copy of your request and note the date you sent it. The deadline runs from the date the organization receives your request.

Timelines and Fees

How Long Should It Take?

Under the UK GDPR, the NHS must respond to your subject access request within one calendar month of receiving it (UK GDPR Article 12(3)). If the request is complex — for example, it covers a very long period of care across multiple departments — the organization can extend this by up to two additional months (three months total), but they must tell you within the first month that they are extending and explain why.

In practice, GP records requests are often fulfilled relatively quickly, sometimes within two to three weeks. Hospital trust requests can take longer, particularly if the records span multiple departments or involve paper files that need to be located and scanned.

Is There a Charge?

No. Under the UK GDPR, the first copy of your data must be provided free of charge. The NHS cannot charge you for a subject access request. This changed in 2018 — before the UK GDPR came into force, the NHS could charge up to 50 pounds for health records and up to 10 pounds for GP records. Those fees no longer apply.

The only exception is if you ask for additional copies of the same data, in which case a reasonable fee based on administrative costs may be charged. But your first request is free.

Requesting Records on Behalf of Someone Else

You can make a subject access request on behalf of another person in certain circumstances:

  • Parents requesting children's records — parents can request records on behalf of a child if the child is too young to understand the request. For older children (generally those over 12, though there is no fixed age), the child's own views and competence should be considered. If a child is competent to make their own request, their consent is usually needed.
  • Representatives with written authority — if you have written authorization from the patient, you can request their records. This includes solicitors acting on behalf of clients.
  • Individuals with lasting power of attorney — if you hold a health and welfare lasting power of attorney for someone who lacks capacity, you can request their health records.
  • Bereaved relatives — access to deceased patients' records is governed by the Access to Health Records Act 1990 (for records made before November 1991) and common law. This is a more limited right than a SAR, and the rules are different. The NHS body will usually require evidence of your relationship and may consult with the clinician who treated the patient.

What to Do If Your Request Is Refused or Delayed

If the NHS Body Does Not Respond Within the Deadline

Chase them. Send a written follow-up reminding them of the deadline and asking for a response. Keep a record of all communications.

If They Refuse Your Request

Ask for a written explanation of why the request has been refused and which exemption they are relying on. If the serious harm exemption is cited, ask which clinician made that assessment.

Complain Internally

Most NHS organizations have an internal complaints process (often through their Patient Advice and Liaison Service, or PALS). This can sometimes resolve the issue more quickly than going to the regulator.

Complain to the ICO

If the NHS body has not responded, has refused without a valid reason, or has unreasonably delayed, you can complain to the Information Commissioner's Office (ICO). The ICO can investigate and order the organization to comply. There is no fee for making a complaint to the ICO.

You can submit a complaint online through the ICO's website. Include a copy of your original request, any responses you received, and details of what went wrong.

Legal Action

As a last resort, you have the right to apply to the court for an order compelling the organization to comply with your request. This is under Section 167 of the Data Protection Act 2018. Court action should generally be a last resort after the ICO process, but there is no legal requirement to complain to the ICO before going to court.

Tips for a Smooth Process

  • Be specific where you can. While you are entitled to everything, specifying a date range or department can speed up the process significantly. If you only need records from a particular hospital admission, say so.
  • Include your NHS number. This makes it much easier for the organization to locate your records accurately.
  • Request electronic copies. Electronic delivery is generally faster and easier for both parties. Most NHS organizations can provide records via secure email or a portal.
  • Follow up proactively. If you have not received an acknowledgment within two weeks, contact the organization to confirm your request was received.
  • Keep copies of everything. Save your original request, any correspondence, and the date you sent each communication.

References

Last reviewed: May 2026. Privacy laws and NHS procedures change. Verify all statutory references against the current text of the law and consult qualified legal counsel before making decisions based on this information.

Related Guides