Subject Access Requests in healthcare are not straightforward. Patient records may span years and multiple clinical systems. They frequently contain third-party information — references to family members, other patients, staff clinical judgements — that requires careful handling. And the consequences of over-disclosure can be severe, both for individuals and for the organisation.
This guide explains what healthcare organisations need to know about SARs: who has the right to request, what must be disclosed, what can be withheld, and how to build a response process that is both compliant and defensible.
Who Has the Right to Submit a SAR in a Healthcare Context?
The right of access under Article 15 of UK GDPR applies to any individual whose personal data an organisation holds. In a healthcare context, this includes:
- Current and former patients — requesting their own clinical records, correspondence, referral letters, test results, clinical notes and any other data held about them
- Parents and guardians — requesting records relating to a child, subject to age and capacity considerations
- Individuals with lasting power of attorney — acting on behalf of an adult patient who lacks capacity
- Personal representatives of deceased patients — under the Access to Health Records Act 1990, which still applies to records of deceased individuals
- Employees and former employees — NHS and private healthcare staff have the same employment SAR rights as in any other sector
UK GDPR does not apply to deceased individuals. Access to records of deceased patients is governed by the Access to Health Records Act 1990, not the SAR regime. However, the practical process for responding is similar and many of the same exemptions apply.
What Data Must Be Disclosed in a Healthcare SAR?
A healthcare organisation must disclose all personal data it holds about the data subject. In clinical practice, this typically includes:
- Clinical notes, consultation records and treatment histories
- Test results, imaging reports and investigation outcomes
- Referral letters, discharge summaries and correspondence with other providers
- Correspondence with the patient themselves
- Internal communications where the patient's personal data is recorded
- Complaints and PALS correspondence
- Any other record held across clinical, administrative or HR systems that contains the patient's personal data
The breadth of this obligation is often underestimated. It is not limited to the patient's primary clinical record — it extends to every system and location where their personal data appears.
The Special Category Data Dimension
Health data is special category data under Article 9 of UK GDPR, which means it attracts the highest level of protection at the point of collection and processing. However, this does not limit the patient's right to access their own health data — if anything, the sensitivity of health data makes transparency more important, not less.
What the special category classification does affect is how third-party health data within the records is handled. If a patient's records contain references to another person's health condition — for example, a family member's medical history recorded as clinically relevant — that information about the third party must be handled with particular care. In most cases, it should be redacted before disclosure.
What Can Be Withheld?
Several exemptions may apply to healthcare SARs, but they must be applied carefully and documented:
The Serious Harm Exemption
Schedule 3 of the Data Protection Act 2018 provides that health data may be withheld from a SAR response where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person. This exemption must be assessed by an appropriate health professional — it cannot be applied as a blanket policy or as a matter of administrative convenience.
The bar is high. Routine clinical notes that a patient might find distressing do not qualify. The harm must be serious, likely and specifically linked to disclosure. This exemption is relatively rarely applied in practice.
Third-Party Personal Data
Where records contain personal data about other individuals — other patients, staff members, family members — that information may need to be redacted. The third party's privacy rights must be balanced against the patient's right of access. Where the third party is identifiable and their consent cannot be obtained, redaction is usually required.
Staff names in clinical notes present a nuanced question. Information about a member of staff acting in their professional capacity (a consultant's name, a nurse's clinical observations) is generally disclosable. Information that reveals details about the staff member personally (their own health conditions, personal circumstances) should be withheld.
Legal Professional Privilege
Communications between the organisation and its legal advisers in connection with litigation or potential claims are exempt from disclosure. This is particularly relevant where the SAR is related to a clinical negligence claim.
Other DPA 2018 Exemptions
Management information, information held in connection with negotiations, and other categories defined in Schedule 2 of the DPA 2018 may also apply in specific circumstances. Each must be assessed on the facts of the particular request.
A common mistake is applying the serious harm exemption broadly to withhold information that is merely sensitive or that a patient might find upsetting. The exemption requires a genuine clinical assessment that disclosure would cause serious harm. Using it as a blanket response to difficult requests will not withstand ICO scrutiny.
The Volume Challenge: Managing Large Healthcare SARs
Healthcare SARs are frequently large. A patient with a long treatment history across multiple services may have thousands of documents in scope — clinical notes from multiple specialties, years of correspondence, imaging records, pharmacy records, and communications held across several IT systems that may not be well integrated.
The one-month deadline applies to healthcare SARs in the same way as any other. Where the complexity and volume of the request genuinely make compliance within one month impractical, the two-month extension mechanism under Article 12(3) of UK GDPR may be available — but only where the request qualifies as complex, and only with proper notification to the individual within the original one-month period.
In practice, the most effective approach to high-volume healthcare SARs combines systematic data collection across all relevant systems, AI-assisted review to identify relevant documents and flag redaction candidates, and specialist human review for clinical content and exemption decisions.
Healthcare SAR support — from £495
We work with NHS trusts, private clinics, care homes and other healthcare providers across the UK. Our team understands the specific complexities of health data disclosure — including special category handling, third-party redaction and the serious harm exemption. Fixed fee, on your case within 24 hours.
Children, Capacity and Access to Records
Healthcare organisations regularly receive SARs from parents seeking access to their child's records — particularly in relation to mental health treatment, sexual health, or where the parent and child are in dispute.
The general principle is that children who are Gillick competent — capable of understanding the nature and implications of their healthcare — have their own right to consent to treatment and, by extension, to control access to their health data. A parent does not automatically have a right to access a Gillick competent child's records, and the child's wishes should be taken into account.
Where a child lacks capacity, the parent or guardian acting with parental responsibility has the right to access records on the child's behalf — but only where this is in the child's best interests.
These questions are genuinely complex and should be assessed carefully, with clinical input, on a case-by-case basis.
Building a Compliant SAR Process for Healthcare
Healthcare organisations that receive SARs regularly benefit from having a documented, repeatable process rather than responding ad hoc. Key elements of a robust healthcare SAR process include:
- A single point of coordination — a dedicated SAR co-ordinator or team responsible for logging requests, tracking deadlines and managing the response process
- A system inventory — a documented list of all clinical and administrative systems that may hold patient data, so the scope of each search is consistent and comprehensive
- Clinical involvement in exemption decisions — the serious harm exemption must be assessed by a health professional; build this into the process rather than leaving it as an afterthought
- A redaction log — documenting every redaction, its legal basis, and who made the decision
- An escalation path — for SARs involving potential litigation, clinical negligence claims or complex capacity questions, a clear route to legal and clinical leadership
Frequently Asked Questions
Do healthcare organisations have to respond to SARs?
Yes. All healthcare organisations — NHS trusts, GP practices, private clinics, care homes and other providers — are subject to UK GDPR and must respond to valid Subject Access Requests within one calendar month.
Can a healthcare provider withhold medical information from a SAR?
In limited circumstances. The serious harm exemption under Schedule 3 of the DPA 2018 permits withholding where disclosure would be likely to cause serious harm. This must be assessed by a health professional on the specific facts, and the bar is high. Other DPA 2018 exemptions — such as third-party data and legal privilege — may also apply.
Can a patient request their full medical records via a SAR?
Yes. A patient is entitled to request all personal data held about them, including their full clinical records. There is no charge for this unless the request is manifestly unfounded or excessive.
How should staff clinical notes be handled in a patient SAR?
Staff names and professional observations recorded in a clinical context are generally disclosable. Information that reveals details about a staff member personally should be redacted. Where clinical staff have expressed personal opinions about a patient rather than clinical observations, careful assessment is needed.
What happens if we can't respond within one month?
Where a healthcare SAR is genuinely complex — due to volume, multi-system data or difficult exemption questions — a two-month extension is available under Article 12(3) of UK GDPR. You must notify the individual of the extension and the reasons for it within the original one-month period. The extension does not apply simply because the response is time-consuming.