Access to Medical Records

The days when doctors wrote in Latin to keep their notes secret are long gone and computer terminals are now found on all surgery desks.  Most GPs are happy to explain what they are writing in your notes.

Doctors and healthcare workers take confidentiality very seriously.  A third party such as an employer or relative cannot demand sight of your notes or any medical information about you unless you give written permission.

Insurance companies and solicitors cannot see any part of your medical history unless you allow them access.

Test results, such as HIV status or pregnancy, will not be released to anyone without your consent.

Access to your health records

Patients are being given online account access to their future, or prospective, full general practice health record including free text, letters and documents. Future (prospective) records access means access to information and data added to the patient record from a set date onwards. This may be the date that a patient joined the practice or from a date when access has previously been granted.

Patients will see new information once it is entered, or filed, onto their record in the clinical system. Patients will not see their historic, or past, health record information unless they have already been given access to it by their general practice.

Patients whose general practice uses the TPP or EMIS system will see new general practice records entered. This will be made visible to patients through the NHS App or existing GP online services apps that already securely provide patients with access to this health information.

Under the Data Protection Act, subject to certain conditions, an individual is entitled to be:

  • Told whether any personal data is being processed
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
  • Given a copy of the information comprising the data; and given details of the source of the data (where this is available).

The Data Protection Act extends equally to all relevant records relating to living individuals, including records held in the private health sector and health professionals’ private practice records.

 Application for Access to Medical Records Form

Everyone working for the NHS has a legal duty to keep information about you confidential.

You may be receiving care from other people as well as the NHS. So that we can all work together for your benefit we may need to share some information about you. We only ever use or pass on information about you if people have a genuine need for it in your and everyone's interests. Whenever we can we shall remove details which identify you.  Anyone who receives information from us is also under a legal duty to keep it confidential.

Making a Subject Access Request (SAR)


The Data Protection Act gives every living person (or authorised representative) the right to apply or access to their health records.

Online Access to Medical Records

Since March 2016, coded information from Medical Records can be accessed as part of the Practice's online services. For security reasons, you will have to visit the practice to undertake an identity check before you are granted access to these records.

To make a subject access request

A request for your medical health records held at Somerset Bridge Medical Centre must be made in writing (e-mails accepted) to the data controller who is: The Practice Manager (please contact the practice for alternative methods of access if you are unable to make a request in writing).

You can apply using an Application for Access to Medical Records Form available from reception if you wish.


Under the Data Protection Act you will not normally be charged a fee to view your health records or to be provided with a copy of them unless the request is judged to be unfounded or excessive.

In the event that a request is deemed to be unfounded or excessive, a fee will be incurred based on the administrative cost of providing the information.

Once the data controller has all the required information, and fee where relevant, your request should be fulfilled within one month (in exceptional circumstances where it is not possible to comply within
this period, you will be informed of the delay within one month of the request. We will provide you with a timescale of when the information will be made available, which will be no more than three months
after the request was made).


In some circumstances, the Act permits the data controller to withhold information held in your health record. These rare cases are:

  • Where it has been judged that supplying you with the information is likely to cause serious harm to the physical or mental health or condition of you, or any other person, or;
  • Where providing you with access would disclose information relating to or provided by a third person who had not consented to the disclosure. This exemption does not apply where that third person is a clinician involved in your care.

When making your request for access, it would be helpful if you could provide details of the time-periods and aspects of your health record you require If you are using an authorised representative, you
need to be aware that in doing so, they may gain access to all health records concerning you, which may not all be relevant. If this is a concern, you should inform your representative of what information you wish them to specifically request when they are applying for access.

GPs have ethical obligations around how patient records are shared, and will explain to patients, in broad terms, the implications of making a Subject Access Request so they can make an informed decision on whether they wish to exercise their rights under the Data Protection Act.

Proxy Access to Online Services

This is where someone is given access to another person’s medical record. For example:

  • A parent or guardian who has legal responsibility for a patient under 11
  • A parent or guardian where a patient aged 11 or over has given permission
  • A parent or guardian who has legal responsibility for a patient between 11 and 16
  • Where a GP has assessed that the patient is not capable of making their own decisions re medical health
  • A carer for a patient over the age of 16 – we would need a letter from the patient giving them permission

The proxy does not have to be a registered patient at the practice, but must be registered for online services on the GP system and always use their own login credentials.

To be given proxy access, a patient’s representative must have the informed consent of the patient or, in cases where the patient does not have capacity to consent; the GP has decided that it is in the best interests of the patient for them to have proxy access.

The level of access is configured per patient for each proxy user, as they may care for more than one patient and need different levels of access. Once proxy access has been activated in EMIS, an extra option will appear under the Online Services tab to enable registration of proxy users.  Once registered, proxy users will be managed in online users.

Patients aged 16 or above are assumed to have the capacity to consent unless there is an indication that they are not.  Young patients between the ages of 11 and 16 who are judged as having capacity to consent by their GP may also consent to give proxy access to someone else. A parent or guardian can request proxy access if they have legal responsibility for a patient under 11 years.

Legitimate reasons for the practice to authorise proxy access without the patients consent includes:

  • The patient has been assessed as lacking capacity to make a decision on granting proxy access and the applicant has lasting power of attorney for health and welfare that is registered with the Office of the Public Guardian
  • The applicant is acting as a Court Appointed Deputy on behalf of the patient or, where the GP considers it to be the patients interest in accordance with the Mental Capacity Act 2005 code of practice
  • The patient is a child who has been assessed as not competent to make a decision on granting proxy access

The practice may refuse or withdraw proxy access, if they judge that it is in the patient’s best interest to do so.

On a child's 11th birthday, the scope of the current proxy access will be restricted, unless the GP has already assessed the child as able to make an informal decision and the child has given explicit consent for their record to be shared. This is the national standard imposed by NHS England to protect the confidentiality rights of young people.

From 11-16, a parent with proxy access will be able to manage certain elements of the young persons record, such as demographic data, and make appointments and order repeat prescriptions, but they will not be able to see the young persons past appointments or clinical record, although they would still be able to see current repeat prescription record.

At the childs 16th birthday they remain proxy access will be switched off, except where the young person is competent and has given explicit consent to the parental access. If the child wants proxy access re-instated, they will need to come to the surgery in person, with proof of ID, and request it.

Parents may continue to be allowed proxy access to their child’s online services, after careful discussion with the GP, if it is felt to be in the child’s best interests.

Background Information

In UK law, a person's 18th birthday draws the line between childhood and adulthood.

(Children Act 1989 s105) - so in health care matters, an 18 year old enjoys as much autonomy as any other adult.

To a more limited extent, 16 and 17 year-olds can also take medical decisions independently of their parents. The right of younger children to provide independent consent is proportionate to their competence - a child's age alone is clearly an unreliable predictor of his or her competence to make decisions.

Gillick Competence

The 'Gillick Test' helps clinicians to identify children aged under 16 who have the legal capacity to consent to medical examination and treatment. They must be able to demonstrate sufficient maturity and intelligence to understand the nature and implications of the proposed treatment, including the risks and alternative courses of actions.

In 1983, a judgment in the High Court laid down criteria for establishing whether a child had the capacity to provide valid consent to treatment in specified circumstances, irrespective of their age. Two years later, these criteria were approved in the House of Lords and became widely acknowledged as the Gillick test. The Gillick Test was named after a mother who had challenged health service guidance that would have allowed her daughters aged under 16 to receive confidential contraceptive advice without her knowledge.

Fraser Guidelines

As one of the Law Lords responsible for the Gillick judgment, Lord Fraser specifically addressed the dilemma of providing contraceptive advice to girls without the knowledge of their parents. He was particularly concerned with the welfare of girls who would not abstain from intercourse whether they were given contraception or not. The summary of his judgment referring to the provision of contraceptive advice was presented as the 'Fraser guidelines'. Fraser guidelines are narrower than Gillick competencies and relate specifically to contraception.

Key points at a glance (EMIS)

  • You can register a proxy user (whether they are registered at your practice or not).
  • Configure the level of access for each patient they care for.
  • Remove, restrict or suspend access at any time.
  • Age maturity notifications for patients reaching 11 and 16.
  • Patient précis icon.
  • Warnings in relation to Gillick and Fraser.
  • EMIS competency code changes.
  • Record sharing.
  • Protocol trigger.

Freedom of Information

A copy of our FOI Publication Scheme is available on request from the practice manager.