Guidance Note

Information may be disclosed only with prior approval from the Medical Services Manager.

A request by a patient, or by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a Subject Access Request (SAR). If a patient wants to see their health records, or wants a copy, they should complete a Subject Access Request Form which can be requested from They don’t have to give a reason for wanting to see their records and there is no charge for this service (however, we can charge a 'reasonable fee' for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if a patient requests further copies of their data). They will, however, be required to produce proof of identity before being allowed to read them.

Sparta Health has up to 28 days to respond to the request. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.

The 28-day time limit can be extended for two months for complex or numerous requests where the data controller (usually Sparta Health) needs more time to collate and supply the data. We should inform the patient about this within 28 days and provide an explanation of why the extension is necessary.

When writing/calling, the patient should say:

  • they want a copy of their healthcare records (if they wish a member of staff can be made available to assist them and explain any medical terms to them)
  • they want all or just part of them
  • they would like their records to be given to them in a specific format that meets their needs, and we will endeavour to accommodate the request

If the patient requests that their records be emailed, then we will secure the patient’s or their representative’s agreement (in writing or by email) that they accept the risk of sending unencrypted information to a non-Sparta email address.

They may also need to fill in an Application Form and give proof of their identity. Sparta Health has an obligation under the GDPR and DPA 2018 to ensure that any information provided for the patient can be verified.

Please note we never send original medical records because of the potential detriment to patient care should these be lost.

Proof of Identity

Patient applying for their own

  • One which must be photographic, i.e. passport
  • One containing the individual’s name and address

Third party applying (consent of the patient will be required BEFORE the request will be processed)

  • One containing the third party’s name and address
  • One which must be photographic ID of the third party

Applying on behalf of a child

We will ALWAYS obtain consent for release of records from a child aged 13+ to <16 if a third party is making the request.

  • One which must be the child’s birth certificate
  • Photographic ID of the person with parental rights


Who may apply for access?

1(1) Patients with capacity

Subject to the exemptions listed in paragraph 1(6) (below), patients with capacity have a right to access their own health records via a SAR. They may also authorise a third party such as a Solicitor to do so on their behalf. Competent young people may also seek access to their own records. It is not necessary for them to give reasons as to why they wish to access their records.

1(2) Children and young people under 18

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to an SAR. However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph 1 (3) below)

1(3) Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.

1(4) Solicitors

A patient can authorise a Solicitor acting on their behalf to make a SAR. We must have their written consent before releasing medical records to their acting Solicitors. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we should contact the patient before disclosing the information. (England and Wales only – should we refuse, a Solicitor can apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for Solicitors to use the form, it is hoped it will improve the process of seeking consent).

Sparta Health may also contact the patient to let them know when their medical records are ready.

1(5) Supplementary Information under SAR requests

The purposes for processing data

The purpose for which data is processed is for the delivery of healthcare to individual patients.

The categories of personal data

The category of personal data is healthcare data.

The organisations with which the data has been shared

Health records are shared with appropriate organisations which are involved in the provision of healthcare and treatment to the individual.  Additional information available to patients is in our privacy notices.

The existence of rights to have inaccurate data corrected and any rights of objection

Any automated decision including the significance and envisaged consequences for the data subject

For example, risk stratification.

The right to make a complaint to the Information Commissioner’s Office (ICO)

1(6) Information that should not be disclosed

The GDPR and Data Protection Act 2018 provide for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to the patient, we will inform them and discuss this with them.

1(7) Individuals on behalf of adults who lack capacity

Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales, and the Sheriff’s Court in Scotland, can also appoint Deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

1(8) Deceased records

The law allows patients to see records of a patient who has died as long as they were made after 1st November 1991.

Records are usually only kept for three years after death.

Who can access deceased records?

Individuals can only see that person’s records if they are their personal representative, administrator or executor.

They won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.

Accessing deceased records

Before an individual gets access to such records, they may be asked for:

  • proof of their identity
  • proof of their relationship to the person who has died

Viewing deceased records

An individual won’t be able to see information that could:

  • cause serious harm to their or someone else’s physical or mental health
  • identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission

If they have a claim as a result of that person’s death, they can only see information that is relevant to the claim.

1(9) Hospital Records

To see Hospital records, patients will have to contact their local Hospital.

1(10) Power of attorney

Patient health records are confidential, and members of the patient’s family are not allowed to see them unless the patient gives them written permission or they have power of attorney.

A lasting power of attorney is a legal document that allows an individual to appoint someone to make decisions for them, should they become incapable of making decisions.

The person they appoint is known as their attorney. An attorney can make decisions about their finances, property, and welfare. It is very important that they trust the person they appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.

If an individual wishes to see the health records of someone who has died, they will have to apply under the Access to Medical Records Act 1990. They can only apply if they:

  • are that person’s next of kin, are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person),
  • have the permission of the next of kin or have obtained written permission from the deceased person before they died.

To access the records of a deceased person, they must go through the same process as a living patient.

If a patient thinks that information in their health records is incorrect, or they need to update their personal details (name, address, phone number), they can approach us informally and ask to have the record amended.

Our complaints procedure can be found at

Alternatively, they can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:

The Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane

Telephone: 01625 545745

If a patient’s request to have their records amended is refused, the record holder must attach a statement of our views to the record.


© 2019 Sparta Health  |  All rights reserved