The practice is registered with the Information Commissioner’s Office. We comply with the Data Protection Act 2018.
We manage requests for access to medical records according to the Act.
To access your medical records:
- use your NHS App account (on the NHS App Online website or in the NHS App)
- request access by filling in an online form
- fill in a form on this website
- visit the practice, when we are open
Summary Care Record
If you’re registered with a GP surgery you’ll have a Summary Care Record, unless you’ve chosen not to have one. It contains basic information including your allergies and medicines. It also includes any previous reactions you’ve had to medicine.
Having this information in one place makes it easier for healthcare staff to treat you in an emergency, or when the practice is closed.
Follow this link to the NHS website for more information on how to access your health records
GP2GP
GP2GP transfers electronic health records between a patient’s old and new practices. It is a direct, secure and quick way to send your medical records when you change GPs.
Find out more about GP2GP on the NHS Digital website
Your data matters to the NHS
Your health records contain a type of data called confidential patient information. This data can help with research and planning.
You can choose if you want to share your data. You can also choose for someone else, such as your children under 13.
Your choice will only apply to the health and care system in England. It will not apply to services you use in Scotland, Wales or Northern Ireland.
Follow this link to find out how this data is used and how to opt out
Subject Access Request (SARS)
At our GP surgery, we are committed to handling Subject Access Requests (SARs) promptly and securely. Once a request is received, our team begins compiling the relevant medical records, ensuring all information is reviewed in line with data protection regulations and third-party confidentiality. We aim to complete SARs within one calendar month. Please note that while most requests are processed free of charge, those deemed excessive or repetitive may incur a reasonable administrative fee, as permitted under data protection legislation. We will always inform you in advance if a fee applies.
What Counts as “Excessive” Under UK GDPR?
According to the Information Commissioner’s Office (ICO) and legal guidance:
- Repetitive Requests: If the same individual repeatedly asks for the same or similar information within short intervals, especially when nothing has changed in the data.
- Unreasonable Scope: If the request demands all records without any clear purpose or relevance, especially when the volume is vast and difficult to compile.
- Disproportionate Burden: If fulfilling the request would require an unreasonable amount of time, resources, or disruption to normal operations — for example, manually redacting thousands of pages of sensitive third-party data.
- Harassment or Abuse: If the request appears to be part of a pattern of vexatious behaviour or intended to disrupt or burden the practice.
- Lack of Specificity: Broad or vague requests that don’t help the practice identify what the individual actually wants.
ICO reference link What should we consider when responding to a request? | ICO