Website of the Department of Health

Under the Data Protection Act 1998, which became effective from 1 March 2000, patients already have a right to have access to their medical records. Most letters about a patient which are written between clinicians form part of these records, whether they are held at the general practitioner's surgery or at a hospital. The initiative to copy letters to patients is simply building on these existing legal provisions. Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2000 the maximum fee that can be charged for providing copies of health records is £10 for computer records and £50 for copies of manual records or a mixture of manual and computer records. People are also entitled to apply to see their records for free if created in the last 40 days. Where a permanent copy is required, the charges referred to earlier in this paragraph apply.

Under this legislation, there are certain circumstances in which data about a patient may be withheld. Access may be denied or withheld, where the information may cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who had not consented to the disclosure.

The need to ensure that safeguards, equivalent to those provided by the Data Protection Act 1998, support this initiative has already been recognised by the Working Group. An excerpt is given below from the Statutory Instrument 1987 Number 1903, Data Protection (Subject Access Modification) (Health)Order 1987 on the safeguards provided in the Data Protection legislation:

4. (1) The subject access provisions shall not have effect in relation to any personal data to which this Order applies in any case where either of the requirements specified in paragraph (2) below is satisfied with respect to the information constituting the data and the obligations contained in paragraph (5) below are complied with by the data user.

(2) The requirements referred to in paragraph (1) above are that the application of the subject access provisions-

(a) would be likely to cause serious harm to the physical or mental health of the data subject; or
(b) would be likely to disclose to the data subject the identity of another individual (who has not consented to the disclosure of the information) either as a person to whom the information or part of it relates or as the source of the information or enable that identity to be deducted by the data subject either from the information itself or from a combination of that information and other information which the data subject has or is likely to have.