Free SAR to GP Healthcare Records Template

A Subject Access Request (SAR) to a United Kingdom GP practice is the patient route to copies of healthcare records under Article 15 of the UK GDPR as supplemented by the Data Protection Act 2018. The practice must respond without undue delay and at the latest within the published statutory window from verified receipt — extendable for complex requests with reasons notified in the first window. Since 25 May 2018 there has been no fee for the first copy of personal data. Health data is special category data under Article 9 of the UK GDPR; the lawful basis is typically Article 9(2)(h) (provision of health or social care) read with Data Protection Act 2018 Schedule 1 Part 1 paragraph 2. Deceased-patient records are governed by the Access to Health Records Act 1990 for personal representatives and persons with a claim arising out of the death. Our free United Kingdom template builds a structured SAR letter covering subject details, records sought (date range and category), format preferred, identity verification and delivery method, with four Expert clauses on Article 9 special category protections, third-party redaction limits, manifestly unfounded or excessive refusal rebuttal and ICO escalation path.

PDF (free) + editable Word (.docx) with Expert

Subject Access Request — GP Healthcare Records
UK GDPR Article 15 + Data Protection Act 2018  ·  12 June 2026
Yasmin Caroline Ashworth
22 Sycamore Drive, Manchester M14 6NX
0161 555 8842
y.ashworth@email.co.uk
12 June 2026
Data Protection Officer / Practice Manager
via the GP practice address on file
RE: Subject Access Request — healthcare records

I, Yasmin Caroline Ashworth, make this Subject Access Request under Article 15 of the UK General Data Protection Regulation as supplemented by the Data Protection Act 2018. I request copies of the personal data held about the patient identified below by the practice in the categories and date range set out in this letter. I supply identity evidence and elect the preferred format and delivery method. I request the practice to respond without undue delay and at the latest within the published one-month window from verified receipt.
1. SUBJECT AND APPLICANT PARTICULARS
APPLICANT NAME: Yasmin Caroline Ashworth
ADDRESS: 22 Sycamore Drive, Manchester M14 6NX
TELEPHONE: 0161 555 8842
EMAIL: y.ashworth@email.co.uk
DATE OF BIRTH: 19 July 1988
NHS NUMBER: 702 884 1175
STATUS OF THE REQUEST: Request by the living data subject for personal records
2. RECORDS SOUGHT.

(a) Date range: from 1 January 2018 to 12 June 2026.
(b) Scope: Combination of categories — see detail.

(c) Specific detail:
All consultation notes, prescribing history, test and imaging results, referral letters and correspondence between the practice and any secondary care, mental health or musculoskeletal service from 1 January 2018 to date. The applicant is preparing a personal injury claim arising out of a road traffic accident on 14 March 2024 and a parallel occupational health claim. Records relating to the orthopaedic referral to the Manchester University NHS Foundation Trust dated 22 March 2024 and to the mental health referral to the Cheshire Partnership Trust dated 7 May 2024 are of particular interest.

The request covers structured and unstructured records — consultation notes, free-text problem entries, prescribing history, test and imaging results, referrals, discharge summaries, correspondence to and from the practice and any other personal data undergoing processing.
3. FORMAT PREFERRED.

Preferred format: encrypted PDF by secure email.

Notes on format:
Encrypted PDF preferred — single pack rather than multiple emails. The applicant can supply a public PGP key on request, or accept password-protected PDF with the password supplied by separate channel.

Where the practice prefers a different format on accessibility or proportionality grounds, the practice is invited to discuss alternatives in advance of the response deadline rather than imposing a different format unilaterally.
4. IDENTITY VERIFICATION.

(a) Primary identity evidence: United Kingdom or foreign passport — reference GBR 5224 1107.
(b) Secondary identity evidence: Recent council tax statement — reference Manchester City Council reference CT-22-SD-2026.
(c) Attendance in person: The applicant offers certified copies of the identity documents by post or secure email rather than attending in person.

The response window only begins once the practice has verified the applicant identity. The applicant invites the practice to confirm verification by return so the response timetable can be calculated from a fixed start date.
5. DELIVERY METHOD AND ACCEPTANCE TERMS.

(a) Preferred delivery: Encrypted PDF emailed to the address recorded above.
(b) Delivery address or email: y.ashworth@email.co.uk (encrypted)

The applicant confirms acceptance of receipt by signing for the delivery (where post or in person) or by acknowledging receipt by email (where secure email or portal download). The applicant invites the practice to bundle the response, the supplementary information required by Articles 13 and 14 of the UK GDPR and any redaction schedule into a single response pack.
6. ARTICLE 9 SPECIAL CATEGORY PROTECTIONS AND LAWFUL BASIS.

Health data is special category data under Article 9 of the UK GDPR. The lawful basis for processing by the practice is typically Article 9(2)(h) (provision of health or social care) read with the safeguards in the Data Protection Act 2018 Schedule 1 Part 1 paragraph 2 (health and social care purposes). The Article 15 access right cross-references this framework.

(a) Lawful basis position:
The practice processes the applicant data under Article 9(2)(h) of the UK GDPR (provision of health or social care) read with the Data Protection Act 2018 Schedule 1 Part 1 paragraph 2 (health and social care purposes). The Article 15 access right cross-references this framework — the practice must provide a copy of the personal data undergoing processing together with the supplementary information required by Articles 13 and 14 (purposes, recipients, retention, lawful basis, source).

(b) Health purpose position:
The specific health purposes engaged include direct care, GP audit, public health surveillance and commissioning information returns. The applicant requests the response pack to identify the recipients of any onward disclosures during the date range — typically the local hospital trusts, the integrated care board and any mental health trust — and the corresponding lawful basis for those disclosures.

(c) Retention purpose position:
The practice retention timetable is governed by the NHS Records Management Code of Practice — typically the lifetime of the patient plus ten years after death for GP records. The applicant invites the practice to confirm the retention schedule applied in practice and the basis for any longer retention (research, audit, statutory inquiry).
7. THIRD-PARTY REDACTION LIMITS AND SERIOUS-HARM TEST.

The Data Protection Act 2018 Schedule 3 Part 2 paragraph 6 governs the limited redaction of third-party clinical information and the serious-harm exemption. The practice may redact information that identifies a third party only where the third party has not consented and where disclosure would be unreasonable; the serious-harm exemption applies only where disclosure is likely to cause serious harm to the physical or mental health of the data subject or another person.

(a) Redaction principles:
The applicant accepts the practice may redact information that identifies a third party only where the third party has not consented and where disclosure would be unreasonable. The applicant does not accept redaction of clinician notes that pertain to the applicant herself or redaction of the applicant's own contributions to the record. The applicant requests a redaction schedule identifying the redactions made and the basis for each.

(b) Clinician notes position:
Clinician opinion concerning the applicant is the applicant's own personal data under the UK GDPR. It is not third-party data merely because a clinician recorded it. ICO published guidance on health-data SARs confirms that clinical opinion is generally disclosable. The applicant invites the practice to apply the disclosure principle to all clinician notes within the date range.

(c) Serious-harm test position:
The applicant does not anticipate any serious-harm exemption being engaged on these facts. The serious-harm exemption under the Data Protection Act 2018 Schedule 3 Part 2 paragraph 6 requires a documented likelihood of serious harm to the physical or mental health of the data subject or another person — not mere embarrassment or unease. The exemption is to be applied narrowly per ICO guidance.
8. MANIFESTLY UNFOUNDED OR EXCESSIVE REFUSAL REBUTTAL.

Article 12(5) of the UK GDPR permits the practice to refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive. Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 and Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 confirm the narrow ambit of any "disproportionate effort" defence and that the motive of the applicant is generally irrelevant to access.

(a) Proportionality argument:
The request is proportionate — a defined date range, defined record categories, willingness to accept a single secure-email pack and willingness to discuss phased delivery for very large records. The applicant has narrowed the request to the categories relevant to the personal injury and occupational health claims rather than seeking exhaustive records on every collateral matter.

(b) Motive irrelevance position:
Per Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, the motive of the applicant is generally irrelevant to access. The applicant is entitled to the records regardless of the personal injury or occupational health context, subject only to the manifestly unfounded threshold. The motive cannot be used as a basis to refuse or to limit the scope of disclosure.

(c) Search obligation position:
The practice owes a reasonable and proportionate search obligation per Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121. This includes structured records on the EMIS or SystmOne clinical system, scanned correspondence on the Docman or equivalent system, and free-text problem entries. The obligation does not extend to exhaustive search of every clinician personal note unless the applicant identifies a specific entry of interest.
9. ICO ESCALATION PATH AND ENFORCEMENT REMEDY.

If the practice refuses, delays beyond the statutory window or applies excessive redaction, the applicant may complain to the Information Commissioner under the Data Protection Act 2018. The ICO publishes guidance on health-data subject access and enforces the access right by information notice and enforcement notice.

(a) Escalation timeline:
If no response is received within the one-month statutory window or any properly notified complexity extension, the applicant will allow seven additional days for any practice administrative delay, then request internal review by the Practice Manager, then escalate to the Information Commissioner under the Data Protection Act 2018 within a reasonable time. The total escalation window is targeted at four months from the request date.

(b) Enforcement remedy sought:
The enforcement remedies sought from the ICO are (a) an information notice directing disclosure of the withheld material; (b) an enforcement notice requiring an audit of the practice subject-access process; and (c) a financial penalty where the failure is serious or systemic. The applicant also reserves the right to County Court compensation under section 168 of the Data Protection Act 2018 where loss has been caused.

(c) Judicial review backup:
The applicant has the option of a private law claim against the practice for breach of the access right under the Data Protection Act 2018 and the County Court route for compensation where loss has been caused. Judicial review against the ICO decision (if adverse to the applicant) is a further backup route subject to the three-month CPR 54.5 window and standing requirements.
10. CONCLUSION AND ACKNOWLEDGEMENT REQUESTED.

The applicant invites the practice to acknowledge this request by return, to confirm identity verification (so the response deadline can be calculated from a fixed start), and to provide an estimated response date. Any complexity extension under Article 12(3) must be notified to the applicant with reasons within the first month. The applicant looks forward to receiving the response within the published timetable.
APPLICANT
Yasmin Caroline Ashworth
Date: ____________________

Available as a print-ready PDF or an editable Microsoft Word (.docx) file.

What Is a Subject Access Request to a GP?

A Subject Access Request (SAR) is the United Kingdom statutory right of access under Article 15 of the UK GDPR — the right of any data subject to obtain confirmation from a controller of whether personal data concerning that subject is being processed and, where it is, access to that personal data together with supplementary information about the purposes, recipients, retention, lawful basis and source. The right is supplemented by the Data Protection Act 2018 (DPA 2018) and the Schedule 3 exemptions which structure the way GP practices handle health-data requests. The right of access is a fundamental data-protection right.

The GP practice is the data controller for the records of its registered patients. The Data Protection Officer (DPO) or the Practice Manager handles SARs in practice. The statutory response window runs from verified receipt of the request — the practice must respond without undue delay and at the latest within the published one-month window, extendable by a further two months for complex or numerous requests with reasons notified in the first window under Article 12(3) of the UK GDPR. Since 25 May 2018 there is no fee for the first copy of personal data — the previous Data Protection Act 1998 fee regime (up to GBP 50 for paper records) was repealed. A reasonable fee may be charged only for further copies or for requests that are manifestly unfounded or excessive under Article 12(5).

Health data is special category data under Article 9 of the UK GDPR. The lawful basis for processing by the GP practice is typically Article 9(2)(h) — provision of health or social care — read with the safeguards in DPA 2018 Schedule 1 Part 1 paragraph 2. Third-party redaction is limited — DPA 2018 Schedule 3 Part 2 paragraph 6 permits redaction of information identifying a third party only where the third party has not consented and disclosure would be unreasonable, and the serious-harm exemption applies only where disclosure is likely to cause serious harm to the physical or mental health of the data subject or another person. Per Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 and Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 the "disproportionate effort" defence is narrowly drawn and the motive of the applicant is generally irrelevant. Deceased-patient records are governed by the Access to Health Records Act 1990 for personal representatives and persons with a claim arising out of the death.

What's Covered in This Template

Our United Kingdom SAR to GP template builds a structured request letter covering applicant and patient details, records sought (date range and category), format preferred, identity verification and delivery method, with four Expert clauses on Article 9 special category protections, third-party redaction limits, manifestly unfounded refusal rebuttal and the ICO escalation path.

Applicant and Patient Details

Captures applicant identification — name, address, contact, date of birth and NHS number — and the status of the request (living patient for own records, personal representative of deceased patient under the Access to Health Records Act 1990, or parent / person with parental responsibility for a minor child without competent capacity to consent).

Records Sought — Date Range and Category

Captures the date range (start and end dates) and the record category — full record from registration to date, specific consultations within the date range, test results and imaging reports, referral letters and discharge summaries, prescribing history and medication list, or combination of categories. Specific detail can be added to assist the practice in scoping the search.

Format Preferred — Paper / Secure Email / Portal

Captures the preferred format — printed paper copy, encrypted PDF by secure email, Patient Online Services portal download, or combination. Format notes capture encryption preferences (public PGP key on request, password-protected PDF with password supplied by separate channel) and accessibility requirements.

Identity Verification — Starts the Clock

Captures the primary identity evidence (United Kingdom or foreign passport, United Kingdom driving licence photocard, Biometric Residence Permit, EEA / Switzerland national identity card) and the secondary identity evidence (recent utility bill, council tax statement, bank statement, tenancy agreement or none). The statutory response window only begins once the practice has verified the applicant identity.

Delivery Method and Acceptance Terms

Captures the delivery method — posted hard copy, encrypted PDF by secure email, Patient Online Services portal download or collection in person — and the delivery address or email. Acceptance terms cover receipt by signing for the delivery, by email acknowledgement or by portal confirmation.

Article 9 Special Category Protections (Expert)

Expert clause structures the Article 9 special category protections. Health data is special category under Article 9 of the UK GDPR; the lawful basis is typically Article 9(2)(h) provision of health or social care read with DPA 2018 Schedule 1 Part 1 paragraph 2. The Article 15 access right cross-references this framework — the practice must provide a copy of the personal data together with supplementary information under Articles 13 and 14.

Third-Party Redaction Limits and Serious-Harm Test (Expert)

Expert clause holds the line on clinician notes. The practice may redact third-party identifiers only where the third party has not consented and disclosure would be unreasonable. Clinician opinion concerning the data subject is the data subject's own personal data — not third-party data merely because a clinician recorded it. The serious-harm exemption is to be applied narrowly per ICO published guidance.

Manifestly Unfounded or Excessive Refusal Rebuttal (Expert)

Expert clause pre-empts the "manifestly unfounded" deflection. Article 12(5) permits refusal or a reasonable fee only for requests that are manifestly unfounded or excessive. Per Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 and Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 the disproportionate-effort defence is narrowly drawn and the motive of the applicant is generally irrelevant.

ICO Escalation Path (Expert)

Expert clause pre-stages the ICO route. If the practice refuses, delays beyond the statutory window or applies excessive redaction, the applicant may complain to the Information Commissioner under the Data Protection Act 2018. The ICO publishes guidance on health-data subject access and enforces the access right by information notice, enforcement notice and (in serious cases) financial penalty.

Deceased-Patient Route — AHRA 1990

The UK GDPR applies only to the personal data of living individuals. Deceased-patient records are governed by the Access to Health Records Act 1990 — the personal representative of the deceased and any person with a claim arising out of the death may apply, subject to AHRA 1990 exemptions and the 12 months from death cut-off for non-representative applicants. The template accommodates the deceased-patient request as a status option.

Documents Enclosed Index

Pre-drafts the documents-enclosed index — identity documents (primary and secondary), grant of probate or letters of administration where applicable, parental responsibility document where applicable. The bundle is sized to allow the practice to verify identity and begin the search without further correspondence.

Response Acknowledgement Request

Pre-staged response acknowledgement request — the practice is invited to acknowledge receipt, confirm identity verification (fixing the response start date), provide an estimated response date and notify any Article 12(3) complexity extension with reasons within the first window.

How to Build a SAR to Your GP

Follow these steps to produce a structured United Kingdom Subject Access Request letter that lands the access right and pre-empts the common refusal grounds.

  1. Capture Your Details and the Basis of the Request

    Record your full name, address, contact details, date of birth and NHS number. Pick the basis — living patient for your own records, personal representative of a deceased patient under the Access to Health Records Act 1990, or parent / person with parental responsibility for a minor child without competent capacity to consent.

  2. Scope the Records Sought

    Record the date range (start and end dates) and the record category — full record from registration to date, specific consultations within the date range, test results and imaging reports, referral letters and discharge summaries, prescribing history and medication list, or combination. Add specific detail (consultation dates, named clinicians, referral pathways) to assist the practice in scoping the search.

  3. Pick the Format

    Pick the preferred format — paper copy, encrypted PDF by secure email, Patient Online Services portal download or combination. Add format notes (public PGP key on request, password-protected PDF with password supplied by separate channel, accessibility requirements). Where the practice prefers a different format on accessibility or proportionality grounds, invite the practice to discuss alternatives in advance.

  4. Supply Identity Evidence

    Pick the primary identity evidence (passport, driving licence photocard, Biometric Residence Permit, national identity card for EEA / Switzerland) and the secondary identity evidence (utility bill, council tax statement, bank statement, tenancy agreement or none). The response window only begins once the practice has verified your identity — supplying identity evidence with the request avoids front-loaded delay.

  5. Pick the Delivery Method

    Pick the delivery method — posted hard copy, encrypted PDF by secure email, Patient Online Services portal download or collection in person. Add the delivery address or email if different from the address recorded above. Where collection is preferred, set out the collection arrangement (Practice Manager appointment, ID checks on collection).

  6. Engage Article 9 Special Category Protections (Expert)

    Expert clause. Health data is special category under Article 9 of the UK GDPR. The lawful basis is typically Article 9(2)(h) provision of health or social care read with the DPA 2018 Schedule 1 safeguards. Pre-stage the position so the response pack includes the supplementary information required by Articles 13 and 14 of the UK GDPR (purposes, recipients, retention, lawful basis, source).

  7. Hold the Line on Third-Party Redaction (Expert)

    Expert clause. The practice may redact third-party identifiers only where the third party has not consented and disclosure would be unreasonable. Clinician opinion concerning you is your own personal data — not third-party data merely because a clinician recorded it. The serious-harm exemption is narrow — it requires a documented likelihood of serious harm, not mere embarrassment or unease.

  8. Pre-Empt the Excessive Refusal Deflection (Expert)

    Expert clause. Article 12(5) permits refusal or a reasonable fee only for requests that are manifestly unfounded or excessive. Pre-empt the deflection by framing the request as proportionate — narrowly drawn date range, defined record categories, willingness to discuss format and phased delivery for very large records. Per Dawson-Damer the motive of the applicant is generally irrelevant.

  9. Pre-Stage the ICO Escalation Path (Expert)

    Expert clause. If the practice refuses, delays beyond the statutory window or applies excessive redaction, complain to the Information Commissioner under the Data Protection Act 2018. The ICO publishes guidance on health-data subject access and enforces the access right by information notice, enforcement notice and (in serious cases) financial penalty. The County Court route for compensation under section 168 of the DPA 2018 is available where loss has been caused.

  10. Send the Letter and Track the Window

    Send the letter by recorded delivery or secure email. Invite the practice to acknowledge receipt by return and to confirm identity verification (fixing the start date for the response window). Track the published statutory window and any Article 12(3) complexity extension notified in the first window. Escalate to the ICO if no response arrives within the window.

Legal Considerations — Subject Access Request to GP

The right of access is a fundamental data-protection right under Article 15 of the UK GDPR, supplemented by the Data Protection Act 2018. The right is enforced by the Information Commissioner (ICO) under the DPA 2018 and is justiciable in the County Court for compensation under section 168 of the DPA 2018 where loss has been caused.

This template is for general information and does not constitute legal advice. Subject Access Requests in healthcare involve substantive data-protection law, the Article 9 special category protections, the DPA 2018 Schedule 3 health-data exemptions and the ICO published guidance. Where the request engages complex redaction, serious-harm exemption analysis or deceased-patient AHRA 1990 issues, advice from a solicitor experienced in data protection or healthcare records, the ICO published guidance on health-data SARs, or the British Medical Association (BMA) guidance on SARs is recommended. The Citizens Advice service provides free first-tier guidance; the ICO website at ico.org.uk publishes detailed guidance and a complaints route.

Reviewed for the United Kingdom (England, Wales, Scotland, Northern Ireland)

Statutory Basis — UK GDPR Article 15 and DPA 2018

Article 15 of the UK GDPR confers the right of access on the data subject. The right is supplemented by the Data Protection Act 2018 — section 45 covers the right of access under Part 3 law-enforcement processing; Schedule 3 covers the health-data exemptions; Schedule 1 covers the substantial-public-interest conditions including health and social care purposes; sections 165 and 168 cover the ICO complaint and County Court compensation routes respectively. The right is one of a suite of data-subject rights including rectification, erasure, restriction and portability.

Statutory Window and Complexity Extension

The practice must respond without undue delay and at the latest within one month of verified receipt of the request. The window is extendable by a further two months under Article 12(3) where the request is complex or numerous, with reasons notified to the applicant within the first month. Identity verification is a precondition — the window does not begin until the practice has confirmed the applicant identity. Supplying identity evidence with the request avoids front-loaded delay.

No Fee Since 25 May 2018

Since 25 May 2018 there is no fee for the first copy of personal data under Article 15 of the UK GDPR. The previous Data Protection Act 1998 fee regime (up to GBP 50 for paper records) was repealed. A reasonable fee may be charged for further copies or for requests that are manifestly unfounded or excessive under Article 12(5). The "manifestly unfounded" threshold is high — Ittihadieh and Dawson-Damer narrow the disproportionate-effort defence and confirm that the motive of the applicant is generally irrelevant.

Article 9 Special Category and DPA 2018 Schedule 1

Health data is special category data under Article 9 of the UK GDPR. The lawful basis for processing by the GP practice is typically Article 9(2)(h) provision of health or social care read with the safeguards in DPA 2018 Schedule 1 Part 1 paragraph 2 (health and social care purposes). The Article 15 access right cross-references this framework — the supplementary information required by Articles 13 and 14 of the UK GDPR (purposes, recipients, retention, lawful basis, source) must accompany the response. The supplementary information is itself a check on excessive processing.

Third-Party Redaction and the Serious-Harm Exemption

DPA 2018 Schedule 3 Part 2 paragraph 6 governs the limited redaction of third-party clinical information and the serious-harm exemption. The practice may redact information that identifies a third party only where the third party has not consented and where disclosure would be unreasonable. The serious-harm exemption applies only where disclosure is likely to cause serious harm to the physical or mental health of the data subject or another person — not mere embarrassment or unease. The threshold is high and the exemption is to be applied narrowly per ICO published guidance.

Deceased Patient — Access to Health Records Act 1990

The UK GDPR applies only to the personal data of living individuals. Requests concerning the health records of a deceased patient are governed by the Access to Health Records Act 1990 — the personal representative of the deceased and any person with a claim arising out of the death may apply for the records subject to the AHRA 1990 exemptions (information likely to cause serious harm, third-party information, records made before 1 November 1991) and the 12 months from death cut-off for non-representative applicants.

Build Your Subject Access Request to Your GP

Produce a structured United Kingdom Subject Access Request letter to your GP practice Data Protection Officer or Practice Manager under Article 15 of the UK GDPR and the Data Protection Act 2018 — applicant and patient details (self / personal representative under Access to Health Records Act 1990 / parent of minor child), records sought (date range, record category, specific detail), format preferred (paper / encrypted PDF by secure email / Patient Online Services portal), identity verification (primary and secondary evidence), delivery method, and four Expert clauses on Article 9 special category protections with the Article 9(2)(h) lawful basis and DPA 2018 Schedule 1 Part 1 paragraph 2 safeguards, third-party redaction limits and the narrow serious-harm exemption under DPA 2018 Schedule 3 Part 2 paragraph 6, manifestly unfounded or excessive refusal rebuttal under Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121 and Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, and the ICO escalation path with information notice, enforcement notice and County Court compensation under section 168 of the DPA 2018.