Skip to main content

Accessing your medical records

Introduction

In accordance with the General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by Merton Medical Practice; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Access to any other supplementary information held about them

At Merton Medical Practice, we are committed to ensuring that you have access to your health records in a secure and convenient manner. Below, you will find information on how you can view your records and make Subject Access Requests (SARs).

iGPR Technologies Limited

Merton Medical Practice use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests. Please do contact us if you have any queries in this regard. IGPR will contact you directly if they are processing your request.

Options for access

As of April 2016, practices have been obliged to allow patients access to their health record online. This service will enable the patient to view coded information held in their health record. Prior to accessing this information, you will have to visit the practice and undertake an identity check before being granted access to your records.

Subject Access Requests (SARs)

A Subject Access Request (SAR) is a way for you to ask an organisation, like ourselves, to provide you with a copy of the personal information they hold about you. It’s your right under data protection laws to see what data is being kept and how it’s being used, and will be provided free of charge.

If you wish to make a Subject Access Request to obtain a copy of your health records, please note the following:

  • Making a Request: We prefer SARs to be submitted in writing, by e-mailing us on swlicb.mertonmedical@nhs.net.  This ensures that we have a clear and documented request from you. Please note you will need to provide photographic proof of identification, which can be done by attaching a picture of you holding up your photo ID clearly visible next to your face. Alternatively, please come in person and speak with our reception team who can take your request in person.  Please note we will still require photo ID when you attend in person.
  • Receiving a Request: Upon completion of the SAR, a member of our team will contact the patient and confirm how they would like to receive the SAR.  This can either be printed for collection, or sent via password protected e-mail.
  • No Third-Party Sharing: Whilst we can accept SARs from third parties on behalf of patients, our policy is to not share SARs with third parties. We believe that patients should be fully informed of what they are consenting to, and this is best achieved once they have their records in hand.  There will invariably be information patients may not be aware of, and this should be reviewed by patients before forwarding the SAR.
  • Preparing a Request:  When you submit a SAR our practice aims to respond within one month. This is the standard timeframe set by data protection laws. However, there are certain circumstances where this period may be extended.  If your SAR is particularly complex or involves a large amount of information, we may need additional time to process it. In such cases, we are allowed to extend the response time by up to two additional months. Rest assured, we will notify you if an extension is necessary and keep you informed of the progress.  There may be rare instances where we are unable to fulfil a SAR. This could be due to legal reasons or if the request is deemed excessive or unfounded. If we need to reject your request, we will provide you with a clear explanation and inform you of your rights in such situations.
  • Redacting Confidential Information: In preparing your SAR, we must ensure that any confidential information related to other individuals is protected. This means we may need to redact, or black out, any third-party identifiable data to maintain their privacy. This process ensures that only your personal information is shared with you.
  • Charges for Repeated Requests: If you have previously submitted a Subject Access Request and received your personal information for a specific time period, any further requests for the same time period may incur a charge. This charge is based on the time and resources required to prepare the information again.  However, if your new SAR covers a different time frame that was not included in the previous request, this will be processed without any charge. We aim to ensure transparency and fairness in handling your requests while managing the resources involved.

If you have any questions or need assistance with accessing your records, please do not hesitate to reach out to us. We are here to help!

Viewing Your Records via the NHS App

Patients registered with our practice can view their prospective health records through the NHS App. This includes data from the time you joined our practice. Please note that if you transfer to another practice, your access to prospective data will reset, and you will need to re-establish access with your new practice.

To get started with the NHS App:

  1. Download the NHS App from your app store.
  2. Follow the registration process to link your account with our practice.
  3. Once registered, you can view your health records, book appointments, request your repeat medication and more.

Time frame

Once the DSAR form is submitted, Merton Medical Practice will aim to process the request within 28 days; however, this may not always be possible. The maximum time permitted for an extension to process DSARs is an additional two calendar months if complex. Patients will be informed if this is needed and an explanation as to why is also provided.

Exemptions

There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.

Data controller

At Merton Medical Practice the data controller is the Practice Manager and should you have any questions relating to accessing your medical records, please ask to discuss this with the named data controller.

Data Controller is Merton Medical Practice

Data Protection Officer is Umar Sabat

Published: 09/12/24

Review: 09/12/25

Page published: 9 January 2024
Last updated: 14 March 2025