Introduction
In accordance with the General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by Merton Medical Practice; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
At Merton Medical Practice, we are committed to ensuring that you have access to your health records in a secure and convenient manner. Below, you will find information on how you can view your records and make Subject Access Requests (SARs).
iGPR Technologies Limited
Merton Medical Practice engages a data processor, iGPR Technologies Limited (“iGPR”), to support us in handling report requests related to your patient data. This includes subject access requests submitted by you (or on your behalf), as well as report requests from insurers under the Access to Medical Records Act 1988 in connection with a life insurance policy you hold or are applying for.
iGPR facilitates the reporting process on our behalf by reviewing and responding to these requests in compliance with applicable laws, including UK data protection legislation. We provide iGPR with general instructions on how to respond to such requests.
If you have any questions about this process, please don’t hesitate to contact us. If iGPR is processing your request, they will contact you directly.
Options for access
Since April 2016, GP practices have been required to provide patients with online access to their health records. This service allows you to view coded information contained in your medical record.
Before access can be granted, you will need to visit the practice in person to complete an identity verification process.
Subject Access Requests (SARs)
A Subject Access Request (SAR) allows you to request a copy of the personal information an organisation—such as our practice—holds about you. Under data protection laws, you have the right to know what data is being stored and how it is being used. This information will be provided to you free of charge.
If you wish to make a Subject Access Request to obtain a copy of your health records, please note the following:
- Making a Request: We prefer Subject Access Requests (SARs) to be submitted in writing by emailing us at swlicb.mertonmedical@nhs.net. This helps ensure we have a clear and documented record of your request. To verify your identity, please attach a photo of yourself holding your photo ID next to your face, with the ID clearly visible. Alternatively, you may visit the practice in person and speak with our reception team, who can assist you with submitting your request. Please note that photo ID will still be required when attending in person.
- Receiving a Request: Upon completion of the SAR, a member of our team will contact you and confirm how you would like to receive it. It can either be printed for collection or sent via password-protected e-mail.
- No Third-Party Sharing: Whilst we can accept Subject Access Requests (SARs) submitted by third parties on behalf of patients, our policy is not to share SAR responses directly with third parties. We believe it is important that patients are fully informed about the content of their records and what they are consenting to share. This is best achieved when patients receive and review their records themselves before deciding whether to forward them. There may be information within the records that patients were not previously aware of, and it is important that they have the opportunity to review this before sharing it with others.
- Preparing a Request: When you submit a SAR our practice aims to respond within one month. This is the standard timeframe set by data protection laws. However, there are certain circumstances where this period may be extended. If your SAR is particularly complex or involves a large amount of information, for example, we may need additional time to process it. In such cases, we are allowed to extend the response time by up to two additional months. Rest assured, we will notify you if an extension is necessary and keep you informed of the progress. In rare cases, we may be unable to fulfil a Subject Access Request (SAR). This could be due to legal restrictions or if the request is considered excessive or unfounded. If we need to reject your request, we will provide you with a clear explanation and inform you of your rights in such situations.
- Redacting Confidential Information: In preparing your SAR, we must ensure that any confidential information related to other individuals is protected. This means we may need to redact, or black out, any third-party identifiable data to maintain their privacy. This process ensures that only your personal information is shared with you.
- Charges for Repeated Requests: If you have previously submitted a Subject Access Request and received your personal information for a specific time period, any further requests for the same time period may incur a charge. This charge is based on the time and resources required to prepare the information again. However, if your new SAR covers a different time frame that was not included in the previous request, this will be processed without any charge. We aim to ensure transparency and fairness in handling your requests while managing the resources involved.
If you have any questions or need assistance with accessing your records, please do not hesitate to reach out to us. We are here to help!
Viewing Your Records via the NHS App
Patients registered with our practice can view their prospective health records through the NHS App. This includes data from the time you joined our practice. Please note that if you transfer to another practice, your access to prospective data will reset, and you will need to re-establish access with your new practice.
To get started with the NHS App:
- Download the NHS App from your app store.
- Follow the registration process to link your account with our practice.
- Once registered, you can view your health records, book appointments, request your repeat medication and more.
Time frame
Once the DSAR form is submitted, Merton Medical Practice will aim to process the request within one month; however, this may not always be possible. If the request is complex, the maximum extension permitted for processing a DSAR is an additional two calendar months. Patients will be informed if this is needed, and an explanation as to why will also be provided.
Exemptions
There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.
Data controller
At Merton Medical Practice, the Practice Manager serves as the Data Controller. If you have any questions regarding access to your medical records, please ask to speak with the named Data Controller, who will be happy to assist you.
Data Controller is Merton Medical Practice
Data Protection Officer is Laura Watson (IG & GP DPO)