Access to Personal Information (including Medical Notes)
You have a right, under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) to see any health and other personal information (e.g. Staff HR (Human Resources) Records) the organisation holds about you. To use this right, you can make what is known as a ‘Data Subject Access Request’ (DSAR).
You have the right to know whether or not we hold any information about you, and a right to have a copy of that information. You also have the right to know:
- What kind of information we keep about you
- The reason we are keeping it and how we use it
- Who gave us your information
- Who we might share your information with and who might see your information
- You also have the right to have any codes or jargon in the information explained by a medical professional.
How to Apply
NHS Fife has developed a Data Subject Access Request Form which should be completed and returned to the contact details below.
A guidance document is also available to assist with completing the application form. Please email Fife.email@example.com for a Subject Access Request Form and return to:
Or via email:
Who can make a Subject Access Request?
Only the following people may apply for access to personal information:
- The person who the information is about;
- Someone acting on behalf of the person that the data is about:
- a solicitor
- those with parental rights (parent or guardian)
- a patient representative (g. Patient Advocate) or
- a person appointed by a Court. (g. Power of Attorney, Incapacity Guardianship)
We will need to see evidence that you have the right to access these records and proof of your identity.
Applicants will be asked to provide photographic identification and proof of address before personal data is released.
Acceptable documentation is listed below. Please note, ONE document from each of the tables below should be provided.
Proof of identity
Acceptable identity documents:
- Current Passport
- Current Driving License
- National ID Card or other valid documentation relating to immigration status
- Current Bus Pass
- Signed photograph/confirmation of identity mandate by a professional person (i.e. Healthcare professional, solicitor, etc.)
- Student Card
Confirmation of address
- Recent Utility Bill
- Local Authority Council Tax Letter
- Driving License (if not already provided for proof of identity)
- Bank, Building Society or Credit Union statement
- Recent Mortgage Statement
For a third-party accessing data on your behalf a signed mandate must accompany the request.
In Scotland, a child can be considered to make their own decisions from 12 years old. Whether the child has the capacity to understand their rights, will be taken into account when responding to a DSAR.
If a child is competent, they can make a request or they may authorise an adult with parental rights, or other Third Party to make a DSAR on their behalf.
How long can I expect to wait for a response?
Under Article 13 UK GDPR, a Data Controller must respond to a DSAR “without undue delay and in any event within one calendar month of receipt of the request”. We may extend the time limit by a further two months in certain circumstances if:
- The request is complex
- We receive a number of requests from the individual
How much does it cost?
This is free. However, a charge can be made when a request is unfounded or excessive, particularly if it is repetitive.
What records can you see?
We can only provide records that are processed by NHS Fife. For records from any other health boards, please contact them directly.
You can apply for access to records that have been made about you, whether as a patient or a member of staff. You can ask for any information about yourself that you think is inaccurate or incomplete to be corrected or removed. Any abbreviations or jargon in the record can be explained to you by a medical professional.
Read more at - Health records | NHS inform
If you have records that are inaccurate or incomplete, you can contact the Information Governance and Security Department at the address below. Your request will be reviewed, and you will be informed of the outcome.
Can NHS Fife refuse to comply with my request?
In some circumstances, the UK DPA 2018 provides an exemption from UK GDPR provisions. If an exemption applies, we may not have to comply with all the usual rights and obligations. There are several different exemptions. They are detailed in Schedules 2-4 of the DPA 2018.
Whether or not we can rely on an exemption is dependent on the purposes for processing your personal data.
Here are some recognised reasons:
- If information in the record could cause you harm.
- If the record contains sensitive legal information.
- If your record contains information about another person, g. a letter about a family member.
Accessing records of deceased patients
The access to records of deceased patients is not included in the legislation above. The Access to Health Records Act, 1990 lays down strict guidance on what personal information can be provided to a third party regarding a deceased patient. Our application form has therefore been designed to provide us with sufficient information to ensure that we only provide access to those who are legally entitled to receive this.
The Access to Health Records Act gives certain people a right to see the health records of somebody who has died. These people are defined under section 3(1)(f) of that Act as:
- The patient’s personal representative. This will be the executor or administrator of the deceased person’s estate.
- Any person who may have a claim arising out of the patient’s death.
For further information on access to records you can contact:
The Information Governance and Security Dept - DSARSPOC
or email to: