6 British Medical Association Access to health records
4.8 Can a fee be charged?
Initial access must be provided free of charge (including postage costs) unless the request is
‘manifestly unfounded’ or ‘excessive’ – in which case a ‘reasonable’ fee can be charged. These
circumstances are likely to be rare and should be assessed on a case by case basis.
The ICO has advised us that a request may be deemed ‘manifestly unfounded’ if the requestor makes
it clear they are only requesting the information to cause disruption to the organisation or if the
requestor makes completely unsubstantiated accusations against the controller. If however, the
requestor has some form of genuine intention in obtaining their information, it is unlikely the request
could be deemed as manifestly unfounded.
A request could be deemed as ‘excessive’ if an individual was to receive information via a subject
access request (SAR), and then request a copy of the same information within a short period of time.
In this scenario, the organisation could charge a reasonable fee based on the administrative costs of
providing further copies or refuse the request.
4.9 When should information not be disclosed?
The GDPR read together with the Data Protection Act 2018 provides for a number of exemptions in respect
of information falling within the scope of a SAR. In summary, information can generally be treated as
exempt from disclosure and should not be disclosed, if:
– it is likely to cause serious physical or mental harm to the patient or another person; or
– it relates to a third party who has not given consent for disclosure (where that third party is not a health
professional who has cared for the patient) and aer taking into account the balance between the
duty of condentiality to the third party and the right of access of the applicant, the data controller
concludes it is reasonable to withhold third party information; or
– it is requested by a third party and, the patient had asked that the information be kept condential,
or the records are subject to legal professional privilege or, in Scotland, the records are subject to
condentiality as between client and professional legal advisor. This may arise in the case of an
independent medical report written for the purpose of litigation. In such cases, the information will be
exempt if aer considering the third party’s right to access and the patient’s right to condentiality, the
data controller reasonably concludes that condentiality should prevail; or
– it is restricted by order of the courts; or
– it relates to the keeping or using of gametes or embryos or pertains to an individual being born as a
result of in vitro fertilisation; or
– in the case of children’s records, disclosure is prohibited by law, e.g. adoption records.
The data controller must redact, or block out any exempt information. Depending on the circumstances, it
may be that the data controller should take steps to explain to the applicant how it has applied the relevant
exemption. However, such steps should not be taken if, and insofar as, they would in eect cut across the
protections aorded by the exemptions. Indeed, in some cases even conrming the fact that a particular
exemption has been applied may itself be unduly revelatory (e.g. because it reveals the fact that the
information sought is held where this revelation is itself unduly invasive of relevant third party data privacy
rights). There is still an obligation to disclose the remainder of the records.
While the responsibility for the decision, as to whether or not to disclose information, rests with the data
controller, advice about serious harm must be taken by the data controller from the appropriate health
professional. If the data controller is not the appropriate health professional, then the appropriate health
professional needs to be consulted before the records are disclosed. This is usually the health professional
currently or most recently responsible for the clinical care of the patient in respect of the matters which
are the subject of the request. If there is more than one, it should be the person most suitable to advise.
If there is none, advice should be sought from another health professional who has suitable qualications
and experience.
Circumstances in which information may be withheld on the grounds of serious harm are extremely
rare, and this exemption does not justify withholding comments in the records because patients may
nd them upsetting. Where there is any doubt as to whether disclosure would cause serious harm, the
BMA recommends that the appropriate health professional discusses the matter anonymously with an
experienced colleague, their Data Protection Ocer, the Caldicott Guardian, or a defence body.