Favourable changes regarding disclosure of medical records following GDPR

One piece of good news for clinical negligence practitioners is that their requests for medical records from healthcare providers should now be met free of charge, and more quickly than was sometimes the case pre-GDPR. Whilst the previous statutory charge of £50.00 (which applied except where the patient was deceased) was generally considered reasonable and had not been increased over the years, it could add up where there were large numbers of providers.

Authority for the change is at Chapter 3, Article 12 of the GDPR. Paragraph 5 reads: “Information provided under Articles 13 and 14…shall be provided free of charge”. Article 13 relates to personal data originating from the data subject and Article 14 to personal data originating elsewhere – medical records arguably could be both, but there is no need to go into this for the purpose of Article 12.

There is an exception to the free of charge principle, but only in the event of unfounded or excessive requests – effectively ‘nuisance’ or malicious approaches. Even then the burden is placed on the data controller to demonstrate that a (limited, administrative) fee is appropriate under the regulations so this looks unlikely to be sought in the context of a professional access request.

I have read that under GDPR, disclosure must be made within 30 days of the request being made. This would represent a considerable improvement on the previous position, in many cases. However when looking at the raw regulations they do not actually require substantive 30 day compliance. They say (Article 12, para 3) “The controller shall provide information on action taken on a request [including access to data] without undue delay and in any event within one month of receipt of the request”. This is not the same thing as providing the data itself within one month. Furthermore the same paragraph allows for a two month extension “where necessary” , again to provide information on action taken rather than provision of the data itself. In the absence of any meaningful deadline, it remains to be seen whether requests will actually be processed faster as appears to be the intention of the GDPR.