Online access to medical records

The right of patients to seek access to their medical records is governed by data protection law.

GP contract holders will soon be required to  make online access to patients’ full digital data available via the NHS App.  Full records access can include coded information, free text, consultations and documents.

Data protection legislation says access can only be limited or denied if:

  • it would be likely to cause serious harm to physical or mental health of the data subject or another individual – except for information of which the patient is already aware
  • it gives information about a third party, other than healthcare professionals involved in the treatment, unless that other person consents, or it is reasonable in all the circumstances to disclose without the third party’s consent.

Records should be checked carefully and any sensitive data redacted before online access is switched on.

GP practices will continue to be able to redact individual free-text consultation notes, clinical codes and documents from patient view, or amend a patient’s access after the changes have been made.



While enabling patients to view their medical records through the NHS App will be beneficial to many patients, there may be challenges for a some. This is especially true in relation to safeguarding vulnerable adults, as the record may contain information that is confidential and sensitive, which the patient must not see, or could be harmful if the patient is unable to keep their record secure, such as in cases of coercion. The importance of safeguarding patients from harm is paramount. It may be appropriate to redact specific information entered into the GP medical record or prevent the patient from having access.

It is not advisable to register a patient for online access if you suspect they are being coerced into making the request.

In this situation, you will need to discuss your decision with the patient.

Third party access

If someone requests access to online records on the patient’s behalf, they should be asked for evidence of their authority to act for the patient. This might be the patient’s written consent or the necessary legal authority (such as a certificate of Lasting Power of Attorney).

Guidance from the RCGP suggests that full access for those with parental responsibility should automatically be switched off when a child reaches age 11.  Full access to the medical record via the NHS App will be available for those aged 16 and above.

The age at which a child becomes competent will vary and it will be important to keep any access by those with parental responsibility under regular review.

If someone with parental responsibility requests access to the records of a competent child, the child’s consent should be sought.