Requests for medical records: GDPR, personal data, data controllers and processors

A court has ruled that an application for pre-action disclosure of a patient’s medical records should be dismissed. Data controllers and processors take note.

This case clarifies the grounds for disclosure against a non-party, in this case a GP practice. While the decision is fact-specific, it serves as a reminder of the rules around disclosure of special category personal data, including the extent of disclosure in light of GDPR.

Distilled to its essence, the applicant was attempting to use the application procedure to put pressure on a GP practice, Barwell & Hollycroft medical centres, as part of a long-running dispute over the correct interpretation of the General Data Protection Regulation regarding the lengths to which a data controller must go to provide access to personal data. The court was clear that the application should never have been brought and also awarded the medical centres a significant sum towards their costs.

The context

The claimant made an application for pre-action disclosure against Barwell & Hollycroft, seeking her entire medical records. The medical centre had received the request in late 2018, processed it and left a copy at reception for the claimant to collect with photo identification. The claimant refused to collect the records, ostensibly on the orders of her solicitors. Her solicitors demanded that the medical centre courier the records to her. The medical centre refused, at which point the copy records waited at reception for months, during which time the claimant, who lives 0.1 miles away, visited the GP surgery 11 times.

An application was brought for pre-action disclosure, in line with expectations set out in the Pre-action Protocol for Personal Injury Claims, seeking delivery of the documents and costs.

The decision

The claimant’s solicitors contended that the claimant did not want to incur the expense of posting the medical records to the solicitors and that by requesting them to be supplied directly, it may avoid any allegation that she had tampered with the records.

The judge found these submissions “surprising” and the suggestion that there would be allegations of tampering “fanciful”. The judge said the proportionate thing for the claimant to do would be not to make this application (incurring significant costs) but to collect and courier/post the documents herself.

It was also argued that the GP practice had not fulfilled its obligations under the General Data Protection Regulation. However, the judge did not need to deal with the GDPR point because the matter could be dealt with under the Civil Procedure Rules.

Specifically, CPR 31.17 indicates that for disclosure against a non-party, the court may make an order only where:

  • the documents sought are likely either to support the case of the applicant or adversely affect the case of one of the other parties to the proceedings (this is not a contentious point, as it is common practice in every case of alleged medical negligence for medical records to be reviewed); and
  • it is necessary to dispose fairly of the claim or to save costs.

The judge was clear that there was no necessity here (so the second limb of rule 31.17 was not made out) given the close proximity of the claimant to the surgery, the fact that the medical records had been freely awaiting collection for months at reception, and the claimant had attended the medical practice 11 times and failed to collect despite knowing that they were there.

Comment: wider issues

This case raises a number of interesting issues which were not explored but do need to be addressed.

Requests on the rise

A patient’s request to access their records (ie via a Subject Access Request, or SAR) must be processed free of charge and within a month under the new data protection regime. It therefore comes as no surprise that medical practices have reported a notable increase in SARs since the GDPR. Why? Lawyers are increasingly submitting SARs on behalf of clients to support legal claims. GPs want to act in the best interests of their patients and, so far, are not making much use of the right to refuse or charge for repeated requests as permitted by GDPR. However, processing these requests increases workload and drains GP resources and finances.

Protection of medical data

The issue as to whether GPs should be releasing special category personal data to anyone but the patient, except in exceptional circumstances, is a topic of contention. Inappropriate release of medical data can have life-altering consequences. Many patients are not aware of the content of their records, and may wish to review their records before deciding whether they do, in fact, want to hand them to third parties (including solicitors). Current conventions expect that full records will be released to solicitors – processing to which the patient may not in fact consent if they knew what data they contained.

Requests from legal advisers for specific purpose

Legal advisers have duties too. The question as to whether it is excessive for legal representatives to demand to see an entire medical record for every case may need additional scrutiny. Data protection principle three requires that data controllers (such as solicitors) only seek to obtain data limited to what is necessary for them to do their job. Processing of special category data for legal claims must also generally be necessary. It may be the case that entire records are in fact required. However, in a case based on failure to diagnose a fracture (such as the claimant was hoping to bring in this case), whether they were immunised as a child, have suffered depression, or had the flu 10 years ago, does not on its face appear to be relevant.


The shift to electronic records, to which a patient can simply be given remote access, and from which they can make their own copies, will resolve many issues for GPs. At present, however, Lloyd George envelopes remain a significant part of medical life. All parties need to work together to find cost-effective solutions, noting that those requesting information should not refuse to engage with the process and that court processes should not be improperly invoked.

Mills & Reeve represented Barwell & Hollycroft medical centres in this litigation.


