What a SAR is
A Subject Access Request is the legal mechanism under UK GDPR Article 15 for you to obtain a copy of all personal data an organisation holds on you. In the NHS context that includes clinical notes, letters, test results, imaging reports, scanned documents, correspondence about you, complaint files, safeguarding notes, internal emails that name you, and recordings of phone calls.
It must be free of charge (Article 12(5)), supplied in an accessible format, and delivered within one calendar month of a valid request.
Which NHS bodies hold which records
Crucially, the NHS is not one record. You need to SAR each body separately:
- GP practice — your lifetime primary-care record. Address to the practice manager.
- Hospital trust — clinic letters, A&E attendances, operation notes, imaging. Each trust separately. Address to the data protection officer (often via PALS).
- Mental health trust — assessments, care plans, MHA records. Held entirely separately from the acute trust.
- Community services — district nursing, podiatry, MSK physio — usually a community trust or the integrated care board (ICB).
- Sexual health / gender / drug services — separate confidential records under their own data controller.
- ICB — funding decisions (CHC, IFR), complaints sent to the ICB.
- DWP — PIP and Universal Credit assessment papers including the HCP report. Address to DWP Subject Access Request, Mail Handling Site A, Wolverhampton WV98 2GY.
How to write the request
Email is fine — most NHS bodies prefer it. State the request clearly:
- Your full name, date of birth, NHS number, current address and any previous names/addresses during the period requested.
- The records you want — full record, or specific dates/clinicians/topics. Narrower = faster.
- Preferred format — PDF by secure email is fastest.
- The phrase "Subject Access Request under UK GDPR Article 15" — this triggers the formal clock.
- One photo ID plus one recent proof of address attached.
Copy-paste template
To: [Data Protection Officer / Practice Manager], [Body name and address].
Subject: Subject Access Request under UK GDPR Article 15.
Dear Data Protection Officer,
I am writing under Article 15 of the UK GDPR to request a copy of all personal data you hold about me, including my full medical record and all related correspondence, emails, decision-making notes, and recordings.
My details: [full name], DOB [date], NHS number [number], current address [address]. Previous address during the period requested: [if any].
I would prefer to receive this in digital format (PDF) by secure email or download link. Proof of identity and address is attached.
Please confirm receipt and provide the information within one calendar month as required by UK GDPR. If you intend to rely on an extension under Article 12(3), please notify me in writing with reasons within the original month.
Yours faithfully, [name]
The one-month rule (and the extension trap)
The clock starts the day they receive both the request and your ID. They have one calendar month — so a request received 12 June is due by 12 July. They can extend by up to two further months, but only for genuinely complex requests (a 30-year cross-trust mental health record might qualify; your last GP entry does not). The extension is only valid if they notify you in writing within the original month with a reason. No notice = no extension = late.
If you are refused or ignored
Common unlawful refusals: "we are too busy", "we charge £50", "you need to fill in our paper form", "you need to come in person". None of these are valid grounds under UK GDPR. Steps:
- Send a chase in writing referencing the original date and the one-month deadline.
- If still no response within 7 days, complain to the Information Commissioner's Office. The ICO is the UK GDPR regulator, free to use, and can issue enforcement notices.
- You can run an NHS complaint in parallel — see our formal complaint guide and our NHS complaints process.
Lawful narrow refusals: serious-harm exemption (a clinician judges disclosure would cause serious harm to your physical or mental health), third-party identification, ongoing investigation. The body must still tell you what they are withholding and why, and disclose everything else.
Records for a child, partner or deceased relative
- Child under 13: a parent with parental responsibility can SAR.
- Child 13+ with capacity: the child themselves consents; parental access usually requires the child's written agreement.
- Adult with capacity: only with their written consent or a registered Lasting Power of Attorney for health.
- Adult lacking capacity: a Court of Protection deputy or registered LPA for health can SAR on their behalf.
- Deceased person: UK GDPR does not apply. Use the Access to Health Records Act 1990 as personal representative of the estate or someone with a claim arising from the death.
Frequently asked questions
Is a SAR free?
Yes. Under UK GDPR Article 12(5) a Subject Access Request is free unless the request is manifestly unfounded or excessive (for example, repeat requests for identical data). 'We are too busy' is not a lawful reason to charge.
How long does an NHS body have to respond?
One calendar month from the date the request and identification are received. They can extend by up to two further months for genuinely complex requests, but only if they tell you within the original month.
What can I ask for in a SAR?
Any personal data the organisation holds on you: medical records (clinical notes, letters, results, imaging reports), correspondence about you, complaints files, safeguarding records, internal emails mentioning you by name, recordings of phone calls, and any decision-making records.
Can the NHS withhold parts of my record?
Only in narrow circumstances under the Data Protection Act 2018 Schedule 3 — for example if disclosure would cause serious harm to your physical or mental health, or would identify a third party who has not consented. They must still disclose the rest and tell you what they are withholding and why.
What if I am ignored or refused?
Complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. The ICO is free, regulates UK GDPR, and can issue an enforcement notice compelling disclosure.
Can I SAR someone else's record (parent, partner, deceased)?
Living adult with capacity — only with written consent or a registered Lasting Power of Attorney for health. Child under 13 — parent with parental responsibility. Deceased person — use the Access to Health Records Act 1990 instead, as personal representative of the estate.