

Practices will have to provide information requests for free under new legislation



New European legislation will ban GPs from charging for providing personal data, in a move that could cost practices into the tens of thousands a year. 

The European General Data Protection Regulation (GDPR), which comes into force next May, scraps the fees that data providers can charge people for their information.

The new rules mean practices will have to provide a free electronic copy of a patient’s data, instead of charging fees of up to £50 per ‘subject access request’.

This is despite GPs estimating that the requests can cost practices up to £80 a time.

The European Union says that the change in legislation is designed to ‘protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy’.

However, GP leaders have warned that this is likely to increase the number of requests coming in.

Former GPC IT subcommittee chair Dr Grant Ingrams said: ‘Despite GPs campaigning for years that they should not personally have to bear the cost of [subject access requests] by patients it is disappointing that even the minimal amount that GPs could charge is being swept away.

‘This will result in an increase in the number of requests and practices being significantly out of pocket. Coming at a time when practices are already on their knees this could be the last straw for some.’

Telford practice manager and practice partner Clive Elliott warned that practices will be left shouldering the burden of providing patients’ data, which will have a knock-on impact on frontline services.

It already costs his practice £80 a time to deal with a subject access request, with costs including staff time and redaction of third party data.

He estimates that the average practice currently subsidises the cost of SARs by £8,000 – a sum that will rise once demand increases when the requests are free for patients.

He told Pulse: ‘All of these costs have risen with no corresponding increase in funding for processing SARs whilst the maximum charge has remained the same for many years.

‘This gives all NHS organisations a stark choice: ask private sector profit making companies such as solicitors, limited companies and others including solicitors ‘service companies’ to make a contribution to cover the true cost or divert scarce NHS funding away from patient care to, in effect, subsidise the work of profit making organisations.

‘If this is implemented, in a small practice such as ours we estimate it will cost us £12,000 taken from front line services to meet administration for others to profit from.

‘For us, this will mean the loss of a member of staff or we will simply not be able to deliver the service under the new legislation.’

BMA’s professional fees committee chair Dr Peter Holden told Pulse: ‘Medical records are not just a list of payments or transactions but a diary of somebody’s life which often includes third-party information.

‘In an ideal world of course patients would be able to obtain their records but only after the doctor had redacted them for any third party information. All of that takes time and money neither of which does the NHS possess in any spare capacity.’

He said GPs will face the bill ‘as unlike other businesses they are unable to adjust their pricing structure to factor in what might more broadly be called costs of compliance.’

What is the GDPR?

The European General Data Protection Regulation (GDPR), which comes into force next May, scraps the fees data providers can charge people for their information.

The new rules ‘are aimed at uniformly strengthening citizens’ rights while reducing burdens for companies and public authorities as well as adapting rules to the challenges of the digital era,’ according to the European Parliament.

It beefs up the rules which were introduced in 1995 before the digital revolution.

‘This change is a dramatic shift to data transparency and empowerment of data subjects,’ according to the EU GDPR website.

NHS Digital has published guidance on the legislation.

The new rules mean that patients can find out if their data is being processed, where it is being used and the reason why.

Providers will also have to hand over the information within 30 days, instead of the current 40 days.

Organisations which breach the legislation could be fined up to 4% of their turnover.

Other moves include ‘clear and affirmative consent’ for the processing of private data, the right to know when data has been hacked and to object to profiling.