When it’s ok to access patients’ medical files – and when it’s not.
Data protection law covers medical records, which are classed as sensitive personal information, or special category data, alongside other personal details such as race, ethnic origin, sexual orientation and trade union membership.
Accessing medical records is a vital part of a patient’s experience and is integral to forming a care plan for most health and social care professionals. In the UK, the NHS grants certain job roles authorised use of systems such as SystmOne, EMIS, EPIC, Vision and various other software in order to achieve their objectives of patient treatment and, often, ongoing care.
How does data protection impact access to personal data such as medical records?
Several key pieces of legislation allow medical and social care professionals to access records lawfully, but only under specific conditions—primarily when it is necessary for providing care, and with appropriate safeguards for confidentiality and data protection.
The Caldicott Principles are a well-established ethical framework guiding the use of patient information. Key principles include:
- Only accessing patient data on a need-to-know basis
- Being able to justify the purpose for access, under legitimate reasons
- Only using the minimum necessary information
Under UK GDPR, the legal bases for accessing patient data may come under:
- Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Article 9(2)(h) – Processing of special category data (e.g. medical records) is allowed when necessary for the provision of health or social care or treatment.
Access must always be necessary, proportionate, and used only for the purpose of direct care, or for a valid legal reason.
The Data Protection Act 2018 complements the UK GDPR and provides rules about how health and social care data, such as medical records, can be processed as well as requirements for data minimisation, security, and accountability. There are also specific provisions for confidential patient information.
Specifically within the NHS, the Health and Social Care Act 2012 allows the sharing of information between NHS organisations for planning and delivering services. This may mean one department accessing records of treatment given in another, such as GPs accessing x-rays or Emergency Department notes. Again, this must only be for necessary and proportionate purposes.
The Access to Health Records Act 1990 governs access to the medical records of deceased patients, and the Caldicott Principles also apply in that case.
In addition, the common law duty of confidentiality means patient information is always considered confidential, and:
- Can only be shared with the patient’s consent, or
- If it is required by law, or
- If it is in the public interest, or
- For direct and necessary patient care where the patient may not be able to consent (implied consent usually applies in this case).
In summary, healthcare professionals must only access medical records when it is directly related to patient care or with explicit authorisation.
Healthcare professionals are legally allowed to access patient records only when it is necessary, namely when:
- Providing direct care
- Performing official duties (with proper justification)
- Consent or another lawful basis is present
Improper access, even if only out of curiosity, can breach several of these laws and lead to disciplinary, professional and legal penalties. Data sharing is itself a risk, particularly when it is unnecessary or inappropriately managed, and can result in a data breach.
For those working in specific roles, BLS Stay Compliant offers training and guidance should it be needed (see our website for further details) and we can also support organisations directly through our managed services. If any of our services are of interest, please do get in touch.