Case file: Advice

Printed scan report

Patient in a CT scanner
  • Date: 25 October 2022
  • |
  • 2 minute read


Dr K has recently started a new job as a staff grade physician at a small hospital. He contacts MDDUS in regard to an incident at work.

Following a consultation with a patient during which the findings of the patient’s recent CT scan were discussed, Dr K agreed to the patient’s request to print out and hand over a copy of the CT scan report.

Later he was taken aside by his line manager and told this was not permitted. Such reports could only be released with a written application to the local health authority.

Dr K believes that he should be allowed to provide copies of such reports upon immediate request from patients. He asks MDDUS for clarification of the legal position.


An MDDUS adviser writes back to Dr K. She clarifies that disclosure of scan reports to patients would be compliant with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. The patient as a data subject is entitled to their medical information under a subject access request (SAR) but there is no requirement under either legislation for this request to be actioned immediately. Guidance from the Information Commissioner’s Office states that an organisation must comply with a SAR without “undue delay” and within one month of receiving a request.

As such, whilst a patient may be entitled to request a copy of their scan report, they would not necessarily be entitled to receive it upon immediate request. There is no prohibition under the legislation to printing out a scan report for a patient during a consultation but this would be at the discretion of the individual healthcare provider and a matter of local policy.


  • GDPR (UK) gives people the right to know what personal information an organisation has about them and a right to have a copy of that information.
  • Recognise when a patient has made a subject access request, which does not have to be in writing and can be made verbally.
  • Organisations must comply with a subject access request (SAR) for personal data within one month.
  • Immediate access to health records would be at the discretion of the data holder and a matter of local policy.
  • The clinical records should contain an entry noting that a SAR has been made and what, if anything, was disclosed in response. If the clinician decides not to disclose anything during the appointment, the patient should be signposted to the appropriate avenue for making the SAR, in line with local policy.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Related Content

GDPR for independent self-employed doctors and private hospital consultants

Assessing capacity

Raising concerns

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

For registration, or any login issues, please visit our login page.