Version 1.1, 12 May 2023

This guidance is part of the Information governance and data protection section of the Good practice guidelines for GP electronic patient records.

Redacting information for online record access

When GP records are shared with patients or their representatives (nominated proxy), the GP practice is responsible for ensuring that only appropriate information is disclosed.  To ensure this happens, information in both the existing record and any new items should be checked and where necessary, redacted.

These guidelines explain what redaction is, when it should be used, and the processes for doing this.

Most records will not have content that requires redaction.  For individual requests for full online record access (i.e. past, historic and current records) it is best practice for all of the record to be checked in advance of being shared.

What is redaction?

Redaction is the process of restricting access or ‘hiding’ information in the online viewer from the patient and anyone they have granted proxy access to.  It does not remove the information from the patient’s record. 

Most GP practices are familiar with redacting information from paper-based subject access requests (SARs).  The same principles and safeguards used for paper-based SARs apply to GP online records, except this is done by electronically tagging the information to be redacted.  The tags are then stored in the live clinical system they are entered in.  

It is important to note that these tags may not transfer between clinical systems in the event of the patient record transferring between registered GP practices.

While the patient or patient proxy cannot see the redacted information, it is still visible to clinicians and other authorised practice team members.

Before information is shared, sensitive information which could be harmful to a patient or is about or refers to other people (third parties) should be assessed, and a decision taken about whether or not to redact it.

Individual words, sentences, or paragraphs within an entry cannot be redacted.  The entire entry, for instance the consultation or document  must be either shared (visible online) or redacted i.e. made not visible online). 

Currently not all GP IT systems can redact medications effectively, if there is a need to redact medication, check you are able to do so with your GP IT system supplier documentation.  This may be particularly important for contraception such as post-coital contraception.

Practices should assume that all patients (or their proxies) will eventually have real-time (prospective) access and ensure that the redaction tests of ‘serious harm’ and third-party information are applied by anyone entering information into the patient record.  This will save time in the long run.

Abnormal test results should not be automatically filed in a patient record.  They should only be filed once they have been assessed by a clinician. 

If you are using a third-party document management system (e.g. DOCMAN) ensure that it is correctly configured.

What to redact

For most patients there will be very little or no information in their record that needs redacting. They are likely to be fully aware of the information recorded and shared about them, including hospital letters, test results, and information which refers to other people such as family history or a family letter.

There are few hard and fast rules with redaction.  Information that may be fine to share with one patient, may need to be redacted for another.  Issues to consider are whether:

  • the patient already knows about or has already had access to the information (if the answer is yes, then there is a strong argument that the information should not be redacted)
  • any information could be harmful to the patient
  • any information needs to be discussed with the patient before it is shared

Full records access may require a review of historical (retrospective) information (paper-based and/or digital) and new approaches to entering and filing clinical information (prospective) information.

When to, and who should, redact?

Depending on when the information is added to a patient’s record will determine when, who and how the information is redacted.  A GP practice policy should be implemented, defining roles and responsibilities, including code lists, and how to redact information in the practice’s clinical system.

It is important that all clinicians and coders within the practice are trained how to redact information in a patient record and have access to the practice policy on maintenance of medical records and SARs.

When should a record be checked?

Before information is shared, sensitive information which could be harmful to a patient, or is about or references other people, should be assessed and a decision taken about whether or not it needs to be redacted.

A record should be checked for sensitive information likely to cause serious harm and/or contains third-party information when:

  • a request for access to the record is made, either by the patient or their proxy
  • a new patient’s record is received via GP2GP, as redactions are removed during the transfer (this may be addressed in future releases of GP2GP)
  • a subject access request is received
  • entering information into a patient record, including filing of letters, test results and free text

Real-time entering information into a record

With the roll-out of live record access for patients, it is important to consider the need for redaction at the time information is entered or filed in the record.

At the point information is being added to a patient record, whoever is entering or storing this information must consider whether it needs redacting.  Examples are:

  • the clinician entering information at the point of care (GP practices should ensure that new clinicians are aware of how to redact information prospectively)
  • the clinician or a suitably trained practice administrator checking and then filing external information (for example hospital letters and test results) into the record
  • admin staff processing requests and messages

Checking an existing record

The person responsible for redacting the existing record should be one of the following:

  • a suitably trained practice administrator with access to advice from the responsible clinician (in many practices the initial screening, using a screening tool, is carried out by a member of the admin team, with escalation to a clinical professional when potential redactions are identified)
  • an appropriate clinician who is aware of the practice policy and current national guidance, for example:
    • the lead/named clinician involved with the patient’s care
    • the clinician who last saw the patient
    • another appropriate clinical professional

It is good practice for redactions to be double checked by a suitably qualified and experienced practice member.

Managing sensitive information

Sensitive information must be redacted:

  • to protect the patient or another individual from serious physical or mental harm
  • to protect the identity of a third party, unless they have agreed to their information being shared
  • temporarily, until information can be discussed and shared with the patient
  • where a patient would like to give another person proxy access to their record and to comply with the instructions of the patient

Serious harm

The definition of ‘serious harm’ is a matter for clinical judgement and will vary from patient to patient.  It may be considered as a significant shock or upset that could impair the emotional and mental well-being of the person receiving the information in the short to long term.  The shock or upset could result in them being emotionally, psychologically and/or mentally vulnerable or damaged.  It may even affect their ability to reason and rationalise and leave them feeling diminished and open to risk.

It is not enough to say that disclosure would cause upset or stress to the individual.  Neither is it lawful to redact information that may protect a GP or other professional from criticism or challenge, or to hide an error or omission.

Key points

  • When redacting information which is deemed likely to cause serious harm to the individual, the reasons for this should be fully recorded, and the reasons themselves redacted.
  • In the case of uncertainties, it may be helpful to discuss with senior clinical colleagues in the practice and/or your medical defence union.
  • Wherever possible, sensitive content should be discussed with the patient, negating the need to redact it.
  • GPs continue to be legally and morally required to keep full and honest records of fact and opinion (where opinion is clearly identified as such).

Examples of serious harm

What could be thought of as serious harm will vary from patient to patient.  Examples of content that might cause serious harm could include:

  • a diagnosis of a personality disorder disputed by the patient, causing possible deterioration of the patient/doctor relationship and potential harm to practice staff
  • a safeguarding letter regarding children at risk in a perpetrator’s record
  • a diagnosis that hasn’t been disclosed in the patient’s best interest
  • reference to child abuse prior to adoption about which the patient might not have been made aware in the past (risk of harm to mental health)


  • A patient’s abnormal test result shows they have a brain tumour. Abnormal test results are normally entered automatically into a record but are not viewable until after the result has been viewed by a clinician.
  • A 13-year-old child adopted as a baby and now deemed mature enough to have access to their record. It is not clear whether they know they were adopted.  Redaction would be needed to avoid confusion and/or shock, at least in the short to medium term.
  • Some content may be sensitive in more than one sense. An example could be a memory prompt entered by a colleague referring to another family member being in prison (third-party and/or risk of serious harm).

Third-party information

In the context of GP clinical records, a third party is someone other than the clinician and the patient. 

If the patient does not know about the information provided by or about another person, then this information must not be shared except with the agreement of the third party.

A reference to a third party may be:

  • information about the patient given in confidence by a third party
  • information about a third party that is confidential to that person and to which the patient does not have a right to access
  • a letter or report that refers to more than one patient
  • an entry or attached file recorded in the wrong patient’s notes by mistake ‘an entry or attached file recorded in the wrong patient’s notes by mistake (refer to practice procedures, IG policy or IG/ DP lead or Caldicott Guardian for action required to rectify mis-filed information)

It may not be enough to redact only the name of the third-party if the associated content or its context would make it possible to identify the person.

The identity of a third-party must not be shared unless they:

  • are another clinical professional involved in the direct care of the patient and the information involves the patient
  • have consented to their identity being shared

Examples of third-party content

Third-party examples commonly found in clinical records include:

  • a safeguarding letter regarding children at risk in a perpetrator’s record
  • social care reports which have not been disclosed to the patient
  • letters that refer to the patient and other members of their family
  • references to domestic abuse or substance abuse relating to a family member
  • infectious disease disclosures from third parties (such as Hep B in household)
  • concerned neighbour reports of suspected physical abuse to an elderly person by a family member (to protect identity of both neighbour and accused family member until a discussion can take place with the patient if this is possible)
  • Multi-Agency Risk Assessment Conference (MARAC) reports which are likely to contain sensitive information about the victim, children and perpetrator including criminal records (these are meetings where information is shared on the highest risk domestic abuse cases between representatives of local police, health, child protection, housing practitioners, Independent Domestic Violence Advisors (IDVAs), probation and other specialists from the statutory and voluntary sectors)

Proxy access and redaction

As well as the proxy access article in this series, the Royal College of General Practitioners (RCGP) has published a guide to proxy access.

The competent patient

A competent patient is able to allow a proxy (another individual, usually a family member or carer) to access their record.

Before enabling access to a proxy, the practice should alert the patient to any information in their record that may not be appropriate to share and if necessary to then redact that content.

Impaired competency

Where a patient has impaired competency, the practice has a duty of care to ensure that information which could be harmful to the patient is not shared with the proxy.

Where the patient has previously and explicitly stated that information should not be shared with anyone or with a named individual, this must be adhered to.

If there are concerns relating to safeguarding and/or coercion, it may be appropriate for the practice to deny any level of access to a proxy. 

There is full article in this series on coercion and another on access to records by children and young people.

Examples of proxy access

Example 1 | Sarah

Sarah’s early onset dementia was progressing fast, and she agreed that her husband should have proxy access to her record before she became worse.  She’d had a termination of pregnancy when she was a college student and didn’t want her husband to know.  Her request was noted, and the record was redacted accordingly before access was given.

Example 2 | Amina

Amina had been sexually active for some time prior to her marriage and had been to her GP regarding a termination of pregnancy prior to starting a relationship with her current husband.  She had a number of serious health issues and agreed with her GP it would be sensible for her new husband to have access to her record. She did not want him to see references to her previous Termination of pregnancy. Her record was redacted accordingly.

Example 3 | Peter

Peter confided in his GP that a named family member, since deceased, had been violent towards him on occasion. This had been noted in his clinical record.  When Peter became frail and confused sometime later, another family member, who was his designated proxy, requested access to Peter’s full, retrospective record. 

After considering safeguarding issues, his GP redacted the reference to the violent family member to protect their identity, as Peter had not given explicit consent to this information being shared with any third party.

Code lists

As well as checking a record for sensitive and third-party information, you need to check for any sensitive or potentially harmful codes.  The software used to assess records for SARs includes these. 

You may also use other codes within your practice which you could consider sensitive, and these should also be included in a redaction review.

Screening tools

Tools to help identify information in the digital record that may need to be redacted have been available for use in subject access requests for some time now.  These are either built into the clinical system or are third-party bolt-ons.

Such systems do not redact content.  They run an assessment tool and produce a shortlist of content for the user to review.  Each item has to be reviewed individually and a decision taken by the user. 

Most practices will already have access to a screening tool for producing SAR reports.  It has been shown that using a screening tool can reduce the time it takes to assess and redact an electronic record by up to 90%, which averages 2 minutes per record.

Clinical system instructions

Specific clinical system redaction guidance can be found in a series of NHS videos.  As the provision of clinical systems training and optimisation is a core and mandated requirement of the GPIT Operating Model, practices should contact their integrated care board, as the commissioner of the service, to request clinical system training, which is usually provided by the clinical system supplier or the local GPIT delivery partner.

Each of the three main GP clinical systems handle redaction slightly differently.  It is important to ensure that you keep up to date with system functionality.

The systems redact the entry from the patient view only.  Practice and any other authorised clinical users will still see this information when redactions have been made.  The patient will not know that content has been redacted.

Redaction process checklist

  • Is there a practice policy defining redaction roles and responsibilities, including management of code lists, and when and how to redact information in the clinical system?
  • Who can review, redact, and check historical information?
  • Who enters information into records real-time and therefore needs to consider redaction at the point of entry?
  • How will staff receive briefing about/learn how to redact and when?
  • Familiarise staff with your GP system redaction functionality.
  • Consider using third-party screening software/add-on in addition to the clinical system redaction functionality. Screening software enables the practice user to add additional read codes (over and above the sensitive Technology Reference data Update Distribution (TRUD) code list that will be highlighted during the record screening process.
  • Be prepared to explain redaction to patients or their representatives, if required.
  • Decide how you will manage patient complaints/disagreements about redactions.
  • Use appropriate document workflow in GP practice foundation systems, to ensure the patient will not have access prior to clinical review.

Caution | The recommendation is that users of DOCMAN software await the imminent resolution of a current issue which will resolve current workflow issues.

  • Make sure all staff understand that any information entered into a patient record should be done so with the anticipation that the updated information will be accessed by the patient or their proxy via the digital online record.

End-to-end redaction process

  1. Practice offers record access to all patients. This can be done by letter, text, email, practice posters, the practice website, or during the patient registration process.
  2. Patient or their proxy asks for detailed care record (DCR – default retrospective) and/or full record access.
  3. For retrospective access the practice assesses the online record for sensitive and third-party issues (either manually or with the support of screening software). A list of data entries needing review is produced.
  4. The practice has the option to discuss the identified content with the patient, and either:
    • The patient decides they do not want access (in which case the process is complete)
    • can offer other forms of access, for example DCR instead of full record access
    • the practice and patient agree that it is safe for the patient to have access to their record
  5. Where it is decided not to discuss identified content with the patient, the designated practice user redacts it.
  6. The practice enables DCR and/or full record access on the clinical system for the patient.
  7. The practice informs the patient they have access.
  8. Process complete.

Other helpful information