FOI & EIR Requests for Health Records - Edinburgh

In Edinburgh, Scotland, requesting health records can involve different routes depending on who holds the information. Council-held records follow Freedom of Information (FOI) or Environmental Information Regulations (EIR) procedures, while personal health records held by NHS bodies are normally requested as a subject access request (SAR) under data protection law. For City of Edinburgh Council procedures see the council guidance^[1]. For NHS-held records use the NHS guidance on accessing health records^[2]. For statutory time limits, appeals and enforcement see the Information Commissioner Office guidance^[3].

When to use FOI, EIR or a Subject Access Request

Use FOI/EIR when you seek recorded information held by a public authority about its activities, policies or decisions. Use a SAR when you request your own personal health records held by an NHS organisation. Requests for information about environmental health matters (including some public health data) may fall under the EIR rather than FOI.

How to make a request in Edinburgh

• Identify the holder: City of Edinburgh Council for council records, the NHS organisation (for example NHS Lothian) for clinical records.
• Decide route: FOI/EIR for council-held information or SAR under data protection for your own health records.
• Provide details: clear description of the information, date ranges, and any reference numbers to help locate records.
• Supply ID if the controller requires identity confirmation for SARs; follow the controller's published process.
• Send the request to the correct contact: the council FOI email/address or the NHS data protection/SAR contact for the treating body.

Penalties & Enforcement

Enforcement varies by instrument and enforcing authority. For FOI/EIR requests made to the City of Edinburgh Council, responses are overseen by the council and appeals go to the Information Commissioner. Time limits under FOI and EIR are generally 20 working days; this is confirmed in ICO guidance^[3]. For subject access requests to NHS bodies, statutory time limits under data protection are generally one calendar month for a response, with limited extensions where complex or numerous requests apply; see ICO guidance^[3].

• Monetary penalties: for FOI/EIR the cited public pages do not specify fixed fines for non-compliance; this is not specified on the cited page^[1].
• Data protection fines: ICO enforcement powers under data protection include monetary penalties for serious breaches; amounts depend on the statutory regime and case facts and are set out on ICO pages^[3].
• Non-monetary sanctions: the ICO may issue decision notices, enforcement notices and require disclosure or corrective action; public bodies may face court orders if they fail to comply.
• Enforcer and complaints: the City of Edinburgh Council handles initial complaints about council-held records; NHS bodies have Data Protection Officers for SARs; appeals or complaints to the regulator are made to the ICO.
• Appeals and time limits: FOI/EIR appeals to the ICO follow a council decision; ICO complaint timescales and tribunal routes are described on the ICO site^[3].

Applications & Forms

City of Edinburgh Council accepts FOI requests via its published contact channels; the council provides a guidance page and contact details for submitting FOI requests^[1]. For NHS-held personal health records, NHS bodies commonly accept Subject Access Requests; NHS guidance describes how to apply and where to send proof of identity^[2]. If a specific downloadable form is required by a controller it will be linked on that controller's official page; if no form is published, a written request is sufficient and the cited pages should be consulted^[1].

Common violations and typical outcomes

• Late response: failure to meet statutory deadlines may lead to an ICO decision notice; specific fines for FOI tardiness are not specified on the cited page^[1].
• Improper refusal: unlawful application of an exemption can be overturned by internal review and ICO intervention.
• Insufficient identity checks for SARs: controllers may require reasonable ID; improper disclosure to third parties is a serious data protection breach subject to ICO enforcement.

FAQ

Can I get my NHS clinical notes for free?

Yes — a subject access request for your own health records is generally free, and NHS guidance explains how to apply^[2].

How long will the City of Edinburgh Council take to answer an FOI?

FOI and EIR responses are generally subject to a 20 working day limit under the statutory regime; consult ICO guidance for details^[3].

What if my request is refused?

Request an internal review from the public authority then, if unresolved, complain to the ICO; see the ICO complaints process^[3].

How-To

1. Identify whether the information is council-held or NHS-held and note the holder's contact details.
2. Draft a clear request: state you are making an FOI, EIR or SAR, describe records sought and provide dates or identifiers.
3. Submit by the controller's published channel (council FOI email/online form or NHS SAR contact) and keep a copy of your request.
4. Track timelines: expect 20 working days for FOI/EIR, one month for SARs, and ask for an internal review if refused.
5. If dissatisfied, escalate to the ICO using its complaint process described on the ICO site.

Key Takeaways

• Use FOI/EIR for council information and SAR for your own NHS health records.
• Observe statutory timescales: typically 20 working days for FOI/EIR and one month for SARs.

Help and Support / Resources

• City of Edinburgh Council Freedom of Information
• NHS Scotland - Accessing your health records
• Information Commissioner's Office - FOI guidance