“The right of subject access is a key element of the fundamental right to the protection of personal data provided for under Article 8 of the EU Charter of Fundamental Rights which is conferred upon individuals. It is not designed to underpin the commercial processes of the life insurance industry. The Commissioner takes the view that the use of subject access rights to access medical records in this way is an abuse of those rights.”
On the basis of the ICO ruling and on advice from the GPC, the LMC initially advised practices not to respond to subject access requests from insurance companies except to quote the ICO ruling. However, the ICO has now challenged the GPC’s original advice and has clearly stated that GP Practices cannot simply refuse to respond to Subject Access Requests.
The BMA has now published a ‘Focus On’ document which seeks to clarify how GPs can ensure they continue to meet their data controller obligations to process legitimate SARs and remain compliant with the other principles of the Data Protection Act. We strongly recommend that practice managers read the Focus On document.
Based on the ICO’s guidance, the following advice is now being given to practices:
What should GP practices do?
The ICO has stated that when a SAR from an insurance company is received, GPs should contact the patient to explain the implications of such a request and the extent of the disclosure. The ICO is also clear that GPs should provide the SAR information to the patient themselves, rather than directly to the insurance company.
The ICO's Subject Access Code of Practice states that 'If you think an individual may not understand what information would be disclosed to a third party who has made a SAR on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.'
The BMA has produced a template letter for GPs to send to patients which is in line with the advice from the ICO. The letter offers patients a choice between a SAR, whereby the medical record would be provided to them to share with the insurer as they wish, or asking their insurance company to seek a GP report. (The letter template is contained as Appendix 1 in the Focus On document.)
On a practical level, the LMC would suggest that practices first contact the insurance company, express surprise at the request given the ICO's advice to the insurance industry, and invite a request for a report instead.
Regardless of whether a full SAR or a medical report is provided, the fee should be charged to the insurance company, not the patient.