29th July 2019

Third party subject access requests (SARs) under the GDPR & the Data Protection Act 2018 to GPs

Two months on from the introduction of the 2019-20 GMS contract with its sweeping changes and major digital development plans for future contractual requirements, a huge amount of energy remains focused on primary care networks.

Good news has arrived with the Global Sum uplift of £20m for three years for the additional workload from SARs. NHS England has allowed three years for the digitalisation of Lloyd-George records to give patients online access to their electronic and digitalised records for SARs. Until then, practices should note the ICO’s view that it is not the purpose of subject access rights to serve insurance companies’ commercial interests.

Since the introduction of the GDPR a year ago, enshrined in UK law within the DPA 2018, insurance companies have been obtaining medical records through the use of SARs instead of requesting a report from the patient’s GP. Using subject access rights to obtain entire medical records, together with the processing of full medical records by insurers, breaches the principle that information must be adequate, relevant and limited to the purpose for which it is processed. However, this does not mean GPs can or should simply refuse to respond to SARs for insurance purposes and leave it there.

The BMA clarified the position in respect of insurance companies with the ICO and provided the information GPs need to meet their data controller obligations, to process legitimate SARs and to remain compliant with the other principles of the GDPR/DPA.

When a SAR from an insurance company is received, the BMA advises practices to contact the patient using their template letter to explain the implications of the request and the extent of the disclosure. Based on the ICO’s advice, the BMA letter offers patients a choice between a SAR, which would involve the medical record being provided to them to share with the insurer as they wish, and asking their insurance company to request a GP report under the provisions of the Access to Medical Reports Act 1988. If the patient agrees to the SAR, the practice must then provide the medical record to the patient, not the insurance company.

As far as SARs from third parties excluding insurance purposes are concerned, a solicitor acting on behalf of a patient is entitled to make a SAR. The ICO Code of Practice requires practices to be satisfied that the third party is entitled to act on behalf of the patient. Providing evidence of their entitlement to make the request on behalf of the patient is the responsibility of the third party only and no-one else.

https://www.bma.org.uk/advice/employment/fees/insurance

*All information is correct at the time of publishing

Topics: GPs

Leah Biller

General Practice Specialist

Leah has an extensive background in all aspects of healthcare, including practice management. She is seen as someone to depend on to take on a challenge and turn it around for the better. After a short time working with the law, she moved on to healthcare in 1985 after a routine appointment at her local GP had her walking out as practice manager. That started her on the general practice trail and then into acute, primary and community as well as health regeneration, plus a Master’s in Primary Care from QMUL, graduating in 2003 as the only non-clinician on the four-year course.
