Third party subject access requests (SARs) under the GDPR & the Data Protection Act 2018 to GPs
Two months on from the introduction of the 2019-20 GMS contract with its sweeping changes and major digital development plans for future contractual requirements, a huge amount of energy remains focused on primary care networks.
Good news has arrived with the Global Sum uplift of £20m for three years to cover the additional workload from SARs. NHS England has allowed three years for the digitalisation of Lloyd George records so that patients can access their electronic and digitalised records online for SARs. In the meantime, practices should note the ICO’s view that it is not the purpose of subject access rights to serve insurance companies’ commercial interests.
Since the GDPR came into force a year ago (enshrined in UK law by the DPA 2018), insurance companies have been obtaining full medical records through SARs instead of requesting a report from the patient’s GP. Using subject access rights to obtain entire medical records, and the processing of full medical records by insurers, breaches the data minimisation principle: information must be adequate, relevant and limited to the purpose for which it is processed. However, this does not mean GPs can or should simply refuse to respond to SARs made for insurance purposes and leave it there.
The BMA clarified the position in respect of insurance companies with the ICO and provided the information GPs need to meet their data controller obligations, to process legitimate SARs and to remain compliant with the other principles of the GDPR/DPA.
When a SAR from an insurance company is received, the BMA advises practices to contact the patient using the BMA’s template letter to explain the implications of the request and the extent of the disclosure. Based on the ICO’s advice, the letter offers the patient a choice: proceed with the SAR, in which case the medical record is provided to the patient to share with the insurer as they see fit, or ask the insurance company to request a GP report under the Access to Medical Reports Act 1988. If the patient agrees to the SAR, the practice must provide the medical record to the patient, not to the insurance company.
For third-party SARs not made for insurance purposes, a solicitor acting on behalf of a patient is entitled to make a SAR. The ICO Code of Practice requires practices to be satisfied that the third party is entitled to act on the patient’s behalf. The third party must supply evidence of that entitlement (for example, a written authority from the patient or a power of attorney); providing it is the responsibility of the third party alone, not of the practice or anyone else.
*All information is correct at the time of publishing