ICO: Insurer SAR use 'an abuse' of Data Protection rights

The Information Commissioner (ICO) has clarified its position and warned insurers that using rights in the Data Protection Act (DPA) to access patients' entire medical record is 'inappropriate and an abuse of that right'.

The British Medical Association has advised GPs to not send information from patients' records to insurers when requests are made under the DPA but to instead direct insurers to ask for a GP's Report.

The Information Commissioner's Office (ICO) has, however, told GPs that, contrary to the BMA's advice, they are still obliged to respond to subject access requests made under the DPA.

The Information Commissioner's Office said in a statement: "We recognise that insurance companies may have a genuine need to review medical information about its customers when providing policies like life and critical illness cover.

"To enable this, the Access to Medical Reports Act 1988 gives insurance companies a clear and established legal route to access medical information.

"The Act also gives appropriate safeguards to patients and respects the confidential relationship between a GP and their patient.

"Under the Act, a GP can provide a tailored report to an insurer, with their patient's consent, setting out only the information the insurer needs."

The statement from the ICO continued: "However, some insurance companies have instead been looking to rely on the subject access right given to consumers under the Data Protection Act in order to obtain medical records, rather than a tailored GP's report.

"A subject access request gives an individual the right to ask for all of the personal information an organisation holds about them."

'Powerful Right'

The ICO said: "This is a powerful right, designed to ensure individuals can access information held about them within a specified time period and at a nominal cost.

"This right was not designed to underpin the commercial processes of insurers.

"By making a subject access request on a patient's behalf, an insurance company may be provided with a patient's entire medical record, including information that is not relevant for the purpose of underwriting a policy.

"The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right."

The ICO added: "We also have concerns that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act.

"We will be speaking to the insurance sector further to ensure that future use of medical records is in line with the law.

"Patients continue to be able to make subject access requests to their GP.

"GPs have ethical obligations around how patient records are shared, and we advise GPs to explain to patients, in broad terms, the implications of making a subject access request so they can make a more informed decision on whether they wish to exercise their rights under the Data Protection Act.

"We also recommend GPs share any responses to subject access requests directly with patients, rather than to insurance companies."

The ICO has also disagreed with comments made by the British Medical Association.

It said: "Contrary to comments made by the British Medical Association, GPs must still respond to subject access requests, in accordance with the guidance published on our website.

"The right to see personal information held about you by an organisation is an important one, and one from which GPs are not exempt.

"We will be speaking with the British Medical Association again to further clarify this."
