The Secretary of State for Health has repeatedly promised that the government will legislate to prohibit people’s medical records being used for the purpose of “commercial insurance”. This may have been prompted by the sale of HES data to insurers, but it is not the only way that insurers get their hands on your medical records.
Press reports have revealed a massive increase in an insidious practice in the insurance and mortgage industries: pressuring applicants for insurance or loans to consent to a Subject Access Request (SAR) of their whole GP record – minus a few redactions, such as HIV status or sexually transmitted infections.
The practice of ‘enforced Subject Access Requests’ happens in other sectors as well, such as background checks by employers, where a prospective employee or volunteer is required to give consent for a SAR of their local police force as a proxy for a Disclosure and Barring Service check – what was formerly known as a CRB check.
The increase in enforced Subject Access Requests appears to be financially motivated. SAR charges are capped at £10 if the information requested is held on computer or £50 if some or all of it is held on paper, whereas an official DBS check costs £26 or £44 – depending on how wide a search has to be made – and a General Practitioners Report (GPR) may cost around £100, as opposed to the maximum of £50 for a Subject Access Request for your complete medical record.
Yet again, insurers are getting your medical information on the cheap.
Setting aside the issue of duress, demanding a copy of someone’s entire medical record rather than a report declaring just those details that may be relevant is self-evidently excessive and therefore in breach of the Third Principle of the Data Protection Act. One might also question what is done with the information gathered unlawfully from people’s medical records after the application process – especially given insurers’ notoriety for finding reasons not to pay out on claims.
And if patients are not fully aware of what they are consenting to, or are not giving their consent freely – which is arguably difficult to do if their application may otherwise be delayed or turned down – then fair processing is brought into question, and the First Data Protection Principle may have been breached as well.
With thanks to Tony Collins at Campaign4Change and a GP who would rather remain anonymous, via Pulse, we provide a template letter for GPs (not patients) to send to commercial third parties who have got their patients to consent to a Subject Access Request of their medical record:
To comply with such requests is not safe; it’s not safe for patients, nor is it safe for a GP practice to hand over excessive amounts of sensitive personal information to commercial third parties. Legal liability in case of breach would rest with the data controller.
There is a lawful mechanism – the General Practitioners Report – so GPs should make sure that insurers, mortgage providers and all other such companies use it. And patients should insist upon it as well; don’t be fooled or pressured into signing away access to your whole medical record.
But should this just be down to individual patients and GPs to deal with?
Amendments to the Care Act, which received Royal Assent last month, left a mile-wide loophole – the McDonald’s amendment, “for the promotion of health” – for commercial access to NHS patients’ information collected under care.data and other programmes, and industry practices such as enforced Subject Access Requests continue to put many thousands of patients’ medical confidentiality at risk.
If Jeremy Hunt is serious about shutting down commercial access to and exploitation of NHS patients’ medical records, when will he take action that genuinely protects patient data rather than allowing it to be sold to the lowest bidder?