Enforced Subject Access Requests from insurers, mortgage providers, etc.
Press reports in 2014 revealed a significant increase in an insidious practice in the insurance and mortgage industries: pressuring applicants for insurance or loans to consent to a Subject Access Request (SAR) of their whole GP record rather than applying for a General Practitioner Report (GPR).
The situation appears to have spiralled after the breakdown between the BMA and ABI on GPR fees, but while duress in such circumstances may be arguable, demanding a copy of someone’s entire medical record (with a small number of redactions) rather than a GPR declaring just those details that may be relevant is self-evidently excessive and therefore in breach of the Third Principle of the Data Protection Act.
As data controllers, GPs should also question what is done with the unlawfully-gathered information from their patients’ medical records after the application process – especially given insurers’ notoriety for finding reasons not to pay out on claims.
If your patients are not fully aware of what they have consented to, or have not given their consent freely – which is arguably difficult to do if their insurance or loan application may otherwise be delayed or turned down – then fair processing is in question, and the First Principle may have been breached as well.
To comply with an enforced Subject Access Request – i.e. a consent form from a patient to release a copy of their medical record to an insurance or mortgage company – is not safe; it’s not safe for your patient, nor is it safe for a GP practice to hand over excessive amounts of sensitive personal information to commercial third parties. Legal liability in case of breach would rest with the data controller.
You may already be taking steps to deal with this, but if you do receive an enforced Subject Access Request then medConfidential strongly recommends you protect yourself, your patient and your practice by requiring the company to apply for a GPR in a lawful fashion.
With thanks to a GP who wishes to remain anonymous, via Pulse, we provide a template letter that you may wish to use or adapt:
UPDATE: the care.data programme was closed in 2016.
Here is a copy of the care.data briefing pack that we sent to GP practices, where a patient had suggested there may be a misunderstanding with the information being provided by the practice.
You will appreciate that medConfidential is not in any position to confirm that this happened, but we hope you agree it is better to err on the side of caution in such circumstances. Patients from around the country have sent us copies of incorrect forms they have been given and, in other instances, specific details of conversations with practice staff where there was evident confusion about care.data and/or the opt out.
The Information Commissioner’s Office has confirmed that GPs will be held responsible for any patient who complains they were not informed about how data from their medical records will be uploaded and shared, despite NHS England’s publicity campaign. After being uploaded to the care.data system your patients’ sensitive details cannot be deleted and will be disseminated to third parties.
As data controller of your patients’ medical records, the duty of ‘fair processing’ – i.e. letting your patients know what information of theirs you are going to disclose, to whom and for what purpose – falls to you. Whatever else NHS England’s publicity campaign may have been, it was not a guarantee that you had fulfilled or complied with your fair processing obligations under the Data Protection Act.
In response to this rather unpleasant news – that GPs stand to suffer for a scheme that is being imposed on them too – some practices have already put up posters of their own, given the lack of useful information for patients on the NHS England one:
If you believe your patients should be better informed about what is to happen to the confidential information you hold in their medical records about them and their family, you may wish to download one of our posters (below) and display it prominently in your practice. The poster has a blank box at the bottom for you to let your patients know what arrangements you have made for them to be able to opt out.
We offer this poster as a bare minimum, but you will appreciate that only a proportion of your patients will attend the surgery before the planned upload and many did not read or receive the leaflet that was distributed via junk mail. We should point out that displaying this poster will not discharge your DPA obligations.
UPDATE: the care.data programme was closed in 2016.
UPDATE, June 2014: The BMA and RCGP – amongst many others – expressed serious concerns about the care.data programme and it was ‘put on pause’ in February 2014, initially for 6 months. NHS England has now said there is no “arbitrary deadline” on when care.data uploads will begin, but that there will be a number of pilots involving “between 100 – 500 GP practices” some time in the Autumn.
Meanwhile, LMC conference voted massively in favour of the scheme being run on an opt-in basis, and motion 356 at BMA’s Annual Representatives Meeting may make this binding.
medConfidential is aware that lobbying on this issue has been intense. There are clearly benefits to be had if patients choose to share information from their medical records. But if care.data continues to conflate purposes such as ethically-approved medical research and public health with more controversial uses such as commissioning and the utterly unacceptable commercial exploitation of patients’ records, then trust and confidentiality will be broken.
If care.data proceeds in its present form, patients will withhold essential information from GPs to the detriment of their own care – and ultimately to the creation of misleading research data and management data. There is no conflict between good research, good care and proper consent. There is a major conflict between poor ethics and good medicine.
We would like to thank Hampshire GP Dr Neil Bhatia for helping us with the text of this poster, and strongly recommend you visit his website, www.NHSdataSharing.info, for a comprehensive look at what the care.data scheme could mean for you and your patients.
care.data poster – A4, black text on light blue background
care.data poster – A4, white text on dark green background
care.data poster – A4, black and white only
Or, if you would prefer to make a poster design of your own, here is the text for you to use: