For GPs

Enforced Subject Access Requests from insurers, mortgage providers, etc.

Press reports in 2014 revealed a significant increase in an insidious practice in the insurance and mortgage industries: pressuring applicants for insurance or loans to consent to a Subject Access Request (SAR) of their whole GP record rather than applying for a General Practitioner Report (GPR).

The situation appears to have spiralled after the breakdown between the BMA and ABI on GPR fees. While duress in such circumstances may be arguable, demanding a copy of someone’s entire medical record (with a small number of redactions) rather than a GPR declaring just those details that may be relevant is self-evidently excessive and therefore in breach of the Third Principle of the Data Protection Act.

As data controllers, GPs should also question what is done with the unlawfully-gathered information from their patients’ medical records after the application process – especially given insurers’ notoriety for finding reasons not to pay out on claims.

If your patients are not fully aware of what they have consented to, or have not given their consent freely – which is arguably difficult to do if their insurance or loan application may otherwise be delayed or turned down – then fair processing is in question, and the First Principle may have been breached as well.

To comply with an enforced Subject Access Request – i.e. a consent form from a patient to release a copy of their medical record to an insurance or mortgage company – is not safe; it’s not safe for your patient, nor is it safe for a GP practice to hand over excessive amounts of sensitive personal information to commercial third parties. Legal liability in case of breach would rest with the data controller.

You may already be taking steps to deal with this, but if you do receive an enforced Subject Access Request then medConfidential strongly recommends you protect yourself, your patient and your practice by requiring the company to apply for a GPR in a lawful fashion.

With thanks to a GP who wishes to remain anonymous, via Pulse, we provide a template letter that you may wish to use or adapt:

Letter declining an enforced Subject Access Request – editable MS Word (.doc) format

Letter declining an enforced Subject Access Request – editable Rich Text Format (.rtf)

UPDATE: the programme was closed in 2016.

Here is a copy of the briefing pack that we sent to GP practices, where a patient had suggested there may be a misunderstanding with the information being provided by the practice.

You will appreciate that medConfidential is not in any position to confirm that this happened, but we hope you agree it is better to err on the side of caution in such circumstances. Patients from around the country have sent us copies of incorrect forms they have been given and, in other instances, specific details of conversations with practice staff where there was evident confusion about care.data and/or the opt out.

The Information Commissioner’s Office has confirmed that GPs will be held responsible for any patient who complains they were not informed about how data from their medical records will be uploaded and shared, despite NHS England’s publicity campaign. After being uploaded to the system your patients’ sensitive details cannot be deleted and will be disseminated to third parties.

As data controller of your patients’ medical records, the duty of ‘fair processing’ – i.e. letting your patients know what information of theirs you are going to disclose, to whom and for what purpose – falls to you. Whatever else NHS England’s publicity campaign may have been, it was not a guarantee that you had fulfilled or complied with your fair processing obligations under the Data Protection Act.

In response to this rather unpleasant news – that GPs stand to suffer for a scheme that is being imposed on them too – some practices have already put up posters of their own, given the lack of useful information for patients on the NHS England one:

GP practice posters

If you believe your patients should be better informed about what is to happen to the confidential information you hold in their medical records about them and their family, you may wish to download one of our posters (below) and display it prominently in your practice. The poster has a blank box at the bottom for you to let your patients know what arrangements you have made for them to be able to opt out.

We offer this poster as a bare minimum, but you will appreciate that only a proportion of your patients will attend the surgery before the planned upload and many did not read or receive the leaflet that was distributed via junk mail. We should point out that displaying this poster will not discharge your DPA obligations.

UPDATE, June 2014: The BMA and RCGP – amongst many others – expressed serious concerns about the programme and it was ‘put on pause’ in February 2014, initially for 6 months. NHS England has now said there is no “arbitrary deadline” on when uploads will begin, but that there will be a number of pilots involving “between 100 – 500 GP practices” some time in the Autumn.

Meanwhile, LMC conference voted massively in favour of the scheme being run on an opt-in basis, and motion 356 at BMA’s Annual Representatives Meeting may make this binding.

medConfidential is aware that lobbying on this issue has been intense. There are clearly benefits to be had if patients choose to share information from their medical records. But if care.data continues to conflate purposes such as ethically-approved medical research and public health with more controversial uses such as commissioning and the utterly unacceptable commercial exploitation of patients’ records, then trust and confidentiality will be broken.

If care.data proceeds in its present form, patients will withhold essential information from GPs to the detriment of their own care – and ultimately to the creation of misleading research data and management data. There is no conflict between good research, good care and proper consent. There is a major conflict between poor ethics and good medicine.

We would like to thank Hampshire GP, Dr Neil Bhatia for helping us with the text of this poster and strongly recommend you visit his website for a comprehensive look at what the scheme could mean for you and your patients.

care.data_poster_blue poster – A4, black text on light blue background

791KB PDF file

care.data_poster_green poster – A4, white text on dark green background

547KB PDF file

care.data_poster_B&W poster – A4, black and white only

368KB PDF file

Or, if you would prefer to make a poster design of your own, here is the text for you to use:

poster text – editable MS Word format (.doc)

poster text – editable Rich Text Format (.rtf)

8 thoughts on “For GPs”

  1. John Brumby

    I am a retired GP and therefore am not directly affected by the current changes as a doctor. I am however also a patient. My medical history is relevant to me, my family and my doctors. No one else.
    When in practice I often received highly confidential information which potentially could destroy a family. This information was received on the strict understanding that it was necessary to be part of a patient’s diagnosis/treatment but would never otherwise be communicated to another person.
    These changes to the regulations retrospectively break my promise to patients as it is not being used for diagnosis or treatment and is being given to non-medical personnel.
    For consent to be valid it is necessary for every patient that I have treated for more than thirty years to be individually contacted to give valid informed consent to release their medical records.
    It should be that a patient must opt in and not opt out.
    The information is also being sold, surely this in itself is not ethical. No patient has agreed to this.
    I will be opting out, as will my family.

  2. Andrew

    I am a working GP and I entirely agree with Dr Brumby. However, I have no choice but to allow uploads to happen unless instructed by a patient not to. It is totally back to front compared to the professional rules and ethics I signed up to.
    I fear trying to get this across to my patients will breach some legal position I don’t know or understand.

    1. Marie Edwards

      “GP surgeries have an obligation to ensure that information about the use of their data is actively communicated to patients, by any and all reasonable means”
      Andrew, as the Data Controller it is within your power and should be a moral duty to write to every patient household and inform them directly of and the extraction of their medical record, to HSCIC, without their consent. Patients must be informed & given the choice whether or not to Opt Out of Care.Data. If you do nothing, what will you say to your patient who has not been to your surgery for over 6 months, does not visit your website or collect a prescription (therefore knows nothing about when they realise that their identifiable medical information has been uploaded to a database, to be shared by all & sundry and you knew this was going to happen but you didn’t inform them beforehand? Put yourself in their shoes.

  3. Tony

    Another knife in the back for GPs and the NHS. This Government will have their way and privatise these NHS services without a thought for the needs of the nation. This is just another step in providing an opportunity for private concerns to take control and it will more than likely be American companies that will eventually run our health services and that means the insurance companies will be keen to get this information.
    None of these changes seems ethical, but this Government does not care about ethics, just profit. I fear for the GPs’ position in this as they are being forced into breaking their promise of confidentiality.
    I will definitely opt out and will encourage as many people as I can to do likewise.

  4. John

    Dear Tony and Andrew,
    Thank you for your comments.
    I have just received my information leaflet. It seems so benign and reasonable about who will have access to the information.
    “Approved Researchers” - I wonder who approves them? - I think we can .
    “Never identify a particular person” - Your post code and your NHS number certainly will.
    This information potentially has enormous commercial value.
    Disease data is already available - via Hospitals in/out patients. Prescriptions costed and issued. Disease screening programmes. These are the obvious ones.
    I am continually amazed how much of the NHS is already being out-sourced and privatised without any public knowledge or discussion.
    It is our moral and ethical duty to inform our patients of the danger of these changes.
    It appears that if a patient subsequently is unhappy with the information that has been released it is their GP who is responsible - Not the NHS managers or government.

  5. Habib Khan

    I am so angry at this decision that I feel like swearing at the governing bodies who came across this idea and are now on the way to the implementation. I believe one’s medical record is completely between a patient and their doctor. Who the hell are those people who want to share our data? I believe they should be punished for breaching the common human right of every patient.

    1. Phil Post author

      At this point, with the latest 6 month delay, you in theory have until September 2014. *BUT* NHS England has reserved the right to run ‘pilots’ in an unspecified number of GP practices across England before September. We have no way of knowing which practices these will be – so our recommendation at this point is, if you have any concerns, opt out NOW. If NHS England manages to convince you that what it is doing is OK, you can always opt in later.

