Information Commissioner's Office
Blog: Why the right of access to patient data needn’t be a headache for GPs
Blog posted by: Jovian Smalley, Group Manager – Engagement (Public Services), 07 March 2019.
A patient’s right to access their own medical records from their GP is a long-established principle supported and strengthened by data protection law, most recently the General Data Protection Regulation (GDPR).
Under the updated data protection regime a patient’s request to access their records (commonly known as a subject access request, or SAR) must now be processed free of charge and within one month.
Requests on the rise
Medical practices have reported a significant rise in SARs since the GDPR came into effect in May last year, which is a similar trend in other sectors. Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims. Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.
SARs are designed to be ‘purpose-blind’ because access is a cornerstone right of data protection, so GPs cannot query the reason for a patient or their representative requesting the information. However, we do appreciate the administrative impact of the increased workload on GP surgeries. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.
With this in mind we’ve put together some practical advice and tips for dealing with requests:
- Practices may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available. The Government is committed to increasing access to online patient records in GP surgeries, and to support this aim we are working with health sector organisations to explore new ways for people to access their information online or at their surgery.
- Practices can provide the SAR response electronically (subject to safeguards such as encryption). A surgery only needs to print paper copies if it is asked to do so and this is reasonable.
- If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
- While the costs of providing initial copies need to be borne by the GP practice, it’s worth knowing that further copies can be charged for.
Requests from legal representatives
Where a SAR is made on behalf of a patient by their legal representative and is accompanied by the patient’s clear authority for that specific request, it should be treated in the same way as if it was made directly by the patient. The British Medical Association (BMA) have worked with the legal profession to create a standard form which legal representatives can use, which can be found in their guidance.
Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework.
When practices receive requests from third parties they can consider the following:
- Before responding ask for evidence that the third party has the clear, specific authority of the data subject to exercise their right of access. A general authority to act on the data subject’s behalf, or to request the sharing of personal data, is not sufficient.
- If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought.
- In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient who can then make their own choice about what information they pass on to their representative.
Requests from insurers
Insurers may also request patient information from GPs as part of managing policies and assessing claims.
A separate framework – the Access to Medical Reports Act 1988, commonly known as AMRA – already exists as a mechanism for the insurance industry’s access to tailored medical reports used as part of underwriting policies or assessing claims. This route allows practices to charge insurance companies a fixed fee for access to patient information and includes important safeguards for patients.
We would expect insurers to use this mechanism in most instances and we have previously worked with the industry to formalise this understanding. This led to the Association of British Insurers creating principles for their members to follow which can be accessed here.
GPs can currently find further advice within our guidance on the right of access under GDPR, and also in the British Medical Association's recently updated guidance on access to health records. The ICO will continue to work with key stakeholders to ensure that GP practices can provide critical patient care and uphold people’s information rights.