Information Commissioner's Office
Blog: Why the right of access to patient data needn’t be a headache for GPs
Blog posted by: Jovian Smalley, Group Manager – Engagement (Public Services), 07 March 2019.
A patient’s right to access their own medical records from their GP is a long-established principle supported and strengthened by data protection law, most recently the General Data Protection Regulation (GDPR).
Under the updated data protection regime a patient’s request to access their records (commonly known as a subject access request, or SAR) must now be processed free of charge and within one month.
Requests on the rise
Medical practices have reported a significant rise in SARs since the GDPR came into effect in May last year, a trend mirrored in other sectors. Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims. Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.
SARs are designed to be ‘purpose-blind’ because access is a cornerstone right of data protection, so GPs cannot query the reason for a patient or their representative requesting the information. However, we do appreciate the administrative impact of the increased workload on GP surgeries. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.
With this in mind we’ve put together some practical advice and tips for dealing with requests:
- Practices may be able to comply with a SAR by offering to provide a patient with online access to their health records, where available. The Government is committed to increasing access to online patient records in GP surgeries, and to support this aim we are working with health sector organisations to explore new ways for people to access their information online or at their surgery.
- Practices can provide the SAR response electronically (subject to safeguards such as encryption). A surgery only needs to print paper copies if it is asked to do so and this is reasonable.
- If GPs hold a large amount of information about a patient they can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.
- While the costs of providing initial copies need to be borne by the GP practice, it’s worth knowing that further copies can be charged for.
Requests from legal representatives
Where a SAR is made on behalf of a patient by their legal representative and is accompanied by the patient’s clear authority for that specific request, it should be treated in the same way as if it was made directly by the patient. The British Medical Association (BMA) have worked with the legal profession to create a standard form which legal representatives can use, which can be found in their guidance.
Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework.
When practices receive requests from third parties they can consider the following:
- Before responding, ask for evidence that the third party has the clear, specific authority of the data subject to exercise their right of access. A general authority to act on the data subject’s behalf, or to request the sharing of personal data, is not sufficient.
- If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought.
- In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient who can then make their own choice about what information they pass on to their representative.
Requests from insurers
Insurers may also request patient information from GPs as part of managing policies and assessing claims.
A separate framework – the Access to Medical Reports Act 1988, commonly known as AMRA – already exists as a mechanism for the insurance industry’s access to tailored medical reports used as part of underwriting policies or assessing claims. This route allows practices to charge insurance companies a fixed fee for access to patient information and includes important safeguards for patients.
We would expect insurers to use this mechanism in most instances and we have previously worked with the industry to formalise this understanding. This led to the Association of British Insurers creating principles for their members to follow which can be accessed here.
GPs can currently find further advice within our guidance on the right of access under GDPR, and also in the British Medical Association's recently updated guidance on access to health records. The ICO will continue to work with key stakeholders to ensure that GP practices can provide critical patient care and uphold people’s information rights.