GDPR Blog: Update on SARs made to GP and Care practices
The right of individuals to request the personal information held about them is one of the cornerstones of the GDPR and its principle of transparency.
Subject Access Requests (or SARs) may be made by a data subject to any organisation to obtain the personal data it holds about them. SARs may be made electronically, in writing or verbally. There was nothing particularly contentious about this, but it has become apparent in the time since the GDPR was implemented that the mechanism has been used by many law firms and claims management companies to seek medical records from GP and other care and rehabilitation practices, free of charge.
Historically, these records were requested under the Access to Health Records Act 1990 and the old Data Protection Act 1998, and GPs could levy fees which were fixed by tariff depending upon whether records were provided in hard copy or electronically. The introduction of the GDPR, however, has led to many requests for medical records being made under the new legislation, essentially providing records free of charge, much to the consternation of practices and care professionals in the health sector.
Some practices have challenged this application of the GDPR, but with limited success. Their position was weakened significantly by guidance issued by the British Medical Association (BMA) in August 2018 and followed up by the report “Access to Health Records” in January 2019. This established that requests made by patients or their representatives using the SAR mechanism were “purpose-blind” and were a valid exercise of a patient’s rights. The BMA followed existing case law which pre-dated the GDPR in permitting SARs made in support of a legal claim, and clarified that a request made for this purpose would not limit or reduce a patient’s right to access the personal data held about them.
From a client’s perspective, there was a hope that the ICO would deliver some guidance to benefit the health sector and restore some equilibrium to this process. The ICO have now responded and made the position clear but this has been to the detriment of the medical practices who are most affected.
Guidance issued on 7 March 2019 now confirms that, despite the significant rise in SARs since the GDPR came into effect and the administrative impact and increased workload this has created for GP surgeries and care practitioners, claimant solicitors and other agents may validly obtain the medical records of their client patients under the SAR procedure. The ICO offer some practical advice as to how SARs may be dealt with, namely:
- To offer patients online access to their health records where possible. The government is committed to increasing access to online patient records in GP surgeries and to explore ways in which the health sector can deliver access to patient information online or at their surgery;
- To provide an SAR response electronically, subject to adequate safeguards such as encryption;
- To limit the scope of any request to those records that are relevant – electronic data may make it easier to narrow the search criteria to what is required;
- To only provide the records once. Any repeat requests may be charged for; and
- To ensure that the requisite form of authority has been received before release of records to a claimant firm can be made.
As a reminder, requests made by insurance companies for access to patient records should be handled under a separate framework, the Access to Medical Reports Act 1988, which exists to give the insurance industry access to tailored medical reports used to assess claims. This allows GP and care practices to charge a fixed fee for access to patient information and is widely accepted in the insurance sector.
Whilst this is not the news that many practices wanted to hear, it may at least focus the attention away from the validity of SARs and towards more efficient and economical handling of the requests when they are received.
If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.email@example.com, on Twitter @LNWdataprotect or by telephone on 0191 226 3699.