Police 'potentially breaching data law' to gain GP info on firearms applicants

Police departments may have breached the law by sending subject access requests (SARs) to GP practices to establish whether patients are ‘medically safe’ to hold a firearms licence.

This is the finding of the Information Commissioner's Office (ICO), after it looked into a number of instances brought to it by the BMA's GP Committee.

The ICO found that not only are SARs 'unnecessary' when used by the police, but they could ‘potentially constitute a breach of the Data Protection Act’. 

The GPC, which is now in talks with the Home Office about the situation, said the requests create ‘potential risk for the public and problems for GPs’.

Following the new General Data Protection Regulation (GDPR), brought in earlier this year, copies of patient records can be requested from practices free of charge, using a SAR. The issue was reported by several LMCs, including North Staffordshire, Gloucestershire and Gateshead and South Tyneside.

In an update to practices, North Staffordshire LMC said: ‘In some parts of the country constabularies have taken to requesting a copy of patient records at the expense of the practice, instead of a medical report - for which practices can charge - to establish whether it is medically safe for patients to hold a firearms licence. They do this under the subject access request regulation of the Data Protection Act.

‘The GPC has sought advice from the ICO to establish whether this is appropriate, and the ICO has ruled that it is not.’

An ICO spokesperson told the GPC that the ‘police have adequate powers and authority to deal with this’ as they did previously - by approaching the GP directly for the information they require.

They explained that this ‘would permit the GP to provide only information which, in their professional judgement, was pertinent to the application’.

The spokesperson said: ‘It is the ICO’s view that the previous means of obtaining medical information is still permissible under the Data Protection Act and that therefore the “enforced subject access” approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.’

While the GPC is unsure how widespread the requests are, it is working to ‘address’ the issue.

GPC deputy chair Dr Mark Sanford-Wood said: ‘It is of concern to us that different constabularies adopt widely varied approaches to the same issue, and this is creating potential risk for the public and problems for GPs.

‘We continue to engage with the Home Office to try and address this.’

Earlier this year, the GPC asked GPs to write to their MP highlighting the influx of subject access requests received by practices from solicitors and insurance companies following the introduction of GDPR.

GPs have been involved in the firearms application process since 2016, when they were asked to place a ‘firearm reminder’ code in their records to act as an alert if the health of gun owners deteriorates.

The ICO's advice in full

The ICO is aware that the access to medical records for the purposes of firearms licensing has raised concerns, given the more stringent provisions of the new data protection regime, but it is our view that the police have adequate powers and authority to deal with this as they have done hitherto, namely by approaching the GP direct for information they require.

This would permit the GP to provide only information which, in their professional judgement, was pertinent to the application. Applicants would be asked to consent to the approach by the police to the GP.

This would not constitute consent in data protection terms – we are satisfied that the police would not be obtaining and processing the data on the basis of consent - but would be closer perhaps to the sort of consent which the medical profession uses when treating a patient.

It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.

To summarise, therefore, it is the ICO’s view that the previous means of obtaining medical information is still permissible under the Data Protection Act and that therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.

Source: Gloucestershire LMC

Readers' comments (7)

  • Cobblers

    Is this provision of information to the Police for the assessment of whether patients are ‘medically safe’ to hold a firearms licence still rumbling along?

    To the sounds of a can being kicked down the road, yet again, came the answer.

    I am conscious of the oft quoted "For every complex problem there is an answer that is clear, simple, and wrong." And yet this is not a complex question, is it?

    Is this contractual? Explicitly so? For if not then this is the Police's problem and they can come up with a solution.

    Involving lots and lots of sausages (money) if it is done at all.

  • I don't think the police need to know if I had an abortion 15 years ago in order to process an application.

    Therefore holding that information is illegal.

    End of story.

  • Everyone is trying to pass the buck to the GP and make us do things for free. The police, social workers, carers, schools, councils, greedy fishing solicitors and as long as we keep accepting it, MDU fees will increase and it distracts us from doctoring and curing diseases. Once it is privatised, it all stops.

  • Took Early Retirement

    Stoopid picture Pulse. It is almost impossible to have a handgun legally in the UK since the Dunblane tragedy.

  • About time someone reported the ambulance chasing lawyers and insurance companies who make SARs for trivial reasons to the ICO as well I say.

  • If GP practice moves to private model you will then get the insurance companies telling you what to do and capping fees below fair rates as they do with secondary care private work

  • The GPC really had to ask the ICO to rule on this?
    Clearly GPC have failed to understand GDPR!
    SAR is only for the data subject to obtain information, so is not appropriate for Police. Police should charge the applicant the fee and pass on part of it to the GP practice as in the pre-existing arrangement made with BMA many years ago. (but updated in line with inflation of course!)
