This site is intended for health professionals only

At the heart of general practice since 1960

Report this comment to a moderator

Please fill in the form below if you think a comment is unsuitable. Your comments will be sent to our moderator for review.

Report comment to moderator

Required fields.


ICO wades in over insurer asking for full GP records


Please feel free to use our practice's standard reply: Thank you for your medical records subject access request. We formally decline to undertake this. We draw your attention to paragraph on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013 ( ‘12.12 Access to patient records from insurers and mortgage providers The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage. The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent. In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only “adequate, relevant and not excessive” personal data about an individual. This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose. The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.’ We suggest that you apply for a PMA report in the normal way.Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records.We cannot guarantee that the patient may withhold part of their medical record.You have a duty not to hold any more information than you require. I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.

Posted date

27 May 2014

Posted time