Police departments may have breached the law by sending subject access requests (SARs) to GP practices to establish whether patients are ‘medically safe’ to hold a firearms licence.
This is the finding of the Information Commissioner’s Office (ICO), after it looked into a number of instances brought to it by the BMA’s GP Committee.
The ICO found that not only are SARs ‘unnecessary’ when used by the police, but they could ‘potentially constitute a breach of the Data Protection Act’.
The GPC, which is now in talks with the Home Office about the situation, said the requests create ‘potential risk for the public and problems for GPs’.
Following the new General Data Protection Regulation (GDPR), brought in earlier this year, copies of patient records can be requested from practices free of charge, using a SAR. The issue was reported by several LMCs, including North Staffordshire, Gloucestershire and Gateshead and South Tyneside.
In an update to practices, North Staffordshire LMC said: ‘In some parts of the country constabularies have taken to requesting a copy of patient records at the expense of the practice, instead of a medical report – for which practices can charge – to establish whether it is medically safe for patients to hold a firearms licence. They do this under the subject access request regulation of the Data Protection Act.
‘The GPC has sought advice from the ICO to establish whether this is appropriate, and the ICO has ruled that it is not.’
An ICO spokesperson told the GPC that the ‘police have adequate powers and authority to deal with this’ as they did previously – by approaching the GP directly for the information they require.
They explained that this ‘would permit the GP to provide only information which, in their professional judgement, was pertinent to the application’.
The spokesperson said: ‘It is the ICO’s view that the previous means of obtaining medical information is still permissible under the Data Protection Act and that therefore the “enforced subject access” approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.’
While the GPC is unsure how widespread the requests are, it is working to ‘address’ the issue.
GPC deputy chair Dr Mark Sanford-Wood said: ‘It is of concern to us that different constabularies adopt widely varied approaches to the same issue, and this is creating potential risk for the public and problems for GPs.
‘We continue to engage with the Home Office to try and address this.’
Earlier this year, the GPC asked GPs to write to their MP highlighting the influx of subject access requests received by practices from solicitors and insurance companies, following the introduction of GDPR.
GPs have been involved in the firearms application process since 2016, when they were asked to place a ‘firearm reminder’ code in their records to act as an alert if the health of gun owners deteriorates.
The ICO’s advice in full
The ICO is aware that the access to medical records for the purposes of firearms licensing has raised concerns, given the more stringent provisions of the new data protection regime, but it is our view that the police have adequate powers and authority to deal with this as they have done hitherto, namely by approaching the GP direct for information they require.
This would permit the GP to provide only information which, in their professional judgement, was pertinent to the application. Applicants would be asked to consent to the approach by the police to the GP.
This would not constitute consent in data protection terms – we are satisfied that the police would not be obtaining and processing the data on the basis of consent – but would be closer perhaps to the sort of consent which the medical profession uses when treating a patient.
It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.
To summarise, therefore, it is the ICO’s view that the previous means of obtaining medical information is still permissible under the Data Protection Act and that therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.
Source: Gloucestershire LMC