What should GPs do if they receive a Subject Access Request (SAR) for insurance purposes?
The BMA has said that GP practices should take steps to ensure they meet their obligations to process SARs legitimately and remain compliant with other principles of the Data Protection Act.
If such a request is received, practices should contact the patient to explain its implications and the extent of the disclosure. The patient should then be given a choice between an SAR, whereby the full medical record is provided to the patient to share with the insurer as they wish, or asking their insurance company to instead seek a tailored GP report directly from the practice.
The BMA has provided a new template letter that practices may wish to use for this. The advice reverses previous advice from the BMA – based on a ruling from the Information Commissioner’s Office – that said GP practices should not comply with any SARs they receive for insurance purposes, and should instead return the request to the insurer as inappropriate.
It is still expected that the newer ICO ruling will encourage insurance companies to stop requesting SARs, and that they will instead revert to requesting tailored GP reports.
What if the patient wants to respond via email?
The new guidance says electronic consent from the patient is also acceptable, as the Electronic Communications Act gives legal status to electronic signatures, though practices should take care that the patient has consented to the report, by checking with the patient if there is any doubt.
What about SAR requests from third parties for non-insurance purposes?
The new guidance advises that under the Data Protection Act, a patient is entitled to make an SAR via a third party acting on their behalf, such as a solicitor. In such cases, the ICO says a practice must be ‘satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement’.