The Information Commissioner’s Office (ICO) has stepped in to calm GPs’ concerns about solicitors using the General Data Protection Regulation (GDPR) to obtain clients’ medical records.
The ICO said medical practices have reported a “significant rise” in subject access requests (SARs) since GDPR came into effect last May.
“Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims.
“Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.”
Under the updated data protection regime, a patient’s request to access their records must now be processed free of charge and within one month.
But in a blog published yesterday, Jovian Smalley, the ICO’s group manager – engagement (public services), said this “needn’t be a headache” for GPs.
He said that where a SAR was made on behalf of a patient by their legal representative and accompanied by the patient’s clear authority, “it should be treated in the same way as if it was made directly by the patient”.
Mr Smalley continued: “Legal representatives must, of course, also consider their own responsibilities under the law. They should only request the data they need for their specific purpose and they must make sure they are using the correct legal framework.”
He said that, if a GP thought more information than was necessary was being requested, “they can check that the patient is aware of the full extent of what is being sought”.
He added: “In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient who can then make their own choice about what information they pass on to their representative.”
The British Medical Association (BMA) and Law Society have collaborated to create a standard form which lawyers can use, published in BMA guidance.
The guidance said the client’s consent must cover “the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings”.
One of the most contentious issues has been whether GPs can charge for providing the information.
The BMA guidance said: “Initial access must be provided free of charge (including postage costs) unless the request is ‘manifestly unfounded’ or ‘excessive’ – in which case a ‘reasonable’ fee can be charged.
“These circumstances are likely to be rare and should be assessed on a case-by-case basis.”