With the reported increases in the numbers of SARs requests received by GP practices since the introduction of GDPR in May 2018, the increased burden on resources will be an ever-present concern and frustration.
A recent poll of a number of practices showed just over half of respondents reported an increase in the numbers of SARs requests received, and with surveys performed showing that many people are still unaware of their rights under GDPR, increased requests are probable.
Estimated figures of a £20.6m cost to the NHS before the implementation of GDPR, by far the biggest public sector impact according to the findings of a recent FOI request, seem to emphasise the need for further review of how this access right is being used.
I doubt anyone could question the time and effort, not to mention money, put in by the NHS when current data shows 70% of businesses, of all sectors, are failing the new 30-day target, whereas the NHS is managing an average response rate of 27 days.
Obviously, it is too early to be able to draw reliable conclusions from the data available, but it is clear that within the primary care sector there are significant variations in practice experience. However, the long-established problems with 3rd party requests continue to be raised with the added concern of increased cost.
Clear guidance on insurance companies as 3rd party requesters was issued by the BMA in association with the Association of British Insurers (ABI). In January 2017, the ABI published a set of high-level principles on requesting and obtaining medical information.
The right for individuals to obtain medical records through SARs is permitted under the Data Protection Act 1998, and insurers were obtaining this medical information by requesting a declaration of consent from the individual at the time of application. However, in July 2015, the use of SARs for insurance purposes was reviewed by the Information Commissioner’s Office (ICO), who expressed concerns regarding this process and the Data Protection issues that it could potentially create. As a result of their findings, insurers previously using SARs should have ceased requesting them and should instead request medical information only through the Access to Medical Reports Act 1988 (AMRA) process or Northern Ireland equivalent.
Information Commissioner’s view
The ICO wrote to the ABI to confirm that the right of subject access is not designed to underpin the commercial processes of the life insurance industry. The Commissioner takes the view that the use of subject access rights to access medical records in this way is an abuse of those rights and that the subsequent processing of full medical records by insurers is likely to fall foul of the DPA in a number of ways.
It was the ICO’s expectation that insurance companies will discontinue the use of SARs and will instead revert to requesting medical reports under the provisions of the AMRA. The BMA has separate guidance on this legislation. (“Focus on Subject Access Requests for insurance purpose” BMA August 2015, reissued February 2018)
Advice for practices
The ICO has stated that when a SAR from an insurance company is received, GPs should contact the patient to explain the implications of such a request and the extent of the disclosure. The ICO is also clear that GPs should provide the SAR information to the patient themselves, rather than directly to the insurance company.
The BMA has therefore produced a template letter for GPs to send to patients which is in line with the advice from the ICO. The letter offers patients a choice between a SAR, whereby the medical record would be provided to them to share with the insurer as they wish, or asking their insurance company to seek a GP report. (“Focus on Subject Access Requests for insurance purpose” BMA August 2015, reissued February 2018)
A copy of the template letter can be accessed via the PMA.
Solicitors, often requesting for similar purposes to insurance companies, are considered separately. It would be a big step forwards if similar guidance on solicitors’ use of SARs was discussed, agreed and issued across all sectors. There have been suggestions that a solicitor needs to see a full set of notes to determine relevance to a case.
However, to exclude the patient’s GP by requesting full sets of notes seems counterproductive, as it is the patient’s GP who would arguably have the best holistic view of the patient’s condition, and whose involvement must save a solicitor or the legal team much time reading notes to determine what is or may be relevant.
Addressing such elements as 3rd party access would help reduce the financial burden on the NHS as a whole. Quite rightly, there are discussions and pressure around providing more funding to help meet the cost, which, however reduced, will remain an issue. But given the variations in experience, and the further avenues for improvement with the guidance on areas such as 3rd party access, we too can look and see what smaller improvements we can make locally, or how we can be confident our processes are as simple and efficient as possible.
One recent survey of just over 200 GP practices showed significant variations in time taken to respond and the costs incurred.
Concerns over the increased cost – where cost includes time, effort and money – are a problem that in many cases could be avoided.
GDPR represents an opportunity for GP practices to take control of the process – and do things differently.
Paul Dodd, PMA Governance Lead
Ian Jones, PMA Operations Director