The Information Commissioner’s Office is examining why insurance companies are requesting patients’ full medical records from GP practices instead of using standard procedures to obtain relevant information.

A GP who received one of the requests is concerned that the companies may be breaching the principles of the Data Protection Act.

Dr Paul Cundy, who is joint chairman of the British Medical Association and Royal College of GPs’ joint IT committee, contacted EHI after receiving a subject access request (SAR) from Aviva for the full medical records of one of his patients for a life insurance policy.

SARs are normally used by individuals to request personal information held about them by an organisation.

Aviva asked Dr Cundy to provide copies of all the patient’s medical records, excluding negative results for HIV, Hepatitis B and C, and details of STIs “unless they have long-term health implications”.

In a SAR consent form for the patient, the company said it would disregard any information it was sent that was not related to the application “unless the information will help us to make a more favourable decision”.

Dr Cundy said he is concerned that insurance companies’ use of SARs breaches the third principle of the Data Protection Act, which states that “personal data shall be adequate, relevant and not excessive in relation to the purpose…for which they are processed.”

“In the letter, they admit to receiving information that goes beyond their purpose, so they’re breaking the law.”

Dr Cundy said the insurance companies should be asking for a general practitioner report, which is specifically set up to provide relevant information to insurance companies.

“An SAR is not designed for insurance purposes: the law is very clear that disclosure for insurance purposes needs to happen under a significantly different set of guidelines.”

He added that patients cannot rely on assurances that the additional data obtained will not be used by the insurance company.

“How do you know that they’re not using the information they shouldn’t see to increase your premium? You can only trust them, and that’s why there’s an agreed set of information that we have to send to insurers,” he said.

“I’m concerned that patients don’t fully understand what’s happening when they fill in this form.”

An ICO spokesman told EHI it is “making enquiries” into how insurance companies are using SARs and whether their use fits with the Data Protection Act.

“These [SAR] requests are powerful and lead to all of the information held by an organisation being disclosed.

“There are already specific means for insurers to find out relevant medical information with appropriate safeguards.”

Robert Morrison, Aviva’s chief underwriter, told EHI that the company uses SARs so a decision can be made “much more quickly” for its customers.

Morrison said SARs also reduce the risk of receiving incomplete information “which inevitably means delays for the customer”.

Customers who have to provide additional information for an application can choose whether it is obtained through a GPR or an SAR, he said.

The company’s “robust confidentiality policy” ensures that confidential medical information is only viewed by employees who need to see it to process the application.

“Irrespective of whether medical information comes from a SAR or GPR, we only factor in information which is specifically related to the health questions we ask on the application form.”

Morrison said Aviva is “satisfied from a legal perspective that our practice is valid and complies with the Data Protection Act”, as well as with guidance issued by the Association of British Insurers.

The company is working with the ICO to identify any areas where the process could be improved for customers, he said.