Police officers may be using an unlawful means of obtaining the patient records of firearm licence applicants, it has been reported.

According to some local medical committees (LMCs) in England, police are using subject access requests (SARs) to acquire the medical histories of individuals who have applied for a firearms licence.

The right to make a subject access request is given in the general data protection regulation (GDPR).

Under GDPR, GP practices can no longer charge people who request to see a copy of their patient record via a subject access request.

But, in an effort to cut costs, it seems some police forces are using this mechanism rather than requesting a medical report – for which GPs can still charge.

The General Practitioners Committee (GPC) of the British Medical Association is now said to be in talks with the Home Office about the matter, according to Pulse.

This follows the committee referring a number of cases to the Information Commissioner’s Office (ICO), the independent UK body which upholds information rights.

The ICO is reported to have advised that the police do have power to request such information, but made clear that applicants for firearms licences would have to consent to such an approach.

“It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.”

But the statement also makes clear that the “previous means” of police forces obtaining medical information is still permissible under the Data Protection Act.

“Therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.”

‘Inappropriate use’

Both Birmingham LMC and Gloucester LMC have published guidance on the subject, reproducing the ICO statement in full. In Birmingham, practices are being advised to refuse to provide free access to medical records for firearms licence applications and to copy the LMC into any correspondence.

GDPR was rolled out across Europe on 25 May 2018, and enshrined in UK law via an update to the data protection act.

Organisations that fall foul of the legislation face sanctions by the Information Commission’s Office (ICO), including fines of up to €20 million for more serious infringements.