Home Office discussing potentially unlawful access to patient info by police

Cyber Security, News

  • 26 November 2018
Home Office discussing potentially unlawful access to patient info by police
Owen Hughes
October 24, 2017

Police officers may be using an unlawful means of obtaining the patient records of firearm licence applicants, it has been reported.

According to some local medical committees (LMCs) in England, police are using subject access requests (SARs) to acquire the medical histories of individuals who have applied for a firearms licence.

The right to make a subject access request is given in the general data protection regulation (GDPR).

Under GDPR, GP practices can no longer charge people who request to see a copy of their patient record via a subject access request.

But, in an effort to cut costs, it seems some police forces are using this mechanism rather than requesting a medical report – for which GPs can still charge.

The General Practitioners Committee (GPC) of the British Medical Association is now said to be in talks with the Home Office about the matter, according to Pulse.

This follows the committee referring a number of cases to the Information Commissioner’s Office (ICO), the independent UK body which upholds information rights.

The ICO is reported to have advised that the police do have power to request such information, but made clear that applicants for firearms licences would have to consent to such an approach.

“It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.”

But the statement also makes clear that the “previous means” of police forces obtaining medical information is still permissible under the Data Protection Act.

“Therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.”

‘Inappropriate use’

Both Birmingham LMC and Gloucester LMC have published guidance on the subject, reproducing the ICO statement in full. In Birmingham, practices are being advised to refuse to provide free access to medical records for firearms licence applications and to copy the LMC into any correspondence.

GDPR was rolled out across Europe on 25 May 2018, and enshrined in UK law via an update to the data protection act.

Organisations that fall foul of the legislation face sanctions by the Information Commission’s Office (ICO), including fines of up to €20 million for more serious infringements.

Subscribe To Our Newsletters

Find out more

Subscribe to our newsletter

Subscribe To Our Newsletter

Prev News

Oxford University Hospitals FT ignites FHIR APIs from Cerner

Next News

Greater Manchester Connected Health City launches antibiotics dashboard

Related News

Data guardian seeks clarification on Palantir patient data access
AI and Data June 5, 2026

Data guardian seeks clarification on Palantir patient data access

The National Data Guardian has asked NHSE to explain how Palantir staff gained access to patient data in the FDP, something it was unaware of.
Almost 33,000 Bedfordshire patients had data stolen in cyber attack
News June 3, 2026

Almost 33,000 Bedfordshire patients had data stolen in cyber attack

Almost 33,000 Bedfordshire Hospitals NHS Foundation Trust patients had personal data stolen in the cyber attack on Synnovis in June 2024.
Digital Health Coffee Time Briefing ☕
News May 19, 2026

Digital Health Coffee Time Briefing ☕

Today's briefing features a blood test to detect Alzheimer’s disease earlier and an AI-imaging software platform to treat lung disease.