The Information Commissioner has recently been considering the practice whereby insurance companies use patients' subject access rights to obtain medical records.

The Access to Medical Reports Act 1988 established a clear, legal route for insurance companies to access medical information, allowing a GP, with their patient's permission, to provide a tailored report to an insurer setting out the information needed. More recently, some insurance companies have instead looked to rely on the subject access right of consumers under the Data Protection Act 1998 to gain full medical records rather than a GP's report.

The ICO is concerned that the processing of medical records by insurers is likely to breach the Data Protection Act, and has notified the insurance industry that this use of subject access rights is inappropriate and an abuse of the right. Furthermore, the ICO has advised that patients are still able to make subject access requests to their GP, and suggests that GPs should explain to patients the implications of making subject access requests, so that they are capable of making a more informed decision on exercising their Data Protection rights. GPs have been further advised that they must continue to respond to subject access requests in accordance with the guidance published on the ICO website, and should share responses with patients rather than insurance companies.
