NEWS FROM ICO : Supplying records directly to patients
Some practices have questioned if it is appropriate to supply records directly to the patient, and advise has been sought from the ICO on this matter, please see the advise received from the OIC below: -
10 August 2018
Case Reference Number
Thank you for your email of 16 July (attached for your reference).
In relation to Subject Access Requests (SAR) received from solicitors, the requests should only be being made by solicitors when they are acting on behalf of, and with the authority of, their clients. We would always recommend GP surgeries contact the patient to verify that the request is made with their consent. If the request has not been made on behalf of the individual, it will not be a valid request.
You should also inform the patient of the scope of the information requested and make sure the patient is aware of what the solicitors will receive if this is disclosed. If the patient wishes to proceed in making the SAR, the GP should comply with that request by supplying the records in question directly to their patient.
Clearly, if the patient chooses not to forward any particular part of their medical records to the solicitors then he or she does not want them to have that information. Consequently the supply of such information will not be done with the authority of the patient. If the solicitor is attempting to circumvent or manipulate this process to obtain medical records that they do not believe the patient wishes them to have, it is not a lawful SAR but potentially an unlawful attempt to obtain Special Category personal data.
I recommend that you continue with your current policy as the objection that you say has been raised by the solicitors is that they cannot get medical records the patient doesn’t want them to have. A SAR is not designed to allow third parties to obtain personal data the data subject does not want disclosed so you should continue to resist attempts to obtain personal data without consent in this manner.
If the solicitor is concerned that their client is not providing them with all the medical information they require that is a matter for them to resolve directly with their client.
I hope this information is helpful to you. If you would like to discuss this enquiry further, please contact me on my direct number 0330 414 6484. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website at www.ico.org.uk. For information about what we do with personal data see our privacy notice.
Caitlin Muir Lead Case Officer Information Commissioner’s Office