Home Office discussing potentially unlawful access to patient info by police

26 November 2018

Police officers may be using an unlawful means of obtaining the patient records of firearm licence applicants, it has been reported.

According to some local medical committees (LMCs) in England, police are using subject access requests (SARs) to acquire the medical histories of individuals who have applied for a firearms licence.

The right to make a subject access request is given in the General Data Protection Regulation (GDPR).

Under GDPR, GP practices can no longer charge people who request to see a copy of their patient record via a subject access request.

But, in an effort to cut costs, it seems some police forces are using this mechanism rather than requesting a medical report – for which GPs can still charge.

The General Practitioners Committee (GPC) of the British Medical Association is now said to be in talks with the Home Office about the matter, according to Pulse.

This follows the committee referring a number of cases to the Information Commissioner’s Office (ICO), the independent UK body which upholds information rights.

The ICO is reported to have advised that the police do have power to request such information, but made clear that applicants for firearms licences would have to consent to such an approach.

“It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.”

But the statement also makes clear that the “previous means” of police forces obtaining medical information is still permissible under the Data Protection Act.

“Therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.”

‘Inappropriate use’

Both Birmingham LMC and Gloucester LMC have published guidance on the subject, reproducing the ICO statement in full. In Birmingham, practices are being advised to refuse to provide free access to medical records for firearms licence applications and to copy the LMC into any correspondence.

GDPR was rolled out across Europe on 25 May 2018, and enshrined in UK law via an update to the Data Protection Act.

Organisations that fall foul of the legislation face sanctions by the Information Commissioner’s Office (ICO), including fines of up to €20 million for more serious infringements.
