Home Office discussing potentially unlawful access to patient info by police

26 November 2018
Police officers may be using an unlawful means of obtaining the patient records of firearm licence applicants, it has been reported.

According to some local medical committees (LMCs) in England, police are using subject access requests (SARs) to acquire the medical histories of individuals who have applied for a firearms licence.

The right to make a subject access request is given in the General Data Protection Regulation (GDPR).

Under GDPR, GP practices can no longer charge people who request to see a copy of their patient record via a subject access request.

But, in an effort to cut costs, it seems some police forces are using this mechanism rather than requesting a medical report – for which GPs can still charge.

The General Practitioners Committee (GPC) of the British Medical Association is now said to be in talks with the Home Office about the matter, according to Pulse.

This follows the committee referring a number of cases to the Information Commissioner’s Office (ICO), the independent UK body which upholds information rights.

The ICO is reported to have advised that the police do have power to request such information, but made clear that applicants for firearms licences would have to consent to such an approach.

“It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.”

But the statement also makes clear that the “previous means” of police forces obtaining medical information is still permissible under the Data Protection Act.

“Therefore the ‘enforced subject access’ approach is not only unnecessary, but could potentially constitute a breach of the Data Protection Act.”

‘Inappropriate use’

Both Birmingham LMC and Gloucester LMC have published guidance on the subject, reproducing the ICO statement in full. In Birmingham, practices are being advised to refuse to provide free access to medical records for firearms licence applications and to copy the LMC into any correspondence.

GDPR was rolled out across Europe on 25 May 2018, and enshrined in UK law via an update to the Data Protection Act.

Organisations that fall foul of the legislation face sanctions by the Information Commissioner’s Office (ICO), including fines of up to €20 million for more serious infringements.
