
Out-Law News

Privacy watchdog warns insurance companies on subject access requests


The UK's data protection authority has warned insurance companies that it is "inappropriate" and "an abuse" of privacy rights to seek medical information about prospective policy holders through subject access requests (SARs).

The Information Commissioner's Office (ICO) also raised concerns that insurance companies' processing of data obtained through SARs might not comply with data protection laws.

"By making a subject access request on a patient’s behalf, an insurance company may be provided with a patient’s entire medical record, including information that is not relevant for the purpose of underwriting a policy," the ICO said in a blog.

"The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right. We also have concerns that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act. We will be speaking to the insurance sector further to ensure that future use of medical records is in line with the law," it said.

Insurers do have a "genuine need" to review medical information when providing certain insurance protection to customers, such as life insurance and critical illness cover, the ICO said. However, it said insurers should follow the "clear and established legal route" to the data they require that is provided for under the Access to Medical Reports Act.

"Under the [Access to Medical Reports] Act, a GP can provide a tailored report to an insurer, with their patient’s consent, setting out only the information the insurer needs," the ICO said. "However, some insurance companies have instead been looking to rely on the subject access right given to consumers under the Data Protection Act in order to obtain medical records, rather than a tailored GP’s report."

"A subject access request gives an individual the right to ask for all of the personal information an organisation holds about them. This is a powerful right, designed to ensure individuals can access information held about them within a specified time period and at a nominal cost. This right was not designed to underpin the commercial processes of insurers," it said.

Under the Data Protection Act (DPA), when an individual requests access to the personal data an organisation holds about them, the organisation is generally required to provide a copy of that data within 40 days of receiving the request.

In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

Under rules which came into force in March, it is a criminal offence to force a person to make a SAR and reveal the result. The ICO had previously said that enforced SARs were being used by a number of organisations, including "insurers when dealing with claims".

Earlier this year technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said a High Court judge had placed too heavy an emphasis on the purpose of SARs when determining whether a SAR had to be complied with.

"The EU Data Protection Directive requires member states to 'guarantee' that people can access information about themselves 'without constraint'," Scanlon said. "To constrain the right to access data to only purposes which further other provisions of the DPA, such as to correct inaccuracies in data, ignores the fact that the aim of allowing people to access their data is a purpose of the legal framework that underpins the DPA itself – both the Data Protection Directive and the European Convention on Human Rights."

"That right of access ought to only be constrained where the specific exemptions or limitations included within the data protection legal framework apply, for example for national security reasons, not by analysing the possible reasons behind why someone would want to access information about themselves," he said.

The way organisations handle people's requests for access to personal data is the most common kind of data protection complaint in the UK, according to the ICO's most recent annual report.

The ICO has produced a code of practice on subject access requests which sets out guidance for organisations on what action they need to take when a SAR is submitted.

According to the ICO's code, businesses must "make extensive efforts to find and retrieve the requested information". However, companies are not obliged to carry out an "unreasonable or disproportionate" search for information in order to disclose data in accordance with individuals' subject access rights, it said. The disproportionate effort exception has caused "considerable confusion", the ICO conceded, but businesses can only rely on it in "the most exceptional of cases".

"It will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient," the ICO said.
