Insurers, particularly in personal injury claims, will require medical evidence to determine the nature and extent of any injury. Normally such information is obtained by requesting a report from a GP or other medical professional. Commonly many reports refer to the insured’s medical records. However, insurers are utilising an individual’s data protection rights by obtain access to full medical records by making a subject access request to the GP. Some of the data obtained as a result will be irrelevant and could disclose other sensitive information which is not required by the insurance company. Insurance companies processing full medical records are likely to breach the data protection principles as data should be adequate, relevant and not excessive for the purpose obtained.
There is also a 40 day statutory time limit for providing data following a subject access request made to a data controller (the GP in this case). In contrast, there is no time frame for providing a GP Report.
Some insurance companies have hit back by saying that subject access requests are of significant benefit to their insured to ensure that all pertinent information is obtained. This avoids the likelihood of claims being declined. It could also cut down on misrepresentation and confusion over whether the insured has declared certain medical conditions to insurers.
Legal and General has confirmed that it welcomes further discussions with the ICO and will cooperate with any GP surgery or insured who confirms that they do not wish to provide full medical records.
It is clear that there are benefits and drawbacks to providing full records and this is a matter to be considered by each individual to determine the level of information they wish to provide. We regularly advise on personal injury claims and data protection rights so if you would like to discuss either of these topics, please do not hesitate to contact us on 023 8064 4822.