There is a dispute between the British Medical Association and the insurance industry over payments for GP medical reports concerning the health of claimants and the underwriting of insurance. The result is that some insurance providers (e.g. Legal and General) are resorting to a variant of enforced subject access.
This trend is likely to continue, especially if Government plans to provide patients with on-line access to their own health records come to fruition. I can see many organisations being tempted to ask patients to provide a “looksy-peepsy” – with consent of course! And why limit this kind of procedure to medical records – why not online banking records etc?
In short, this issue is serious – and like most serious issues to do with data protection, there is a record of Government inaction that stretches out for more than two decades.
The history of enforced subject access
Enforced subject access is the technique used by employers to obtain copies of criminal record data about employees or prospective employees when they don’t have legal authority to obtain these details from the Criminal Records Bureau (CRB). Under section 56 of the Data Protection Act, the enforced subject access procedure is an offence.
However, the offence is dependent on the CRB being able to provide a “Basic Check” (or a “criminal conviction certificate” to use the Police Act 1997 terminology) to applicants (usually the data subject). For whatever reasons, the CRB have been unable to deliver this service.
Section 75(3) of the Data Protection Act states that section 56 (i.e. the enforced subject access offence) does not come into effect until the “criminal conviction certificate”, the “criminal record certificates” and the “enhanced criminal record certificates” are all available. As the CRB only provide the two criminal record certificates (i.e. they do not provide the “criminal conviction certificate”), the offence has never been commenced.
Government has refused to change this law. Statutory protection has thus been removed from data subjects for 15 years – more if you consider that enforced subject access was first raised as a serious problem needing urgent Government attention by Eric Howe, the First Data Protection Registrar, in the early 1990s – more than two decades ago.
The Information Commissioner has already told the Government that it has an opportunity in its Freedoms Bill to do something about the problem – wishful thinking (see references). And you know those infraction proceedings with the European Commission that I always go on (and on and on) about? Well, the European Commission explicitly mentioned that the absence of the enforced subject access offence in connection with health personal data and employment was a deficiency in the UK’s implementation of Directive 95/46/EC via the Data Protection Act (see references also).
I must admit that, until now, I was under the impression that medical records were subject to the same provisions as criminal records, but looking at the detail of Section 57 of the DPA, this impression is incorrect. Section 57 only deals with “Avoidance of certain contractual terms relating to health records” and merely states that in the context of a contract requiring a data subject to use his subject access rights to obtain medical records that: “Any term or condition of a contract is void”.
Note that this provision is very weak and affords hardly any protection to data subjects; it requires an explicit contractual provision AND it is not an offence. So if the insurer were to ask an applicant to use his subject access rights (i.e. it is not an explicit “condition of a contract”) then there is no prohibition. This is why I call the Medical Record SAR procedure a variant of the enforced subject access (SAR) procedure.
The variant of enforced subject access as used by the insurance industry
Mr. Russ Whitworth (see references), underwriting and claims director at Legal & General (L&G), has told the insurance trade press about the attractions of the SAR approach. Noteworthy quotes include:
• "We're doing this to make us more attractive from a customer proposition angle," he said. (i.e. the procedure benefits the consumer because the repudiation rate is lower because if the underwriters have everything, then “you're effectively indemnifying the customer from non-disclosure”);
• "This sometimes is inadvertent because of the questions which underwriters feel the need to ask, which can be quite tricky”, and
• "SARs have got a better return rate”.
According to L&G there is nothing different from the usual GP Report mechanism. For instance, Mr Whitworth is reported to have said:
• "The customer doesn't have to do anything more than they do at the moment - which is just sign the consent form and be informed about what we're about to do";
• "The agent doesn't need to do any more either", and
• In relation to any extra medical information, “the industry has been dealing with this for some time already and that the customer suffers no detriment” and in fact, “if any extra material is included that supports the client's case, this is used to adjust the underwriting accordingly”.
Mr Whitworth concludes his interview by saying "I see SARs as the future for L&G - whether others in the industry choose to follow, we'll see".
So can I first congratulate Mr Whitworth for projecting this “theoretically” unlawful SAR procedure as a form of altruism. I did not realise that the enforced subject access process helps customers, increases their claims payouts, and makes it easier for everybody concerned.
Perish my wicked thoughts that the procedure was installed to reduce costs, maximise profit and not to take on potentially uninsurable, loss-making customers. Oh how wrong you can be!
Potential breaches of data protection law
I also part company with L&G because I think its SAR procedure:
• quite simply, is ethically unacceptable (without considering any data protection issue);
• could result in the obtaining of personal data that are not necessary to be processed for the insurance purpose; any personal data that are not relevant could constitute a breach of the Third and Fifth Data Protection Principles;
• could breach the Sixth Principle on the grounds that the procedure does not respect the rights of data subjects granted under the Data Protection Act; these rights are to protect the data subject and not increase L&G’s profitability;
• could breach the Fourth Principle if inaccurate medical records are disclosed and used in an insurance decision;
• undermines the statutory Code of Practice on data sharing between Third Parties; and finally,
• the outcome of the procedure could be unfair to data subjects in breach of the First Data Protection Principle if the excessive personal data were used to deny insurance.
In addition, the SAR procedure undermines the protection granted by Parliament to individuals in the Access to Medical Reports Act 1998. Arguably, the processing is unfair in First Principle terms as the SAR procedure ensures the data subject is denied the right:
• to withhold permission for the company to seek a medical report (that is, to refuse consent to the release of information);
• to have access to the medical report after completion by the doctor either before it is sent to the company or up to six months after it is sent;
• to instruct the doctor not to send the report after seeing the report before it is sent; and
• to request the amendment of inaccuracies in the report.
My own view? If there is a problem of some people fiddling health and insurance, you find a procedure to deal with that issue. If there is a dispute with the BMA over payments with respect to GP reports, you negotiate an agreement.
What you don’t do is resolve an insurance problem by undermining the rights of everybody in the UK following a procedure that, in the context of criminal records, should be a criminal offence.
The trade press on the enforced subject access procedures: http://www.ifaonline.co.uk/cover/feature/2144639/battling-progress-gprs-vs-sars/page/3#ixzz1n1M15umH
The altruism of Legal & General is described here: http://www.ifaonline.co.uk/cover/interview/2142714/interview-gs-russ-whitworth
Changing the law to protect data subjects from enforced subject access has been suggested by the ICO in the Freedoms Bill: http://amberhawk.typepad.com/amberhawk/2011/03/ico-evidence-identifies-data-protection-concerns-over-freedoms-bill.html
The weakness in the law surrounding enforced subject access was identified by the European Commission as a reason why the UK’s Data Protection Act is deficient: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html