The Information Commissioner (ICO) has told the Association of British Insurers (ABI) that its members who ask data subjects to exercise their rights of access to health records in order to obtain insurance products are committing several breaches of the Data Protection Act.
Clearly, the ICO is expecting the ABI's variant of enforced subject access to cease; the only remaining question is whether the Insurance Industry disagrees and wants to “have its day in court”.
In a letter to the ABI (see references), the ICO states that the Access to Medical Reports Act (AMRA) “sets out a statutory regime - with appropriate safeguards - by which medical information about an individual may be obtained by an insurer for insurance purposes. It should be noted that AMRA makes provision for GP reports to be provided to insurers, and is not a regime for obtaining medical records.”
Despite this, the letter continues: “We believe that use of subject access rights in the manner described sidesteps the statutory regime under AMRA”.
The letter points out that there might be a competition issue as “Section 8(3) of the DPA provides that a data controller is not obliged to comply with a subject access request if they have previously complied with a request and a reasonable interval – having regard to the nature of the data, the purpose for which it is processed and the frequency with which it is altered – has not elapsed”.
The letter continues that this provision allows the data controller (e.g. the GP) “to refuse to comply with a SAR where it has already done so within a close period of time. As it currently stands, it is likely that section 8(3) would apply in the case of individuals seeking a quote from a number of insurers, and therefore individuals may be prevented from obtaining the most competitive price for a policy. This could create competition and other regulatory concerns that insurers should consider”.
The letter points out that “An insurer who processes an individual’s entire medical record is likely to fall foul of the third principle” (because a subject access request will provide details that are excessive in relation to the insurance purpose). In related paragraphs the ICO refers to breaches of the First and Fifth Principles for similar reasons.
The Commissioner hints at breaches of the UK’s international obligations. This is because “subject access is a key element of the fundamental right to the protection of personal data provided for under Article 8 of the EU Charter of Fundamental Rights which is conferred upon individuals”; the right of subject access “is not designed to underpin the commercial processes of the life insurance industry”.
In summary, “the Commissioner takes the view that the use of subject access rights to access medical records in this way is an abuse of those rights”. He adds that “if the specific statutory mechanism provided by legislators for obtaining medical information for insurance purposes is failing to provide the information within the timescales the industry needs, then those affected should seek to review that mechanism and have this subjected to proper parliamentary scrutiny with a view to changing it”.
The ICO concludes: “Using individuals’ own data protection rights to side step the current statutory arrangements designed to meet the insurance industry’s needs, and including important safeguards for individuals, is not the appropriate approach”.
Biff, bang, bong, pow, smash! See you in court, if you want.
References
Much of the ICO’s letter was anticipated in my 2012 blog, which links to references that explain how the insurance industry uses enforced subject access: http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html
Download the ICO letter to the ABI here: ABI - Letter - 20150714 BLOG
Legal and General; how they use the Subject Access procedure at the moment: http://www.legalandgeneral.com/advisercentre/protection/underwriting/legislation-and-regulation/access-to-your-medical-history/