MAPS publishes open letter to NHS medical records providers on the provision of medical records post-GDPR


"We believe that these enhanced requirements in regards to ‘reasonable doubt’ are a significant misinterpretation of GDPR."

MAPS Medical Reporting has published an open letter to provide an explanation of an issue that has recently been raised by multiple health trusts. Concerns have arisen about their blanket use of enhanced requirements for proof of identity documents prior to the disclosure of medical records, despite having been provided with a consent for disclosure in accordance with the agreed BMA and Law Society model.

David Stothard, managing director at MAPS Medical Reporting, said: “We believe that these enhanced requirements in regards to ‘reasonable doubt’ are a significant misinterpretation of GDPR.

“Further, requests for additional information may in fact be in breach of both the second and seventh Caldicott Principles for safe data use by the NHS.”

Thank you for your communication regarding the requirement for additional documentation to verify patient/client identity prior to the release of medical records, despite the provision of a signed form of consent authorising release by the patient/client.

With the greatest of respect, we believe that you have been misadvised regarding the position here.

The current legislation under the Data Protection Act s7 (3) says:-

Where a data controller—

(a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and

(b) has informed him of that requirement, the data controller is not obliged to comply with the request unless he is supplied with that further information.

The Data Protection Bill, currently passing through the Parliamentary Process so as to implement GDPR, at s52 (4) says:-

Where the controller has reasonable doubts about the identity of an individual making a request under section 45, 46 or 47, the controller may—

(a) request the provision of additional information to enable the controller to confirm the identity, and

(b) delay dealing with the request until the identity is confirmed.

The requirement under the new law is that you have “reasonable doubt” about the identity of the individual making the request before any entitlement to request additional information arises. We do not regard the mere fact of making a request for records as raising a reasonable doubt for every single request made. Nor do we regard it as an appropriate exercise of discretion to apply a blanket requirement to all cases without some evidence or justification for the “reasonable doubt” belief which may arise in a specific case. There is no merit in rehearsing the legal principles behind the phrase “reasonable doubt” or the appropriate exercise of discretion here but we would encourage you to obtain your own legal advice on the points.

The draft bill also says that even if there is reasonable doubt, you “may” request the additional information. Again we recommend that you take your own legal advice on the point but hope that you will quickly appreciate that “may” is a permissive right as opposed to the use of the word “must” which would create an obligation.

We are a medical reporting organisation. We operate across England and Wales and deal with hospital trusts and medical practices throughout that whole area. Our solicitor customers ask us to obtain medical records from yourselves on behalf of their clients, your patients, for the purpose of legal proceedings. We obtain a consent in the form agreed between the Law Society and the BMA, signed personally by the client, your patient. This is not a third party subject access request. It is a request from the data subject for their records, which we handle on their behalf.

We obtain more than 15,000 sets of records a year and have been operating in this way for almost twenty years now. We do not believe that we have ever previously been asked for documentation beyond the patient/client consent form for any living person. In that time we do not know of any single case where records have been requested or obtained by one person impersonating another. The individual making the request for their own data does so without any expectation of having to see or deal with the records themselves; they ask us to obtain their records and pass them to their lawyer and the medico legal expert witness instructed in their case. There is no reason to believe that any individual would seek access to records which do not relate to themselves.

We do not regard the request for additional proof of identity and address verification as reasonable or in any way being justified by the current or proposed law or the evidence of decades of experience of operating these processes. Furthermore your request for additional information puts you at risk of breach of both the second and seventh Caldicott Principles. The former by requesting unnecessary personal data and the latter by imposing unnecessary and unreasonable requirements which impede appropriate data sharing in your patients’ best interests.

Accordingly we invite you to confirm that you will be revising your stated approach to this situation as a matter of urgency.

MAPS Medical Reporting provides quick access to reputable experts and high quality, specialist medico legal reports, to provide its customers with robust medical evidence, to expedite both treatment services for the victim and the claims process.