View more on these topics

L&G clashes with ICO over protection info rules


Legal & General has clashed with the Information Commissioner’s Office over the use of medical data requests for protection customers.

The ICO has accused the insurer of “seriously misrepresenting” its position on the use of subject access requests.

Some insurers, including Legal & General and Aviva, have until now used subject access requests rather than GP reports to obtain medical information on protection applicants. They argue this gives them more comprehensive information which aids the underwriting process.

But after the British Medical Association raised concerns about the practice in July, the ICO branded it “inappropriate” in a strongly-worded statement.

The ICO said: “By making a subject access request on a patient’s behalf, an insurance company may be provided with a patient’s entire medical record, including information that is not relevant for the purpose of underwriting a policy.

“The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right.

“We also have concerns that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act.”

But in an email to advisers last week, Legal & General said it will continue to use subject access requests following further discussions with the ICO.

The email said: “The ICO have confirmed that we’re acting within the law. They acknowledged that we’re not abusing the Data Protection Act.”

The ICO, however, says its position remains unchanged.

A spokesman says: “Legal & General did not clear this with us in advance. It seriously misrepresents our position and we have asked Legal & General to send out a notice correcting it.”

A Legal & General spokeswoman says the insurer is having “ongoing conversations” with the ICO.

She says: “In the meantime we continue to use subject access requests and have not had any adverse reaction.”

Aviva says it is no longer using subject access requests.



Ukip to launch own EU referendum campaign

Ukip will launch its own campaign against joining the EU rather than joining one of two existing No campaigns, the BBC reports. According to the BBC, party leader Nigel Farage believes the two existing campaigns – one led by politicians in Westminster and the other by businessmen – do not have Ukip’s “political nous” and […]

FCA interior 620x430

FCA eyes Aviva/Friends Life merger probe

The FCA is investigating abnormal share price movements around Aviva’s £5.6bn merger with Friends Life, according to reports. The Financial Times reports the FCA has asked investment bankers on the deal to disclose any contact to discuss the merger ahead of the announcement. The FCA and Aviva declined to comment, although a source close to […]


News and expert analysis straight to your inbox

Sign up


There are 3 comments at the moment, we would love to hear your opinion too.

  1. £104 fee agreed between ABI and BMA for a GP report
    £10 max fee (set in 1998) allowed for medical records SAR by the Data Protection Act if the data is all held electronically (otherwise £50). (That’s if the DPA really does allow this at all, which the ICO seems to agree with some GPs that only releasing patient records to insurers in accordance with the Access to Medical Records Act is legal. Which does avoid some really embarrassing stuff being seen by people who have no business seeing it.)

    So this medical records stuff does look like another commercial reason for L&G to have left the ABI. In 2014 they sold the most UK protection policies, nearly 500k, and a typical number of cases in the industry going for medical evidence is 1 in 10. So that would be a GPR bill of about £5m vs a SARs bill of £0.5m (plus staff time ploughing through the info.)

    But mostly it looks like an abuse of the legislation and patient privacy at the cost of GPs’ resources, unless they save £94 by provision of the whole record instead of the GP answering specific questions from the record.

    So once we’ve got adequate e-records that can be interrogated (with patient permission) by insurance underwriting engines, should be a win-win for all concerned.

    • Another uninformed comment by someone (Ruth) who hasn’t really bothered to understand the issue. L&G had a number of reasons for following the SAR route, only one of which was fees. The vast majority of their applications are accepted by their POS u/w system. Speed of response and completeness of information provided by GP practices were other reasons. A material number of reports were so poorly completed that information that would have affected the final decision to offer terms or the rating. Why pay £100+ for a poorly completed report when you could get the full information you need for half the price. A significant number of GP practices did and still do just press the print button on the screen so insurers get lots of information they shouldn’t receive via that route but that doesn’t get flagged by the BMA does it? And when was the last time an insurer released any sensitive information, unlike the NHS which has regularly dumped copy reports on rubbish tips and emailed publicly the identities of HIV positive patients…

      L&G (and other insurers) would have eventually moved to digitally summarised reports that only reported material information but that initiative may not now happen.

      As for insurers systems being able to interrogate e-records, what planet are you on? Getting approval for insurers systems to access NHS records wont happen in my lifetime again due to consents, data security issues etc etc, oh and, of course, the loss of professional fees.

      I know from my time on ABI Committees that the BMA speaks with forked tongue. They like to pontificate about consents , privacy, ethics etc but in reality all they are interested in is maintaining Dr’s fees at a high level…

  2. OK, Jeremy, at risk of irritating you further, a few further possibly ill-informed points to offer:
    In today’s news “Bank details of thousands of Lloyds Premier account customers have been taken from an insurer” (RSA) The point being the more data is shared around, the more vulnerable to loss, not matter who is responsible for it.
    Yes, I know POS u/w deals with the majority these days thankfully. But there’s still a significant number of cases still needing additional evidence. Maybe L&G have got it down to 1 in 20 for going for GP info then? Still c.£2.5m at stake then under the GPR route.
    Yes, many naughty (and time-pressed) GPs have been guilty of submitting the “toilet roll” of medical history instead of completing the report… in which case, an industry united stand at paying only the SARS rate until the ICO and BMA sorted that out might have seemed a fair tactic. Poorly completed reports, admittedly harder to tackle through that route, and especially with charge first, report issuing later. Plus it all takes ages.

    All of which means we can maybe agree on one thing, which is that the current situation works for nobody, including advisers who see cases dropping off in the pipe-line.

    The planet I’m on for what might be a better version of reality is one not far beyond the digitally summarised reports usage you describe, maybe 5 or even 10 years hence, once e-records have become ubiquitous and sufficiently reliable, along with mainstream usage of personal data stores (as envisaged as part of the government’s midata strategy). The latter put consent in the hands of the person the data is about, and mediate the secure visibility or, if needed, transfer, of selected data to chosen recipients. Patient access to their NHS data is already envisaged as an “it’s going to happen” (though by when…requires patience), so loss of professional fees doesn’t come into it. Given the distraction from core activity, insurance enquiry reporting comprises for GPs, I’d think they’ll not be sorry to see enquiries drying up. Nor anyone else.

Leave a comment