L&G and ICO clash over use of medical data

Legal & General has clashed with the Information Commissioner’s Office over the use of medical data requests for protection customers.

The ICO has accused the insurer of “seriously misrepresenting” its position on the use of subject access requests.

Some insurers, including L&G and Aviva, have until now used subject access requests rather than GP reports to obtain medical information on protection applicants. They argue this gives them more comprehensive information, which aids the underwriting process.

But after the British Medical Association raised concerns about the practice in July, the ICO branded it “inappropriate” in a strongly worded statement.

The ICO said: “By making a subject access request on a patient’s behalf, an insurance company may be provided with a patient’s entire medical record, including information that is not relevant for the purpose of underwriting a policy.

“The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right.

“We also have concerns that the processing of medical records by insurers, once received from GPs, is likely to breach the Data Protection Act.”

But in an email to advisers last week, L&G said it would continue to use subject access requests following further discussions with the ICO. The email said: “The ICO has confirmed that we’re acting within the law. It acknowledged that we’re not abusing the Data Protection Act.”

The ICO, however, says its position remains unchanged.

A spokesman says: “Legal & General did not clear this with us in advance. It seriously misrepresents our position and we have asked Legal & General to send out a notice correcting it.”

An L&G spokeswoman says the insurer is having “ongoing conversations” with the ICO.

She says: “In the meantime, we continue to use subject access requests and have not had any adverse reaction.”

Aviva says it is no longer using subject access requests.