L&G clashes with ICO over protection info rules

Legal & General has clashed with the Information Commissioner’s Office over the use of medical data requests for protection customers.

The ICO has accused the insurer of “seriously misrepresenting” its position on the use of subject access requests.

Some insurers, including Legal & General and Aviva, use subject access requests rather than GP reports to obtain medical information on protection applicants. They argue this gives them more comprehensive information which aids the underwriting process.

But after the British Medical Association raised concerns about the practice in July, the ICO branded it “inappropriate” in a strongly-worded statement.

The ICO said: “By making a subject access request on a patient’s behalf, an insurance company may be provided with a patient’s entire medical record, including information that is not relevant for the purpose of underwriting a policy.

“The ICO has recently written to the insurance industry to explain that we consider that the use of subject access rights in this way is inappropriate and an abuse of that right.

“We also have concerns that the processing of medical records by insurers once received from GPs is likely to breach the Data Protection Act.”

But in an email to advisers last week, Legal & General said it will continue to use subject access requests following further discussions with the ICO.

The email said: “The ICO have confirmed that we’re acting within the law. They acknowledged that we’re not abusing the Data Protection Act.”

The ICO, however, says its position remains unchanged.

A spokesman says: “Legal & General did not clear this with us in advance. It seriously misrepresents our position and we have asked Legal & General to send out a notice correcting it.”

A Legal & General spokeswoman says the insurer is having “ongoing conversations” with the ICO.

She says: “In the meantime we continue to use subject access requests and have not had any adverse reaction.”

Aviva says it is no longer using subject access requests.