"The issue of police requests for GP reports for firearms applications continues to cause problems for practices across the country. The BMA/GPC is in discussion with the home office to ensure that a fit for purpose national solution is put in place as soon as possible in order to resolve these problems. In the meantime BMA’s guidance remains extant:
Some parts of the country are now reporting that local police forces are inappropriately using GDPR subject access requests (SARs) in order to obtain copies of full medical records free of charge for the purpose of firearms licence applications. GPC has taken advice from the ICO on this matter, which has confirmed GPC’s opinion that these police forces are using ‘enforced subject access’ which is prohibited and will likely contravene the provisions of section 184 of the Data Protection Act 2018 (the DPA).
The ICO has stated: The ICO is aware that the access to medical records for the purposes of firearms licensing has raised concerns, given the more stringent provisions of the new data protection regime, but it is our view that the police have adequate powers and authority to deal with this as they have done hitherto, namely by approaching the GP direct for information they require. This would permit the GP to provide only information which, in their professional judgement, was pertinent to the application. Applicants would be asked to consent to the approach by the police to the GP. This would not constitute consent in data protection terms – we are satisfied that the police would not be obtaining and processing the data on the basis of consent - but would be closer perhaps to the sort of consent which the medical profession uses when treating a patient. It would represent a means of ensuring that the applicant was aware of, understood and accepted the need for obtaining medical data to support the decision whether or not to award a licence.
To summarise, therefore, it is the ICO’s view that the previous means of obtaining medical information, which you have mentioned, is still permissible under the DPA and that therefore the ‘enforced subject access’ approach you describe is not only unnecessary, but could potentially constitute a breach of the DPA.
Should any practice encounter a situation where a police force is attempting to use a GDPR SAR in order to obtain free access to medical records for a firearms licence application practices should refuse to provide this citing the ICO advice above; please also copy the LMC in to your correspondence. "
Select from the drop-down list below to view an item from our news archives.