BMA link shows that they believe they have consent to access medical records for the full length of holding a FAC.
But do they?
Here is a response from the Information Commissioner’s office regarding the limitations of consent:
Case Reference Number ENQ0571696
In your email you ask questions about third parties gaining consent to access your medical records from your GP.
Question: […] once consent is given, is that consent infinite until explicitly withdrawn? In other words once consent is so given is the passage of time, whether that be days, weeks, months or years irrelevant ?.
ICO answer: Consent would need to gained with each request.
Question: […] once that consent has been given in writing for a third party (as above) to access a patients medical records, at the point those records are provided (accessed), does that specific consent then expire?
ICO answer: The consent would last until the records were accessed by the third party.
Question: To clarify that, can that given consent be exercised more than once or continuously ?
ICO answer: Consent would need to be gained with every request.
Question: Would any request made now be considered a fresh request and any attempt to use a historical consent be denied ?.
ICO answer: If there is going to be a new request for your medical data, consent would need to be gained.
Question: Would any registered medical practitioner be acting unethically if they made such a request based on an historical consent ?.
ICO answer: A medical practitioner needs to comply with the Data Protection Act 1998(DPA) and could not use a historical consent.
Question: Would the ICO position be if such a historical consent was attempted to be used or presented as being valid (despite the passage of time and previous access) that any registered medical practitioner should reject such a request as invalid and require a ‘fresh and current consent’ from the patient ?.
ICO answer:The GP would be required to gain consent upon every request.
Question: Any consent should be subject to informed consent and valid, a gap of years surely must be contrary to the original informed consent ?.
ICO answer: The third party need to obtain consent from yourself, every time they wish to access your medical records. Requesting consent every time would mean the third party would be complying to the first principle of the DPA. The first principle is about processing fairly and lawfully and with respect to one of the conditions outlined in the act.
To clarify, this means that an organisation must:
have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how they intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;handle people’s personal data only in ways they would reasonably expect; and make sure they do not do anything unlawful with the data.
Information Commissioner’s Office
