Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what estimate he has made of the costs incurred to the NHS from third-parties making subject access requests under General Data Protection Regulation instead of using the Access to Medical Reports Act 1988.

No such assessment has been made. The General Data Protection Regulation (GDPR) is not the correct route for such requests. The right of access under GDPR confers more personal information than is needed or is justified for insurance underwriting. Accordingly, insurance companies should instead use the established mechanism of the Access to Medical Reports Act 1988 (AMRA) to obtain summary medical reports from general practitioner (GPs). The AMRA allows the GP to charge a reasonable fee to cover the cost of copying the report.