Medical Records: Data Protection

(asked on 3rd September 2018)

Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, what steps he is taking to ensure that insurance companies request medical reports under the provisions of the Access to Medical Reports Act 1988 instead of Subject Access Requests under the General Data Protection Regulation.


Answered by
Margot James
This question was answered on 11th September 2018

If a solicitor is acting on behalf of an insurer and is seeking health information about a prospective customer, these are not subject access requests under the GDPR. Such requests should be made under the Access to Medical Records Act (AMRA) 1988 and standard charges apply.

The Information Commissioner's Office (ICO) is responsible for regulating compliance with data protection legislation and may consider taking action against insurance companies which fail to comply with the relevant legislation.

The ICO has updated its guidance on Subject Access Requests and this can be viewed on its website at www.ico.org.uk.
