Comment

06.06.18

GDPR: Record rights and wrongs

Source: NHE May/June 18

As patients get stronger legal rights to access and challenge the contents of their medical records, Dr Carol Chu, Medical Defence Union (MDU) medico-legal adviser, looks at the implications for clinicians and healthcare managers.

Requests from patients to see their records are likely to become more frequent amid growing public interest in the way organisations use personal information and the publicity surrounding the General Data Protection Regulation (GDPR), which came into force on 25 May. 

If you work in the NHS, you need to understand how to respond appropriately to access requests or your organisation could be reported to the Information Commissioner’s Office (ICO).

Transparency

The GDPR requires data controllers to inform patients about how their personal data will be used and their rights as a data subject. It’s likely that your organisation will have updated its privacy policies which set out these details. For example, the MDU’s privacy policy states that members can review and update the information we hold about them.

Privacy policies are expected to be written in clear and plain language and be easily accessible. You should be familiar with its content in case a patient needs clarification on any point. It’s also a good idea to find out the name of your organisation’s data controller and of your local data protection officer (DPO).

Access requests

Under the GDPR there are time limits to respond to Subject Access Requests, so it is important to understand how the process works so as not to cause unnecessary delays or mislead anyone who approaches you and asks to see their records. Here are some key points to know:

  • A Subject Access Request does not have to be in writing. A verbal request is also valid;
  • The identity of the person making the request should be verified;
  • The subject cannot be charged for copies of records unless the request is “manifestly unfounded, excessive or repetitive.” There is no definition of what constitutes this, however. Such cases should be discussed with your DPO;
  • The information should be provided within one month. This can be extended by a further two months if requests are complex or numerous. If you need an extension, the patient should be informed within one month;
  • Requests that are unfounded or excessive can be refused, but in such cases this should be explained and the subject told of their right to complain to the ICO and to seek judicial remedy;
  • Access requests must be documented, including details of any delay in providing the information and when requests have been refused.

Rights of rectification

Occasionally, patients may raise concerns about the information held in their records or ask for corrections. It is important to know how to respond appropriately to a request for rectification as these do not have to be made in writing to a specific person, even if they are ultimately managed by your organisation’s data controller. The time limits for responding to rectification requests echo those for Subject Access Requests and in most circumstances there should be no charge.

Requests for rectification of healthcare records can be problematic, as there is a risk that patients may object to the content because it is upsetting or they disagree with doctors’ clinical opinions. Although the GDPR gives data subjects the right to correct data if it is factually inaccurate or incomplete, the ICO has clarified that this does not extend to clinical opinions. However, it may be possible to make an additional note recording that the patient disagrees with the opinion. In the event that a factual correction is necessary, such as a misspelt name or incorrect date of birth, it must be obvious who made the amendment and when.

Four questions to ask

Here are four questions to consider now about the new data protection regulations:

  1. Does my organisation need a DPO?

The GDPR obliges data controllers to appoint a DPO if they are a public authority or a ‘large-scale’ processor of special category personal data. A public authority is defined by the Freedom of Information Act 2000 in England, Wales and Northern Ireland and the Freedom of Information (Scotland) Act 2002. Public authorities were required to appoint or make arrangements to share a DPO by 25 May.

Although it is not clear what large-scale processing entails, the need to appoint a DPO may not apply to an individual independent practitioner, for example.

DPOs must have proven expert knowledge of data protection law and practice. It is recognised they will not fully understand all the ramifications of the new legal requirements from 25 May, and they will need to keep up-to-date with any changes and clarifications (for example from the ICO) and understand the impact of these changes as the law becomes embedded. Further information about DPOs can be found on the ICO website and the Information Governance Alliance website.

  1. On what basis are we processing personal data?

The GDPR applies to ‘personal data,’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. You must have a valid lawful basis for processing (Article 6) and inform the subject of the basis or bases you are relying on.

Health data is considered to be special category data and therefore you will also need an additional condition for processing (Article 9).

Consent is one lawful basis for processing, but it may not be the best category for healthcare records and it may be better to choose a different basis.

  1. Have we updated our privacy notice?

Your organisation must provide individuals with information including the purposes for processing their personal data, retention periods for that personal data and who it will be shared with, as well as contact details for your DPO. This privacy information must be provided to individuals at the time you collect their data.

The ICO has a useful checklist explaining the information that privacy notices need to contain.

  1. Have we updated our subject access request procedure?

As outlined above, there are some changes to the procedure for individuals to request access to their records. These include that requests no longer have to be in writing, that a charge cannot usually be made, and there are reduced time limits.

Your organisation will need to ensure these changes are reflected in your procedure and that these are communicated to the team.

 

FOR MORE INFORMATION
The MDU’s GDPR guidance is available on
W: www.themdu.com

 

Other useful checklists and resources can be found on:
W: ico.org.uk
W: digital.nhs.uk

Comments

There are no comments. Why not be the first?

Add your comment

 

national health executive tv

more videos >

latest healthcare news

NHS at 72: Managing mental health services going forward

03/07/2020NHS at 72: Managing mental health services going forward

Sean Duggan, Chief Executive of the Mental Health Network Let’s take this opportunity to reflect on the amazing achievements of our he... more >
Government issues £16m funding to speed up life-saving diagnoses

03/07/2020Government issues £16m funding to speed up life-saving diagnoses

Patients may be set to receive earlier and more accurate diagnoses for potentially life-threatening diseases such as cancer and Crohn’s dis... more >
Telecoms deal benefits half a million NHS frontline workers

03/07/2020Telecoms deal benefits half a million NHS frontline workers

Almost 500,000 NHS frontline staff in England have benefited from mobile and fixed broadband offers to stay connected at work during the cor... more >

the scalpel's daily blog

NHS at 72: Managing mental health services going forward

03/07/2020NHS at 72: Managing mental health services going forward

Sean Duggan, Chief Executive of the Mental Health Network Let’s take this opportunity to reflect on the amazing achievements of our health system over the past few months. But as we recognise the best of the NHS and its response to the Covid-19 crisis we must not forget that for mental health the peak has yet to come. Covid-19 has placed enormous pressure on the entire health and care system. Despite the very real hardships f... more >
read more blog posts from 'the scalpel' >

interviews

Matt Hancock says GP recruitment is on the rise to support ‘bedrock of the NHS’

24/10/2019Matt Hancock says GP recruitment is on the rise to support ‘bedrock of the NHS’

Today, speaking at the Royal College of General Practitioners (RCGP) annual conference, Matt Hancock highlighted what he believes to be the three... more >
NHS dreams come true for Teesside domestic

17/09/2019NHS dreams come true for Teesside domestic

Over 20 years ago, a Teesside hospital cleaner put down her mop and took steps towards her midwifery dreams. Lisa Payne has been delivering ... more >
How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

24/10/2018How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

A dedicated national social care service could be a potential solution to surging demand burdening acute health providers over the winter months,... more >
RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

24/10/2018RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

The president of the Royal College of Physicians (RCP) has told NHE that the college’s new headquarters based in Liverpool will become a hu... more >

last word

Haseeb Ahmad: ‘We all have a role to play in getting innovations quicker’

Haseeb Ahmad: ‘We all have a role to play in getting innovations quicker’

Haseeb Ahmad, president of the Association of the British Pharmaceutical Industry (ABPI), sits down with National Health Executive as part of our Last Word Q&A series. Would you talk us th... more > more last word articles >

editor's comment

26/06/2020Adapting and Innovating

Matt Roberts, National Health Executive Editorial Lead. NHE May/June 2020 Edition We’ve been through so much as a health sector and a society in recent months with coronavirus and nothing can take away from the loss and difficulties that we’ve faced but it vital we also don’t disregard the amazing efforts we’v... read more >

health service focus

How NHS Property Services adapted to a new way of working

01/07/2020How NHS Property Services adapted to a new way of working

From May/June 2020 edition Trish Stephen... more >
Cleaner, greener, safer media: Increased ROI, decreased carbon

12/06/2020Cleaner, greener, safer media: Increased ROI, decreased carbon

Evolution is crucial in any business and Nati... more >