Information Governance - Personal Data Rights (access, correction, objection & more)
Data Protection legislation (UK GDPR & other related items) gives individuals the following rights:
- A right of access to a copy of the data held about them by a data controller
- A right to have errors corrected
- A right to have data erased (in limited circumstances)
- A right to restrict processing of their data
- A right to portability of their data
- A right to object to how their data is used
- A right not to be subject to decisions made by solely automated processing of their data
Practices must ensure they have appropriate policy and processes to respond to requests from patients in a timely and complete manner. All requests must be fully responded to within one month of receipt. There is the possibility of extending this timescale if you define a request as complex. There is no absolute definition of a complex request, but if you receive a request where the individual is asking for several rights to be supported at one time (such as a request for access accompanied with a request to correct data and object to other data being shared), then it may present significant complexities that cannot be dealt with appropriately within one month. On that basis a further two months can be taken. The individual must be informed of this within the first month and the basis on which it is deemed complex.
Access to Records
Any individual can request access to their records. In addition, requests can come from:
- Solicitors acting on the individual’s instruction
- Individuals with lasting powers of attorney for health & welfare
- Parents on behalf of children (where the child is not of an age or capability to consent to parental access and where the parent has documented parental responsibility)
In processing a request you must:
- Verify the identity of the requestor
- Confirm the data subject is happy for information to be released to a party acting on their behalf
- Provide access to a copy of the record free of charge (if they require a second copy then an administration fee can be charged).
- Check the record for any information that could cause harm or distress to anyone (patient or third party)
- Check the record for any information about third parties (not the data subject or anyone acting in a professional capacity) that is confidential. Any such data should either be removed or only released with the consent of the third party.
The ICO have provided guidance and frequently asked questions here:
Note – there is some confusion over manifestly unfounded or excessive requests. A data subject does not have to give a reason to request access to their data, so their request cannot be unfounded. A request from an individual with a large record cannot be deemed excessive. However, an individual making many repeated requests, or requests every week, could be deemed unfounded or excessive. The option to refuse or charge where a request is manifestly unfounded or excessive should be used with caution and only where the request(s) are causing significant unnecessary work for the organisation.
When should information not be disclosed
Information should not be disclosed if:
- it is likely to cause serious physical or mental harm to the patient or another person;
- it relates to a third party who has not given consent for disclosure (where that third party is not a health professional who has cared for the patient);
- it is requested by a third party and the patient had asked that the information be kept confidential;
- the records are subject to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation;
- it is restricted by order of the courts;
- it relates to the keeping or using of gametes or embryos or pertains to an individual being born as a result of in vitro fertilisation;
- in the case of children’s records, disclosure is prohibited by law, e.g. adoption records.
The data controller should redact, or block out, any information that they consider could be harmful and should be prepared to justify the decision to do so. The data controller may advise patients of the grounds on which information has been withheld, but is not obliged to do so. There is still an obligation to disclose the remainder of the records.
While the responsibility for the decision, as to whether or not to disclose information, rests with the data controller, advice about serious harm must be taken by the data controller from the appropriate health professional. If the data controller is not the appropriate health professional, then the appropriate health professional needs to be consulted before the records are disclosed. This is usually the health professional currently or most recently responsible for the clinical care of the patient in respect of the matters which are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another health professional who has suitable qualifications and experience. Circumstances in which information may be withheld on the grounds of serious harm are extremely rare, and this exemption does not justify withholding comments in the records because patients may find them upsetting. Where there is any doubt as to whether disclosure would cause serious harm, the BMA recommends that the appropriate health professional discusses the matter anonymously with an experienced colleague, the Caldicott guardian, or defence body.
A solicitor is engaged by a patient and so is deemed to be acting on their behalf, and so can, with the authority of the patient, make a subject access request. This authority should be evidenced to you to confirm that it is appropriate to release the record to the solicitor. As with a normal subject access request, this cannot be charged for.
Insurance companies must request information via the correct route by requesting a medical report under the Access to Medical Reports Act (1988). They must not require the patient to make a subject access request. Any term or condition of an insurance contract with the patient that requires the patient to provide a copy of their health record is deemed null and void under data protection law.
The BMA has stated that, where practices agree with the insurance company to provide a GP report, the legal position is that electronic consent is acceptable.
Patients wishing to view their notes
If a patient wishes to see part of their own record and is content not to receive a copy, then this can be allowed. A patient is not exercising their subject access rights in this situation. However, you must ensure that any information that would be exempted if they asked for a copy is not available to them to view. If, upon seeing their record, they require a print out, then this becomes a subject access request. However, if they only want a few pages, then it should be simpler and less time consuming to provide.
Providing Online Access
The GDPR supports and drives organisations towards providing online access to records by data subjects; however, you cannot insist that a patient’s request is responded to by enabling online access. In many cases online access is not the full record held by the practice.
Requests for Access to Records on Deceased Patients
Right to Correction
Individuals have a right to correction of information without undue delay (and within one month unless deemed complex) where data is found to be inaccurate or incomplete.
Where an error is purely factual and the patient’s view of the facts is deemed to be correct, then it should be amended. Electronic systems generally allow for this and keep a record of the previous inaccuracy. Paper records should be corrected so that the erroneous information is marked as clearly erroneous but the history of the error is retained. The correct information must be added.
If there is debate between the patient and the practice about the facts, or a difference of opinion, then the record must be annotated to indicate this and the conflicting viewpoints. The test is that the record should be marked in such a way that a clinician who does not know the patient can see the conflict both from the patient and practice perspective and make appropriate decisions based on the full debated picture.
Right to Erasure (aka – right to be forgotten)
If a patient wants data to be removed from their record, then they must request this and the practice must respond within one month (unless the circumstances are deemed complex). A request for erasure must be complied with if (NB this list is not exhaustive, but does not contain bases that are not applicable in a health and care setting):
- The personal data in question are no longer necessary for the purposes for which they were collected.
- The processing of the data was based on consent and that consent is withdrawn and the individual wishes the data to be erased.
- The data subject objects to the processing, requests erasure and there are no overriding grounds to continue processing.
- The personal data has been unlawfully processed.
A request for erasure can be refused if:
- The practice is legally obliged to process the data or is carrying out a task in the public interest, or the exercise of their official authority.
- The practice is establishing, exercising or defending a legal claim.
The general interpretation is that data will not be erased from a health record used for the provision of care, unless the data is no longer necessary to keep. The patient’s view should be added to the record, so that this can be considered in future uses of the data.
Restricting the use of Data
A patient can request that the uses of their data are restricted. This can be whilst accuracy or lawfulness of use is being confirmed or where the patient has objected and the legitimate grounds to use the data are being established or contested.
If use of data is to be restricted, then it shall not be processed any further without consent or for the establishment, exercise or defence of a legal claim.
When accuracy, lawfulness or objections have been determined, then, where relevant, the restriction can be lifted.
Portability of Data
This is unlikely to apply in a general practice setting, as the basis for application is where the data is processed electronically and with either consent or contract with the data subject. Whilst practices can transfer data via GP2GP system transfers, this is not on the basis of the right of portability.
Right to Object
Where a patient objects to the use of their data then the practice shall no longer process the data, unless it can show compelling legitimate grounds to continue, which override the interests, rights and freedoms of the patient, or is for the establishment, exercise or defence of legal claims.
In reality this is likely to be where a patient objects to the collection or sharing of data. If data needs to be collected to provide effective care, then there is likely to be a legitimate override. If an individual doesn’t want data shared for providing care with a partner agency, this is also likely to be a legitimate override. The individual has the option to refuse care and, if that is the case, data does not need to be shared.
Where use of data is less direct care related, then objections are more likely to be sustained and this is the basis for items such as the opt out of shared record systems or secondary uses of data (insert link to National Data Guardian opt out).
Right not to be subject to decisions made by solely automated means
This right applies where data is processed solely by computers to make a decision that has either a legal or significant impact on the individual. If that is the case, the patient should be informed about the decision making and be able to request the decision is made by a different route. This is likely to be more prevalent in health and care services in the near future. Key questions to ask about any decision making process are:
- Is the processing solely automated, or are there interventions/checks by a person?
- Does the processing result in a decision that has a legal or significant impact on the individual?
If the answers to both are yes, then the processing is likely to be an automated decision. The individual should be made aware of this prior to the decision being made and be able to challenge the decision made.