New data protection rules are coming into force on 25 May. Dr Rachel Birch, medicolegal adviser at Medical Protection, looks at two key areas that are changing.
Read this article to:
- Get the latest updates on data protection
- Ensure your own practice is ready before the new regulations
As we head towards the 25 May 2018 deadline, it is important for practices to prepare themselves for the implementation of the EU General Data Protection Regulation (GDPR)
1. Two areas in particular may be of interest and importance to patients: the patient’s right of access and confirming fair processing of their data.
Subject access requests
Picture the scene. It is 25 May 2018 and the practice receives a subject access request, in writing, from Mr S, a frequent attender who, in addition to extensive medical records on the practice computer system, also has two thick volumes of Lloyd George GP records. Mr S informs you he knows his rights and has waited until today to make his request, so that his request will be processed under the new rules.
Would you be ready for this scenario?
What information can the patient request?
The GDPR states that individuals will have a right to obtain:
- confirmation that their data is being processed
- access to their personal data
- other supplementary information, largely corresponding to information that should be provided in a privacy notice.
The GDPR clarifies that allowing individuals to access their data is so that they are aware of, and can verify, the lawfulness of the processing.
However, in terms of requests for copies of medical records, there may be varying reasons why patients may make requests, including keeping a record for personal reference, to jog their memory of distant events, or to investigate a potential complaint or claim. Irrespective of reasons, patients are entitled to make subject access requests and they do not need to provide a reason for doing so.
In this scenario, it transpires that the patient is asking for copies of all of his medical records. He has put his request to the practice in an email and has requested an electronic copy. You do not have a note of his email address on your computer system.
On looking at Mr S’s request further, it appears he made a subject access request three months ago and obtained a full copy set of his medical records.
How should you verify the patient’s identity?
Before proceeding, can you be sure that the person emailing you is the patient to whom the record relates? If you are in any doubt, it is reasonable to ask the patient to provide more information, such as a date of birth, a passport or a birth certificate.
Do you have to provide an electronic copy of the patient’s medical records?
The Information Commissioner’s Office (ICO) has published a helpful guide to the GDPR2, and there is specific reference to an individual’s right of access to information. The GDPR states that if a subject access request is made electronically, you should provide the information in a commonly used electronic format.
The GDPR also makes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system, which would provide the individual with direct access to his or her information. If this is not currently possible, you could consider whether it is feasible or desirable to develop such systems in the future.
How long do you have to comply with the subject access request?
Information should be provided without delay, but you will now have one month to comply, rather than the previous 40 days.
You may be able to extend this period by a further two months where requests are complex or numerous. However, if you need this further time, you must inform the patient within one month of the receipt of the request and explain why the extension is necessary.
It is important that you consider if your current system can meet this demand, if you have enough administrative staff, and whether they have received training on the new rules under the GDPR. Now is a good opportunity to update your practice protocols and procedures.
Can you charge a fee?
In most cases you will no longer be able to charge a fee. However, the ICO states that you can charge a “reasonable fee” when a request is “manifestly unfounded or excessive”, particularly if it is repetitive.
You may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that you can charge for all subsequent access requests.
Can you refuse to comply with his request?
The GDPR states that you can refuse requests that are “manifestly unfounded or excessive”. However, if you refuse a request, you must tell Mr S why, within one month, and inform him he has a right to make a complaint to the ICO.
It would be better to explore Mr S’s reasons for the repeat request – perhaps he has mislaid his previous copy or now wants it in an electronic format. In any case, three months has passed since his last request, so you may wish to clarify it is just his recent information within his medical record that he requires.
What about third party information?
You should remove third party information before disclosing the records to Mr S. Third party information is that which discloses information relating to or provided by a third party who has not consented to that disclosure; for example, information provided by relatives in confidence.
Usually the identity of treating clinicians is not considered third party information. However, personal details, such as the fact that Dr A saw the patient as Dr B was sick, should be redacted, as this is clearly confidential information relating to Dr B’s health.
You should also consider redacting any information that, if released, may cause serious harm to the physical or mental health or condition of the patient, or any other person. However, such circumstances are rare.
If you have any concerns regarding whether to redact specific information, contact Medical Protection for further advice.
Transparency and fair processing
As has always been the case under the existing Data Protection Act 1998, practices have an obligation to inform their patients what they are doing with their data. However, the GDPR will bring in more detailed and specific rules on providing privacy information to data subjects. The ICO has published specific guidance3,4 about such privacy notices.
When should information be provided?
Privacy notices should be used to inform patients at the time of collecting their data. Therefore, for example, information should be made available to patients when they register with your practice.
However, you should consider other situations when it would be appropriate to provide privacy information. This can be done by imagining yourself in the patient’s shoes – are there any ways you use information in a way that patients would not expect?
How should data be provided?
The GDPR places emphasis on the importance of privacy notices being easily accessible to patients. Information within such notices should be concise, truthful and written in clear straightforward language.
Consider the various groups of patients who are registered at the practice and their differing needs. It may be better to provide separate notices for each category of patient.
For example, if your clinicians consult with teenage children, with capacity to make their own health decisions, you must ensure that privacy notices are available appropriate to their level of understanding. The same principles would apply to vulnerable adults.
Privacy notices should also be translated into other languages, as necessary, for your non-English-speaking patients.
What data should be provided?
In order to decide what to include, you must first identify what personal information you hold and how it is used.
Once you have done so, you must provide the following notice within privacy notices:
- the data controller’s identity
- the data protection officer’s contact details
- the purpose of the processing
- the legal basis for processing
- the categories of personal data concerned
- the potential recipients of personal data
- how long the data will be retained
- a list of the data subject’s rights
- any safeguards that will be used if data is to be transferred to a country outside the EU.
In addition, patients must be informed that they can complain to the ICO if they believe there is a problem with how their data is being handled.
Where should you display the privacy notice?
You may choose to use various methods to display this information, including posters in the waiting room, leaflets at reception, information sheets attached to registration forms and letters to patients.
You could publicise the privacy notice on your practice website, with links to the relevant information.
It is important to keep notices under regular review and update them with any changes.
Further advice
The ICO has published the Data Protection Self Assessment tool,5 incorporating helpful checklists to assess your compliance with data protection law and identify what steps you need to take at this stage to be GDPR compliant on 25 May 2018.
References
- eugdpr.org
- Guide to the General Data Protection Regulation (GDPR)
-
- Privacy notices under the EU General Data Protection Regulation
- Privacy notices, transparency and control
- Data protection self assessment