Individual Rights & SARs – No. 4

Intro and comments

This week we looked at the individual rights of data subjects, which GPs as data controllers must now be able to provide under GDPR. They are detailed below. Discussing these new rights in practice meetings can be a good way of helping your team to understand and meet them. We have now reviewed our practices’ current policies and procedures to bring them up-to-date.

We also covered the topic of Subject Access Requests (SARs), again to ensure that we meet the latest requirements.

SARs have been the source of much discussion. There is some anxiety that if we are expected to respond to them in volume, without being able to charge, the time and effort they require might overload our practices. It is possible to negotiate the scope of a SAR, and in certain circumstances a fee can still be charged (e.g. where the purpose is the production of a medical report; see Section B). But the concern is understandable, because it does seem likely that a significant number of SARs will need to be provided without charge, and the effort needed, other than in the tiny minority of cases that are “manifestly unfounded or excessive”, is not a consideration of the law.

Fear of the unknown plays a part here, and as yet there has been no sign of the floodgates opening, although we are still in the early stages post-GDPR. However, if there is any potential for a torrent of SARs, we should be considering every possible mitigation. Perhaps the most promising option is to respond to a SAR by making the patient’s records available to them electronically. We already have the means to do this through our clinical systems, but the work required to make patient records fit for purpose (excluding 3rd-party and potentially harmful data) is potentially daunting. However, the SAR scenario now adds to the imperative of a task which has been our mark on the horizon for some time. The bonus of this approach is that there will be clear benefits both to patients and to practices. Consider the advantage to your patients, and the saving in reception and GP time, if they were able to obtain their pathology results online and could be pointed to an NWL resource explaining the finer details of blood tests in plain English.

Historically the job of excluding 3rd-party and harmful data has been the remit of GPs, and it is now law that a health professional must review the response prior to disclosure, but does this need to be the GP? The inclusion of third-party data in records is not that common, and the presence of harmful data is exceptionally rare. It would not be difficult to train non-clinical staff to identify this information and to defer to a clinician where it is found; doing so would significantly reduce the clinical workload in this process. If we wish to share patient data widely with our patients (and there are many other reasons, beyond the scope of this blog, why we should), this work may become one of our high priorities following on from GDPR.

Review of action points from the prior session:

Below are last week’s action points, but please don’t forget to work through the blogs and action points in order. For instance, our first action point is to appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to nwl.infogovernance@nhs.net.

  • To do 08  Assess whether you need to complete a DPIA using the DPIA Process Flow Map
  • To do 09  Complete the DPIA (only if necessary)
  • To do 10  Practice Data Protection Officer to review and approve the DPIA (if Action 09 was completed)
  • To do 11  Action and document mitigation actions from the DPIA (if Action 09 was completed)

Work covered this week:

Below are details of the new rights which patients can expect you to deliver post-GDPR. After reviewing these we have updated our Individual Rights Policy and procedures and have published an Individual Rights Policy Document. Guided by the information below on the requirements for SARs, and using a Managing SARs Flowsheet, we have updated our SAR process and also produced a SAR template response to patients. You may wish to use these as templates for your own practice.

A) Individual Rights

  1. The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. Privacy notices must tell individuals the organisation’s purposes for processing their personal data, the retention periods for that data, and who it will be shared with. The organisation is required by law to provide its privacy notice to individuals at the time it collects their personal data from them. Where the organisation obtains personal data from another source, it must provide the individual with privacy information within a reasonable period of obtaining the data and no later than one month. The information provided to individuals must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.

  2. The right of access – Subject Access Requests (SARs)

EU GDPR provides individuals with the right to access their information. Subject access requests can be made verbally or in writing, and the organisation has one month to respond to the request. It is important to note that under GDPR organisations are not permitted to charge the data subject in most circumstances. We cover SARs in more detail in Section B below.

  3. The right to rectification

EU GDPR and the Data Protection Act 2018 provide a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing, and the organisation is required to respond within one month. Some rights are not absolute and there are circumstances where a request can be refused. This will need to be reviewed on a case-by-case basis, or advice sought from the legal team (your medical defence organisation).

  4. The right to erasure – doesn’t apply to health records

The EU GDPR and the Data Protection Act 2018 introduce a right for individuals to have personal data erased. A request for erasure can be made verbally or in writing, and the organisation is required to respond within one month. As noted, some rights are not absolute and there are circumstances where a request can be refused. This will need to be reviewed on a case-by-case basis, or advice sought from the legal team (your medical defence organisation).

  5. The right to restrict processing

The EU GDPR and the Data Protection Act 2018 give individuals the right to request the restriction or suppression of their personal data. For example, if the data controller is holding incorrect information on an individual, the individual can ask for processing of their data to be restricted until the data is accurate or complete (the organisation may store the information but not use it). A request to restrict processing can be made verbally or in writing, and the organisation is required to respond within one month. The right to restrict processing is not an absolute right and there are circumstances where a request can be refused. This will need to be reviewed on a case-by-case basis, or advice sought from the legal team (your medical defence organisation).

  6. The right to data portability – doesn’t apply to health records

… unless the processing is based on the patient’s explicit consent (or a contract with them) and is carried out by automated means.

EU GDPR and the Data Protection Act 2018 allow individuals to obtain and reuse their personal data for their own purposes across different services. This lets them move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The organisation must respond without undue delay, and within one month. This can be extended by a further two months where the request is complex or a number of requests are received. In that case the organisation must inform the individual within one month of receipt of the request and explain why the extension is necessary.

Where the organisation is not taking action in response to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within one month.

  7. The right to object

Under the EU GDPR and the Data Protection Act 2018, individuals have the right to object to the processing of their personal data. Except for direct marketing (where the right is absolute, see below), the organisation may only continue processing where it can show a compelling reason to do so.

Individuals must have an objection on “grounds relating to his or her particular situation” and if they do, the organisation must stop processing the personal data unless:

  • the organisation can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

The organisation is required to inform individuals of their right to object “at the point of first communication” and in its privacy notice, and this must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

The organisation must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse. An objection to processing for direct marketing must be dealt with at any time and free of charge, and the right to object to it must likewise be brought to the individual’s attention at the point of first communication and in the privacy notice.

  8. Rights in relation to automated decision making and profiling

Individuals have rights in relation to automated decision making and profiling. Automated decision making means a process or pathway in which the decision is made by automated means (e.g. by software) rather than by a person. Profiling means using personal data to evaluate certain aspects of an individual, and includes doing so by automated means. In both scenarios the human component of the decision is absent or only partial. Additional requirements apply if you rely solely on automated means with no human intervention: GDPR restricts such processing where the decision has a legal or similarly significant effect on the individual, i.e. where it affects their legal rights or has a comparably serious impact (for example, refusal of an online loan application, or algorithm-based screening of job applicants). In a health context, if you profile a group of patients on the basis of their sensitive health data and automatically provide a service to them on that basis, a patient may be able to object if there has been no human input into the decision-making process.

GDPR considers this type of processing high risk, so a Data Protection Impact Assessment (DPIA) must be completed in order to identify the risks and document the mitigating actions to be implemented.

If there is a human component to the decision making, you will still need a lawful basis for the processing, and a process in place for handling requests to object to it. GDPR requires you to bring this type of processing to the data subject’s attention and to explain how they can object. To honour the data subject’s right to object to automated decision making, put in place an independent human review process.

Although this external resource is not specifically related to health services, it explains the underlying principles of rights in relation to automated decision making in more detail.

Action Point: Through our review, we have developed an Individual Rights Policy which covers all of these rights and the associated processes, and which you can adapt to your practice. Please ensure that you have appropriate mechanisms in place to honour individual rights.

B) Subject Access Requests (SARs)

EU GDPR provides individuals with the right to access the information an organisation holds on them. Subject access requests can be made verbally or in writing, and the organisation has one month to respond to the request. The data subject is entitled to the following:

  • Confirmation that you are processing their data
  • A copy of their personal data
  • Other supplementary documentation e.g. correspondence

There hasn’t been much change in how you process the request itself; the following points still apply:

  • You can ‘stop the clock’ on the one-month time frame when you a) ask for proof of identity or b) ask for further information needed to support the request, e.g. the specific dates or types of information the requester is asking for.
  • You still need to verify the identity of the data subject.
  • You still need to redact third-party information where disclosure would reveal the identity of the third party, unless you have received their consent or it is reasonable to comply with the request without it.
  • It was already good practice for a clinician to review the information prior to disclosure to the data subject. This is now a requirement in law under the provisions of the Data Protection Act 2018 (Schedule 3, Part 2(6) Data Protection Act 2018).

Changes to the SAR process:

The previous timeframe for responses was 40 days, which has now been reduced to one month. One month means:

  • An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.
  • An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
  • If 30 April falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.
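As an added example, not part of the original blog, the three rules above can be turned into a small deadline calculator so that a practice can check the response date for any SAR rather than counting on a calendar. The public holiday list below is constructed for the worked dates only; a practice would substitute the real England and Wales bank holidays for the year in question. Pausing the clock while identification is awaited is not modelled.

```python
# Added example (not the blog's own material): SAR response deadline calculator
# implementing the one-month rule as described in the post:
#   1. the clock starts the day after the request is received;
#   2. the deadline is the corresponding day one month later, or the last day
#      of that month if there is no corresponding day (31 March -> 30 April);
#   3. if that day is a weekend or public holiday, the deadline moves to the
#      end of the next working day.
import calendar
from datetime import date, timedelta

# Constructed holiday set for the worked examples (assumption, not a real list):
PUBLIC_HOLIDAYS = {
    date(2018, 5, 7), date(2018, 5, 28), date(2018, 8, 27),
    date(2018, 12, 25), date(2018, 12, 26), date(2019, 1, 1),
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def one_month_after(start):
    """Same day of the following month, clamped to that month's last day."""
    start = _as_date(start)
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def is_working_day(day, holidays=PUBLIC_HOLIDAYS):
    """Monday to Friday and not a public holiday."""
    day = _as_date(day)
    return day.weekday() < 5 and day not in holidays


def sar_deadline(received, holidays=PUBLIC_HOLIDAYS):
    """Date by which the practice must respond to a SAR received on `received`."""
    start = _as_date(received) + timedelta(days=1)        # rule 1
    deadline = one_month_after(start)                      # rule 2
    while not is_working_day(deadline, holidays):          # rule 3
        deadline += timedelta(days=1)
    return deadline


def days_remaining(received, today, holidays=PUBLIC_HOLIDAYS):
    """Calendar days left until the deadline; negative once it has passed."""
    return (sar_deadline(received, holidays) - _as_date(today)).days


if __name__ == "__main__":
    # The two examples from the post, plus a weekend and a holiday roll-over.
    for received in ("2018-09-03", "2018-03-30", "2018-09-05", "2018-11-24"):
        print(f"received {received} -> respond by {sar_deadline(received)}")
```

The first two inputs reproduce the post’s examples (4 October and 30 April); the third lands on a Saturday and rolls to the Monday, and the fourth lands on Christmas Day and rolls past Boxing Day to 27 December.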

It is important to note that under GDPR, in most cases, organisations are no longer permitted to charge a fee for subject access requests. However, where a request is ‘manifestly unfounded or excessive’ you may charge a fee based on the administrative cost of complying with it. You may also charge, again based on administrative costs, if the data subject asks for further copies of their data after the initial response. Whether a request is manifestly unfounded or excessive is the practice’s decision, and the reasoning must be documented. Should the practice decide not to comply with a request, it is required to explain its rationale to the data subject and to tell them how to complain to the Information Commissioner if they wish to do so.

We have received some questions from practices regarding when they can and can’t charge, and about the Access to Medical Reports Act 1988 (AMRA), under which you are permitted to charge. AMRA covers medical reports produced for insurance or employment purposes, and the practice may charge for producing such a report. It is the purpose of the request which is pivotal here. Subject access requests may come from a third party acting on behalf of the data subject with their consent; any request for existing information that is unrelated to a medical report and does not require new information to be created should be processed under the subject access request process, which is not chargeable.

You are now also required to provide certain information to the data subject regarding the information you hold on them. This includes:

  • The purpose(s) of the processing (this could be treatment and care, or the performance of a contract, e.g. employment)
  • The categories of personal data being processed (special category data, e.g. physical and mental health, ethnicity, sexual life, trade union membership)
  • The recipients or categories of recipients (who receives the data, e.g. clinicians from the acute trust, the data subject)
  • The envisaged retention period or the criteria that determine it (as per your practice retention schedules, which should reflect the Information Governance Alliance: Records Management Code of Practice)
  • The rights of rectification, restriction, objection and, where applicable, erasure
  • The right to complain to the ICO (contact details can be found on the Information Commissioner’s website)
  • The right to know the source of the data where it did not come from the data subject (i.e. where the information has come from a third party rather than from the data subject)
  • The existence of, the logic behind, and the consequences of any automated processing (why you are using automated decision making, what its benefits are, and what its consequences are for the individual)

Use the templates provided and the bullet list above to make sure your response meets the requirements specified in GDPR.

There is further detail in the two blogs (below under resources used) by Dr Paul Cundy in relation to SARs which make essential reading.

Action point: Update your Subject Access Request Process and the other Individual Rights processes.

Resources used

Output documentation:

Learning points:

  • Patients have a series of new rights related to how data controllers manage their data
  • Discussing these new rights at practice meetings can be a good way of helping your staff to understand and meet them
  • GDPR has made significant changes to the timescales, fees and content of Subject Access Requests
  • Many SARs will no longer be chargeable. However, when a third party (e.g. an insurance company or lawyer) requests a SAR, you should be told the purpose. If that purpose is the provision of a medical report, you are entitled to charge for the service under the Access to Medical Reports Act (AMRA)
  • To date, there has not been a massive increase in the number of requests for SARs. However, you may wish to consider making your patients’ data available to them online (after excluding 3rd party and harmful data) as one way of meeting the potential demand.

Practice checklist:

  • To do 12  Review your Individual Rights Policy and procedures and update using advice and examples provided
  • To do 13  Review and update your SAR policies and procedures

Work planned for next session on 12.07.18

  • Next week will be focused on contract reviews. We will be looking at the requirements for processing contracts and what to look out for.
