GDPR - GPC - Blog 10

10 Blog Ten, Erasure and Portability – NOT!

Article 17, the right to be forgotten

Most of you will have heard of the right “to be forgotten”; it was splashed across the news a couple of years ago. It’s enshrined in Article 17 of GDPR. Now you’re probably beginning to think “he can’t be serious, I know I voted out because the EU is bonkers but they can’t be so bonkers as to allow patients to erase their own health records, that’s as bonkers as even the most bonkers bonkers?!”

“You cannot be serious?”

Correct. No one’s that bonkers (yet). Yes, in certain circumstances, data subjects (DSs) have the right to have their data erased, but it’s not an absolute and there are exceptions. Thank heavens. GPs of the UK breathe a sigh of relief.


Cut to the chase, and the exceptions (relevant to GPs) are?

Article 17(2)(b) says that if processing is necessary for (amongst others):

  1. complying with a legal obligation (i.e. your NHS contract)

and/or

  2. the exercise of official authority (i.e. what GPs are expected to do as GPs in the NHS)

then there is no right to erasure. Erasure gets double whammied.

However, these are the exemptions to Article 6 processing of “personal data” only. GPs also by default process “special category” data under Article 9 justifications, so we also need an exemption to Article 9 processing. Step up Article 17(3)(c), which establishes that the right to erasure will not apply if processing is additionally being undertaken under Article 9(2)(h), which is precisely the one that GPs rely on to process their special category data. So, if data has been processed for any of “preventive or occupational medicine”, “medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and/or under “Member State law or pursuant to contract with a health professional”, there is no right to erasure. Just for the record, GPs satisfy all those conditions.

So, your patients do not have the right to have their health records erased. Indeed, there are masses of reasons why GPs should never delete any patient records but that’s another story.

What about the charging for erasure requests I’ve read about?

There are other aspects to the right to erasure under Article 17 such as refusal of requests and charging for requests, but these only apply when there is a right to erasure in the first place. You can’t have a chargeable response to a request in relation to a right you don’t have. None of these apply to a GP because our patient DSs have no intrinsic right to erasure, ever, at all, full stop, period.


So what do we say to patients who want data deleted?

Well, the short Friday 7:48 pm been working since 6:30 am doing extended stupidity access to 70 so called “urgent” contacts all day done 5 visits on patients who were champing at the bit because they had appointments elsewhere signed 105 prescriptions, answer is “go fly a kite”. An alternative response might be to ask what it is they want deleted and why. Such requests are usually a result of a misunderstanding, “yes it really was your right leg that was amputated, not the left” and thus amenable to clarification. If you can agree all well and good but the bottom line is to point them to Article 17.

OK, so if it’s not deletion, what about other changes?

Well, patients expect their records to be accurate, correct and up to date. Incidentally, so do a whole bunch of other people: the GMC, CQC, NHSE, your CCG, your indemnity organisation and your partners or employers. So there should be no argument: listen to the concern; if there are errors, correct them; if there are none, explain why. If they are still unhappy, offer to place a comment attributed to the patient linked to the disputed record.

GDPR deals with the same issue but back to front, in Article 16: “Right to rectification. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.” So it’s saying records must only ever be accurate by default and, if they aren’t, they are to be corrected. Note it also deals with completeness: “Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”

Deleting electronic records

Finally, remember that with electronic patient records, deletion and/or correction does not mean what it says on the tin. Deletion means the errant record will be removed from your screens and maybe replaced by a more accurate record displayed in its place, but the original record remains, now demoted and hidden, never to be seen on your screen again. If it ever needs to be found it can be, as can its own personal lifelong history in the form of the audit trail. It was this misconception that caught out Shipman. Read the Good Practice Guidelines for GPs V4 to remind yourself.

The Good Practice Guidelines for GP electronic patient records - version 4 (2011)

Did you know that as part of your practice’s NHS contract you must have read and adhere to these? They are due a refresh but there’s still a heap of stuff in there that’s relevant and informative. The point about mentioning them here is that they help with GDPR. There are various parts of GDPR that allow for the development or adoption of “Codes of Conduct” and the like. Well here’s ours. I suggest the GPGs V4 2011 be adopted as the Code of Conduct for GP records under GDPR. They are already in your contract so it’s a bit of a no-brainer.

The right to Portability - another NOT!

Article 20

This is another short one. GDPR creates under Article 20 the right to data portability. You will hear this talked about. This is a right to have personal data transferred electronically from an existing data controller (DC) to the DS or another DC. It’s all about transferring music lists, contact and account details, streaming details, social media type data etc. Think transferring your mobile number to a different provider. The Article is intended to free up the passage of personal data between the service industries in the EU; it was never intended to apply to medical records, and thankfully it doesn’t.

There are many reasons why this right under Article 20 doesn’t apply:

  1. It only applies to personal data supplied by the DS to the DC

  2. It only applies to consented or explicitly contracted processing

  3. It only applies to processing “carried out by automated means”

Personal data supplied by the DS to the DC

Some might think that a BP reading taken from a patient’s arm, or a weight, or a blood test result are being “provided by the data subject”. Other types of data in the record, such as OPD letters, are clearly not. If there is a possibility for a grey area of debate, it’s soon shut down by the GDPR Guidance that specifically observes an “outcome of an assessment regarding the health of a user … cannot … be considered as “provided by” the data subject. Even though such data are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “provided by the data subject” and thus will not be within scope of this new right.”

Consented and contracted

Processing of patient data by NHS GPs is done under Articles 6(1)(e) and 9(2)(h), neither of which are consenting or contracting.

“carried out by automated means”

Well, as daily users of GPSoC-provided systems, need I say more?

But we are DCs for more than just patient data; our employees

When it comes to employees’ data, the right to data portability typically applies only if the processing is based on a contract to which the data subject is a party. In many cases, consent will not be considered freely given in this context, due to the imbalance of power between the employee and the employer. So the records of our employees are not considered to be consented.

What then of employee records?

Remember that last CQC visit? When they wanted to see the records of your staff recruitment and their references? Well those are records required under a law, the Health and Social Care Act. Not contracting, not consent, not automated, ergo portability does not exist.

Dr Paul Cundy

GPC IT Policy Lead

Friday 13th April 2018

All Content and Images are  the Copyright property of
The Mid Mersey Local Medical Committee. 
© 2014 - 2020. All Rights Reserved.