Our fifth blog from Karen Heaton of Data Protection 4 Business covers how to handle a request from a patient or customer for details of the information that you hold on them.
In our blog today, we look at a data subject’s right to access, a powerful tool for individuals who have concerns about what information organisations hold about them. Unfortunately, it can also be used for litigious purposes and such a request should be taken very seriously within your organisation, so please read on!
A data subject, in other words, you or I, can request a free copy of all personal data relating to us that an organisation holds – in any format – paper files, digital, videos or voice records. Ok, do I have your attention now? Even for a small organisation, that can amount to a lot of data.
Oh, and you have one calendar month to respond.
So, what must you provide and what is exempt? Well, let’s see…
What information must I provide?
You must provide the following long list of information in relation to the personal data being processed as well as the data itself:
the purposes of your processing
the categories of personal data concerned
the recipients or categories of recipient you disclose the personal data to
your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
the existence of their right to request rectification, erasure or restriction or to object to such processing
information about the source of the data, where it was not obtained directly from the individual
the existence of automated decision-making (including profiling)
the safeguards you provide if you transfer personal data to a third country or international organisation
the right to lodge a complaint with the ICO or another supervisory authority
I have a question or two: would you know where to find the data? Would you be able to respond to the other information points above regarding the data you hold? This is not a simple task and can amount to an operational headache for many organisations.
What information can I withhold?
The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared or it is reasonable not to require such consent – confused?). For example, an email chain where people other than the data subject are mentioned would need to be considered for redacting. How easily can your organisation find, review and redact third party information?
Other examples of exempted information:
Specific information regarding medical organisations
Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.
Subject Access Request (free) vs Access to Medical Records Act 1988 (chargeable):
Requests from Solicitors acting on behalf of a Patient
The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a medical practice will be able to lawfully decline such requests. In this instance, you should ask the person acting on their behalf if there is specific data that they require, for example, are they requesting data covering a specific time period or illness or operation? This is a valid question for you to ask if the patient data file is substantial.
Tip: Don’t forget to get valid consent from the patient to disclose their personal and sensitive data to the Solicitor or third party.
If, however, the request is asking for a report to be written or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.
Requests from an Insurance company
The British Medical Association, ICO and Association of British Insurers currently advise that Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.
So, that scenario is a bit more clear cut.
The bottom line is….
Your organisation or medical practice must take the time to consider and plan how to respond to a Subject Access Request from an operational perspective. Don’t wait until you receive one to work out how it should be done. The clock starts ticking from the day you receive the request.
Today’s fact. Access to your data is a basic Right under GDPR and Data Protection Act 2018. A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request. Further failures to respond to requests from the ICO and any Enforcement Notice they serve, is a criminal offence.
=> This is worst case scenario and easily avoided. Ensure you have a robust operating procedure to handle Subject Access Requests and train your staff in how to respond, when to respond and what information to provide.
We are currently publishing an up-to-date series of blogs related to GDPR, data protection and private medical practices, written by Karen Heaton of Data Protection 4 Business. Click here to start the series: GDPR for Healthcare – Introduction
UPDATED: JUNE 2018 – This blog was originally published in November 2017 in order to help private medical practices prepare for the implementation of the new General Data Protection Regulation (GDPR).
Whilst the deadline for compliance with the GDPR officially passed on 25th May, it is not too late to ensure that you have implemented the correct procedures in order to protect your patients and employees’ data.
Please read the blog for more information and useful links.
Next May sees the implementation of a new piece of EU regulation – the General Data Protection Regulation (GDPR).
Any business, including private medical practices, should be working in accordance with the Data Protection Act 1998 where any personal data is used or collected. There are similarities between the GDPR and the DPA, but this new regulation has some additional requirements that will need to be addressed. So, what are these requirements and what does your practice need to do to ensure you’re ready for May 2018?
New requirements for data controllers and processors
This new data regulation is applicable to data controllers and data processors. In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant, or anyone who acts on the processor’s behalf.
Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations. Medical photography will also be considered personal data, as will any social media interactions you may have with patients (although any communications made in this way will also be subject to additional guidance set out by the GMC).
Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:
Penalties– Breaches of the GDPR can result in a fine of up to €20 million or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations. A company can also be fined up to 2% for less serious breaches.
Consent– Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and ineligible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.
Breach notifications – The relevant regulatory authority will need to be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the “rights and freedoms of individuals”.
Right to access – Data subjects (patients, in the case of private medical practices) have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.
Data portability– This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.
Data protection officers – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the “regular and systematic monitoring of data subjects on a large scale”, or if the company is a public authority.
More information on all changes and requirements, including the full criteria for DPO appointments, can be found HERE.
What about Brexit – do I still need to prepare for the GDPR?
The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside of the EU will also need to comply with the regulation if they provide services to people residing in the EU. In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.
How do I assess my practice for compliance?
For business managers or principal consultants who are unsure how compliant their practices are, the ICO has a useful self-assessment toolkit.
What happens if my practice does not comply?
The GDPR came into effect last year, but will be enforced in May 2018. Non-compliance could result in a fine of up to 4%, so it is crucial to take a look at your data management policies and procedures to ensure that you comply with the regulations.
Data protection at Designated Medical
Designated Group, including Designated Medical, is committed to protecting client’s privacy and conducts all work in line with the Data Protection Act 1998. We work closely with clients to ensure that data protection laws are adhered to, and all data is stored securely and is encrypted when necessary.
For more information on our services please call 020 7952 1008, or visit our website at designatedmedical.com.
Outsourcing your social media has so many benefits. Considering there are over 2.3 BILLION social media users, with 73 % deciding whether to buy a product based on social media reviews, there really is no excuse not to jump on the social media bandwagon anymore.
A whopping 93% of retail brands use 2 social media platforms!
On the downside, engaging, tweeting, creating pins for Pinterest and researching the best hashtags for a tweet does take considerable time, not to mention consistency. The majority of rising private medical centres realise the importance of connecting to their audience through social media. But an even larger majority either do not have the budget for a social media manager as a full timer. This is where outsourcing your social media comes in.
Benefits Outsourcing Social Media
With social media, you’re constantly learning. New trending hashtags are created on a daily basis along side new social platforms. You have to stay ahead of the game and have the ability to think outside the box, to think creatively and to multi-task beyond what’s usually thought capable. That’s why outsourcing to a social media specialist is a must.
A specialist can;
Schedule messages and blog posts to multiple different platforms
Create a digital marketing plan
Work out your brands specific goals and objectives
Know your target audience just as well, if not better than you
Find multiple ways to connect with them through social media
By outsourcing to one of our digital marketing executives, you can save time and money by only paying for how many hours you think you really need. No more finding office space and ordering expensive PCs. No payroll or tax concerns, a virtual PA will have an elaborate home office and manage their own taxes.
I’ve learned the hard way when it comes to consistency on social media. Whilst creating our popular Designated blog – marketing tips for small businesses – we discovered that posting consistently, at least 3 times a week tended to double our traffic and we had less ‘slump days’ in the week. Yes, it took more time, but we are now reaping the benefits of our highest traffic to date AND a substantial increase in our lead generation. Do you have the time to;
Post on Twitter at least 3 times a day including weekends?
Regularly update your business Facebook page and engage with your audience?
Source out alternative communities and possible target audiences through Facebook, Pinterest, LinkedIn and Google Plus?
Have a dedicated full timer to check all of these platforms, engage and reply to customer comments throughout the day?
If not, then outsourcing could be for you.
How much would it cost to hire a social media marketing manager in London? It ranges from 26- 40K, and this still doesn’t ensure the employee is the right fit for your brand. When you outsource, not only are you guaranteed a professional who has substantial social media experience, but you also save on the cost of hiring a full timer.
I for one can admit that I can get far more done working in the comfort of my own home in a 5 hour shift than I EVER could working an 8 hour one with office distractions.
I grew tired of the amount of times I had to waste time to attend meetings that had nothing to do with my sector, and the long expensive commutes. Working from home has seen my results double!
Designated PA are accustomed to getting results from their startups. We consistently improve brand awareness and create customer engagement with our bespoke packages.
Designated PA are also experts in the recruitment of medical secretaries and have substantial experience working with doctors in the exclusive district of Harley Street.