GDPR: data subjects' rights

The General Data Protection Regulation (GDPR) makes data subjects' rights clear.

Since Brexit, EU GDPR provisions have been incorporated directly into UK law as the UK GDPR. The Data Protection Act 2018 sets out the data protection framework in the UK, alongside the UK GDPR.

Your obligations to data subjects are summarised in the following eight rights.

1: The right to be informed

The GDPR sets out what information practices need to supply to data subjects - ie, patients. This can be done by displaying a privacy notice (for example, in the practice and on the website) with the following information:

  • the identity and contact details of the data controller, and the data protection officer where relevant
  • the processing purpose and its legal basis
  • any recipient of data or categories of recipients
  • the existence of the data subject rights
  • the right to withdraw consent at any time
  • the right to lodge a complaint with the supervisory body (ICO)
  • retention periods
  • the existence of automated decision-making, including profiling and information about how decisions are made, their significance and consequences
  • details of transfers to countries outside the EU and safeguards.

The information should be concise, transparent and easily accessible. It should be written in clear and plain language, particularly if meant to be read by a child.

The GMC's Confidentiality: Good practice in handling patient information states that when sharing personal information about patients for direct care, details about how it will be used and their right to object should be made readily available to those patients.

Most patients understand and expect information to be shared within the direct care team, which includes administrative staff. If patients object to any or all of their information being shared, you should respect this decision unless disclosure is in the public interest or is of overall benefit to a patient who lacks capacity.

2: The right of access

Information must be given to patients without delay, and at the latest within one month of the request.

This can be extended by a further two months if requests are complex or numerous. If you need an extension, you will need to tell the patient why within one month.

Under GDPR, patients cannot be charged for subject access requests unless the request is 'manifestly unfounded or excessive'. You could then charge a 'reasonable fee' based on the administrative costs of providing the information. There is no definition of unfounded, excessive or reasonable fee, and the onus of establishing this is on the data controller.

If the request is unfounded or excessive you can refuse to act on it, but you must explain this to patients and tell them of their right to complain to the ICO and to seek judicial remedy.

3: The right of rectification

Data subjects have the right to correct data if it is inaccurate or incomplete. You must respond to such requests within a month and inform any third parties with whom you have shared data, if possible. The one-month period may be extended by a further two months when the request is complex.

A clinical opinion is not inaccurate data, even if it later turns out not to have been correct. You are not required to remove clinical opinions but can allow the patient to add a note to the records to indicate they disagree with the opinion.

If you refuse a request for rectification, you must explain why to the patient and tell them of their right to complain to the ICO and to seek a judicial remedy.

4: The right of erasure - the right to be forgotten

This allows an individual to request removal or deletion of personal data where (for example) the data is no longer necessary for the purpose it was collected.

You can refuse to comply with a request for erasure of records if processing is necessary:

These are legal bases for most NHS processing (see below) and it is unlikely the right to erasure will apply to health records that need to be maintained.

5: The right to restrict processing

Individuals can request that you stop processing their data for a number of reasons, including if:

  • data accuracy is contested by the individual for a period while the controller verifies its accuracy
  • processing is unlawful and the data subject opposes erasure and requests restriction instead
  • the data controller no longer needs the data but the subject needs it to establish, exercise, or defend legal claims
  • the data subject has objected to the data processing necessary to perform a public interest task or purpose of legitimate interests and you are considering whether your organisation's legitimate grounds override those of the individual.

This means you can store the personal data, but not process it further. You will need to establish procedures to receive and assess requests to restrict processing. You should discuss with your system provider how to do this technically; for example, by removing access to the whole or part of a record, or by preventing changes to, or deletion of, the data.

You will need to inform the data subject when you decide to lift a restriction on processing.

You should include information about this right in your information notices.

6: The right to data portability

This allows individuals to obtain and reuse their data across different services. Data must be provided in a structured, commonly used and machine-readable format.

The right only applies to the following data:

  • personal data provided by an individual…
  • …where the legal processing is based on consent, or for the performance of a contract, and
  • where processing is automated.

The information must be provided free of charge within one month.

7: The right to object

Data subjects have a right to object to your processing their data even if you believe it is legitimate to do so. The grounds for their objection must relate to their particular situation.

Controllers must stop processing the data unless they can demonstrate compelling, legitimate grounds for processing that override the interests, rights and freedoms of the individual (such as performing a task in the public interest or exercise of official authority), or the processing is for the establishment, exercise or defence of a legal claim.

8: Rights related to automated decision-making and profiling

Individuals have the right not to be subject to a decision based on automated processing that results in a legal effect on them or significantly affects them in some other way.

The GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, especially to analyse or predict certain things, including health.

Automated decisions can be made with or without profiling and profiling can take place without making an automated decision.

Lawful basis for data processing

All data must be processed under a 'lawful basis'. UK GDPR sets out a number of lawful bases for processing and there is detailed guidance on the ICO's website on this complex area.

Although it is very important to advise patients of how their data will be used, consent is only one of the lawful bases for processing data and is not usually the most appropriate lawful basis for processing data used for direct clinical care.

Most health and social care organisations need to establish a lawful basis derived from Article 6 (of the GDPR). Two specific provisions are relevant to independent practice and NHS practice.

When it comes to private/independent practice:

  • processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract - Article 6(1)(b).

Independent practitioners may be able to rely on this as the lawful basis for data processing. However, NHS practitioners are not considered to have a contractual arrangement with patients and cannot use this condition as the legal basis for processing. The relevant provision for NHS practitioners and organisations is that:

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller - Article 6(1)(e).

As health data and social care data is 'special category data' you must also establish a condition from Article 9 for lawful processing. Most commonly, health and social care organisations can use Article 9(2)(h):

  • processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of UK law or a contract with a health professional.


While explicit consent is one way to comply with UK GDPR and the Data Protection Act 2018, consent might not be the most appropriate basis for processing data used for direct clinical care in many health and social care contexts.

This may seem to run against the principle that patients must be made aware of how their data is to be used. However, consent as a basis for processing under GDPR has very specific requirements. In particular, if consent is the lawful basis a data controller is relying upon, data must not be processed once that consent is withdrawn.

That can be problematic in a healthcare context where there may be an obligation to retain records for a given period or where a practitioner cannot agree to delete accurate information from a clinical record just because the patient would prefer it not to be included in their records.

This page was correct at publication on 07/03/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.