Why the right of access to patient data needn’t be a headache for GPs
Issued by the Information Commissioners Office of the UK. The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
A patient’s right to access their own medical records from their GP is a long-established principle supported and strengthened by data protection law, most recently the General Data Protection Regulation (GDPR).
Under the updated data protection regime a patient’s request to access their records (commonly known as a subject access request (SAR) must now be processed free of charge and within one month.
Requests on the rise
Medical practices have reported a significant rise in SARs since the GDPR came into effect in May last year, which is a similar trend in other sectors. Many believe this is partly down to lawyers increasingly submitting SARs on behalf of clients to support legal claims. Ultimately, we want to promote a culture of transparency and compliance without any detrimental impact on individual data rights, patient care or the ability of both the medical and legal professions to do their jobs as efficiently as possible.
SARs are designed to be ‘purpose-blind’ because access is a cornerstone right of data protection, so GPs cannot query the reason for a patient or their representative requesting the information. However, we do appreciate the administrative impact of the increased workload on GP surgeries. The GDPR is an evolution – not revolution – of data protection legislation, and many of the ways practice staff dealt with requests to ease the burden of printing reams of paper under the previous framework are still valid.
DPC issues important message on personal data transfers to and from the UK in event of a ‘no deal’ Brexit
European Data Protection Board – Eighth Plenary session: Interplay ePrivacy Directive and GDPR, statement on ePrivacy Regulation, DPIA Lists ES & IS, Statement on Elections