NHS Subject Access Requests

In an earlier blog I talked about my experiences as a patient trying to take ownership of my health records so that I had a complete and logitudinal care record for the next time I turn up at hospital.

In this blog I will explore some of the specific issues I encountered when requesting my data using my legal right under the Data Protection Act known as  SAR (Subject Access Requests) and the implications for the future.

Making the request

I always make a subject access request via email. If I can’t find a specific address I use the PALs team as they usually have an email contact. As long as you land the email with the correct organisation they must process this and ensure the correct team deals with it.

On the most part this has worked. There is no requirement to go through a particular channel to make your request and everyone in a given organisation should have a enough knowledge to know to forward such a request to the correct department.

With the exception of Royal Free whose PALs team sent me an automated acknowledgement of my email but never responded to me this has worked for all my records.

Forms / process

It’s important to note that an organisation cannot require you to fill in a specific form or follow a given process. They may have one locally but cannot refuse your request because you chose a different path.

The NHS organisation will need to ensure they have the correct person and to avoid back and forth they do sometimes point you to the form, but a valid requests is a valid request.

I will always send my fullname, NHS number, date of birth, copy of my passport and details of the care episodes so that I can be safely identified.

So far the Oxford John Radliff is the only orgnaisation to refuse my request for not  filling in their forms. I explained that I had made a valid reqwuest and that the clock was now ticking on my request. The Access Team Manager in the Data Quality Department responded :

“The clock does not begin until we have received the correct paperwork.
The completion of the form is a part of the process we have to follow,”

Page one of the ICOs advice on Subject Access Requests has a series of questions including:

“Can I require individuals to use a specially designed form when making subject access requests? - No”.

That seems pretty clear to me so as a patient, so I’m curious how an “Access Team Manager” has not grasped this basic fact.

After a formal complaint they changed their mind about this and put it down to “training”. I disagree and wonder how long this has been going on and what the wider implications are for data sharing in the Trust.

Returning your data

This is where it tends to get sticky. I always ask for my information to be returned by email as I want to file it away and be able to recall it easily when I need it.

I can only recall one organisation who did this without any question or quibbles and this was my previous GP in London: Hampstead Group Practice. Not only did they send the information they did it within 24 hours.

Typically the response is refusal on the grounds of “privacy” and “security” this was also true of the Oxford John Radcliffe.

My case with  Wirral Hospital was a particular interesting case as it demonstrated where some of the misinterpretation came from and the basic lack of understanding around consent.

I was dealing with the “Health Records Manager & Access to Information Manager” in the Information Governance Department.

Great, this should be easy to get sorted as she’ll know her stuff. But alas no. She went as far as to start spouting the data protection act:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

“Unfortunately, the Trust does not have the facility to encrypt medical records which are classed as sensitive data  and, therefore, is unable to send this information to you by email.”

The supreme irony of all this is that they asked me to resend a copy of my passport by email for identification purposes which requires a special kind of NHS logic.

Consent

The key with all of this and indeed the majority of data sharing “issues” in the NHS is one of consent.

The law does not require encryption and indeed if it did the postal service would not be permitted, a common sense point seemingly lost on the majority of the NHS.

Organisations are required to take measures which prevent the unauthorised and unlawyful processing of data as the Wirral kindly pointed out. However, as I was requesting my information and asking for it to be emailed this was would not be unauthorised or unlawful.

Indeed it is clear that consent establishes the legal basis.

Bad advice

Having refused to email me my data because they had no means to encrypt email the Wirral offered me a choice of paper/post  or a CD ROM.

I pointed out that paper was neither secure or encrypted a point which fell on deaf ears and seemingly lost on much of the NHS. If anything the postal service is less secure than the post from my view point.

As for CDROM I mentioned that I no longer have a CDROM drive and haven’t for some years. To this I was  advised I could use a public computer / library. This opens up a whole can of privacy and security issues which could be an entiire blog in it’s ownright.

Needless to say in the case of the postal system and CDROM they offered no information or advice as to the privacy / security implications of each service , whilst virrently definding their right to refuse email.

In any case I think they would struggle to claim that I had meaningfully consented.

Timeframe

Legally organisations must return data within 28 days.

As I mentioned earlier to this day the Royal Free has yet to respond and it is now months since I requested my information.

Despite some intial problems the Oxford John Radcliff and my last GP did eventually return my data in a sensible timeframe.

With all the messing around with the Wirrla b y the time I had complained and they ad agred to email me they were well and truly over 28 days.

The upshot

So the upshot of this is that only 1 out of 5 of my requests so far have been completed successfully and without issues.

A further 3 were completed once I entered in to a formal complaint and one the Royal Free I have yet to formally complain about.

If only 20% of the NHS understands Data protection properly is it any wonder it is in the state it is in when it comes to data sharing? These are very basis issues that are being misunderstood and mismanaged.

Right now 100’s of organisations across the NHS are preparing for the new GDPR legislation. Given they have yet to get the Data Protection Act 1998 right, I hold out little hope.

Whats more citizens will have greater rights, there are stiffer penalties and it seems likely more and more people will exercise their rights.

This is a costly shambles that will not scale and central NHS bodies such as NHS Digital need to step up to the plate and sort this mess out once and for all and Nationalise Subject Access request prococesss.

It is supposed to be a National Health Service after all.

Useful links and references

• Data Protection Act Principle 6 – Rights: Subject access request
  https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/