WriteUpp Blog

GDPR and the Access Request

Article 15 of the GDPR, “the right of access”, is a powerful and less often discussed aspect of the GDPR, designed to empower data subjects with total visibility of the information that organisations and public bodies hold about them.

There are also various follow-on rights, like erasure, rectification and restriction of processing, that can emanate from the original access request.

The upshot of this is that:

As a result, Article 15 of the GDPR (the right of access) has a direct impact on healthcare professionals as well as any other industry that captures, holds and processes significant amounts of personal data.

Responding to an Access Request

The recommended approach to dealing with an Access Request is as follows:

All the Data

To be clear, this means:

It does not mean you can:

95% of clinicians will have no problem with sharing the data with clients, but a decent number may find it a challenge to pull the information together in a timely, cost-effective manner.

When might it be a problem fulfilling an Access Request?

How do you pull data together?

If you maintain paper-based records, you might spend a lot of time next to your photocopier.

If you use a system and it’s your sole repository of client-related information, check out the data export options available to you. Hopefully you can find one that produces an output that allows you to comply with Article 15 of the GDPR.

If you’re a WriteUpp user you probably already know that we’re big fans of GDPR (and were long before privacy was fashionable and of the moment!). We’ve been planning for it since 2016 and banging on about it since the middle of 2017.

Our Access Request feature, which will be available from mid-April, should mean that you’re able to satisfy an Access Request in under 2 minutes, depending on the size of the dataset.

Hit Main Menu -> Tools -> Access Requests

Click on “CREATE NEW ACCESS REQUEST”

Log the details of the request and hit save:

At this point you have fulfilled your initial obligations under Article 15 and you need to await verification of the identity of the person making the request.

You need something like a driving licence or passport that will allow you to visually verify that they are who they say they are. For your own protection, we would recommend copying their ID and attaching it to the client record.

In the background, WriteUpp will be working its magic and pulling together all the data you hold about the client.

As this can sometimes be a fairly intensive task we queue up Access Requests and set the status of the request to “Pending” until it’s ready. This normally takes 30-60 seconds, and once it’s available to download, the status is set to “Complete”.

Having verified the identity of the requestor, just click on Main Menu -> Tools and you will see a log of your Access Requests along with a download link, which automatically expires 7 days after it has been created.

Find the request relating to your requestor and click on “Download”. A ZIP file will be saved to your hard drive with contents that will be structured like this:

    1. Assessments, Notes and Consents are all placed into folders and converted into PDFs
    2. Appointments, Episodes and Invoices are summarised in .csv files
    3. The Patient tab is summarised in a file called client-summary.pdf

Please keep in mind that the contents of the ZIP file depend on what data you hold about the client.

Once you have reviewed the contents of the ZIP file, you should immediately password-protect it using your preferred ZIP utility.

You can then complete the process and fulfil your Article 15 obligations by emailing the ZIP file to the requestor or by providing it to them on optical media. In both cases it should be password protected.
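A check you could run on the archive before sending it, as an added example (not WriteUpp's code): it reads only the ZIP headers and reports whether each file is AES-encrypted, encrypted with a non-AES scheme such as legacy ZipCrypto, or not encrypted at all. Accepting only AES is this example's policy rather than something the article states. Python's standard library cannot write encrypted ZIPs, so the constructed sample simulates a ZIP utility's output by patching header fields, and every entry name other than client-summary.pdf is an assumption.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # "compression method" value that marks WinZip AES encryption

def audit_zip(data: bytes) -> dict:
    """Classify each file as 'aes', 'legacy' (encrypted, not AES) or 'plain'."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # reads headers only, no password needed
            if info.is_dir():
                continue
            if not info.flag_bits & 0x1:  # bit 0 clear: entry is not encrypted
                report[info.filename] = "plain"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "aes"
            else:
                report[info.filename] = "legacy"
    return report

def safe_to_send(data: bytes) -> bool:
    """True only if the archive has files and every one is AES-encrypted."""
    report = audit_zip(data)
    return bool(report) and all(kind == "aes" for kind in report.values())

def sample_export() -> bytes:
    """Constructed sample: an unprotected archive with assumed entry names."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in ("client-summary.pdf", "appointments.csv", "notes/note-1.pdf"):
            zf.writestr(name, b"constructed sample data")
    return out.getvalue()

def simulate_encrypted(data: bytes, name: str, method: int) -> bytes:
    """Constructed sample only: patch the central-directory record for `name`
    so it carries the encrypted flag and the given method field."""
    buf = bytearray(data)
    pos = buf.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        name_len = struct.unpack_from("<H", buf, pos + 28)[0]
        if bytes(buf[pos + 46:pos + 46 + name_len]) == name.encode():
            flags = struct.unpack_from("<H", buf, pos + 8)[0]
            struct.pack_into("<HH", buf, pos + 8, flags | 0x1, method)
            return bytes(buf)
        pos = buf.find(b"PK\x01\x02", pos + 4)
    raise KeyError(name)
```

File names inside a password-protected ZIP stay readable without the password, which is why this check can run on the headers alone.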

Conclusion

The tool in WriteUpp makes complying with an Access Request simple and cost-effective but there are other important things to consider here:

The key is to think ahead. At some point you will receive a request, and when you do you’re on a pre-determined path. If you embed this expectation into your business, ethics and people then it shouldn’t present any problems at all, but if you don’t, it may bite you!