GDPR: Don’t Underestimate the Access Request
It remains to be seen how much visibility GDPR will get with consumers and patients when it comes into effect on May 25th 2018.
Certainly, the recent Facebook/Cambridge Analytica saga has raised consumer awareness of the amount of data that organisations and public bodies hold about them and the ways in which it can be used. This Guardian piece is usefully illustrative: Facebook logs SMS texts and calls, users find as they delete accounts
“What does this have to do with me?” I hear you cry.
Potentially, quite a lot. Article 15 of GDPR, “the right of access”, is a powerful and often less discussed aspect of the GDPR that is designed to give data subjects (you and me) TOTAL visibility of the information that organisations and public bodies hold about us. Moreover, various follow-on “rights”, such as erasure, rectification and restriction of processing, can flow from the original access request.
My contention is that:
- Consumers will become more savvy about the information that companies and public bodies hold about them
- Consumers will realise that fundamental decisions about them are being made using this data
- Consumers, particularly those in the EU/EEA who are protected by GDPR, will gradually become aware of their new found rights
- Consumers will start making access requests. I don’t have a crystal ball and I’ve no sense as to whether it will be a trickle or a tsunami. In the UK, a watered-down version of this right already exists and it’s fair to say that most organisations haven’t been inundated with access requests, but my sense is that the privacy climate is rapidly changing and, as a result, the number of requests may increase significantly.
As a result, my expectation is that Article 15 of the GDPR (the right of access) is going to have a direct impact on healthcare professionals as well as any other industry that captures, holds and processes significant amounts of personal data.
Responding to an Access Request
The recommended approach to dealing with an Access Request is as follows:
- Acknowledge, in writing, receipt of the data subject access request (SAR) under Article 15 of the General Data Protection Regulation (GDPR)
- Request a copy of the data subject’s ID to confirm their identity and eligibility to receive the information
- Log the date when the request was received and confirm to the data subject that you have a statutory requirement to provide the information within 30 days
- If necessary, ask any questions that you may have about the reason for the request so that you can deal with it appropriately. In particular, use this opportunity to try to quantify how much data you need to supply. In most cases it will be everything that you have, but there may be circumstances where it is more appropriate for the data subject if you supply a subset of your data.
- Confirm to the data subject that once you have provided the information they have the following rights:
  - request the rectification/correction of their personal data;
  - request the restriction of your processing of their personal data;
  - object to your processing of their personal data.
- Let the data subject know that they have the right to lodge a complaint with the Information Commissioner’s Office (if you are substantially based in the UK) https://ico.org.uk/. If you are based elsewhere in the EU/EEA you should provide the details of your country’s responsible authority.
- Provide the data subject with a reference number for their request which they should quote on all correspondence concerning the request.
Yup, ALL the data!
To be clear, this means:
- ALL the personal data that you hold about that client, including anything you might hold on your practice management system, paper, spreadsheets etc.
- The data needs to be provided in a secure format. That doesn’t mean you can’t use paper, but if you do you will need to make sure that photocopies are legible and that they are either collected in person or securely despatched by recorded delivery/courier
- If you provide the data electronically it needs to be in an intelligible form and readable by the data subject in a non-proprietary file format like PDF, .xls or .csv. It should also be password protected.
- The data needs to be understandable by the data subject, i.e. they can read it and an average person can understand what it means
- The data must be provided at no cost to your client
It does not mean you can:
- Provide whatever data you can easily lay your hands on
- Provide a summary of the data that you are happy/comfortable to share
- Provide a modified version of your notes that removes content that you might not want your client to see
- Provide an illegible handwritten scrawl
- Provide content that is in code or shorthand that cannot easily be understood by the data subject
- Disincentivise the data subject from making the access request by charging them for pulling the data together
My personal take on this is that 95% of clinicians will have no problem with sharing the data with clients; however, I suspect a decent number may find it a challenge to pull the information together in a timely, cost-effective manner.
When might it be a problem fulfilling an Access Request?
- If data is distributed across disparate systems, including spreadsheets and paper records
- If your system(s) are unable to output EVERY facet of information for a specific individual
- If you hold too much personal information about an individual. I’ve definitely come across practices that are holding or maintaining data that isn’t required for the purpose of treating the patient. GDPR will require you to address this, but it also means that the dataset you are trying to corral is bigger than it needs to be and potentially more complex to handle
- If you don’t have the physical resources in place to fulfil an access request
- If your team aren’t aware of your obligations under Article 15 of the GDPR and ignore or fail to respond appropriately to an Access Request
How do you pull the data together?
If you maintain paper-based records then you might be spending a lot of time next to your photocopier.
If you use a system and it’s your sole repository of client-related information, then check out the data export options available to you; hopefully you can find one that will produce an output that allows you to comply with Article 15 of the GDPR.
If you’re a WriteUpp user you probably already know that we’re big fans of GDPR (long before privacy was fashionable and of the moment!). We’ve been planning for it since 2016 and banging on about it since the middle of 2017.
Our Access Request feature, which will be available from mid-April, should mean that you’re able to satisfy an Access Request in under 2 minutes, depending on the size of the dataset.
- Hit Main Menu->Tools
- Click on “CREATE NEW ACCESS REQUEST”
- Log the details of the request and hit save.
- At this point you have fulfilled your initial obligations under Article 15 and you need to await verification of the identity of the person making the request. You need something like a driving licence or passport that will allow you to visually verify they are who they say they are. For your own protection I would recommend copying their ID and attaching it to the client record.
- In the background, WriteUpp will be working its magic and pulling together all of the data that you hold about the client. As this can sometimes be a fairly intensive task, we queue up Access Requests and set the status of the request to “Pending” until it’s ready. This normally takes 30-60 seconds, and once it’s available to download the status is set to “Complete”.
- Having verified the identity of the requestor just click on Main Menu->Tools and you will see a log of your Access Requests along with a download link, which automatically expires 7 days after it has been created.
- Find the request relating to your requestor and click on “Download”. A ZIP file will be saved to your hard drive with contents that will be structured like this:
  - Assessments, Notes and Consents are all placed into folders and converted into PDFs
  - Appointments, Episodes and Invoices are summarised in .csv files
  - The Patient tab is summarised in a file called client-summary.pdf
Please keep in mind that the contents of the ZIP file depend on what data you hold about the client.
- Once you have reviewed the contents of the ZIP file you should immediately password protect it using your preferred ZIP utility
- You can then complete the process and fulfil your Article 15 obligations by emailing the ZIP file to the requestor or by providing it to them on optical media. In both cases it should be password protected.
I’m sure you have a view about the volume of Access Requests you might receive as a result of the changing privacy environment and GDPR. In a way, regardless of your view of that number, the likelihood is that you will receive at least one per year. The tool in WriteUpp makes complying with an Access Request simple and cost-effective but there are other important things to consider here:
- Your documentation must be fit for external consumption
- Your documentation must be understandable by the individual
- Your record keeping needs to be structured and organised. To be clear, I’m not advocating an electronic system over paper. I’ve seen amazing paper-based record-keeping, but you need to be diligent, and auditability is more challenging in a paper-based environment
- You need to ensure you have the resources or documented operating procedures in place (if you’re not going to use a tool) to deal with an Access Request from the moment it arrives, as the clock will be ticking. You have 30 days; after that you risk action (including fines) from your country’s responsible body, which in the UK is the ICO.
The key, in my humble opinion, is to think ahead. At some point you will receive a request and when you do you’re on a pre-determined path. If you embed this expectation into your business, ethics and people then it shouldn’t present any problems at all but if you don’t it may bite you!