The General Data Protection Regulations came into force on the 25th May 2018 – here are some questions you may have about how the regulations affect your rights regarding your health care record.
How do I find out what data you hold on me and who you share it with?
We post our full Privacy Notice (sometimes referred to as a Fair Processing notice) on our website.
In this document you can find detailed information on the data we collect, why we collect it, the people we share data with and who to make enquiries to about your data.
I have heard that under the GDPR I can ask to see my medical records – is this correct?
It is – but this is not a new right and has in fact been the case since 1998.
When you make an application to view your medical record it is called a Subject Access Request.
Usually patients ask because they want to see a specific piece of information or information relating to a specific appointment or time or illness.
The main way we encourage patients to view medical records in general practice is through signing up to view your medical records online. Most practices will give you a form to apply for Online Records at any time.
We will normally be able to respond to your Subject Access Request within 30 days unless it is very complex information you are requesting in which case we will let you know of the delay.
There is no charge for requesting access to your health data.
If you ask to see your records you may be asked to fill out a form and will be asked to provide proof of your identity.
Occasionally patients request access to their entire medical record including old data that is only held in paper form. If this is the case and the record is lengthy we may levy a fee based on the time and cost of providing the copy.
You may also be charged if you put repeated requests in for the same data.
I have heard that I can have my data corrected or ‘rectified’ – is this true?
You have the right to have any factual inaccuracies corrected.
We encourage you to let us know if you have given us some information and it is not correct in your records such as your DOB, address etc. Ask your health professional about amending your records if you believe they contain a factual error relating to your health information.
There is no obligation to amend professional opinion, however sometimes it is difficult to distinguish between fact and opinion. Where you and the health professional cannot agree on whether the information in question is accurate you can ask that a statement is included to set out that the accuracy of the information is disputed by you.
I have heard under the GDPR I have the right to data portability? Can I take my records with me when I transfer to another practice?
Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
This does not apply to the information in your health record which is collected under the legal basis of ‘Public Task’. The right to ‘data portability’ applies to personal data an individual has provided, where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.
However in the UK if you move from a practice your electronic health record does follow you automatically and securely to your new practice.
I want the practice to stop processing my data – do I have this right?
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
However, GPs are obligated for both medico-legal and contractual reasons to maintain accurate records, and would be unable to provide safe direct care, or to carry out processing which is necessary for compliance with a legal obligation, if you withdraw processing consent for your care and treatment.
I have heard under new rules I can ask my data to be deleted – is this true?
You have the right to request this; however, as a practice we cannot ‘delete’ GP health data – legally we are bound to retain health records for the lifetime of a patient and at least 10 years after death.
When you move on to another practice your file is ‘archived’ and restricted at your old practice but we cannot ‘delete’ your health record.
Don’t you need my explicit consent (i.e. clearly stated) to process my data – why haven’t you asked me for this?
For direct care the lawful basis for processing special category health data is that processing is: ‘necessary… in the exercise of official authority vested in the controller’ (Article 6(1)(e)).
The special category condition for processing for direct care is that processing is: ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
Neither of these legal bases relies on consent and it would be misleading/disingenuous to ask for your consent as we would be unable to provide care to you if you refused.
The one occasion when we will seek your explicit consent is when you have given instruction to release any of your medical records to solicitors/insurers.