HOW BREACHING GDPR IS ALL TOO EASY
Mike Martin LLM Information Rights Law
Data Protection Consultant, Auditor and Trainer
Touted as the most significant change in data privacy in twenty years, GDPR is a statute in EU law on privacy and data protection for citizens of the EU and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA.
Information stored by the NHS and then used by a second or third party for medical research must go through a stringent system and set of procedures, in line with GDPR, to become ‘anonymised’ data. However, it has become increasingly apparent that breaching these laws is all too easy.
An example of just how easy it is to breach GDPR was that of a Fordingbridge man in 2016, who discovered by chance that his medical records were accessed and shared by the NHS and local council without his knowledge or consent.
During an investigation by the Council into the man’s mental health condition, a member of NHS staff handed over his medical records. The man had contacted the board of Councillors following a case of intimidation and threatening behaviour by a neighbour. He had requested a more secure door for his home to add security and peace of mind following the threats.
According to the man, the Council were not forthcoming, and after making a ‘Right of Access’ information request, he discovered the breach, which included personal notes and unsubstantiated opinions on him, which were both inappropriate and unlawful.
Not only should this information not have been kept on file, since the individual was not aware of it and there was no legal requirement to retain it, but its content could influence other readers’ opinions of the individual, which is not acceptable.
It is important to note that you ARE able to make negative notes on someone, but they must be factual. The following examples show how to correctly record notes, providing they are GDPR compliant…
‘Mr Jones was on the phone for 1 hour and swore constantly’, is OK.
‘Mr Jones needs to attend anger management classes’, is not!
‘Debbie is lazy’, is not acceptable.
‘Debbie consistently takes twice as long as colleagues to perform tasks’, is lawful.
A Southern Health NHS Foundation Trust spokesperson stated that the NHS takes the confidentiality of patients very seriously and works hard to ensure people’s data is processed according to their wishes. They went on to apologise for falling short of these standards. Information sharing policies and the staff guidance on handling information sharing requests from third parties have since been updated and reiterated.
If you have any worries about potential gaps in your GDPR compliance, get in touch with our specialists on 01673 885533 and we’ll be happy to help.
Information Governance, Data Protection & GDPR Consultant, Trainer. External DPO and NED.
4 years: Thanks for sharing Mike