The EU General Data Protection Regulation (“GDPR”) was incorporated into UK law by the Data Protection Act 2018 (“DPA 2018”). It remains part of UK law even after Brexit.
One GDPR protection is the Article 17 right for individuals to have their personal data erased, also known as the ‘right to be forgotten’. It is exercised regularly, and the Information Commissioner’s Office has some general guidance on how to respond to data erasure requests. However, it is not an unrestricted right, and there are limits on what data an individual can get erased.
Doctors, surgeons and clinics in private practice often receive requests from patients to erase their data. If the patient is only asking to be removed from a marketing database, this is unproblematic. But difficulties arise where the data forms part of the patient’s medical records. Several Incision members have received such requests, with some patients actually citing GDPR. Patients have expressly asked doctors, surgeons and clinics to permanently destroy medical records, including (in some cases specifically) clinical photographs. The patient’s reasons are not always clear. Sometimes they genuinely feel vulnerable because their highly personal clinical photos are held for long periods, even though the doctor, surgeon or clinic is highly regulated and will keep the images safe. In other instances, it seemed that the patient was making a cynical attempt to get rid of evidence in preparation to make a complaint or claim.
So are doctors, surgeons and clinics obliged to destroy medical records in response to a GDPR ‘right to be forgotten’ request? Fortunately they are not, so records needed to defend a potential claim should be preserved. The right does not apply where the data is being held to comply with a legal obligation, and there are also exceptions where the data (in this case medical records) is being held under a duty of patient confidentiality for medical diagnosis or for the provision of healthcare. Therefore even where the course of treatment has completely finished, medical records including correspondence and clinical photos must not be destroyed. In private practice, doctors, surgeons and clinics must keep the patient records and clinical photographs complete, safe and secure for the periods required by The Private and Voluntary Health Care (England) Regulations 2001 (Schedule 3), which is usually eight years but can be longer for some classes of patient. Incision insureds have access to a detailed guidance note on records retention periods.
So as a doctor, surgeon or clinic manager in private practice, what should you do if a patient asks for their data or any part of their medical records and clinical photos to be erased? Incision insureds have access to excellent medico-legal guidance from dual-qualified doctors and lawyers. You should seek medico-legal guidance right away whenever you receive a ‘right to be forgotten’ request. The medico-legal team can help you assess whether there is any data that can and should be erased in response to the request, but also accurately identify any data which is actually part of the medical records and cannot be destroyed. The medico-legal team can also help assess the likely reasons behind the request. They can help create a reassuring and sensitive response where it seems that the patient is making the request out of a sense of vulnerability, to help preserve the relationship with the patient and prevent unnecessary complaints. But they can also help identify situations where the data erasure request indicates that the patient intends to make a complaint or claim. They can make sure that notification to insurers and other steps are taken to protect the position of the doctor, surgeon or clinic. Just as importantly, the medico-legal team can help you look at any permissions you might previously have received to use the medical records for other purposes such as training or even marketing, and assess whether the patient has now withdrawn those permissions so you should stop using the records for those other purposes.
But what about situations where you (or an employee or medical secretary on your behalf) has already erased patient records in response to a ‘right to be forgotten’ request, without realising that the right does not apply to medical records? In these situations you need to contact the Incision medico-legal team urgently. There can be regulatory implications for destroying medical records that should have been retained, even where this was done under a genuine misunderstanding of the law. Therefore the medico-legal team needs to get involved right away to help you manage and mitigate the situation. Incision insureds have cover for lost and destroyed records, so depending on the exact circumstances there could be insurance funding to help restore any records that can still be retrieved. The medico-legal team can also make notifications to protect your position in case the incident leads to an investigation from the regulator and you need insurance funding for your defence. The medico-legal team can also get you early advice from specialist healthcare regulatory lawyers where necessary, to make sure that any remediation work you need to do to protect you from regulatory sanctions is done promptly.
While patients might perceive the GDPR ‘right to be forgotten’ as very simple, in fact this is a complex area of law and regulation, with potentially serious implications for you if you take the wrong steps in response to an erasure request. If you are a doctor, surgeon or clinic in private practice and a patient asks you to erase the data you hold on them, or if you or an employee has inadvertently erased medical records that should have been retained, get proper medico-legal guidance immediately. Incision insureds have cover for lost or destroyed records, and cover for defence in regulatory investigations and claims, together with an outstanding medico-legal team who will help you manage and mitigate these difficult situations, to get the best available outcomes in these often difficult situations.
Incision July 2023