GDPR, Surgeons and Coronavirus

Incision Indemnity
9th September 2020

It has been over two years since GDPR and the Data Protection Act 2018 came into force. The ICO’s resources for healthcare professionals are at Yet surgeons still regularly face data protection concerns. Here is some food for thought about situations where surgeons need to be alert to potential data problems, and particularly in the context of Coronavirus.

Storing patient records

The publicity around GDPR raised some uncertainty. One of the GDPR principles is that data should be stored for no longer than is necessary. But this does not affect the long-standing requirement on surgeons to retain medical records for a specified period – a minimum of eight years, and often longer for particular groups of patients such as children.

Also, patient records often prove crucial in defending claims for negligence. Premature destruction of records could seriously harm the ability to defend a claim that is made later on.

We don’t know of any official guidance about whether the Coronavirus Lockdown means that medical records should be stored for longer. However, it is clear that there has been extensive disruption to medical care across most specialties, with swathes of surgery being postponed for long periods. Also, it is clear that many claimant solicitors were significantly affected by Lockdown and had difficulty progressing claims that were already in the pipeline, or were about to start. Therefore it is possible that records may be needed for somewhat longer than they would be in normal times. Surgeons may wish to consider pausing any data destruction activities for the moment.

Mass Mailings

It may be that Coronavirus has prompted more mass mailing by surgeons than usual. Many surgeons will have had to send out mass emails or other mailings to patients to provide essential information about changes to their practice. Even once the emergency is over, some surgeons may find that they need to engage in more marketing to rebuild their practices after the interruption of Coronavirus.

Under the GDPR, in order to process a person’s personal data, a controller of personal data must have a “lawful basis” on which to do so. To take marketing communications as an example, it is acceptable to send marketing emails on the basis of “consent” or “legitimate interests”. If you have a record of the patient’s agreement that you could contact them for marketing purposes, then that is sufficient. But if you do not, the position is more complicated, and sending that marketing email could be a breach. As a controller of personal data, this could expose you to the risk of receiving a financial penalty imposed by the ICO.

Medical indemnity and cyber insurance

Incision members have medical indemnity and cyber insurance to provide appropriate cover for data protection breaches. All surgeons should check whether they have cover for data protection breaches – some medical indemnity policies exclude that sort of liability.

If your patient records or data have been lost, damaged or stolen, or if anyone alleges a data protection breach, you should contact your medico-legal advisers and insurers/indemnifiers straight away. You need guidance on what to do next to protect your interests.