It is now nearly four years since the introduction of the General Data Protection Regulation (GDPR) [1], a wide-reaching piece of legislation that came into force on 25 May 2018 and by which very few organisations, if any, remain untouched, including GP practices.
In brief, GDPR applies generally to the processing of personal data by any organisation. It sets out extensive obligations on data controllers and processors and provides strengthened protections for data subjects, including in a healthcare setting. Among these strengthened protections is the right to erasure, i.e. a right to have personal data erased, also known as the right to be forgotten. On occasion, patients or data subjects may ask their GP practice to erase or delete their records in reliance on this right. Such requests often give rise to confusion, particularly given the strong legal and ethical emphasis on maintaining good records in the healthcare profession, and so they require careful consideration of a GP practice’s obligations under data protection legislation.
Right to erasure/right to be forgotten
Article 17 of GDPR provides for a right to erasure on a number of grounds, including where the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing (Article 17(1)(b)). A request for erasure can be made verbally or in writing and does not have to use the phrase ‘request for erasure’ or cite Article 17 of GDPR, as long as one of the grounds for the right to erasure applies. However, this right is not absolute and is subject to restrictions.
Article 17(3) of GDPR and Section 60(7) of the Data Protection Act 2018 provide that these restrictions include reasons of public interest in the area of public health, which covers data required for medical diagnosis or the provision of health treatment (Article 17(3)(c), read with Article 9(2)(h)). GDPR and the Data Protection Act 2018 also provide an exception to the right to erasure where the data may be required for the establishment, exercise or defence of legal claims (Article 17(3)(e) GDPR; see also Article 23(1) GDPR and Section 60 of the Data Protection Act 2018).
Ethical and contractual obligations
In addition to the restrictions on the right to erasure set out in Article 17 of GDPR, a doctor must be cognisant of their ethical obligation to keep and maintain records. This obligation is provided for under Paragraph 33 of the Medical Council Guide to Professional Conduct and Ethics for Registered Medical Practitioners, 8th Edition 2019, which provides the following:
- 33.2 You must keep accurate and up-to-date patient records either on paper or in electronic form. Records must be legible and clear and include the author, date and, where appropriate, the time of the entry, using the 24-hour clock.
- 33.4 You must comply with data protection and other legislation relating to storage, disposal and access to records. You should understand the eight rules of data protection (see Appendix B).
- 33.6 You should keep medical records for as long as they are likely to be relevant to the patient’s care, or for the time the law or practice standards require. You may also wish to take advice from your medical defence organisation or legal adviser about retaining records for medico-legal purposes.
Furthermore, many doctors will find that maintaining records is also a term of their GP indemnity or insurance policy.
Another consideration when dealing with the right to erasure is the obligation under data protection legislation not to retain data for longer than necessary. Article 5(1)(e) of GDPR (the storage limitation principle) provides that “Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
The HSE National Hospitals Office, Code of Practice for Healthcare Records Management [2] provides guidance on the recommended retention periods for medical records. This guidance is also set out in the ICGP’s ‘Processing of Patient Personal Data: A Guideline for General Practitioners v2.33’ [3] and is in line with the recommendations of the medical indemnity agencies and the Health Information and Quality Authority (HIQA).
A brief summary of some of the key retention periods specified in the HSE records management guidance is set out below:

| Type of patient record | Retention period |
| --- | --- |
| Healthcare records of an adult | 8 years after last contact, or 8 years after the date of death |
| Children and young people | Until the patient’s 25th birthday, or 26th birthday if the young person was 17 at the conclusion of treatment, or eight years after the patient’s death. Guidelines for public hospitals also recommend keeping records for longer periods if the contents have relevance to adult conditions or have genetic implications |
| Maternity records | 25 years after the birth of the last child |
| Records of a mentally disordered patient | 20 years after last treatment, or eight years after death |
Processing an erasure request
For a wide variety of reasons, a patient or data subject may request that their records are erased. For example, there may be a difference in opinion with the clinical decision reached and recorded by the treating doctor or due to the breakdown of the therapeutic doctor-patient relationship. Regardless of the reason, each request submitted under Article 17 of GDPR should be examined and considered on a case-by-case basis. It can be helpful to implement a protocol on the steps to take to deal with such requests which could include the following:
- Review records/data: As an initial step, there should be a review of the information/data which the patient or data subject has asked to be deleted in order to consider whether the records fall within the allowable exceptions to the right to erasure as provided for under Article 17 of GDPR (Section 60 of the Data Protection Act 2018) as mentioned above. More often than not, the request will concern entries into the patient’s clinical records. The erasure request may relate to a specific consultation entry or section or it may request the deletion of the entirety of the clinical records held by a practice. As part of this review, it is advisable also to consider if retention of the records is still appropriate, in line with the HSE retention periods guidance.
- Consider restrictions: If, following review of the records/data, you are satisfied that the retention of the records is necessary for the purpose of medical diagnosis/treatment and/or in order to comply with your obligations under the Medical Council Guidelines and/or in order to defend a claim or complaint, then the data should not be erased.
- Communicate decision: If the conclusion is that the data does fall within the restrictions to the right to erasure and should not therefore be erased, the decision should be communicated to the patient or data subject as promptly as possible along with an explanation of the reasons for the decision.
- Consider alternatives: In communicating the decision to the patient or data subject, it can also be helpful to consider whether any alternative steps could address the patient or data subject’s request or their concern about the data being retained. For example, you could offer to include a note in the records documenting the patient’s objection to the entry, or their request to delete it, together with their reasons, for future reference. You could also consider whether any other reassurance can be given about the measures in place to ensure that records are stored securely within the practice and reviewed in line with the recommended retention periods.
- Right to complain: In line with obligations under GDPR, the patient should be advised that they have a right to complain about the decision to the Data Protection Commission (DPC) via its website (https://forms.dataprotection.ie/contact). It can also be helpful to direct the patient or data subject to your practice complaints policy as another remedy, in the hope of resolving the matter at a local level.
- Good record-keeping: It is important to maintain careful notes of the decision-making process and any communication with the patient or data subject, as these may be helpful should a complaint be made to the Data Protection Commission (DPC) at a later stage. If you do receive such a complaint, you should contact your indemnifier/insurer to seek specific advice.
There is an obligation to consider each erasure request individually and on its own merits, to decide whether it is appropriate to agree to the request or whether there is a legitimate reason for the data to be retained within the allowable exceptions provided for under GDPR. It is advisable to deal with all requests as promptly as possible and to ensure that they are responded to within the GDPR timeframe (Article 12(3)): without undue delay and in any event within one month of receipt, extendable by a further two months where necessary, taking into account the complexity and number of requests, provided the patient or data subject is informed of the extension and the reasons for it within the first month.
Queries regarding GDPR access requests and rights can often involve a balancing exercise between the patient’s rights and the duties and obligations on a doctor and can require specific tailored advice. If you have any such queries, it is always advisable to contact your indemnifier/insurer for advice.
- [1] General Data Protection Regulation (EU) 2016/679, applicable from 25 May 2018
- [2] HSE National Hospitals Office, ‘Code of Practice for Healthcare Records Management: Record Retention’, HSE.ie
- [3] ICGP, ‘Processing of Patient Personal Data: A Guideline for General Practitioners’, www.icgp.ie