This briefing outlines the rights of data subjects which have been either strengthened or introduced by the GDPR. There has been an abundance of commentary in relation to this area in particular and we hope to summarise the key points of relevance to health and social care providers.
A data subject’s right to fair processing is a fundamental right recognised in the EU Charter. The following rights are provided for in the GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subjected to automated individual decision making, including profiling, where the decision will have legal or other significant effects
- Right to a remedy
The information to be provided to data subjects has been covered in an earlier briefing. We will address changes in relation to subject access requests in a forthcoming briefing.
Conflicting rights of data subjects
It is important to bear in mind that the data which is subject to these rights may constitute the personal data of more than one data subject and the rights of data subjects may conflict with one another. The GDPR does not give automatic priority to one data subject’s rights over another’s and a balancing exercise will have to be undertaken on a case-by-case basis. Opinions recorded by healthcare staff about a patient in that patient’s care record constitute personal data of the patient. However, they are also likely to be regarded as the personal data of their author, whose rights will need to be considered in any processing decision.
The controller’s responsibility to exercise the subject’s rights
From the outset it is worth noting the obligations contained in Article 12, whereby the Controller is required to facilitate the exercise of the Data Subjects’ rights. In summary:
- Art 12(3) requires controllers to advise data subjects within one month of receipt of a request under articles 15 to 22 as to whether any action has been taken. That period may be extended by two further months where necessary.
- Art 12(4) states that if the controller does not take action, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of making a complaint to the supervisory authority.
- Art 12(5) states that information and action taken in response to requests shall be free of charge unless requests are manifestly unfounded or excessive.
The right to rectification
Under the GDPR, data subjects have the right to obtain rectification of inaccurate personal data without undue delay and, taking into account the purposes of the processing, the right to have incomplete personal data completed.
The right to portability
In effect this right is a subject access right. However, it applies only to personal data which the data subject has provided to a controller (and not information generated from that personal data), where the processing is based on the individual’s consent or on the performance of a contract, and where the processing is carried out by automated means. This will include any computer-based processing. Data controllers will be required to provide personal data to individuals, or in some cases to other organisations, without hindrance, in a structured, machine-readable format.
The EU’s Article 29 Working Party has adopted guidelines in relation to the right to portability. The Working Party advises that the outcome of an assessment regarding a user’s health… [cannot of itself] be considered as provided by the data subject. The term ‘provided by’ includes personal data that relate to the data subject’s activity or result from the observation of an individual’s behaviour, but does not include data resulting from subsequent analysis of that behaviour.
That is not to say that such data is not personal data but simply that it falls outside the scope of the right to portability.
The right to restrict processing
Under Article 18 data subjects have the right to restrict processing where:
- Accuracy of the data is contested
- The processing is unlawful and the data subject opposes the erasure of data
- The controller no longer needs the data, but the subject requires the data for the establishment, exercise or defence of legal claims, or
- The data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate grounds of the controller override those of the data subject
Where processing has been restricted, further processing, other than storage, may only go ahead with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or a member state.
The right to object
Where the public interest or legitimate interests conditions in Article 6 are relied upon, data subjects have the right to object to their personal data being processed at any time. The controller is not permitted to carry on processing unless it can demonstrate that there are compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or that the processing is for the establishment, exercise or defence of legal claims. Where processing is undertaken in reliance on consent, withdrawal of consent will render further processing unlawful in the absence of another relevant ground.
Rights relating to automated decision making and profiling
The GDPR’s provisions are similar to those contained within the DPA. Individuals have a right not to be subject to a decision which is based solely on automated processing, including profiling, where that decision produces a legal or similarly significant effect on them. This does not apply where the decision is necessary for entering into a contract, is authorised by law or is based on explicit consent. The processing of special category personal data for automated decision making is subject to additional restrictions.
As the A29WP notes, ‘Profiling is a procedure which may involve a series of statistical deductions. It is often used to make predictions about people.’
There is ample scope for automated decision making in the context of health and social care, such as the use of risk rating algorithms. Whilst it is likely that such tools would normally be subject to human intervention in respect of the implementation of any resulting decision, the question of whether the degree of human intervention was adequate in a given case may be the subject of dispute.
Given the growth in the use of AI in healthcare this aspect of the GDPR is likely to become increasingly relevant in this field.
The right to have data erased
The accuracy principle requires personal data to be accurate. Under the DPA, a data subject may apply to the court to request that inaccurate data which is being processed is blocked, erased, rectified or destroyed.
Article 17 GDPR does not provide an absolute right to be forgotten. It provides data subjects with a right to erasure without undue delay where one of the specified conditions is met. These include:
- The personal data are no longer necessary in relation to the purposes for which they were collected
- Where the consent on which processing is based is withdrawn
- The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to processing pursuant to Art 21(2)
- Personal data have been unlawfully processed
However, there are exemptions. It is likely that service providers in health and social care will be able to decline requests for erasure in many cases, as processing (including retention of records) could be considered necessary for:
- Compliance with a legal obligation which requires processing by EU or member state law to which the controller is subject, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- The establishment, exercise or defence of legal claims, which includes prospective claims
The right to a remedy
Under Article 82(1) data subjects have the right to compensation; the provision is as follows:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Damages will remain available for ‘distress only’ claims, in line with current UK case law. In terms of liability, processors will only be liable to the extent that they have acted outside of their instructions or failed to comply with aspects of GDPR specific to the obligations of processors.
The recent High Court decision in Various Claimants v Morrisons demonstrates the possibility that processors or controllers could be held vicariously liable for the wrongful acts of their employees. That decision is likely to be the subject of an appeal.
How to respond to requests from data subjects
In light of the overarching obligation contained in Article 12, organisations will have to consider how they will co-ordinate their response to requests from data subjects regarding the exercise of their rights and prepare appropriate policies and procedures for handling such requests.
In the first instance it may be worth setting up designated email addresses to receive such requests where possible and raising staff awareness so that they are able to recognise a request and forward this for action as appropriate. This will be necessary as there is no specified format for such requests.