
Thursday, 18 October 2018

Faster and free - Your clients’ right to medical records under GDPR?


The introduction of the General Data Protection Regulation (GDPR) back in May generated a lot of uncertainty and work for businesses but created clear benefits for us all as individual “data subjects”. One up-side that went largely unnoticed is the right for clinical negligence claimants to have free access to their medical records.

Before this summer, even just the mention of GDPR might be met with groans from colleagues tired of hearing about this important but inevitably complex piece of legislation that all of us in any sort of business had to get our heads around, to some extent.

However, one specific aspect that has been of particular interest to all of us who work on behalf of people who have been harmed by medical malpractice, is the impact that the Regulation has had on accessing a client’s medical records.

The right to see the information that medical professionals have recorded about us isn’t new, of course. Such rights were certainly codified under GDPR’s predecessor the Data Protection Act in 1998 and, to a limited extent, the Access to Medical Reports Act back in 1988.

Two key aspects of GDPR have already had a significant impact on how such matters are progressed. First, the Regulation has reduced the time an organisation has to respond to a subject access request (SAR) from 40 days to one month in most cases, speeding up the process of assessing a claim, which should ultimately benefit all parties.

Second, and perhaps more important, is GDPR's provision that organisations are, in most instances, no longer permitted to charge an administration fee for responding to a SAR. As well as making it easier for prospective clinical negligence clients to get hold of their medical records before a specialist solicitor assesses the merits of their case, this also has the effect of speeding up the claims process.

These implications of GDPR are not uncontentious and there has been some resistance, particularly from smaller medical organisations such as GP surgeries, which say they are overwhelmed by the demand to review large, historic medical files in order to redact data about third parties who have not consented to the release of any information about them.

There remains some uncertainty around precisely where such responsibilities fall but, on the whole, GDPR appears to have supplied a rare improvement for claimants trying to assert their legal rights in what are often the most difficult of circumstances.

While surveying its members on the impact of such requests, the BMA has produced some useful guidance for the medical profession about GDPR, particularly its FAQs related to SARs.

Like all legislation, there are clearly some wrinkles that still need to be ironed out. Nonetheless, anything that speeds up the lengthy process of seeking redress for injury caused by clinical negligence can only be a good thing, for all parties involved.






Monday, 21 May 2018

ARAG Legal Services & GDPR


We have had a number of queries about GDPR and what help is available to Policyholders on our Legal Services website. The team behind the website has been busy working on changes and enhancements to ensure that the service we provide to customers is GDPR compliant. While some changes are already in place others will go live from the 22nd of May.

Changes to legal content – documents and law guide


Business Legal Services


Employment

We’ve updated the employment contracts so they’re compliant with the GDPR and – when it comes into effect – the new Data Protection Act.

All supporting recruitment documents have been reviewed to help employers fulfil their data protection obligations when receiving personal information from job applicants.

The Employee handbook now features a detailed Data Protection policy, outlining a business’s data protection responsibilities and how their staff should help ensure they’re met.

There is also a new Privacy notice for employers to give to existing and prospective staff, ensuring they’re given the requisite information about what personal data of theirs the employer holds.

Updated documents: Consultancy agreement, Criminal convictions declaration form for job applicants, Employee handbook, Employment agreement, Employment statement, Executive director’s service agreement, Fixed-term employment agreement, General purpose reference request letter, General purpose rejection letter, Interview checklist, Job application form, Job description, Job offer letter, Licence for an employee to occupy residential accommodation, Licence to occupy business premises, New employee induction checklist, Service occupancy agreement (Scotland), Zero-hours agreement

E-commerce

The Privacy and cookie policy for a website has been overhauled, giving users the opportunity to fully outline what categories of information they capture via their website, what they do with it and their reasons behind it. To be more in keeping with the GDPR terminology, we’ve renamed the document Privacy and cookie notice for a website. However, its purpose remains the same.

The related website terms and conditions documents have also been updated with the GDPR in mind.

Landlords Legal Services

Both commercial and private residential landlords fall under the scope of the GDPR. They will need to give their tenants information about the personal data they hold and what they’ll do with it. A new privacy notice for landlords has been created to fulfil this purpose, and we’ve added guidance to the documents listed below to help landlords understand their obligations.

Updated documents: Agreement for a landlord to share a house/flat, Agreement to let a room to a lodger on a serviced basis, Assured shorthold tenancy agreement, Letter from landlord confirming status of tenant, Medium term lease of commercial premises with rent review, Private residential tenancy agreement (Scotland), Residential tenancy agreement (Northern Ireland), Short term lease of commercial premises with no rent review

Law guides

GDPR-related information is being added to the following law guides:
Ecommerce, Employment, Landlords, Property, Purchase & Sales, Workplace

----

Changes to websites and operational procedures

Consent for use of data

The data we process in order to fulfil our service is almost all provided to us under the GDPR lawful basis of 'contract', meaning that the data customers provide is necessary for us to fulfil our obligations to them. However, when customers register to use a website for the first time, we ask them to give specific 'consent' to use their data for some purposes; for business customers, this is to receive a business bulletin. As we cannot presume that any previously supplied consent is still valid, this must be reset and collected again.

We have amended our registration form to capture consent in a more granular way, as required under the GDPR, and to tell customers how they can update their preferences. We have also updated the summary privacy notice included on the registration form:

Going forward, all existing consent responses will be reset to ‘No’ in our databases, and customers will be prompted to opt in again when they next visit the site. 

Timestamps for consent collection

As required by the GDPR, at all points where consent is collected electronically, this will be timestamped and versioned, so that there is an exact record of what a client consented to and when this took place. 
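The two requirements described above (consent reset to 'No' and re-collected, and every electronic consent timestamped and versioned against the exact notice shown) can be met with an append-only ledger. The following is an added illustration written for this page, not the website supplier's code; the class names, the 'business-bulletin' purpose, and the sample dates are assumptions. It keeps one record per consent event, ties each record to a hash of the notice wording the user saw, and implements the reset as a new 'No' record rather than an overwrite, so earlier consents remain auditable.

```python
"""Versioned, timestamped consent ledger (illustrative example, not ARAG's code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NoticeVersion:
    """One published version of a consent notice for a given purpose."""
    version: str
    text: str
    published: datetime

    @property
    def digest(self) -> str:
        # Hash of the wording shown, so a later edit to the notice cannot be
        # passed off as the text the user actually agreed to.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    """Append-only entry: who, which purpose, yes/no, which notice, when, and how."""
    user_id: str
    purpose: str
    granted: bool
    notice_version: str
    notice_digest: str
    recorded_at: datetime
    source: str  # "registration-form" or "system-reset"


class ConsentLedger:
    def __init__(self) -> None:
        self._notices: Dict[str, List[NoticeVersion]] = {}
        self._records: List[ConsentRecord] = []  # never mutated, only appended to

    def publish_notice(self, purpose: str, version: str, text: str, when: datetime) -> None:
        self._notices.setdefault(purpose, []).append(NoticeVersion(version, text, when))

    def current_notice(self, purpose: str) -> NoticeVersion:
        return self._notices[purpose][-1]

    def record(self, user_id: str, purpose: str, granted: bool, when: datetime,
               source: str = "registration-form") -> ConsentRecord:
        notice = self.current_notice(purpose)
        rec = ConsentRecord(user_id, purpose, granted, notice.version, notice.digest, when, source)
        self._records.append(rec)
        return rec

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.purpose == purpose:
                return rec
        return None

    def has_consent(self, user_id: str, purpose: str) -> bool:
        # Design choice for this example: consent counts only if it was given
        # against the notice version currently in force.
        rec = self.latest(user_id, purpose)
        return bool(rec and rec.granted and rec.notice_version == self.current_notice(purpose).version)

    def needs_reprompt(self, user_id: str, purpose: str) -> bool:
        # Re-ask when there is no answer, the answer was reset by the system,
        # or the notice has changed since the user answered. A user who said
        # 'No' to the current version is not asked again.
        rec = self.latest(user_id, purpose)
        if rec is None or rec.source == "system-reset":
            return True
        return rec.notice_version != self.current_notice(purpose).version

    def reset_all(self, purpose: str, when: datetime) -> int:
        # Reset every known user's answer to 'No' by appending a new record.
        users = sorted({r.user_id for r in self._records if r.purpose == purpose})
        for uid in users:
            self.record(uid, purpose, False, when, source="system-reset")
        return len(users)

    def history(self, user_id: str, purpose: str) -> List[ConsentRecord]:
        return [r for r in self._records if r.user_id == user_id and r.purpose == purpose]


def example_scenario() -> dict:
    """Constructed walk-through: pre-GDPR consent, new notice, reset, re-consent."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.publish_notice("business-bulletin", "v1", "Tick to receive our bulletin.", datetime(2018, 3, 1, tzinfo=utc))
    ledger.record("alice", "business-bulletin", True, datetime(2018, 3, 10, tzinfo=utc))
    out = {"granted_v1": ledger.has_consent("alice", "business-bulletin"),
           "reprompt_v1": ledger.needs_reprompt("alice", "business-bulletin")}
    ledger.publish_notice("business-bulletin", "v2", "We will email you our business bulletin. You can opt out at any time.", datetime(2018, 5, 22, tzinfo=utc))
    out["granted_after_v2"] = ledger.has_consent("alice", "business-bulletin")
    out["reset_count"] = ledger.reset_all("business-bulletin", datetime(2018, 5, 22, tzinfo=utc))
    out["latest_source"] = ledger.latest("alice", "business-bulletin").source
    out["reprompt_after_reset"] = ledger.needs_reprompt("alice", "business-bulletin")
    ledger.record("alice", "business-bulletin", True, datetime(2018, 6, 1, tzinfo=utc))
    hist = ledger.history("alice", "business-bulletin")
    out["granted_v2"] = ledger.has_consent("alice", "business-bulletin")
    out["history_len"] = len(hist)
    out["digest_changed"] = hist[0].notice_digest != hist[-1].notice_digest
    return out


if __name__ == "__main__":
    for k, v in example_scenario().items():
        print(f"{k}: {v}")
```

Whether a change of notice wording invalidates earlier consent is a policy decision rather than something the Regulation settles; the ledger above takes the strict view, which matches the post's decision to reset and re-collect everything rather than rely on older answers.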

Data Protection Policies

All data protection/privacy policies that our website supplier maintains or controls will be updated to better explain who the data controller is and to adopt a friendlier format, with a hyperlinked list of sections at the start of the document. Links to the Data Protection Policy will also be displayed more prominently on the website as part of the registration process.

Terms of use

All website terms of use will be updated to reflect the GDPR, including a reference to the Data Protection policy.

We hope Policyholders find all of these changes helpful and that they feel supported in meeting the new GDPR obligations.



(Details of GDPR updates described in this Blog have been supplied by the team behind our legal services website). 


Wednesday, 7 March 2018

ARAG Legal Services website - Free Business Bulletins



If your clients/policyholders have an ARAG policy and have not yet registered to use araglegal.co.uk , they could be missing out on lots of useful information.
In addition to maintaining the law guide and creating online legal documents for clients to customise to their own circumstances, the team behind our Legal Services website also publish topical Business Bulletins. Once registered with the site, customers can opt in to receive these.


General Data Protection Regulation

For this first blog I've extracted some content about the General Data Protection Regulation from a recent business bulletin. Why not send this to clients with a reminder of their voucher code and encourage them to register on the Business Legal Services website to receive information like this in the future.

Introduction

The Data Protection Act 2018 will implement provisions of the General Data Protection Regulation (GDPR) into domestic law in the UK. The Bill is currently making its way through Parliament and is due to be passed into law to take effect from 25 May 2018.

GDPR: how to demonstrate accountability


GDPR imposes an obligation on those who control other people's personal data. Data controllers must be able to demonstrate compliance with 6 essential principles.

In summary, these principles are that personal data must be:
1. processed lawfully, fairly and transparently;
2. collected only for specified legitimate purposes;
3. adequate and relevant, but limited to what's necessary for your stated purpose for processing it;
4. accurate and kept up to date;
5. kept for no longer than necessary for the stated purpose;
6. processed in a way that is secure.

What does it mean, in practice, to be able to demonstrate compliance with these principles?
Most importantly, you must have appropriate data protection policies and procedures. You may be a very fair person and only ever process data lawfully, fairly and transparently (as required by the GDPR). But if you don't have policies and procedures, you won't be able to demonstrate that.

You'll also have to be able to demonstrate that you correctly implement your policies and procedures and that you have effective compliance measures endorsed by the highest level of management in your business. You'll also have to provide training so that all staff understand what it means to be compliant with data protection principles, and you'll need policies for dealing with poor compliance and data breaches.

The Information Commissioner's Office says that, where appropriate, appointing a data protection officer (DPO) is necessary for demonstrating accountability. Businesses must appoint a DPO if their core activities include: regular and systematic monitoring of individuals on a large scale; or large-scale processing of information relating to criminal offences or 'special categories' – i.e. sensitive information on 8 specific topics, such as racial origin or political beliefs.

We expect most SMEs will not have to appoint a DPO. However, we'd suggest you choose someone to oversee data protection anyway, to help you demonstrate accountability.

Article 30 of the GDPR describes the records of data processing activities that you must keep. For example, the record must include your name and contact details, the purposes of the processing and any recipients of the data. In effect, this amounts to a data protection audit.

If you employ fewer than 250 employees, you might not have to comply with Article 30. However, the duty to be able to demonstrate compliance applies to all businesses that control data, so if your business does then we'd suggest you conduct a data protection audit.

What this means for you
If your business controls personal information you must act fairly and in line with the principles of the GDPR. You must also be able to demonstrate this. How you do that will depend on your business and the personal information you control. At the very least, appropriate data protection policies and procedures will help. You should, however, also conduct an audit of the personal information that your business receives and processes.

How we can help
Our Privacy and cookie policy for a website will help if you have a website through which you capture customer information. We also have an Employee handbook that instructs staff about the data protection principles and their obligations. Both documents are compliant with the current Data Protection Act, but we're currently working to update them for the GDPR.

This Blog features legal content from Epoq Legal services, creators of ARAG Business Legal Services. 

Watch out for my second blog with some more extracts for you/your clients on employment law updates.




Wednesday, 7 February 2018

3 legal developments that probably won’t happen in 2018

There’s any number of articles around at this time of year telling us about legal developments that are coming up in the next 6 to 12 months.


From the annual increases to tax allowances, minimum wage rates, and statutory pay for sickness, maternity and other family-related absence, to much more fundamental changes such as the new gender pay gap reporting requirements and the much heralded General Data Protection Regulation (GDPR), there is a lot that UK businesses need to prepare themselves for by springtime.

But, looking further into 2018, there is also plenty of legislation that has been proposed but is still a long way from the statute books, let alone an implementation date.

The combination of the government’s surprisingly weakened position in the House of Commons since last June’s election and the inevitable priority that must be given to the legislation necessary to deliver an orderly exit from the European Union, has greatly reduced the political capital and parliamentary time available to other legislation.

The free vote that the Prime Minister had promised on repealing the 2004 Hunting Act was an early casualty in 2018, but there are a few other initiatives unlikely to get before parliament, onto the statute books and into force by the end of the year.

Tribunal fees strike back?


As recently as October, (then) Lord Chancellor David Lidington claimed the government still wanted to replace the employment tribunal fee regime struck down by the Supreme Court last summer. However, higher priorities for the Ministry of Justice, and the reduced income that any fair and workable system could raise, make quick progress on this unlikely.

LASPOA reform


Formal assessment of the impact that five years of the Legal Aid, Sentencing and Punishment of Offenders Act (2012) has had on access to justice was finally timetabled by David Lidington last year, and is due to report by the end of April. Given the time it has taken even to get the assessment underway, the prospect of any major reform of the legislation being implemented in 2018 seems remote.

Civil Liability Act


Another piece of MoJ business that we seem to have been talking about forever is the Civil Liability Bill mentioned in last year's Queen's Speech. The proposed increases to the small claims court limits, to £5,000 for road traffic injury claims and £2,000 for other injuries, appear to be set in stone, but the faltering progress these reforms have seen since George Osborne first announced them in 2015 makes a September implementation seem less likely than April 2019.


Unlikely as these three developments may be to see legislative action this year, there is more than enough reform taking place in 2018 to keep us all busy. The uncertainty surrounding the implications of Brexit, especially what it means for employment law, should become clearer as the year progresses. But one piece of EU reform that seems certain to survive, GDPR, should be enough to keep us all busy, at least until the summer.

Friday, 17 November 2017

Getting Data Privacy Right


“Data protection… didn’t we just do that?”


Facebook founder Mark Zuckerberg was still in high school, two Stanford PhD students were in the process of founding Google and none of us had even heard of WiFi, let alone cloud computing, when the UK passed its most recent Data Protection Act.

So, it’s fair to say the legislation could do with a tune-up. The General Data Protection Regulation (GDPR) will supersede our 1998 Act and similar legislation in every other EU member state, and has been built to unify legislation and strengthen data protection for individuals throughout the EU.

What’s new?
There are new rights for data subjects; new responsibilities for businesses; a new principle: accountability; and much tougher penalties including compensation for data subjects and fines of up to €20 million (more for the very largest companies).

What do brokers need to know?
Far too much to cover here, but BIBA has produced extensive guidance, available online.

What about law firms?
Similarly, solicitors have a lot to be aware of, but the Law Society has created some excellent resources for the profession.

But, but… Brexit?
GDPR will be enforced in the UK regardless of Brexit. It is also expected that its requirements will continue here, whatever the terms of any Brexit deal.

How long have we got?
About 6 months. GDPR compliance must be achieved by 25 May 2018. That may still seem a way off, but we all know how long systems work can take.