NHS: Data Protection

(asked on 19th July 2018) - View Source

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps the NHS has taken to maintain patient records in a suitable format to reduce the time it takes staff to comply with subject access requests resulting from the General Data Protection Regulation.


Answered by
Jackie Doyle-Price Portrait
Jackie Doyle-Price
This question was answered on 24th July 2018

Professional bodies emphasise the importance of appropriate knowledge, skills and behaviours in the education and training of health professionals. This includes the accurate recording, maintenance and retrieval of patient records as a key part of providing quality and safe care and to support effective and efficient management of the healthcare system.

Employers will also ensure that their employees have undertaken relevant training in information governance and data protection.

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, replacing the Data Protection Act (DPA) 1998. Its provisions form legal obligations that must be observed. The right of access plays a central role in the GDPR. This updates similar provisions, known as Subject Access Requests, that were available within the DPA 1998.

The GDPR provides that the usual time limit for responding to right of access requests (within one month) may be extended by two further months where necessary, taking into account the complexity and the number of the requests and providing an explanation is given to the data subject within a month of receiving the request.

NHS Digital holds important patient information, created from general practitioner medical records, in the Summary Care Record system. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient's direct care. This information is already stored in a suitable format and therefore no changes have been required to support timely response to subject access requests.

Reticulating Splines