Whether the names of those who have accessed the patient's records is the patient's PD is one of those hazy areas IMO. On a Durant type analysis it does not relate to / is not about the data subject. On a purposive approach it is certainly a privacy issue for the subject as to who has been accessing his sensitive PD.
Today I am prepared to accept - just - that it is not. So falls outside the primary s7 duty.
However even if that is correct it is not the end of the matter. There are customer care considerations. There is s7(1)(b)(iii) mandatory disclosure of recipents or classes of. There is the NHS Care Records Guarantee: http://systems.hscic.gov.uk/rasmartcards/documents/crg.pdf
The latter says: "If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, which could include ending a contract, firing an employee or
bringing criminal charges. "
This falls short of committing to say who has accessed but has a strong transparency flavour.
s7(1)(b)(iii) of course only requires a description of the recipients.
Looking at in the round I share the concerns of those who query why there really should be any objection even if not strictly required legally. As long as staff are clearly made aware that access is logged and may be disclosed what is the issue? In rare cases they can lodge a formal objection and have it upheld if reasonable.
Alternatively a good balance might be:
1. Disclose the identity of all those who have accessed as part of normal clinical care. There are good privacy and ethical reasons why this is good practice.
2. Describe very clearly as required by s7(1)(b)(iii) who else has accessed, and why (see s7(1)(b)(ii)), without necessarily naming them.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|