Phil,
Thanks for this excellent post. It clarifies the issue. The NHS responsibilities are slowly, but surely, coming into local government so it is worth considering this level of attention to local government audit systems.
Thanks again for the detailed response. Much appreciated.
Best,
Lawrence
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 18 September 2015 10:15
To: [log in to unmask]
Subject: Re: Audit log entries - personal data?
Whether the names of those who have accessed the patient's records is the patient's PD is one of those hazy areas IMO. On a Durant type analysis it does not relate to / is not about the data subject. On a purposive approach it is certainly a privacy issue for the subject as to who has been accessing his sensitive PD.
Today I am prepared to accept - just - that it is not. So falls outside the primary s7 duty.
However even if that is correct it is not the end of the matter. There are customer care considerations. There is s7(1)(b)(iii) mandatory disclosure of recipients or classes of. There is the NHS Care Records Guarantee: http://systems.hscic.gov.uk/rasmartcards/documents/crg.pdf
The latter says: "If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, which could include ending a contract, firing an employee or bringing criminal charges."
This falls short of committing to say who has accessed but has a strong transparency flavour.
s7(1)(b)(iii) of course only requires a description of the recipients.
Looking at it in the round I share the concerns of those who query why there really should be any objection even if not strictly required legally. As long as staff are clearly made aware that access is logged and may be disclosed what is the issue? In rare cases they can lodge a formal objection and have it upheld if reasonable.
Alternatively a good balance might be:
1. Disclose the identity of all those who have accessed as part of normal clinical care. There are good privacy and ethical reasons why this is good practice.
2. Describe very clearly as required by s7(1)(b)(iii) who else has accessed, and why (see s7(1)(b)(ii)), without necessarily naming them.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.