Out-Law / Your Daily Need-To-Know

Heart scan case shows organisations must reduce subject access request burdens on themselves, says expert


Organisations that process personal data which could be subject to a 'data subject access request' should store that data in a way that allows them to access it cost-effectively, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that it was a fundamental right of individuals to be given access to the personal data organisations store about them under the Data Protection Act (DPA).

She said that the UK's data protection watchdog, the Information Commissioner's Office (ICO), would almost certainly inform an NHS body in England that it would have to foot the vast majority of a £2,000 bill to provide a patient access to details of a medical scan it holds.

Patient Andrew Brown asked Worcestershire Acute Hospitals NHS Trust for a copy of the image taken from a cardiac ultrasound that he had in 2004. Brown said he wants to compare the 2004 image to that from a more recent scan taken earlier this year, according to a report by the BBC.

However, the NHS body said that although it "does have the visual data on file", the "cost of generating an image from what is now obsolete technology is not a cost effective use of public money," according to the BBC's report.

"We have made inquiries with other trusts in the country to see if they have the facility to download and transfer the data we hold on to a CD but to no avail," the Worcestershire trust said.

The Trust has said that it would need to fly in special equipment from the US to access the data, which is stored on a "magneto-optical disc", because the particular disc reader is no longer in production in the UK, according to a report by The Register.

It has asked the ICO for its view on whether the NHS body should have to pay the £2,000 to comply with Brown's request for the data.

Under the DPA organisations are generally required to provide a copy of the personal data they hold about an individual when that individual requests access to it. In order to comply with this data subject access request, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

The ICO has issued guidance that explains the concept of 'disproportionate effort' in the context of a subject access request. According to the guidance, the rule on disproportionate effort "applies only to the task of responding to a subject access request by providing a copy of the information in permanent form."

"It does not apply to the effort required to locate the personal data," it adds. "Even where the provision of a copy of the information in permanent form may involve disproportionate effort, the data controller will still be obliged to try to comply with the subject access request in some other way."

Organisations can charge data subjects a fee of £10 to exercise their right of access to their personal data.

Organisations do not have to comply with a data subject access request if they have previously complied with an "identical or similar request ... unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request."

The NHS body has claimed that it previously gave Brown a copy of a written record of his 2004 scan results, according to The Register's report. However, it seems that Brown is now seeking a copy of the actual scan taken in 2004.

"In determining ... whether requests ... are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered," according to the DPA.

Van der Merwe said that it is "unlikely" that the ICO will grant the Trust permission to refuse the request.

"It is a fundamental right under the DPA for data subjects to have access to the personal data organisations process about them," van der Merwe said. "It is not the fault of the data subject if organisations store their data in a way that is difficult and costly to access."

"If the Trust is able to argue that the scan is stored on a part-electronic, part-manual filing system then it may be able to charge Brown £50 to gain access to the record. This is because in cases where organisations hold medical records on either manual filing systems or part-electronic, part-manual filing systems, they are entitled to levy such a fee before responding to a request for that information. It appears, though, that Brown's 2004 scan is stored electronically only, albeit in a format that is inaccessible by the organisation," the expert said.

"The 'intelligible form' rules under the DPA prevent the Trust from simply handing over the disc to Brown and placing the burden of accessing the information on it on him. In other cases the Trust could have invited Brown to view the scan on its computers on the grounds that it would represent a disproportionate effort to provide him with a permanent copy, but it appears that the problem the Trust faces is in actually accessing the data in the first instance," van der Merwe added.

"It is important for all organisations to assess what information they hold which could be subject to a data subject access request and to make sure that they can easily access such information," she said. "It is more than likely that the ICO would be of the opinion that it is the organisation's responsibility to ensure that they transfer the personal data from obsolete media to more modern systems in order to reduce the time and cost burdens on themselves if called upon to respond to subject access requests. This is of course providing that it is still necessary for the organisations to continue to retain old personal data records."

"We should not think of this as an isolated case. In this day and age, organisations cannot afford to be short-sighted," she said.

"The Trust has followed good practice by asking for the ICO's opinion on this case and it may lead to the watchdog issuing new guidance on how cost burdens, particularly on public bodies, should be accounted for when organisations are asked to comply with a subject access request," van der Merwe said.
