Purpose of Data Storage & Processing
I am provided with personal data about data subjects by the legal teams that instruct me. The data subjects include:
This data is stored by me, and processed only insofar as it is required to enable me to offer expert opinion on the standard of practice of General Practitioners (GPs) in the following scenarios:
Nature of Data
Data includes: demographic data, health records, witness statements from individuals involved in a case, opinions from other medical experts, and legal documents pertaining to the case. Health records may contain, in addition to information about health, information about race, ethnic origin, religion, sex life, and sexual orientation. The General Data Protection Regulation 2018 (GDPR) defines the data that I store and process as “Special Category Data”.
Nature of Processing
“Lawful Basis”
The law requires that I identify one of six categories of “Lawful Basis” for storing and processing data. The lawful basis for my processing and storage of data is: “Legal Obligation”. The Information Commissioner’s Office (ICO) says that:
“Article 6(1)(c) provides a lawful basis for processing where: processing is necessary for compliance with a legal obligation to which the controller is subject.”
“Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So it includes clear common law obligations”
“This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.”
“You should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations”
As an expert witness I have legal obligations to provide honest and impartial opinion to the Courts, and the legal teams responsible for conducting civil litigation matters. It is impossible to provide expert opinion without storing and processing the data, which means that such storage and processing is essential so that I can comply with my legal obligations.
The legal obligations of expert witnesses are clearly defined in law, including:
“Special Category Condition”
As the data is “Special Category Data”, the law also requires me to identify an additional “Special Category Condition” for my storage and processing of the data. The “Special Category Condition” listed in Article 9(2) of the GDPR that applies is:
“processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”
The draft UK Data Protection Bill defines ‘legal claim’ at Schedule 1, Part 3, Section 29 thus:
“Legal claim.... This condition is met if the processing—
a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
b) is necessary for the purpose of obtaining legal advice, or
c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights”
It is my view that my work meets this definition.
Risk Assessment
Risks associated with the loss of data are very small as all data that is stored and processed by me is also stored by other organisations. For example: a data subject’s health records will be stored by both the healthcare provider that created the record, and the legal teams involved in conduct of the proceedings.
Unauthorised access to data may occur through a deliberate attempt by an unauthorised person, or through an error on my part, for example sending a report to the wrong person.
Deliberate attempts to access health records by unauthorised persons are rare in the healthcare sector.
However, if unauthorised access did occur, the potential consequence of such a breach is great for the individual subject as health records contain extremely sensitive personal information. Whilst unauthorised access to such information is unlikely to cause direct financial or physical harm to the data subject, it might cause great embarrassment, emotional distress, disruption to personal relationships, detriment to employability, and vulnerability to discrimination. In summary, the potential personal consequences for data subjects of a data breach involving health data are significant.
It is not possible to guarantee protection against unauthorised access to data by a determined third party acting outside the law. However, the measures described below represent accepted healthcare industry best practice in terms of protecting personal data and are likely to limit the possibility of unauthorised access to a great degree. Furthermore, they are proportionate, affordable and practical.
How Data Are Stored
Data are received and stored only in electronic format.
Electronic documents are stored in computers which are protected by a password at log-in, and by regularly maintained antivirus and firewall software. The data is stored within an encrypted section of the hard drive that is protected by a further password.
The encrypted sections of each hard drive are synchronised with each other via a cloud service, which also stores a copy of each file on remote servers which are located within the UK in data centres that meet the ISO 27001 standard. The data is fully encrypted in transmission as well as in storage. If local data loss occurs, files can be restored from the remote servers.
Health records are stored until either:
This is because legal proceedings frequently experience long delays, and if records are destroyed sooner, this may necessitate copies being re-sent to me if I am asked to comment further at a later date. This would introduce additional risk of data breach in transmission.
Documents that are created by me in the course of my processing of the data, for example letters and reports, are stored for 6 years from the date that the last document on file was created. I am personally liable for the opinions I give, and as such need to retain this work product in order to defend myself against potential claims.
Transmission of Data
Data are transmitted in one of two ways:
1) Via the cloud storage service referred to above.
2) Email, in which case files containing sensitive personal data are encrypted and password protected. Passwords are advised separately to receiving parties.
Data are not transferred outside the UK.
Access by Data Subjects
Should data subjects require access to the data I store about them, this can be provided free of charge. Data subjects should contact Orgwood Medical Services Ltd to arrange this.
Accountability
If data subjects have any concerns about how their data is processed, they are invited to contact Orgwood Medical Services to discuss this in the first instance. Alternatively, or if their concerns remain unresolved, they can contact the Information Commissioner’s Office (ICO). Their contact details are:
Web: ico.org.uk
Tel: 0303 123 1113