
Friday, 28 July 2023

Medical Centre in Harlesden responds to allegation they are breaking guidelines over charging for copies of patient records

 

The Kilburn Unemployed Workers Group has taken up what they see as over-charging by a Harlesden medical practice, Freuchen Medical Centre, for printouts of people's medical records. It is difficult for people to access disability benefits, especially with an invisible illness, unless they have proof of their conditions. Claimants understand the importance of documentation and are forced to pay the fee for a copy of their records. KUWG say the practice is full of people who have no money at all and no understanding of the system, with a large immigrant and refugee client base, and to whom this illegal fee will be acting as a very effective barrier.

In the letter sent to the practice in December 2022, KUWG said: 

It is most surprising that your Data Protection Officer seems unaware of the provisions of the General Data Protection Regulation and Data Protection Act 2018 with regards to patients' access to their medical records. Perhaps you might bring their attention to the BMA guidance on access to medical records, which is available in full as a PDF download from the BMA website at www.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/access-to-health-records

 

For your convenience, here is a copy of the relevant paragraphs:

 

4.8 Can a fee be charged?

 

“Initial access must be provided free of charge (including postage costs) unless the request is ‘manifestly unfounded’ or ‘excessive’ – in which case a ‘reasonable’ fee can be charged. These circumstances are likely to be rare and should be assessed on a case by case basis.

 

The ICO has advised us that a request may be deemed ‘manifestly unfounded’ if the requestor makes it clear they are only requesting the information to cause disruption to the organisation or if the requestor makes completely unsubstantiated accusations against the controller. If however, the requestor has some form of genuine intention in obtaining their information, it is unlikely the request could be deemed as manifestly unfounded.

 

A request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee based on the administrative costs of providing further copies or refuse the request.”

The KUWG had not received a response so Wembley Matters yesterday asked Freuchen Medical Centre for a statement on the allegations. They responded:

With reference to your allegations and information surrounding GDPR and Data Protection 2018, subject access requests and patient access to medical records. We acknowledge these and are aware of these regulations. These are clearly documented and followed in our practice policy.

All patients have the right to access their medical records, whether electronically or in printed form. However, for patients who are deemed to have requested excessively and wish to request printed copies, there is an administration fee associated with the service. The fee is necessary to cover the costs of printing paper and ink, as well as administrative time involved, as this is not covered by the NHS.

Our primary goal is to ensure that patients have convenient access to their medical information, and we encourage the use of electronic records as a more sustainable and cost-effective option. Nevertheless, we understand that some patients may have specific preferences or needs that require physical copies.

Unfortunately, without further information surrounding the specific case it is difficult to comment further.

We are extremely mindful of the socio-economic deprivation prevalent in the area in which we operate, with multiple vulnerable groups. Charges for non-NHS work which falls outside of our contractual obligations are completed in order to help these vulnerable groups, often without any charges being applied to them.

Commenting on the statement, KUWG said:

The fact that they have a reason for breaking the provisions of the Data Protection Act doesn't make it legal or correct. Anyone breaking a law will have a reason. The guidelines are clear.
 
In most GP practices if you ask for a copy of your summary care record it is done on demand at the click of a button by the receptionist and involves no more than 3 pages of printing. Even if they were allowed to charge a fee, £5 is exorbitant for a minute's work and between one and 3 pages of printing. 
 
Where people want a full printout of their records this can be more problematic for the surgery because there can be a great many pages, and many practices ask for the full amount of time given under the Data Protection Act, i.e. 40 days. But the Act still says that this should be provided for free. We note the response from the practice states that the fee is only for people who 'prefer to receive printed copies' but nowhere on the price list is it stated that they are offering a free digital alternative. This is irrelevant but surprising. They do have a right to charge what they like for copies of any data that is not held electronically and which needs to be scanned and printed by hand, like specialist reports from hospitals, but that's all. They also have a right to charge for letters. But not for printouts of people's data.
 
 
 


 

Tuesday, 26 September 2017

Information Commissioner's Office calls on Brent Council to take measures to avoid future data protection breaches

Following the data breach by Brent Council, when e-mail addresses of residents were sent to recipients of a message about a meeting, a complaint was made to the Information Commissioner's Office.

This is their response:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • Inform any other parties whose data may have been inappropriately disclosed in this case.

Although we do not intend to take any further regulatory action on this case, this will remain on our systems to help us build a picture of Brent Council’s information rights handling.

We will continue to monitor the council’s data protection practices, and should any regulatory action be taken against them in the future, your case may form a part of our intelligence against them. You can view any regulatory action we do take on our website, using the following link: https://ico.org.uk/action-weve-taken/

Thursday, 24 December 2015

Only 'Limited Assurance' for Brent Council data protection in ICO Audit

The Information Commissioner's Office's recent audit of data protection at Brent Council resulted in a 'Limited Assurance' grade - the second lowest.

The report LINK Executive Summary states:
There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act.
Among the areas for improvement are (bold is my emphasis):
At present the [Council] have not implemented any endpoint controls which would restrict the import and export of data using portable devices resulting in the risk that an individual could download personal information without authorisation or potentially introduce malware into the council's network.

There is currently no formally established programmes of data protection security or information security related refresher training in place, with the last training of this nature being delivered via e-learning in 2012. Staff who commenced employment at the council prior to the last refresher course in 2012 may not have had data protection or information security refresher training for a significant period of time.

[The Council] reported a 64% subject access compliance rate during 2014. This increased to 78.6% during January - May 2015, and are targeting 80% during 2015 and 95% for 2016. The ICO believes this latter target is more appropriate and [The Council] should also ensure that they prioritise requests which are in danger of falling outside the statutory 40 calendar day period.

[The Council] have aimed to raise awareness of data sharing through a combination of methods which include e-learning and use of the intranet. Despite this, awareness of specific data sharing policies and / or guidance amongst operational staff was low, with interviews unable to make reference to specific policies.

There are inconsistencies in the use and completion of the Data Sharing Agreement (DSA) template and no specific provisions within the DSAs viewed as part of the audit to distinguish between fact and opinion within shared data. In addition not all the DSAs and supporting procedural documentation specify retention periods for shared data or prescribe that the recipients of shared data must destroy or return that data once the relevant purpose is served or any relevant retention period expires.
There is an Appendix attached to the report showing that although Islington and Barnet Councils achieved the higher 'Reasonable Assurance' grade (second out of four grades) other councils also achieved the Limited Assurance. An Action Plan is tabled LINK and the ICO will conduct a desktop check within 6 to 9 months.

Thursday, 13 August 2015

Brent Council: Same two questions – why no answers?

Philip Grant wondered if Wembley Matters readers could stand another posting on 'The Two Questions' when he submitted this guest blog. One of Brent Council's strategies is to continue to stonewall until complainants give up. Philip's persistence is admirable and should be supported.

Some “Wembley Matters” readers have been following the saga of my two questions to Christine Gilbert about the probable “pay off” by Brent Council to its former Director of HR, Cara Davani, and the explanations given as to why she cannot answer them. This is the latest round. Anyone who wishes to see the earlier rounds can find them at LINK and LINK and LINK.

If you are interested enough to read the exchange of emails below, I would welcome your comments. Are the reasons given by Brent’s Chief Legal Officer reasonable? Even if you think they are not, do you feel that I should give up now, and let those at the top of the Council get away with what appears to be a cover-up? Or do you support my efforts to get to the bottom of this matter? If the latter, then please show your support, not just by adding a comment below, but by emailing your local councillors to say that Brent must answer Philip Grant’s two questions, and explain why it believes that any “pay off” to Cara Davani is justified, and not a misuse of funds that the Council should be spending instead on services for local people. Thank you.

THIS IS A LINK TO COUNCILLOR TELEPHONE AND EMAIL DETAILS

Email from Fiona Alderman, sent at around 10pm on Wednesday 12 August 2015:-
Dear Mr Grant

I am replying to your recent correspondence to the Chief Executive and myself.

It is accepted that, under the Data Protection Act 1998, information relating to individuals can be disclosed if it is necessary and reasonable to do so and there is an overriding public interest justification. However, in respect of employment matters, individual members of staff have a legitimate and reasonable expectation of privacy and confidence and it is not appropriate for the Council to answer your enquiry. 

In relation to your separate question regarding compensation, the remedies hearing in the case of Ms Clarke has not yet determined any compensation award and, as such, it would not be appropriate to comment further at this stage.

I will provide a copy of this response to Councillors Warren and Kansagra.

Regards 

Fiona Alderman
Chief Legal Officer

Email from Philip Grant, sent at around 5.30pm on Thursday 13 August 2015:-

Dear Ms Alderman,
Further to my acknowledgement of the email which you sent me yesterday evening, I am now writing to reply to the latest reasons you have given for Brent Council not answering the two questions which I put to Christine Gilbert on 9 July 2015.
My questions were raised in the context of serious concerns which many local people, including Council staff, expressed when rumours emerged two months ago that Cara Davani was to receive a “pay off” from Brent. The Council had announced that she was leaving at the end of June, to take a “career break”, so there appeared to be no reason why she should receive any further financial benefit.  She was already a controversial figure, who many thought should have resigned when her actions against Rosemarie Clarke in 2013 became public knowledge, through the publication in September 2014 of the Employment Tribunal judgement. It seemed inexplicable that Brent appeared to have taken no disciplinary action against her then for gross misconduct.
The possibility that Cara Davani might also be “rewarded” when she finally did leave the Council generated those serious concerns, and I sought answers from Christine Gilbert to find out whether the rumours were true, and if so, what was the justification for any such “pay off”. Those are still the matters which need to be resolved, and they will not be resolved by the Council continuing to be evasive over providing the answers. I realise that you are probably only carrying out the wishes of those above you in trying to defend that prevarication, and I will explain now why the reasons you have given do not stand up, by reference to the questions that I still believe Brent must answer.
1. Can Brent Council confirm that there has not been, and that there will not be, any financial payment by the Council to Cara Davani in connection with her leaving the Council's employment as Director of HR and Administration, other than her normal salary payment up to 30 June 2015?   YES or NO.
You have said:
‘It is accepted that, under the Data Protection Act 1998, information relating to individuals can be disclosed if it is necessary and reasonable to do so and there is an overriding public interest justification. However, in respect of employment matters, individual members of staff have a legitimate and reasonable expectation of privacy and confidence and it is not appropriate for the Council to answer your enquiry.’
It is already in the public domain that Cara Davani, former Director of HR and Administration, left the Council at the end of June 2015, and that there was an agreement with her, even though ‘the council cannot legally disclose any details of the arrangements relating to Ms Davani’s departure’, which are presumably contained in that agreement. By simply answering “yes” or “no” to my question 1. above, the Council would not be breaching any ‘reasonable expectation of privacy and confidence’ that Ms Davani might have, especially given the context of this matter as outlined above (which I believe does provide ‘an overriding public interest justification’).
As I have said before, to Christine Gilbert, if the honest answer to question 1 is “yes” (i.e. that there was no financial payment other than her normal salary up to 30 June 2015), that is the end of that matter. However, if the answer is “no”, then Ms Gilbert does need to explain what justification there is for having made an additional payment (even if the amount of any such payment can only be given, in confidence, to those Council staff and councillors who need to know it). If the Council cannot show that there is a valid justification for any additional payment to Ms Davani, then such a payment could be a misuse of Council funds, and should be open to public challenge. That consideration must surely override the “privacy” of a person who may have received such a payment.
2. Can Brent Council confirm that it has not agreed, and will not agree, to pay any award of compensation, damages or costs made against Cara Davani personally, as a separately named respondent from Brent Council, in any Employment Tribunal or other legal proceedings in which she and the Council are named parties?   YES or NO.
I have already dealt with your ‘expectation of privacy and confidence’ point above, but you also say:
‘In relation to your separate question regarding compensation, the remedies hearing in the case of Ms Clarke has not yet determined any compensation award and, as such, it would not be appropriate to comment further at this stage.’
I thought that I had already covered this point in my email to you and Christine Gilbert on 3 August, making clear that the fact that the remedies hearing has not yet been finalised does not prevent Ms Gilbert from answering my second question. However, I will spell it out again here.
If the Council has not agreed, and will not agree (as it should not, for the reasons below), to pay any award made against Ms Davani personally, then the answer is “yes”, and that is the end of the matter.
If the Council has agreed to fund all or any part of any award which the Tribunal may make against Ms Davani personally, then the answer is “no”. The question is not asking for any amounts, so it does not matter that those are ‘not yet determined’.
I accept that the Tribunal has not yet made any awards in this case, but given its findings in favour of Rosemarie Clarke in the judgement of September 2014, it is likely to make awards at the remedies hearing. It may decide to make its awards solely against the first respondent, the London Borough of Brent, the employer. However, as Cara Davani is a separately named respondent in the Employment Tribunal proceedings, it is open to the Tribunal to make an award against her personally. If it does that, it will be doing so on the basis of its findings of fact, after reading and hearing detailed evidence.
In these circumstances, I believe that it would be wrong, and a misuse of Council funds, if Brent were to pay any award made against Ms Davani personally. That is why it is important that my second question is answered, and answered now, so that if the honest answer is “no” Ms Gilbert can explain why she, or whoever on behalf of the Council agreed such an arrangement, considers that it is justified for Brent to pay any such award.
I am sure that the Tribunal will only make an award against Ms Davani personally, if it does make such an award, if it believes that award reflects her own liability on the facts of the case, and not that of the Council. Surely it is right that councillors and the public should be able to challenge any possible misuse of Council funds. To conceal the facts, when they have been openly requested, in a way that does not require the Council to breach its secrecy agreement with Ms Davani over the details, just as surely cannot be right.
I am copying this email to Cllr. Kansagra and Cllr. Warren, and will forward a copy to the other councillors who were copied into my previous correspondence with Ms Gilbert on this matter. I will also make it publicly available, as I informed you this morning.
In conclusion, I hope that you will now provide the two “yes” or “no” answers to my two questions. If you do not feel you can do so in Ms Gilbert’s absence, please confirm that you will advise her to provide the answers on her return from annual leave, and let me know, please, when that is expected to be. Thank you. Best wishes,

Philip Grant.

Monday, 26 January 2015

Rosemarie Clarke’s missing votes: Cara Davani refuses to tell





Guest blog by Amir Tahir



On 22nd December last I submitted a Freedom of Information request to Brent Council asking for the following:
1. The number of nominations/votes received by individual Brent Staff Achievement Award winners 2014
2. The number of nominations/votes received for Rosemarie Clarke for Brent Staff Achievement Awards 2014.
By return I received the following acknowledgement from Cara Davani:
‘Thank you for your information request. We (sic) will forward it to the relevant department who will contact you shortly.’
On 21st January I received the following from Brent Council HR department.
‘The requested information is exempt from disclosure under Section 40(2) of the Freedom of Information Act (FoIA). The information is personal data as defined by the Data Protection Act 1998 (DPA). As it is information about individuals, we are unable to give this to you; release of this information would constitute a breach of Principle 1 of the DPA. Principle 1 states that personal data shall be processed (used) fairly and lawfully and, in particular, shall not be used unless at least one of the conditions in Schedule 2 of the DPA is met; in this case none of those conditions have (sic) been met.* This response therefore acts as a refusal notice under section 17 of the FoIA.’
* I would welcome opinions on this. AT
Obviously, my request for the total number of Rosemarie’s votes was not made out of idle curiosity; we all know that the response to the ‘Vote for Rosemarie’ idea was overwhelming with Civic Centre staff and members of the public expressing their solidarity with Rosemarie and their admiration for the way she had conducted herself in the face of what a British court has adjudged was Cara Davani and Brent Council’s racial discrimination, victimisation and constructive dismissal. The online vote she received was massive. Nor was it my intention in any way to detract from the achievements of the other worthy winners of Brent Staff Achievement awards.
However, the Council leadership’s mean-spirited response to the avalanche of votes for Rosemarie seems to me a missed opportunity for Butt, Gilbert and Davani finally to concede that those voting for Rosemarie possibly had a point; that Civic Centre staff and the public generally support Rosemarie for principled and valid reasons; and that an employment tribunal judge’s opinion possibly carries a little more authority than that of a small cabal of mutually back-scratching and terminally compromised senior managers and local politicians.