“Nobody can hurt me without my permission.”
― Mahatma Gandhi
Often the occupational health file of a former officer contains disclosed medical records; records that were obtained via consent for a specific purpose, be it the original decision or the last review. The GP medical records do not belong to the force – they were collated for a reason and should be disposed of once that reason has ended. Does the force have the right to dip in and out of these medical records as they choose?
Here is a response from the Information Commissioner’s Office regarding the limitations of consent:
Case Reference Number ENQ0571696
In your email you ask questions about third parties gaining consent to access your medical records from your GP.
Question: […] once consent is given, is that consent infinite until explicitly withdrawn? In other words once consent is so given is the passage of time, whether that be days, weeks, months or years irrelevant?
ICO answer: Consent would need to be gained with each request.
Question: […] once that consent has been given in writing for a third party (as above) to access a patient’s medical records, at the point those records are provided (accessed), does that specific consent then expire?
ICO answer: The consent would last until the records were accessed by the third party.
Question: To clarify that, can that given consent be exercised more than once or continuously?
ICO answer: Consent would need to be gained with every request.
Question: Would any request made now be considered a fresh request and any attempt to use a historical consent be denied?
ICO answer: If there is going to be a new request for your medical data, consent would need to be gained.
Question: Would any registered medical practitioner be acting unethically if they made such a request based on an historical consent?
ICO answer: A medical practitioner needs to comply with the Data Protection Act 1998 (DPA) and could not use a historical consent.
Question: Would the ICO position be if such a historical consent was attempted to be used or presented as being valid (despite the passage of time and previous access) that any registered medical practitioner should reject such a request as invalid and require a ‘fresh and current consent’ from the patient?
ICO answer: The GP would be required to gain consent upon every request.
Question: Any consent should be subject to informed consent and valid, a gap of years surely must be contrary to the original informed consent?
ICO answer: The third party needs to obtain consent from yourself every time they wish to access your medical records. Requesting consent every time would mean the third party would be complying with the first principle of the DPA. The first principle is about processing fairly and lawfully and with respect to one of the conditions outlined in the act.
To clarify, this means that an organisation must:
have legitimate grounds for collecting and using the personal data;
not use the data in ways that have unjustified adverse effects on the individuals concerned;
be transparent about how they intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
handle people’s personal data only in ways they would reasonably expect; and
make sure they do not do anything unlawful with the data.
Information Commissioner’s Office
That seems very unambiguous. Once consent is given, that consent has to be timely and relevantly exercised; subsequently, new consent has to be obtained to allow for further use of the data. So a force is unable to delve into the medical records enclosed in an occupational health file at their whim; they are unable to approach a GP practice and ask for further disclosure using previous consent without expressly renewing the consent.
Some forces are under the misapprehension that once they have copies of medical records, they own the data and their access to it is then infinite. This is incorrect. To give a clear view of this mistaken belief, here is the fallacy of what Avon & Somerset thinks historical consent allows:
Police Medical Pensioners Medical Record Authority Timescale – a Freedom of Information request to Avon and Somerset Constabulary
In respect of Police medical pensioners. When an authority to release medical records from General Practitioners, specialists and consultants in relation to that Officer has been submitted to the Force, how long in timescale does that authority last? Is it days, weeks, months, or years. Please be specific.
Private
Philip Piper
[FOI #249845 email]
Our Reference: 089/15
Your reference:
Date: 17 February
Dear Mr Piper
I write in connection with your request for information dated 23rd January concerning medical records.
Specifically you asked:
In respect of Police medical pensioners.
When an authority to release medical records from General Practitioners, specialists and consultants in relation to that Officer has been submitted to the Force, how long in timescale does that authority last? Is it days, weeks, months, or years. Please be specific.
The authority lasts until consent is withdrawn.
Freedom of Information Officer
Corporate Information Management Department
No, it doesn’t, Mr/Mrs C Quartey. The consent lasts until the records are accessed. Once that access is completed then the consent expires. Any decision made without valid permission for those records to be accessed is therefore unsound.
It is quite frightening that a Police Force has such disregard for data belonging to former officers. What liberties is it taking with data of other members of the public?
An interesting point is raised if the review is unlawful for reasons given in earlier posts. Here is an extract from the ICO’s website:
In brief – what does the Data Protection Act say about handling personal data fairly and lawfully?
The Data Protection Act says that:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
This is the first data protection principle. In practice, it means that you must:
have legitimate grounds for collecting and using the personal data;
not use the data in ways that have unjustified adverse effects on the individuals concerned;
be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
handle people’s personal data only in ways they would reasonably expect; and
make sure you do not do anything unlawful with the data.
So if consent is provided and the force then revisits causation and applies apportionment, they are, by default, acting unlawfully. The corollary is that their unlawful action invalidates the consent. The same follows for revisiting previously disclosed medical records: if they try to look at any medical history prior to the last final decision, they are acting contrary to the regulations. Not only is there no implied consent anyway, but the illegality is a block in the first instance. The ICO is able to impose severe fines for such breaches.