The General Data Protection Regulations (GDPR) and you

As a charity, we get asked a lot of questions about our rights under these new regulations. This guide is based on our interpretation, on ongoing legal challenges and on the numerous pieces of advice already issued by the Information Commissioner’s Office (‘ICO’).

The Data Protection Act 1988 was superseded by the Data Protection Act 2018 and the General Data Protection Regulations (‘GDPR’).

Under Article 9 of the GDPR, the special categories of personal data known as “sensitive data” include “data concerning health”. This type of data should be given extra safeguards against anyone (in our case, police forces and Selected Medical Practitioners (‘SMPs’)) wishing to obtain, retain and process it.


When can forces ask for “sensitive data”?

In general terms, this will be:

  a. During the ill-health retirement process
  b. Consideration for an injury award
  c. Subsequent review of an injury award
  d. Police Medical Appeal Board (‘PMAB’) resulting from any of the above.

The above is the usual sequence of events for an officer who retires after being injured on duty with an ill-health retirement and an injury award (gratuity and pension), so let’s look at them in a little more detail.


Ill-health Retirement Process

A Force Medical Examiner (‘FMA’), or the officer, may make a request that the officer should be considered for ill-health retirement if they have a permanent disability (whether they have suffered an injury on duty or not). Provided that the request is not considered to be frivolous or vexatious, they must be referred to an SMP for consideration of ill-health retirement (‘IHR’).

Notwithstanding the fact that the officer may have supplied a full copy of their medical records when they were originally appointed as a police officer, they will often be asked again to supply a full copy so that both the FMA and the SMP can assess whether the officer has a permanent disability which would prevent them from performing the ordinary duties of a police officer.

It is correct to comply with this request as the SMP will need to complete a comprehensive report to the Police Pension Authority (‘PPA’) for their consideration as to whether they should retire or retain the officer. (Supplying medical records at IHR is different from a ‘Reassessment of injury pension’, often referred to as a review, commenced by a police force).


Request for an injury award

If an officer has suffered an injury on duty, they may apply for an injury award (a one-off gratuity and a monthly pension). Again, it is perfectly normal during the application process for the officer to supply their medical records in order that the FMA and SMP can make the necessary assessments.

Whilst it is perfectly acceptable for medical records to be seen by the FMA and SMP, who are both doctors, it is, in our view, unacceptable for any other person in the process to have access to a former officer’s personal medical history. This includes Human Resources (‘HR’) staff, admin staff within Occupational Health (‘OH’), force solicitors and even the PPA. None of these people are doctors or any other type of medical practitioner, none of them has to make any determination based on viewing your medical records, and therefore none of them has any need to see your records.

Remember that when a person grants permission for a force to process (use or view) their data, the permission is for that sole purpose only, and the force would need to rely upon renewed permission, or other statutory provisions, either to retain the data or to process it again afterwards.

Once the ill-health retirement is complete, along with the injury award process, we believe that forces are entitled to hold only the minimum amount of information about an injured former officer needed to justify their retirement and the payment of their pensions.

This may include –

  • The SMP certificate/report (H1 certificate)
  • Any accompanying report from the SMP
  • Specialist reports, if they were relevant to the SMP’s determination

Anything outside of this, in our opinion, would possibly breach the GDPR/DPA and would need to be justified on a document-by-document basis.

This is what the ICO had to say about the matter –

8th September 2017 – “It would appear that the constabulary is excessively processing sensitive personal data about you. It would appear that it is unnecessary for the constabulary to continue to retain information about your medical records, going right back to your birth.”


10th November 2017 – “In the light of the above, the ICO considers that the current requirement by [the police] for all historical data held about former officers as part of IODA reviews appears to be excessive and in breach of the DPA.”


13th September 2018 – “In relation to the deletion of your personal data I can explain that under the data protection legislation organisations like [the police] need to ensure that personal data is kept for no longer than is necessary.”


Putting the above information into practice, we would therefore suggest that, at the conclusion of the ill-health retirement/injury award process, former officers write to their force and instruct it to stop processing their (the pensioner’s) data. Pensioners should request that their data be returned to them or destroyed.

Please note that there is no statutory requirement for forces to provide a destruction notice if they destroy your data, and they do not need your permission to do so. We would hope that if a force has destroyed data at an officer’s request, it would confirm in writing that it has complied.

A Subject Access Request (‘SAR’) under Article 15 GDPR to the force will quickly confirm what data they are currently holding, and is something we would advise everyone to do. (A template of a SAR can be found on our website.)


What can forces demand from you during a review?

Under Regulation 37(1), forces are permitted to review the level of an injury award as long as there has been a suitable interval in a pensioner’s particular circumstances. Forces that do review will often ask a former officer for a whole range of information including, but not limited to, a full copy of medical records from birth, a comprehensive questionnaire to be completed, information about DWP benefits and copies of tax returns from HMRC.

There is nothing stopping forces from asking for all this information, in fact they can ask for the moon on a stick, but just because they request it, it doesn’t mean that they are legally entitled to have it, or that a pensioner has to comply!

The ICO have said –

13th September 2018 – “Further to this, it is our understanding that Injury on Duty reviews consider the period from the original assessment or most recent review. We would therefore expect that the information obtained should relate to this timeframe; information sought outside of these time periods may be considered excessive.”


This point mirrors the case of LAWS which tells us that if a pensioner is called for a review of their injury pension under regulation 37(1), it is a comparison exercise from the date of retirement, or the last review to the present day. This means that the last known position is their starting point, and the SMP needs to identify substantial alteration from this point until today. As there is no requirement to go back beyond this point, it therefore follows that forces do not need to retain or process data prior to this point, or request it afresh.


Who can obtain a pensioner’s data?

During the review process, the SMP is acting on behalf of the PPA, and this is what the ICO has said about their role:

21st August 2018 – “Based on the information that we have, it is our view that SMPs are likely to be data controllers in their own right. This is because they are making medical decisions based upon an individual’s sensitive personal data, and this decision is independent of [the police].”


13th December 2018 – “It is likely that the SMPs are likely to be data controllers in their own right in addition to the [police] also being a data controller.”


Now, this position raises some interesting questions: the SMP is an independent medical authority and a data controller in their own right, so what authority do forces’ HR departments, or even Occupational Health admin staff, have to demand sensitive personal data? We believe that all requests should come directly from the SMP to the pensioner. The data should not be seen by anyone other than the SMP, and at no stage should it be passed to the FMA, HR, Occupational Health, force solicitors or the PPA.

Indeed, this position is further reinforced by the ICO –

20th April 2018 – “If our understanding is correct it would seem that it would be for a medical professional to determine what information is needed for each review on a case by case basis (our emphasis).”


21st August 2018 – “Therefore, when it comes to determining what personal data needs to be requested to conduct an Injury on Duty assessment or review this is ultimately down to the SMP.”

“However Article 5(c) of the GDPR states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

“It is our understanding that Injury on Duty award reviews consider the period from the original assessment or most recent review. We would therefore expect that generally the information obtained should relate to this time-frame.”

“Each injury on duty review is different and so the information being sought should be decided on a case by case basis.”


It is clear to us that it is the SMP who should be requesting this data directly from the pensioner, and that the request should not be made by any other department or person designated by the PPA. Additionally, the SMP should be able to justify each request, and not just make a blanket request in all cases.

Using this information and, again, putting it into practice: if a force’s FMA, HR department, Occupational Health, force solicitor or PPA write to you asking for ANY medical information, we suggest that you inform them that no one other than the SMP is entitled to request information for a review. Any medical notes that you choose to supply should go straight to the SMP, with the added assurance that they will not be shared with anyone other than that SMP.

We’ve established who can ask for what and why, but despite all this advice from the ICO, there is nothing in The Police (Injury Benefit) Regulations 2006 that says you need to hand anything over. Readers will probably be aware that this very issue is currently the subject of a legal challenge in the case of Baker & Ors v Chief Constable of Staffordshire Police, so we cannot go into much more detail at this stage until it is clarified by the court, but suffice to say that the regulations are silent on the matter.

As it stands currently, we would advise anyone being called to a review by their former force, not to hand any documents or medical records over at all.


What can forces do with data that they already have?

If readers have been following us up to this point, we should have reached the stage where forces should only be holding the bare minimum of data, dating from the pensioner’s original retirement or last review, whichever came later.

When conducting a review, forces are asking pensioners whether they consent to them processing this data. The ICO have this to say –

20th April 2018 and the 5th September 2018 – “Although consent is not defined by the DPA, it should be freely given. Where an individual has no option but to consent to the processing of their personal data, it is unlikely that consent has been freely given. This therefore raises fairness concerns and in our view we do not believe that consent is an appropriate condition to rely on for the processing of sensitive personal data.”


13th September 2018 – “In data protection terms consent should only be relied upon if an individual has a genuine choice as to how they wish their data to be processed. As an Injury on Duty review does not seem to be optional, seeking consent does not appear to be fair or reasonable as the individual has no alternative but to consent.”

“To comply with the ‘lawful’ aspect of this principle [the police] must have a lawful authority for processing under Article 6, and Article 9 in the case of special category data, of the GDPR.”


What the ICO are saying here is that consent under the GDPR to view or process your medical data should be freely given, specific, informed and unambiguous. For consent to be freely given, it must be given on a voluntary basis: the element “free” implies a real choice by the data subject. If the pensioner does not have the option to say no, because forces have a legal right to review and thereby to process your medical records, it cannot be true consent. This being the case, forces should be using a statutory authority if they have it, rather than relying on consent.


What data should be supplied to a PMAB?

Whenever you appeal to a PMAB, it, like the SMP, should be supplied with a full copy of your medical records.

It has recently come to our notice that, historically, forces have been obtaining an officer’s or former officer’s full medical records for and on behalf of the PMAB. This practice is undoubtedly a serious breach of the GDPR.

Prior to a PMAB, an officer or pensioner will sign an authority permitting their medical records to be released from their GP surgery directly to the PMAB. What has been discovered is that this consent form is handed back to the officer’s own force, and the force then requests the medical documents from the GP surgery. The medical records are duly sent to the force, where solicitors, HR staff and other staff with no medical qualifications read very private and sensitive data, which they are not entitled to do.

If you are attending a PMAB, we suggest that you ensure that you provide the appropriate authority DIRECTLY to the PMAB, with clear instructions that it MUST be the PMAB that makes the application to your doctor, and that under no circumstances should the letter of authority or any data obtained be passed to any other third party.

The ICO Audits Staffordshire Police

We are drowning in information and starved for knowledge.

― Author Unknown


One of the many advantages of being a member of IODPA is the availability of expert knowledge on a variety of topics, all relevant to police injury pensions.

One way we assist our members is by informing them of their rights as ‘data subjects.’

The term ‘data subject’ refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an individual whose personal data can be collected.

In the course of an officer’s career, their force accumulates considerable quantities of information about the individual. In the case of injury-on-duty pensioners that accumulation of data does not stop on their retirement – their force keeps on gathering it.

Trouble is, some forces don’t look after the personal information they acquire.

It is fair to say that data protection law rarely springs to the forefront of injury-on-duty pensioners’ minds. That is understandable, but when we see that a large and professional organisation seems to have little knowledge of how the law requires it to manage the huge quantities of data it acquires and stores, then we begin to worry.

One such deficient organisation is Staffordshire Police, which has just been shockingly revealed to be in dire need of improving its data handling processes and procedures.

The Information Commissioner’s Office has recently published its Executive Summary of a Data Protection Audit which it conducted of Staffordshire Police. You can read it here.

staffordshire-police-audit-052018


The report concludes Staffordshire Police could provide only limited assurance that,

processes and procedures are in place and delivering data protection compliance.

Moreover, the audit identified,

considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.

The ICO report is also critical of Staffordshire Police’s lack of data protection policies, a lack of awareness of arrangements for sharing information, out-of-date information about data protection on its website, a failure to advise people about fair processing of personal information, an inability to show that the information held was accurate and up to date, no publication scheme covering freedom of information requests and responses, and a low rate of employee training on data protection.

That covers pretty much all of the areas of data protection law, and shows that Staffordshire is failing in all of them.

What this means for injury-on-duty pensioners can be best illustrated by recounting some of the experiences of our members.

We are told of swathes of personal information being lost or destroyed, including important records confirming entitlement to an injury pension.

We are informed of the opposite – of Staffordshire unnecessarily retaining huge quantities of sensitive personal financial and medical information relating to former officers, and in some cases, relating to third parties such as family members.

We hear of long delays in responding to Freedom Of Information Act requests.

We are notified of inaccurate information being held, and of very sensitive personal information being accessed by employees without the permission of the data subject.


The situation is so bleak within Staffordshire Police that some of our members have been compelled to make formal complaints to the Information Commissioner’s Office. It is our understanding that these complaints will reveal even more deficiencies in Staffordshire’s handling of personal information.

The ICO report advises, ‘The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement.’

IODPA believes that Staffordshire is only one of many forces who are failing in respect of data protection.

The Information Commissioner’s Office provides a valuable and important safeguard of injury-on-duty pensioners’ data rights and we applaud the ICO for its work and for bringing the deficiencies of Staffordshire Police into the light of public knowledge. The findings of the ICO’s initial audit are, we hope, a salutary wake-up call to Staffordshire and to all other forces who casually process so much personal information whilst starved of knowledge of data protection law.

More ICO advice for Northumbria Police

There has been another interesting development regarding the use of injured pensioners’ data by Northumbria Police and the complaints that have been made to the Information Commissioner’s Office (‘ICO’).

IODPA believe that a number of police pensioners have made similar complaints regarding their former force attempting to coerce them to hand over their private and sensitive data (medical notes).

Many of them have taken the step to complain to the ICO, who have now issued advice to them.

The complaints have centred on whether consent is freely given when considering the release of medical notes, on the retention of medical notes and on Subject Access Requests. The upshot is that it is “unlikely that NP are complying with the first principle of the Data Protection Act”, which states that personal data should be processed fairly and lawfully.

Please note, this is advice from the ICO as opposed to a formal decision notice and it is for individuals. We would imagine that the ICO would come to the same conclusion for any pensioner with a similar complaint, regardless of force.

Of course, this is not the first time that the ICO have provided advice in relation to Northumbria Police – https://iodpa.org/2017/11/24/northumbria-police-federation-wins-ico-advice-notice/

If you believe your data is being processed unfairly, please get in touch with the ICO – https://ico.org.uk/


Nothumbria - ICO advice