The General Data Protection Regulations (GDPR) and you
As a charity, we get asked a lot of questions about our rights under these new regulations. This guide is based on our interpretation, ongoing legal challenges and the numerous pieces of advice that have already been issued by the Information Commissioner's Office (‘ICO’).
The Data Protection Act 1988 was superseded by the Data Protection Act 2018 and the General Data Protection Regulations (‘GDPR’).
Under Article 9 of the GDPR, the special categories of personal data known as “sensitive data” include “data concerning health”. This type of data is given extra safeguards against anyone (in our case, police forces and the Selected Medical Practitioner (‘SMP’)) wishing to obtain, retain and process it.
When can forces ask for “sensitive data”?
In general terms this will be:
- (a) During the ill-health retirement process
- (b) Consideration for an injury award
- (c) Subsequent review of an injury award
- (d) Police Medical Appeal Board (‘PMAB’) resulting from (b), (c) or (d).
The above is the usual sequence of events for an officer that retires after being injured on duty with an ill-health retirement and an injury award (gratuity and pension), so let’s look at them in a little more detail.
Ill-health Retirement Process
A Force Medical Examiner (‘FMA’), or the officer, may make a request that they should be considered for ill-health retirement if they have a permanent disability (whether they have suffered an injury on duty or not). Provided that the request is not considered to be frivolous or vexatious, they must be referred to a SMP for consideration of ill-health retirement (‘IHR’).
Notwithstanding the fact that the officer may have supplied a full copy of their medical records when they were originally appointed as a police officer, they will often be asked again to supply a full copy so that both the FMA and SMP can assess whether the officer has a permanent disability which would prevent them from performing the ordinary duties of a police officer.
It is correct to comply with this request as the SMP will need to complete a comprehensive report to the Police Pension Authority (‘PPA’) for their consideration as to whether they should retire or retain the officer. (Supplying medical records at IHR is different from a ‘Reassessment of injury pension’, often referred to as a review, commenced by a police force).
Request for an injury award
If an officer has suffered an injury on duty, they may apply for an injury award (one off gratuity and monthly pension). Again, it is perfectly normal during the application process, for the officer to supply their medical records in order that the FMA and SMP can make the necessary assessments.
Whilst it is perfectly acceptable for medical records to be seen by the FMA and SMP, who are both doctors, it is, in our view, unacceptable for any other person in the process to have access to a former officer’s personal medical history. This includes Human Resources (‘HR’) staff, admin staff within Occupational Health (‘OH’), force solicitors and even the PPA. None of these people are doctors or any other type of medical practitioner, they do not have to make any determinations based on viewing your medical records, and therefore they have no need to see your records.
Remember that when a person grants permission for forces to process (use or view) their data, the permission is for this sole purpose only and the force would need to rely upon renewed permission, or other statutory provisions to either retain or process it again (post).
Once the ill health retirement is complete, along with the injury award process, we believe that forces are entitled to hold only the minimum amount of information about an injured former officer, in order to justify your retirement and the payment of your pensions.
This may include –
- The SMP certificate/report (H1 certificate)
- Any accompanying report from the SMP
- Specialist reports, if they were relevant to the SMP’s determination
Anything outside of this, in our opinion, would possibly breach the GDPR/DPA and would need to be justified on a document by document basis.
This is what the ICO had to say about the matter –
8th September 2017 – “It would appear that the constabulary is excessively processing sensitive personal data about you. It would appear that it is unnecessary for the constabulary to continue to retain information about your medical records, going right back to your birth.”
10th November 2017 – “In the light of the above, the ICO considers that the current requirement by [the police] for all historical data held about former officers as part of IODA reviews appears to be excessive and in breach of the DPA.”
13th September 2018 – “In relation to the deletion of your personal data I can explain that under the data protection legislation organisations like [the police] need to ensure that personal data is kept for no longer than is necessary.”
Putting the above information into practice, we would, therefore, suggest that at the conclusion of the ill-health retirement/injury award process, former officers write to their force and inform them that the force stop processing their (the pensioner’s) data. Pensioners should request that their data be returned to them or destroyed.
Please note that there is no statutory requirement for forces to provide a destruction notice if they destroy your data, and they do not need your permission to do so. We would hope that if a force has destroyed data at an officer’s request, it would confirm in writing that it has complied.
A Subject Access Request (‘SAR’) under Article 15 GDPR to the force will quickly confirm what data they are currently holding, and is something we would advise everyone to do. (A template of a SAR can be found on our website).
What can forces demand from you during a review?
Under Regulation 37(1), forces are permitted to review the level of an injury award as long as there has been a suitable interval in a pensioner’s particular circumstances. Forces that do review will often ask for a whole range of information from a former officer including, but not limited to, a full copy of medical records from birth, a comprehensive questionnaire to be completed, information about DWP benefits and copies of tax returns from HMRC.
There is nothing stopping forces from asking for all this information, in fact they can ask for the moon on a stick, but just because they request it, it doesn’t mean that they are legally entitled to have it, or that a pensioner has to comply!
The ICO have said –
13th September 2018 – “Further to this, it is our understanding that Injury on Duty reviews consider the period from the original assessment or most recent review. We would therefore expect that the information obtained should relate to this timeframe; information sought outside of these time periods may be considered excessive.”
This point mirrors the case of LAWS which tells us that if a pensioner is called for a review of their injury pension under regulation 37(1), it is a comparison exercise from the date of retirement, or the last review to the present day. This means that the last known position is their starting point, and the SMP needs to identify substantial alteration from this point until today. As there is no requirement to go back beyond this point, it therefore follows that forces do not need to retain or process data prior to this point, or request it afresh.
Who can obtain a pensioner’s data?
During the review process, the SMP is acting on behalf of the PPA, and this is what the ICO has said about their role:
21st August 2018 – “Based on the information that we have, it is our view that SMPs are likely to be data controllers in their own right. This is because they are making medical decisions based upon an individual’s sensitive personal data, and this decision is independent of [the police].”
13th December 2018 – “It is likely that the SMPs are likely to be data controllers in their own right in addition to the [police] also being a data controller.”
Now, this position raises some interesting questions; the SMP is an independent medical authority and a data controller in their own right, so what authority do forces’ HR departments, or even Occupational Health admin staff, have in demanding sensitive personal data? We believe that all requests should come directly from the SMP to the pensioner. The data should not be seen by anyone other than the SMP, and at no stage should it be passed to the FMA, HR, Occupational Health, force solicitors or the PPA.
Indeed, this position is further reinforced by the ICO –
20th April 2018 – “If our understanding is correct it would seem that it would be for a medical professional to determine what information is needed for each review on a case by case basis (our emphasis).”
21st August 2018 – “Therefore, when it comes to determining what personal data needs to be requested to conduct an Injury on Duty assessment or review this is ultimately down to the SMP.”
“However Article 5(c) of the GDPR states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
“It is our understanding that Injury on Duty award reviews consider the period from the original assessment or most recent review. We would therefore expect that generally the information obtained should relate to this time-frame.”
“Each injury on duty review is different and so the information being sought should be decided on a case by case basis.”
It is clear to us that it is the SMP who should be requesting this data directly from the pensioner, and the request should not be made by any other department or persons designated by the PPA. Additionally, they should be able to justify each request and not just make a blanket request in all cases.
Using this information and again, putting it into practice, if a force’s FMA, HR department, Occupational Health, force solicitor, or PPA write to you asking for ANY medical information, we suggest that the pensioner informs them that no one other than the SMP is entitled to request information for a review. Any medical notes that you choose to supply should go straight to the SMP, with the added assurance that they would not be shared with anyone other than that SMP.
We’ve established who can ask for what and why, but despite all this advice from the ICO, there is nothing in The Police (Injury Benefit) Regulations 2006 that says you need to hand anything over. Readers will probably be aware that this very issue was the subject of a legal challenge in the case of Baker & Ors v Chief Constable of Staffordshire Police. The judgment handed down made it clear that the SMP may ask for what they consider necessary to complete the reconsideration.
We would therefore advise anyone being called to a review by their former force not to hand any documents or medical records over at all unless specifically requested by the SMP. We would further suggest that any medical information is handed directly to the SMP and not to the force.
What can forces do with data that they already have?
If readers have been following us up to this point, we should have reached the stage where forces should only be holding the bare minimum of data, since the pensioner’s original retirement or last review, whichever came last.
When conducting a review, forces are asking pensioners whether they consent to them processing this data. The ICO have this to say –
20th April 2018 and the 5th September 2018 – “Although consent is not defined by the DPA, it should be freely given. Where an individual has no option but to consent to the processing of their personal data, it is unlikely that consent has been freely given. This therefore raises fairness concerns and in our view we do not believe that consent is an appropriate condition to rely on for the processing of sensitive personal data.”
13th September 2018 – “In data protection terms consent should only be relied upon if an individual has a genuine choice as to how they wish their data to be processed. As an Injury on Duty review does not seem to be optional, seeking consent does not appear to be fair or reasonable as the individual has no alternative but to consent.”
“To comply with the ‘lawful’ aspect of this principle [the police] must have a lawful authority for processing under Article 6, and Article 9 in the case of special category data, of the GDPR.”
What the ICO are saying here is that consent under GDPR to view or process your medical data should be freely given, specific, informed and unambiguous. In order to be freely given, consent must be given on a voluntary basis; the element “free” implies a real choice by the data subject. If the pensioner does not have the option to say no, because forces have a legal right to review and thereby process your medical records, it cannot be true consent. This being the case, forces should be using a statutory authority if they have it, rather than relying on consent.
What data should be supplied to a PMAB?
Whenever you make an appeal to a PMAB, the PMAB, like the SMP, should be supplied with a full copy of your medical records.
It has recently come to our notice, that historically forces have been obtaining an officer’s or former officer’s full medical records for and on behalf of the PMAB. This practice is undoubtedly a serious breach of the GDPR.
Prior to a PMAB, an officer or pensioner will sign an authority permitting their medical records to be released from their GP surgery directly to the PMAB. What has been discovered is happening is that this consent form is handed back to the force the officer is from, and the force is requesting the medical documents from the GP surgery. The medical records are duly sent to the force, where solicitors, HR staff and other staff who are not medically qualified are reading very private and sensitive data, which they are not entitled to do.
If you are attending a PMAB, we suggest that you ensure that you provide the appropriate authority DIRECTLY to the PMAB, with clear instructions that it MUST be them that makes the application to your doctor and that under no circumstances should the letter of authority or any data obtained be passed to any other third party.