Your Patients' Data Rights Under GDPR

Published: Thursday, 31 May 2018 11:30

Since 25 May, your patients now have more explicit rights as ‘data subjects’ under the new data protection rules. To comply, your practice needs to uphold these rights and ensure they are reflected in your practice privacy policy.

The GDPR sets out 8 data subject rights for individuals, which are summarised below:

1. Right to be informed - Patients have the right to know how you will use their personal data. This is normally achieved by setting out the necessary information in a “privacy policy” which should always be concise, transparent, intelligible and easily accessible.

Healthcode’s GDPR Toolkit includes a Privacy Policy template which you can adapt for your practice. Please log in to ePractice for further information.

2. Right of access - Patients have the right to access their personal data by making a subject access request, either verbally or in writing. It is important to note that under the new Data Protection Act 2018 which has recently received Royal Assent, there is no ability to add an extension of time to provide data when a Subject Access Request is received.

Healthcode’s GDPR Toolkit discusses the Right of Access in further detail. It also includes a Subject Access Request Form Template, a Subject Access Request Procedure Template and a Subject Access Export feature (release is imminent) so you can extract the information you hold about a patient on your ePractice system.

3. Right to rectification - Patients are entitled to request corrections to data that is inaccurate or incomplete.

ePractice allows you to edit patient details, and you can add notes and documents against individual patients in ePractice manager.

4. Right to object - Patients can object to the processing of their personal data in certain circumstances. This is an absolute right in the case of direct marketing. If you are processing data for another purpose you may be able to continue if you can show that you have a compelling reason for doing so.

5. Right to erasure - Also known as the ‘right to be forgotten’, the GDPR introduces a right for individuals to have personal data erased in certain circumstances. You can refuse such requests on several grounds including where processing is necessary for the establishment, exercise or defence of legal claims.

6. Right to restrict processing - As an alternative to erasure, patients have the right to request the restriction or suppression of their personal data in certain circumstances, e.g. where they contest its accuracy. You must inform the patient if you decide you have legitimate reasons to lift restrictions.

ePractice manager allows you to add a ‘warning note’ to a patient about any processing restrictions.

7. Right to data portability - Patients have the right, in certain circumstances, to obtain and reuse their personal data for their own purposes in a structured, commonly used and machine-readable format such as a CSV file.

The Subject Access Export feature within Healthcode’s GDPR toolkit enables you to extract and transfer data in a portable format. Please log in to ePractice for further information.

8. Right not to be subject to automated decision-making - The GDPR restricts solely automated individual decision-making, including profiling, where this has a significant negative effect on the patient. This is a very complex area and the input of a data protection specialist is vital.

For more detailed information about the new data protection law and a range of resources to help you comply, log in to ePractice to purchase the GDPR Toolkit. You can also find general information on the ICO website at www.ico.org.uk.