Case Studies Erasure

 

Non-compliance with an erasure request related to medical data

An individual contacted the DPC following the refusal of their erasure request by a health care provider. According to the individual, they had requested the erasure of all historic health records relating to them held by the health care provider, as the individual was of the opinion that the records were incorrect as they related to an alleged misdiagnosis.

As part of its examination of the complaint, the DPC requested that the health care provider set out its lawful basis for processing the individual’s health records, specifically in relation to Articles 6 and 9 of the GDPR. The health care provider advised that it was relying on Article 6(1)(e) of the GDPR for processing the individual’s personal data which states that processing shall be lawful if ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

In relation to Article 9 of the GDPR, the health care provider stated that it continues to process the health records under Articles 9(2)(h) and (i) of the GDPR. Article 9(2)(h) of the GDPR states, ‘processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis…’, while Article 9(2)(i) of the GDPR states, ‘processing is necessary for reasons of public interest in the area of public health…’.

As part of their engagement with the health care provider, the individual provided them with a contradictory diagnosis from another health care provider, which the individual stated was evidence that proved the original diagnosis was incorrect. Having reviewed the documentation provided, the health care provider noted that a medical diagnosis is a medical opinion that is given at a point in time. Therefore, any medical opinion, given at a different point in time, cannot be accepted as evidence that a historic medical opinion was incorrect. The medical provider further advised that while a medical condition may change over time, it does not eradicate the fact that an individual was, at one point, treated for a particular illness or provided with a certain diagnosis.

The DPC noted that for the purposes of the GDPR, personal data is inaccurate if it is incorrect as to a matter of fact. However, based on the information available to the DPC, the personal data held on file by the health care provider, namely the original diagnosis, was not inaccurate as it was the original diagnosis at that point in time. On this basis, the DPC found that the health care provider had a lawful basis for the continued processing of the individual’s health records in accordance with Article 17(1)(a) of the GDPR.

In this regard, the processing of the personal data in the form of retaining the original diagnosis is still necessary in relation to the purposes for which the personal data was originally collected or otherwise processed. Further, the DPC found that the health care provider’s refusal to comply with the individual’s erasure request is consistent with Article 17(3)(c) of the GDPR in providing comprehensive medical assessment and treatment of the individual.

Following the engagement of the DPC, the health care provider added a supplementary statement on the individual’s medical record to include the documentation provided by the individual, which would inform any future readers of the individual’s medical file of the individual’s opinion, and the contradictory diagnosis in relation to the medical diagnosis.

Note: Article 17(1)(a) of the GDPR states that a data controller shall erase personal data that is no longer necessary for its original purposes. However, Article 17(3)(c) of the GDPR excludes the application of Article 17(1) in circumstances where the processing is necessary ‘for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3)’.

Key Takeaway

  • The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that it can address them. Data controllers should have meaningful and efficient measures in place to deal with and address data protection complaints when raised with them directly by an individual.
  • This case study highlights the fact that historic medical data cannot be erased as it relates to an opinion given at a point in time and any future opinions cannot overwrite a historic opinion provided by a professional in their professional capacity. That said, there was scope to add a supplementary statement on the individual’s medical record to reflect the updated medical opinion, which the health care provider could have done without the need for the individual to resort to DPC intervention. The public interest may require health care providers to ensure supplementary, up-to-date medical records are on an individual’s medical record.