FAQs
Can I use the GDPR to have my medical records amended or erased?
The Data Protection Commission (DPC) frequently receives complaints from individuals who have asked for information in their medical records to be altered or erased and whose request has been refused by the data controller (the organisation that decides how and why the data is processed). The General Data Protection Regulation (GDPR) does give individuals a right to rectification of inaccurate personal data, and a right to erasure in specific circumstances. Neither right is absolute, however, and, as explained below, those rights rarely apply to personal data such as medical opinions, diagnoses and clinical treatment notes.
Can I ask to have my medical records changed (rectified)?
Article 16 of the GDPR gives individuals the right to have “inaccurate” personal data rectified and incomplete personal data completed. This rule is easy to apply to discrete facts such as your date of birth: that sort of personal data does not change, can be verified easily and can be corrected if it was entered in error. It is far less simple to deem other information, such as clinical notes or a medical opinion or diagnosis, to be inaccurate.
Take the example of past medical opinions or diagnoses contained in your medical records. Your diagnosis may change or be revised over time, but that does not make your original diagnosis factually inaccurate and open to rectification. One reason is that a diagnosis is akin to a snapshot in time: it reflects the professional opinion of the doctor or nurse at that moment, based on the information available to them at that moment. Even if the underlying information changes later, resulting in a different opinion or diagnosis, the snapshot does not change. The record remains a factually accurate account that an opinion or diagnosis was made and of what it was at the time, so the data is not “inaccurate” in the Article 16 sense. In circumstances such as this, the right to rectification is unlikely to apply because the data in question is not inaccurate.
Another reason a medical opinion or diagnosis is unlikely to be open to rectification is that it provides important context for subsequent treatment decisions made by your health care providers. A prior opinion or diagnosis may explain why certain medications were prescribed or certain treatment plans adopted. Maintaining these records is not only required by law; it also serves the public interest by ensuring that the individual and the treating professional have a reliable record of what has taken place.
Even if your medical record is not open to rectification, it may still be possible to have a supplementary statement attached to it setting out where you believe the data is inaccurate or incomplete. Article 16 of the GDPR gives individuals, taking into account the purposes of the processing, “the right to have incomplete personal data completed, including by means of providing a supplementary statement”. While medical providers are unlikely to revise a diagnosis given in the past, where personal data is “incomplete” you can ask the provider to add a supplementary statement to the record to complete it.
Please be aware that the DPC is never in a position to determine whether a medical diagnosis was correct. The DPC is not a health care organisation and has neither the authority nor the expertise to substitute its own judgment for that of your medical care provider, so it will not make a determination as to the accuracy of a medical diagnosis.
I want to get my medical records rectified. What can I do?
Article 16 of the GDPR gives individuals the right to have “inaccurate” personal data rectified. Where personal data in your medical records is inaccurate as a matter of fact, you can ask the data controller to rectify it. To do so, contact the data controller directly, set out which personal data you consider factually inaccurate and why (providing any evidence that demonstrates the inaccuracy), and ask it to rectify the data.
Likewise, Article 16 gives individuals the right, taking into account the purposes of the processing, to have “incomplete” personal data completed. Where personal data in your medical records is incomplete, you can ask the data controller to add a supplementary statement to the records to complete them. To do so, contact the data controller directly, set out which personal data you consider incomplete and why (providing any evidence that it is incomplete), state what information you consider should be added to make the record complete, and ask it to complete the record.
Can I ask a medical practitioner/hospital to delete my medical records?
The right to erasure, sometimes called the right to be forgotten, is set out in Article 17 of the GDPR. Like the right to rectification, it is not an automatic or absolute right and applies only in certain circumstances. As a first step, an individual seeking erasure must set out why they consider that one of the six criteria listed in Article 17(1) applies to the personal data in question. The six criteria are as follows:
- That your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
- That you withdraw your consent to the processing, where the processing is based on consent, and there is no other lawful basis for processing the data. (It is important to note that consent is not the only lawful basis a data controller can rely on for the processing of personal data).
- That you object to the processing and there are no overriding legitimate grounds for continuing it.
- That your personal data has been unlawfully processed.
- That your personal data has to be erased in order to comply with a legal obligation.
- That your personal data has been collected in relation to the offer of information society services (e.g. social media) to a child.
As a reminder, old medical records, or prior opinions or diagnoses you do not agree with, do not become unnecessary merely because they are old. Medical records provide documentary evidence of the delivery of patient care, and the fact that an opinion or diagnosis was made may remain relevant even if it is later determined to be incorrect.
Even where you are able to demonstrate that one of the Article 17(1) criteria apply, you still might not be entitled to have your personal data erased. Article 17(3) of the GDPR contains exceptions to the right of erasure that allow the data controller to retain your personal data. There are specific exceptions set out under Article 17(3) that relate to the processing of personal data contained in medical records. Medical providers most commonly rely on the exceptions in Article 17(3)(b), (c), and (e) to deny an erasure request. Specifically, these exceptions are:
b) - Your data is necessary for compliance with a legal obligation.
c) - Your data is necessary for reasons of public interest in the area of public health.
e) - Your data is necessary for the establishment, exercise, or defence of legal claims.
These exceptions are quite broad in scope, and as a consequence, will likely apply more often than not to personal data contained in medical records.
For example, Article 9(2)(h) of the GDPR permits the processing of your health data (a special category of personal data) where it is necessary for the following purposes:
- preventive or occupational medicine,
- medical diagnosis,
- health or social care or treatment,
- management of health systems, and
- contract with a health professional.
Article 17(3)(c) sets out a specific exception to the right to erasure where personal data is processed for one of the above purposes. Once again, these grounds are broad, so a provider will be able to retain your data in most circumstances where it is processed for one of these purposes, because an exception will apply.
It is also important to understand that medical and health providers are subject to legal obligations, which require them to keep your records for lengthy periods - such periods may last many years and may even extend after your death. These requirements are set forth in law, guidelines regulating the health professions, as well as in the document retention policies for individual providers and the Health Service Executive (HSE).
A health provider may also be entitled to retain your records if doing so is in the “public interest in the area of public health”. This includes circumstances where the provider can demonstrate that retaining your records serves to ensure that the care provided meets high standards of quality and safety. It also includes situations where retaining your personal data is necessary to comply with the law applicable to public health matters.
Finally, a health provider may be entitled to retain your records in certain circumstances for the establishment, exercise or defence of legal claims. This exception may be relevant whenever you have an ongoing legal dispute with the health care provider, or when they can reasonably anticipate or contemplate that such a dispute may arise.
I want to get medical records erased. What can I do?
As previously outlined, you have the right to have your personal data erased where one of the six criteria listed in Article 17(1) applies. The six criteria are as follows:
- That your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
- That you withdraw your consent to the processing, where the processing is based on consent, and there is no other lawful basis for processing the data. (It is important to note that consent is not the only lawful basis a data controller can rely on for the processing of personal data).
- That you object to the processing and there are no overriding legitimate grounds for continuing it.
- That your personal data has been unlawfully processed.
- That your personal data has to be erased in order to comply with a legal obligation.
- That your personal data has been collected in relation to the offer of information society services (e.g. social media) to a child.
Where one of these criteria applies to your personal data, you can ask the data controller to erase that personal data from your medical records. To do so, contact the data controller directly, set out which personal data you wish to have erased and which of the above criteria applies (providing any evidence that it applies), and ask it to erase the data.
I can’t get my records rectified or erased. What can I do?
The DPC recommends that your first step in addressing concerns regarding the content of your medical records is to contact the medical provider that has control over those records. If the issue is not related to correcting a discrete factual inaccuracy (your date of birth, for example), the provider may decline to delete or amend your record. However, the provider may be willing to attach a supplementary statement. A supplementary statement might, for example, note your disagreement or highlight a changed diagnosis by referring to records that are more recent.
If you remain unsatisfied with the data controller’s response, you may lodge a complaint with the DPC. In order to progress your complaint in as efficient a manner as possible, the DPC will require the following information in order to assess your complaint:
- Your original request to the data controller (to include date and time stamp where available)
- Your reasoning as to why the relevant right applies.
- In the case of a rectification request, what data is factually inaccurate/incomplete.
- In the case of an erasure request, which of the six criteria apply.
- Copies of any correspondence received from, or exchanged with, the data controller in respect of your request.
- Where you disagree with the data controller’s position/exceptions applied, outline why you disagree with their position/exceptions applied.