Nhs doctor problem, also failure to comply with s10 data protection request

[nolegion]

There's a lot of information in that post, "hiuth", and others may come along to pick up more general points.

 

Perhaps, apart from commiserating on the all-too-often- encountered difficulties on changing medical service provider, I could just address the question of getting details the GPs hold about your intended under the Data Protection Act.

 

The section of the Act principally concerned is Section 7. (Section 10 is about trying to force changes to data, rather than extracting it in the first place.)

 

The reason you carefully report the GPs as having provided to you, for not complying with your written 'subject access request', is NOT an adequate reason for refusing to send you the copy information you have requested.

 

The law allows a 'let-out' where there is a risk of the release of information causing 'serious harm' to someone. Even if it were the case that it might prompt, say, an 'expressive outburst', in words or in print - which I am sure is not relevant in your case anyway – , that wouldn't mean 'serious harm' entitling them to withhold what you have asked for.

 

When the 40 day time-limit expires, if it hasn't already, I would suggest that you raise a formal complaint with the Information Commissioner's Office without further ado.

 

As you may know you can, complain to the ICO 'online' and it doesn't cost anything - although it will take several weeks. I see no useful future in being deflected towards some purported NHS 'governance officer'. Just more delay.

 

Best of luck.

[nolegion]

The applicable law is buried in a statutory instrument made under the DPA 1998, HIUTH.

 

I give a link to the actual "Order" at the foot of this post, but the ICO's code of practice covers the point fairly clearly:-

 

"……special rules apply where providing subject access to information about an individual’s physical or mental health or condition would be likely to cause serious harm to them or to another person’s physical or mental health or condition. These rules are set out in the Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413), and their effect is to exempt personal data of this type from subject access to the extent that its disclosure would be likely to cause such harm."

 

From (page 50 of):-

 

https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf

 

It is a very narrow exemption, and if they are still relying on it, I would send the issue to the ICO to look at, without delay. As the code indicates, there must be a real likelihood of actual harm - and, from what you have reported, I just don't see that holding up as an excuse.

 

http://www.legislation.gov.uk/uksi/2000/413/contents/made