Filofile currently stores and manages over 7000 document boxes for various medical establishments including Yeovil District Hospital and most recently Symphony Care which runs a group of GP surgeries across Somerset. We are therefore taking a look at some of the obligations that data controllers need to consider as well as new rights for patients.
As explained by the office of the Information and Data Protection Commissioner, the GDPR has introduced an obligation on data controllers to report breaches of patients’ health records to the data protection authority within 72 hours of becoming aware of the incident. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If the breach is likely to result in a high risk to patients (for instance, where the compromised electronic health records were not encrypted and no measures could be taken to reduce the risk), the health professional would also be required to notify all the affected individuals.
However, much of this advice concerns electronic data and IT security, while many organisations, including those in the healthcare sector, continue to create and process paper documents carrying personal information. Many have accumulated vast paper archives going back over long periods of time. This presents problems if you are no longer sure what information is held in the archive. It is now more important than ever to know what you have, know where it is, and know how to get to it when you need it.
Paper can slip through the cracks of the strictest information classification and storage policies, simply by being copied or printed and left lying around, carelessly disposed of, or even removed from a secure building. According to a report from PricewaterhouseCoopers, many European data security incidents that result in a penalty stem from human error in the handling of paper documents. Consequently, despite the best intentions of an organisation to comply with a data deletion request, employees may be keeping the data alive in a desk drawer or a home office.
It is essential that the security of health records is placed at the top of the priority list, since any misuse may have irreversible consequences for the data subject. Existing rights have been strengthened, in particular the right to erasure and the right of access. Exercising the right of access entitles patients to request copies of their medical records. At Filofile we receive regular requests from both hospital departments and GP surgeries, and we operate a same-day or next-day delivery service plus an optional fast emergency retrieval service delivering within two hours of the order.
The GDPR wants privacy to be front of mind in how information is produced, managed and disposed of. For paper, this is about information handling processes. Organisations should make it difficult, if not impossible, for unauthorised people to access or make copies of documents that carry personally identifiable information. Information storage, retention and destruction processes should all be reviewed with privacy requirements in mind, and adapted where necessary.
Both the controller and the processor share the responsibility to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include encryption, the use of pseudonyms, and the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. Physical security must not be overlooked, since it plays an equally important role in the security chain.
At Filofile all our documents are stored in secure buildings monitored 24/7 and linked to the Police and Fire Services. If you would like to learn more, please contact us.