Redaction software for SARs

BACKGROUND

A practice manager (PM) contacts the MDDUS telephone advice line regarding the process for handling subject access requests (SARs). The PM says that her administrative team has been spending increasing time preparing responses to SARs, and the practice is considering buying redaction software to assist. She wants advice on whether there’s reason not to do this – or any downsides to consider?

ANALYSIS/OUTCOME

A medical practice adviser (MPA) offers advice.

The MPA reminds the PM that it is important to remember that patients are entitled to access all of their data, unless an exception set out in the UK GDPR and the Data Protection Act 2018 exists. For health records, these include:

1. Information relating to third parties (other than healthcare professionals)
2. Information likely to cause serious harm to the physical or mental health of the patient or another person.

Software can be a useful tool in alleviating the administrative burden of SARs. However, the technology is only as good as the parameters you set and does not replace the practice’s responsibilities as data controller for the information being disclosed.

This type of software is commonly applied to redact third-party identifiers, such as ‘wife’, ‘husband’, ‘son’ or ‘daughter’. This provides a useful starting point, but it’s important to remember that the context may be enough to identify the person, even if their name or relationship to the patient is redacted. Caution is therefore advised.

MDDUS was recently made aware of an example of software which had been used to redact some ‘sexual health’ identifiers. The software had redacted ‘ED’ as a possible abbreviation for erectile dysfunction, but it had actually been used in these instances to denote emergency department. In either instance, the redaction was inappropriate as it didn’t meet the ‘serious harm’ test, which is a high bar.

It may be reasonable to use the software to identify certain key terms which could give rise to concerns about ‘serious harm’, such as ‘abuse’ or ‘violence’, on the basis that these could then be flagged for clinical review.

The PM is advised that while it is perfectly acceptable to use redaction software to do the bulk of the leg-work, this should always be sense-checked by a clinician to ensure that the redactions undertaken are indeed appropriate.

If the 'serious harm' exemption is relied upon to justify non-disclosure of some of the data, there must be evidence that the information has been deemed "likely to cause serious harm" by an appropriate healthcare professional. This is usually the clinician who is currently or was most recently responsible for the diagnosis, care or treatment of the patient. It is therefore not appropriate to delegate these tasks entirely to non-clinical staff, although they can of course undertake the bulk of the administrative work before clinical review.

The PM is advised to be mindful of the need for a written contract with the software provider if they are processing data on the practice’s behalf (i.e. they are a data processor). For further information see the ICO website. They are also advised to discuss their plans with their local Data Protection Officer.

During the telephone discussion, the MPA takes opportunity to remind the practice manager to be mindful of ensuring that any SAR is carefully considered to ensure appropriate justification or consent is provided before sharing patient information. A request from someone other than the patient (such as a family member or solicitor) requires patient consent or evidence of the requester being otherwise entitled to act on the patient's behalf. The nature and scope of the request is also important to consider. Is the full record needed to comply or can it be limited to a particular matter or time period?