Matching new orders to existing health records

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by AM300, Mar 5, 2018.

  1. AM300

    AM300 UKBF Newcomer Free Member

    3 0
Hi, I was wondering if anyone could advise me on the following.

    I work for an organisation that provides bespoke medical products to the NHS. As part of this, we keep patient health records. Clinicians regularly send us orders for patients that we have seen in the past requesting that we provide them with the bespoke medical device to "the same specification as before". The last time we provided a medical device for the patient could have been several years ago.

We cannot use patient names or NHS ID numbers as references under GDPR to match up the new order with the patients' medical records. Is anyone aware of any way that these could be matched up?

    Posted: Mar 5, 2018 By: AM300 Member since: Mar 5, 2018
  2. Mr D

    Mr D UKBF Legend Free Member

    10,680 1,115
    Postcode, house number, day of birth / month of birth?

    What information that the NHS hold are you allowed to have in your records?
    Posted: Mar 5, 2018 By: Mr D Member since: Feb 12, 2017
  3. fisicx

    fisicx It's Major Clanger! Staff Member

    29,352 8,657
    Assume you can't hold the data anymore and ask for it to be transmitted each time then expunged after processing.
    Posted: Mar 5, 2018 By: fisicx Member since: Sep 12, 2006
  4. AM300

    AM300 UKBF Newcomer Free Member

    3 0
We're allowed to keep the patients' medical records. That, along with the NHS ID number (to match up new orders with existing records), is all we need to process the order. The issue is what to use as a reference on our computer systems. It needs to be anonymous and the NHS ID number is not anonymous.
    Posted: Mar 5, 2018 By: AM300 Member since: Mar 5, 2018
  5. AM300

    AM300 UKBF Newcomer Free Member

    3 0
    I was hoping there was another solution, but it increasingly looks like this may be the only option.
    Posted: Mar 5, 2018 By: AM300 Member since: Mar 5, 2018
  6. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    82 22
    Have you identified who the data controller is for the information you hold/process? If you are not the controller, they should specify the handling/processing requirements. It would be your role as a processor to prompt the controller if you are unsure. Bear in mind health records are classed as special categories of data so you need to ensure that the correct 'lawful right for processing' is reviewed and documented. The best thing to do would be to complete a Privacy Impact Assessment which will help you work out all the questions and what you need to do. Guidance on this is on the ICO website.
    Posted: Mar 6, 2018 By: Simon Plummer Member since: Dec 6, 2017
  7. Keith Budden

    Keith Budden UKBF Contributor Full Member

    77 10
    I don't quite see the issue here - you would appear to have a lawful and contractual basis to use the data, that the NHS ID is used as the reference should not be an issue, assuming that you keep the data itself in a way that the data while stored is encrypted, and assuming that email is via SSL/TLS. Providing you carry out a data impact assessment, with an associated risk assessment, I really don't see any major problem in continuing the way you are, unless I'm missing something?
    Posted: Mar 30, 2018 By: Keith Budden Member since: Mar 30, 2018