An introduction to the protection of personal information in the healthcare practice

8. The 8 conditions for lawful processing of PI

8.8. Data Subject Participation (Sections 23-35)

Topics

  1. Confirmation
  2. Requests
  3. Fees
  4. Refusal
  5. Access
  6. Correction


1. Confirmation

A DS, having provided adequate proof of identity, has the right to request a RP to confirm, free of charge, whether or not the RP holds PI about the DS.


2. Requests

A DS, having provided adequate proof of identity, has the right to request from a RP:

  1. the record or a description of the PI about the DS held by the RP
  2. particulars of the identity of all third parties, or categories of third parties, who have, or have had, access to the information.

The RP has to respond:

  1. within a reasonable time
  2. at a prescribed fee, if any
  3. in a reasonable manner and format
  4. in a form that is generally understandable.

The practice therefore needs to make sure that dealing with such requests is as effortless as possible by putting systems in place to handle them.


3. Fees

If the RP requests a fee from the DS for providing the requested information, the RP:

  1. must give the DS a written estimate of the fee before providing the information
  2. may require the DS to pay a deposit for all or part of the fee.


4. Refusal

A RP may or must refuse, as the case may be, to disclose any information requested by the DS on the following applicable grounds:

  1. if it would endanger the life or safety of an individual
  2. privileged documents (in the context of legal proceedings) must not be disclosed.

If a request for access to PI is made to a RP and part of that information may or must be refused, every other part must be disclosed.

The Promotion of Access to Information Act dictates the following with regard to access to healthcare records:

If the IO who has to grant a request for access to a record provided by a healthcare practitioner in his or her capacity as such about the physical or mental health, or well-being, of the DS or CP is of the opinion that the disclosure of the record to the DS might cause serious harm to his or her physical or mental health or well-being:

  1. the IO may, before giving access, consult with a healthcare practitioner who has been nominated by the DS or CP (if the DS is under the age of 16 years) or the court (if the DS is mentally incompetent)
  2. the IO may only give access if the DS proves to the satisfaction of the IO that adequate provision is made for such counseling or arrangements as are reasonably practicable before, during or after the disclosure of the record to limit, alleviate or avoid such harm to the DS
  3. the counselor must be given access to the record before the disclosure to the DS.


5. Access

The manner in which the DS must request access is regulated by sections 18 and 53 of the PAIA act.

A request for access to a record of a RP must be made to the RP concerned at its address, fax number or email address.

The DS must, at a minimum, provide sufficient particulars to the RP to enable the IO:

  1. to identify the record or records requested
  2. to identify the DS
  3. to indicate which form of access is required
  4. to specify a postal address or email of the requester in the Republic
  5. to identify the right the DS is seeking to exercise or protect and provide an explanation of why the requested record is required for the exercise or protection of that right
  6. if, in addition to a written reply, the requester wishes to be informed of the decision on the request in any other manner, to state that manner and the necessary particulars to be so informed
  7. if the request is made on behalf of a person, to submit proof of the capacity in which the requester is submitting the request, to the reasonable satisfaction of the IO.


6. Correction

If, in response to a request to confirm PI held by the RP, PI is communicated to a DS, the DS must be advised of the right to request the correction of information.

A DS may request a RP to:

  1. correct or delete PI about the DS in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully
  2. destroy or delete a record of PI about the DS that the RP is no longer authorised to retain.

On receipt of a request a RP must, as soon as reasonably practicable:

  1. correct the information
  2. destroy or delete the information
  3. provide the DS, to his or her satisfaction, with credible evidence in support of the information
  4. where agreement cannot be reached between the RP and the DS, and if the DS so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

If the RP has taken steps that result in a change to the PI and the changed PI has an impact on decisions that have been or will be taken in respect of the DS in question, the RP must, if reasonably practicable, inform each person or body or RP to whom the PI has been disclosed of those steps.

The RP must notify a DS who has made a request of the action taken as a result of the request.