
Part of Data Security Standard 1 - Personal confidential data

Individuals’ rights are respected and supported (1.2)

Individual rights (1.2.2)

Individual rights under UK GDPR

UK GDPR provides the following rights for individuals:

  1. The right to be informed (see evidence item 1.1.3)
  2. The right of access (see evidence item 1.2.3 below)
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Your organisation must have a policy and procedures in place documenting how an individual can exercise their rights. This may be captured in a single policy or it may be separated out, for example you may have a separate subject access request procedure. Instructions for individuals of how to make a request must be made available to them, such as through privacy notices.

The right to rectification

People have a right to rectification if you hold inaccurate factual information about them. Depending on the purposes of processing, people also have a right to have incomplete personal data completed. Holding inaccurate information would likely be a breach of UK GDPR. However, care needs to be taken when amending any information from health and care records. This is because it may have been viewed and relied upon for a decision. The IG portal contains further guidance on amending patient and service user records.

The right to erasure

The right to erasure allows an individual to request removal or deletion of personal data. This right only applies in certain circumstances. You can refuse to comply with a request for erasure of personal data if processing is necessary:

  • to comply with a legal obligation
  • to perform a task in the public interest
  • for individual health and care purposes
  • for reasons of public health
  • where erasure is likely to seriously impair or prevent scientific research from achieving its objectives

For more information on where the right to erasure does not apply, please refer to the ICO guidance.

These are legal bases for most processing in health and care so it is unlikely that the right to erasure will apply to health and care records. An example of where it may apply is if an individual supplies details of their circumstances, such as their patient story, to be used as promotional material. The individual may change their mind and ask for you to delete the information you have been provided. It is important to note that if the information has already been published online, although your organisation can remove copies it holds and will make reasonable efforts to request the same of other controllers processing the data (such as social media providers), the nature of the internet is that a copy may persist elsewhere. This should be made clear to the individual at the point they provide consent for you to use their story.

The right to data portability

The right to data portability allows people to obtain and reuse their data across different services, for example from one IT system or application to another.

The right only applies if the personal data has been provided by the individual, where the lawful basis under UK GDPR is either consent or for a contract with the data subject, and the processing is by automated means. This right is therefore mainly likely to apply to organisations providing services directly to patients and service users through an app or online platform. Information must be provided within a month.

The right to object

In certain circumstances, UK GDPR gives individuals the right to object to the processing of their personal data. Your organisation must have procedures and processes in place which ensure that when individuals make objections to processing, they are duly considered and responded to. The right to object applies to situations where you process data for:

  • the performance of a task carried out in the public interest, or
  • your or a third party’s legitimate interests

For direct marketing purposes, the right to object is absolute. Where data is processed for scientific or historical research, or statistical purposes, the right to object is more limited.

It is unlikely that an objection would be upheld where the data is processed for individual care, but each request must be considered on a case-by-case basis. However, it is important to note that there are other routes by which an individual can object to processing.

Rights in relation to automated decision making and profiling

Individuals have the right not to be subject to a decision solely based on automated processing that results in a legal effect on them or significantly affects them in some other way, such as in the way they receive care. UK GDPR defines 'profiling' as any form of automated processing of personal data to evaluate certain personal aspects of an individual, especially to analyse or predict certain things, including health.

One area where this could arise is the use of AI. However, at the moment health and care professionals usually make the final decision, as set out in the AI guidance on the IG Portal. Similarly, data used for risk stratification is likely to be reviewed by a human health and care professional before a decision is made, so this is not considered automated decision making.


Subject access requests (1.2.3)

UK GDPR gives individuals the right of access to their personal data from any health and care organisation that holds records on them. This right is commonly referred to as a ‘subject access request’ (SAR).

You must ensure that your organisation has a procedure that allows individuals to be provided with a copy of the data where requested, along with information about the processing.

For practical guidance on responding to SARs, including the procedures you must follow, the necessary timescales, and the situations in which they can be refused, see the guidance on the IG Portal.

It should be noted that organisations are no longer required to submit FOI information for the purposes of the DSPT; however, this does not negate or diminish the organisation's FOI obligations. For more information, see the ICO's guide to freedom of information.


National data opt-out (1.2.4)

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of data that identifies them for research or planning purposes.

This does not apply to anonymous data, such as statistics of how many people received a specific treatment. You must ensure that you have a mechanism to apply any opt-out decisions to relevant datasets. Find out detailed information about how to implement the national data opt-out.
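The following is an added illustration of what such a mechanism has to get right; it is not code from this page and not NHS England's own opt-out service. It assumes, which the page does not state, that records and the opt-out list are keyed by NHS number, that the caller names the purpose of a release so the filter is applied only for research and planning, and that identifiers are validated with the standard NHS number modulus 11 check digit before matching. All NHS numbers and records below are constructed for the example.

```python
"""Applying national data opt-out decisions to a dataset before release.

Illustrative example only (not NHS England's implementation). Assumed here:
records are keyed by NHS number, the opt-out list is a set of NHS numbers,
and the caller states the purpose so the opt-out is applied only for
research and planning, never to direct care or to anonymous aggregates.
"""
from collections import Counter

# Constructed sample data: NHS numbers made up from the 999 range for this example.
# Identifiers deliberately appear in several formats (spaces, dashes, plain).
RECORDS = [
    {"nhs_number": "999 000 0018", "treatment": "hip replacement"},
    {"nhs_number": "9990000026", "treatment": "hip replacement"},
    {"nhs_number": "999-000-0034", "treatment": "cataract surgery"},
    {"nhs_number": "9990000042", "treatment": "cataract surgery"},
    {"nhs_number": "9990000050", "treatment": "hip replacement"},
]

# Constructed opt-out list; one entry is formatted with spaces to show why
# both sides must be normalised before comparison.
OPT_OUT_LIST = {"999 000 0026", "9990000034"}

# Purposes the national data opt-out applies to (assumed labels for this example).
OPT_OUT_PURPOSES = {"research", "planning"}


def normalise_nhs_number(value):
    """Strip separators and validate the NHS number's modulus 11 check digit.

    Returns the canonical 10-digit string. A malformed identifier raises
    ValueError rather than silently failing to match an opt-out entry.
    """
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) != 10:
        raise ValueError(f"NHS number must have 10 digits: {value!r}")
    # Weights 10..2 over the first nine digits; check digit is 11 - (sum mod 11),
    # with 11 mapping to 0 and 10 meaning the number is invalid.
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10 or check != int(digits[9]):
        raise ValueError(f"NHS number fails check digit: {value!r}")
    return digits


def apply_opt_out(records, opt_out_list, purpose):
    """Return the records that may be used for `purpose`.

    The opt-out is applied only to identifiable data used for research or
    planning; any other purpose (for example direct care) returns all records.
    Identifiers are normalised on both sides so formatting differences cannot
    let an opted-out record slip through.
    """
    if purpose not in OPT_OUT_PURPOSES:
        return list(records)
    opted_out = {normalise_nhs_number(n) for n in opt_out_list}
    return [r for r in records
            if normalise_nhs_number(r["nhs_number"]) not in opted_out]


def treatment_counts(records):
    """Anonymous aggregate: how many people received each treatment.

    No identifiers leave this function, so the opt-out does not apply and the
    figures are computed over the full dataset.
    """
    return dict(Counter(r["treatment"] for r in records))


if __name__ == "__main__":
    print("research release:", len(apply_opt_out(RECORDS, OPT_OUT_LIST, "research")))
    print("direct care:", len(apply_opt_out(RECORDS, OPT_OUT_LIST, "direct care")))
    print("aggregate:", treatment_counts(RECORDS))
```

The points worth carrying into a real implementation are the three branches: identifiable data for research or planning is filtered, direct care is not, and aggregate statistics are produced without identifiers from the full dataset. Rejecting malformed identifiers matters because an opt-out that fails to match is indistinguishable from no opt-out at all.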


Last edited: 21 May 2024 10:27 am