Be careful out there…
Much of our outsourced DPO work takes place in the health sector and we look after over 40 health related organisations.
Part of this work involves giving advice around third party Subject Access Requests. These come about, commonly, where there is a legal or insurance issue and the individual gives his/her permission for a solicitor or insurance company to contact the hospital or medical practice on their behalf to receive the relevant details from their health record.
However, we have been surprised and alarmed by how many requests are being received for the WHOLE medical record of the individual, even for seemingly simple leg/arm/shoulder trauma issues.
We are becoming familiar with our right to expect that the personal data we give in order to purchase a service or an item will be limited to the minimum information necessary for the transaction to take place. The same care does not always seem to be taken with these scatter-gun third party requests.
Our concern is that the solicitor or insurance company may have sensitive personal data that is totally extraneous to the purpose for which it is requested. This data may reveal other things about our state of health, which we might otherwise think twice about releasing: high blood pressure perhaps, a heart defect, a diabetic or asthmatic condition, our mental health, a long-past prescription for anti-depressants. Such information would be very useful to companies making actuarial calculations about pensions, mortgages, life insurance policies and loans etc.
But surely, such companies will only select the data needed for the declared immediate purpose and will disregard, and securely dispose of, any sensitive personal data not otherwise relevant. They would never dream of processing your most sensitive data for an undeclared secondary purpose? They wouldn’t, would they?
Mind how you go now…