NHS records and GDPR

[Tuesdayquery]

Can anyone offer advice on the following scenario please.

Person (not me) posts a comment on a social media thread about a doctors surgery and the service they receive when trying to get an appointment. The post states they can always get an appointment but the receptionists are rude. Person gets a shitagram letter from the surgery about the post. The social media username is a variation of their real name but not in full so they have made an assumption (whilst correct) that it was them.

My question is, is this the correct use of their systems/personal records as this wasn't for a medical reasons.

IPCO will be contacted for advice but wondered if anyone had an idea here tonight.

Of course it is. I'm not a solicitor but even I know you're being ridiculous.

Did the surgery already have the social media handle in question? If not, how many patient records have they combed through to try and find the correct patient?

The surgery are processing the patient's data to provide medical care. They shouldn't be using it to try and track down who has left bad feedback on Facebook, let alone sending out letters. Yes, they've abused their position by tracking the reviewer down through their medical records. They've probably trawled through a fair few other people's records to try and find the right person - again, abusing their position.

The ICO may be interested. However, they have been inundated with complaints since the law changed (although this would still be illegal under the old law) so if you do complain don't expect to hear back from them quickly.

Sorry you think I'm being ridiculous Velvet. It was only a question and my opinion was the same as Enough.

Thanks for your reply Enough. No they wouldn't have know the username. I can't believe it's good use of NHS time and money let alone records on a bad review.

Could it be that she was rude to the receptionists / made a similar comment on the phone and that's why they've sent the letter?

Information collected on the basis of vital interests (which would apply to medical data) can be processed for other purposes in some circumstances. This is also true if information was collected on the basis of legitimate interest or contract. However, if data was collected on the basis of consent or legal requirements it can only be used for the purpose for which it was collected. As I say, I expect the surgery would class their records as being held under vital interests.

For this particular processing to be allowed they would need to show that it was compatible with the original purpose. Without knowing more details it is impossible to say for sure. It sounds like it probably isn't compatible, in which case this was a breach (although I doubt the ICO would regard it as a particularly serious breach).

I don't think so. On the thread the surgery took a right battering. Would be interesting to know if others had received a letter. I'm stunned they bothered to be honest. Can you imagine if anyone gave a bad review of a hospital they accessed your records and sent you a shitty letter? It's bizarre.

Thanks Bridge.

Happy to hold my hands up and admit I must be wrong. I really can't get my head around it though. I would've thought it was more than a reasonable use of an address for a service provider to send a letter advising to stop criticising or go somewhere else.

I don't think they've done anything wrong under GDPR. If they'd sent the person a Facebook message, making the assumption they were the patient, there could be a breach if they had included personal information.

However, from a PR/ customer service perspective, this wasn't the best way to handle it. It would have been better for the Drs surgery to comment on the post and advise the patient how they could go about making a complaint if they were dissatisfied.

You would probably be more successful complaining to the practice manager than the ICO: I very much doubt that this letter has been sanctioned by them. As prh47 said, a change in purpose has to be compatible with the original purpose - unless there's other information you're not providing, this doesn't appear to be compatible and a data subject must be notified of a change of purpose that isn't compatible.

Leaving aside the data issues, GP surgeries are entitled to remove a patient from their list if there has been a breakdown of the doctor-patient relationship. If you've reached the stage of slagging the surgery off online and receiving snottograms in return, perhaps you can see the doctor-patient relationship has broken down and perhaps it would be worth you taking the initiative to find a new surgery?

Leliana

Thank you for your reply but that wasn't the point of my post. As I said, this isn't me but thank you for your suggestion. I think the issue was the customer service offered by the receptionist and not the medical staff.

Out of curiosity, what did the letter say? You're entitled to your opinion surely?

I work at a GP surgery and handle some of the GDPR stuff.

It's slightly vague legislation, but I don't think that there has been a GDPR breach.

The surgery has the right to use personal data (including the patient's address) for the provision of healthcare. In fact, healthcare has some separate provisions under GDPR but I digress. Breakdown of the Dr-Patient relationship and addressing that is part of the provision of healthcare and as such I can't see that this is anything the ICO would be interested in.

As an aside, unless any discussions are part of a closed group, we ALWAYS find out about social media discussions. Friendly patients usually feed this stuff back to us (good and bad) and remember we live and work in the local community. We don't particularly mind about this, but IMO it is cowardly and rude to name specific individuals where there is no right of reply. If there's an issue, complain to the PM, move surgery, whatever. But slating named individuals in public is beyond the pale when they can't answer back.

And whilst it would never affect any healthcare we delivered we would have no hesitation in refusing optional / non-contractual work (insurance medical form, travel cancellation, letter for the gym etc) and can do this for whatever reason we choose (actually we don't have to give a reason - we just say no thanks). So it's always better to sort things out in a decent manner - in general GP surgeries (including receptionists) are decent people who are working under intolerable strain and limited resource and do not set out to be difficult.

Well said, @ewhittaker.

Pretty below the belt thing to do - to criticise the poor receptionists on line. Perhaps go round with a bunch of flowers and apologise to them. It always pays to be nice in life.

Thank you for those who replied especially with some sort of useful content.

For the final time guys, this is not me so no I won't be buying a bunch of flowers for anyone in this situation.

It was also not a personal comment about a named person. It made mention of "some of the receptionists being rude on occasion" and was in response to a community request for opinions and recommendations on local Dr surgeries.

It's now come to light that letters have gone out to others on the FB Page but not all of them.

Obviously social media is massive now but if you can't give an honest view on service you have received from somewhere then we live in a sad world. We all rely on reviews at some point and have probably all given negative ones and this is no different.

The NHS Constitution actually makes providing feedback a patient responsibility. Admittedly slagging the practice off in a private FB group doesn't really fit within that definition, but the practice is absolutely bang out of order to be trying to shut this down. I would provide the feedback again through more official channels - NHS Choices and Care Opinion. This would also provide the practice with a right of reply.

"if you can't give an honest view on service you have received from somewhere then we live in a sad world. We all rely on reviews at some point and have probably all given negative ones and this is no different."

Sure, and in most areas there is a right of response (eg Tripadvisor) where the other party can explain their side of the story. The surgery is obviously unable to do this publicly (due to confidentiality issues) and have chosen to address it in the only way available to them, which is to to write to the people involved.

It's impossible to say much more without knowing the tone and content of the letter, but I'm sure you don't think that people should be able to say anything they want publicly with total impunity (true or not) and without being able to be challenged about it?

To post the letter would be massively outing for the person involved so I'm sorry that's not going to happen.

I asked a question and got some helpful replies and then some MN replies which are expected I suppose

There's no need to be defensive, it wasn't a request for you to post the letter, just an explanation of why the surgery's actions MAY have been reasonable given the limited information you have provided....