A recent decision of the Information Commissioner’s Office (https://ico.org.uk/) has confirmed a fear that has affected the UK (and not only the UK) for years, and that is the focus of discussions among the associations for the protection of clients/patients/data subjects.
The above document states that the British “Data Controller” experienced an anomaly concerning the possibility for patients to give their consent to the processing of personal data for purposes other than direct care …
In particular, in January 2014, HSCIC offered patients the chance to opt out of the use of their personal confidential information through the so-called “type 2 objection”, thus choosing whether to accept or deny the use of their confidential information for “uses other than direct care” …
The failure behind the incident was that the patient’s choice was not matched by a corresponding effect on the processing of that patient’s data.
In fact, the cause is attributable to a combination of technical issues and regulatory limits that in some cases prompted HSCIC to share information with third parties, confident that it could legitimately go against the wish of the patient.
The ICO states that “HSCIC was not able to collect, record or implement the type 2 objections registered by patients with their GPs” (GPs correspond essentially to the MMG).
The incident involved about 700,000 patients.
This example is similar to the separate waste collection procedure introduced in certain Italian cities before waste disposal sites existed … but this transition can go on for years … for personal data protection this approach is unacceptable …
Following the direction of the Secretary of State on health issues (Direction to HSCIC of April 15, 2016), certain regulatory preconditions have been created in order to implement the opt-out requests of patients.
However, the ICO has adopted a measure divided into 7 points against the above-mentioned conduct of HSCIC.
In essence, the ICO requires HSCIC to remedy, within 3/6 months (this does not refer to a range of time but to different measures with different timings), the conduct which violated the Data Protection Act,
through the adoption of procedures that implement the “type 2 objection”, through reporting the illegality of patient data collected between 2014 and 2016 to those with whom it has been shared, and through the destruction of the databases affected by the unlawful conduct.