HSC has revealed the "immense pressure" staff are facing in dealing with Data Subject Access Requests, under data protection laws brought in a few years ago.
It comes after the department was again reprimanded by the Office for the Data Protection Authority for breaching data access rules.
The ODPA said that a person made a data subject access request to the Committee for Health and Social Care, requesting a copy of their personal data. While HSC provided some of their personal data in response to their request, the person was concerned they had not been given everything that they were entitled to receive.
They raised a complaint with the Data Protection Authority and an investigation found that HSC had "failed to consider all relevant filing systems and electronic databases when it searched for the individual’s personal information".
This meant that information the complainant was entitled to was not provided to them.
The ODPA also said that the records created by HSC of the searches for personal data were inadequate, meaning "HSC was unable to demonstrate that reasonable steps had been taken to comply with the request".
Separately, the ODPA said HSC also failed to comply with an Information Notice issued by the Authority within the required time period. As a legally binding notice this required HSC to provide information to the Authority to assist in this investigation.
The ODPA said this is the second public statement by the Authority relating to a matter where information was missed by HSC in a subject access request, and deadlines were not met. An earlier investigation saw HSC ordered to improve such search processes.
Pictured: The Committee for Health and Social Care has been reprimanded by the Office for the Data Protection Authority.
The Authority said it has concerns that this is the second Order against HSC requiring improvements in processes relating to data subject access requests. As a result, we are calling upon HSC to elevate their efforts to ensure that implemented measures are effective.
"We accept the findings of the ODPA," said a spokesperson for HSC, in response to the ODPA's statement.
"It is a matter that we take seriously, and we are proactively working on the recommendations as part of health and social care transformation as well as our cycle of continuous improvement.
"While we recognise that it is important for data subjects to get information in a timely manner it would be remiss of us not to highlight the immense pressure HSC is under in this area, as the volume of Data Subject Access Requests (DSARs) has more than doubled over the last two years.
"These requests are often particularly complex and span an individual's entire lifetime.
"We are reviewing how to meet this demand going forward, including expanding our resource capability to best meet our legal obligations."
As a result of the breach, the ODPA has imposed an Order against HSC, requiring that it carry out further searches for the person’s personal data, and provide them with a copy of everything that they are entitled to receive.
Additionally, the Order requires that HSC put in place measures to identify all the relevant filing systems and electronic databases which may need to be considered when conducting a search for personal data.
The Order also requires that within three months HSC should implement improved processes to ensure compliance with future data subject access requests and confirm to the Authority that this has been done.
A Reprimand has also been imposed against HSC in respect of its failure to comply with an Information Notice within the required timeframe.