
Part of IG framework for integrated health and care: Shared care records

Appendix 4: Individual rights

The following provides further information about individual rights in UK GDPR.



The right to be informed

The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing individuals with clear and concise information about what you do with their personal data. (Articles 13 and 14 specify what individuals have the right to be informed about.)


The right of access

Individuals have the right to access their personal data; a request to do so is commonly referred to as a subject access request (SAR). Responses to these requests should typically be made within one month (however, there are circumstances where an extension may be sought). Consideration is needed if the request includes information about others. The ICO has produced a Code of Practice for SARs. Further information on SARs is also available on the NHS England information governance hub.


The right to rectification

Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete. These requests can be made verbally or in writing and organisations have one calendar month to respond. In certain circumstances, organisations can refuse a request for rectification. (Note, this right is closely linked to controllers' obligations under the accuracy principle of UK GDPR [Article 5(1)(d)].) The following relevant statements from the NHS Constitution (2013, 2015) and how this right may be applied should also be noted:

“You have the right to have any factual inaccuracies corrected. Ask your health professional about amending your records if you believe they contain a factual error.”

“There is no obligation to amend professional opinion; however, sometimes it is difficult to distinguish between fact and opinion. Where you and the health professional cannot agree on whether the information in question is accurate, you can ask that a statement is included to set out that the accuracy of the information is disputed by you” (page 56, The Handbook to the NHS Constitution 2013).

The NHS England Template Data Sharing and Processing Agreement defines a process that can be adopted for communicating rectifications of personal and special category information between organisations.


The right to erasure

Individuals have a right to have certain personal data erased, commonly known as “the right to be forgotten”. The right to erasure only applies where data is processed under consent.

This request can be made verbally or in writing. Organisations have one month to respond to a request. This right is not absolute and only applies in certain circumstances. The NHS European Office explains that “the right to be forgotten and erasure of data does not apply to an individual’s health record, or for public health purposes or research purposes.” Health and care professionals may advise patients or service users that certain data cannot be removed because it allows continuity of care for their wellbeing.

Relevant exemptions to this right include:

  • if the data collection took place to comply with legal obligations
  • the exercise of official authority
  • in the public interest relating to public health

A general public interest exemption also exists for archiving purposes in the public interest, and for scientific research and statistical purposes as well.


The right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data. This request can be made verbally or in writing. Organisations have one calendar month to respond to a request. This is not an absolute right and only applies in certain circumstances. When processing is restricted, organisations are permitted to store the data but not use it. This right has close links to the right to rectification (Article 16) and the right to object (Article 21).


The right to data portability

This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure manner, without affecting its usability. This right only applies to information that the individual has provided to the controller.

The right to portability applies if the data processing is automated and the legal justification is consent. Where the organisation’s lawful basis is public interest (task), the right to portability does not apply.


The right to object

Individuals have the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. They can make this objection verbally or in writing and organisations have one calendar month to respond to an objection. There are other cases where organisations can continue processing the data, if they show that they have a compelling reason for doing so.


Rights in relation to automated decision making and profiling

The UK GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement), and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Article 22 of the UK GDPR has additional rules to protect individuals if organisations are carrying out solely automated decision-making that has legal or similarly significant effects on them. These types of effect are not defined in the UK GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision. 

There are exemptions, such as where automation is in accordance with another law, where the automation is necessary for entering into or performing a contract between the individual and pharmacy contractor, or when the individual has given their explicit consent.


Last edited: 5 May 2026 4:20 pm