GDPR laws do not apply to West Hampshire CCG, apparently
This is the twenty-first blog post regarding my NHS Continuing Healthcare hell. Having moved on to highlight failings in other organisations in this case, you may have thought that the worst was over when it comes to West Hampshire CCG. Sadly, that is simply not the case.
This blog post focuses on serious data breaches by West Hampshire CCG in their attempt to force an unlawful MDT to reassess my wife’s eligibility. This time, without our knowledge or consent.
In order to understand the circumstances for this sequence of events, we need to refer back to our second formal complaint regarding the January 2018 review. I detailed the nature of the CCG response in my ‘Done something wrong, CCG? Don't worry, just say it is "Local Governance Procedures"’ post. Due to the lies, omissions and misleading statements within the CCG response, on the advice of the PHSO, I submitted follow up questions to seek clarification, evidence and actual answers. West Hampshire CCG refused to answer them.
Roll on eight months. With the support of a data protection consultant, I submitted a subject access request (GDPR Article 15) to obtain the information for many of the questions I had submitted. Particular focus was on the following:
· Investigation records
· Reasoning for the review
· Accuracy of records
· The “guidelines” used in the January 2018 review
· Timeline of activities for the handling of our February 2018 complaint
· Funding agreement
Every request was backed up with references to local policies, law, NHS England policies and national guidelines. You can view the subject access request here.
The response was received in January 2019. Needless to say, the information provided did not answer the questions. This is where a detailed knowledge of GDPR comes in, and I very much thank my GDPR consultant for his support.
Having double and tripled checked with the CCG that there were no other records to share, on our behalf, our advisor informed the CCG that data had not been disclosed. He stated that this leaves two possible scenarios and/or combinations of same:
· The data referenced does not exist.
· GDPR Article 15 has not been complied with and access to the data has not been granted to the data subject by the CCG.
It was apparent that the data did not exist but the second option had to be formally mentioned.
As a result, we submitted a GDPR Article 18(1)(d) request for full restriction of processing of my wife’s data whilst the accuracy of the personal data held was verified. Under the Data Protection Act 2018, the CCG had one month to respond.
So what did the CCG say?
Again, with the support of our GDPR advisor, we contacted West Hampshire CCG on 21 February 2019, for the attention of the Head of CHC. This time, due to their failure to adhere to the GDPR Article 18 request, we submitted a GDPR Article 17(1)(d) request for the deletion of the November 2017 review report, the January 2018 review report and all related clinical information, on the basis that the processing of data was without a valid legal basis.
How did WHCCG respond?
AND IT GOT WORSE.
Not only did they refuse to respond the GDPR requests, they continued processing my wife’s sensitive personal data relating to the reviews. So much so, I was contacted by an administrator on 27 February 2019 stating he wanted to arrange an MDT to reassess my wife’s eligibility. It goes without saying, I stopped him in his tracks immediately by informing him that he was in breach of the law even having this conversation. The conversation was ended with the administrator needing to seek managerial advice.
Our GDPR advisor emailed West Hampshire CCG later that day. He made it very clear that the CCG were in breach of the GDPR Article 18 restriction, along with failing to acknowledge of GDPR Article 17 request. He informed them that processing must stop until a decision on the requests is made. He also reiterated the withdrawal of “all consent(s) given to do with the review process starting November 2017”, and that there will be “no problem with their data being processed once they are satisfied that it is accurate and that it is being done lawfully.”
How did WHCCG respond?
THEY IGNORED IT AND CARRIED ON.
AND IT GOT WORSE.
Internal emails, obtained in a subject access request (GDPR Article 15), show that they very much planned to carry on with the MDT, without our knowledge or consent. It was booked for 20 March 2019. The CCG had verbally agreed this with the social worker and the care agency. We knew nothing. Despite this, Ciara Rogers (Deputy Director of CHC) wrote in an email that our MP could be informed that we had been invited to the MDT. ABSOLUTELY NOT. The administrator stated he wanted to book it. We said he cannot. No dates mentioned. End of story. Or so we thought.
The CCG were still using the information from the reviews to conduct the MDT and they actively tried to get records from the care agency. Thankfully, the agency abided by my withdrawal of consent to pass on sensitive personal data to the CCG. Internal emails indicate this was the main reason that they eventually postponed the MDT.
Quite simply, West Hampshire CCG broke the law by continuing to process sensitive personal data while there were GDPR Article 18 (restriction) and 17 (deletion) requests and an even more explicit withdrawal of consent to process the review data until the GDPR requests were resolved.
To conduct an MDT in those circumstances, the CCG would have had to demonstrate an alternative valid legal basis and not use any of the information that they held. They did not. They simply ignored our basic rights.
As such, this blog post is a formal complaint to West Hampshire CCG for a serious data breach. The content of this blog is separate to our previous formal complaints to the CCG.
I will post their reply. Please feel free to comment on how you believe the CCG will respond.
I send most of my blog posts to the relevant organisations prior to publishing to provide them with the opportunity to inform me of any factual inaccuracies. This blog post was sent in advance and it has, as requested, be logged as a formal complaint.