Privacy and Data Handling

 1. Information governance

Copies of medical records and other relevant documentation can be sent electronically, on CD or in paper form (hard copy). These will be stored in a secure location, compliant with the 1998 Data Protection Act and the EU General Data Protection Regulations, until the conclusion of the case, or the end of my involvement in a case (whichever is sooner), whereupon the data will be destroyed. Data acquired from a consultation for an expert report is treated in the same way. Reports are sent securely to the instructing solicitor/other lawyer and are retained safely for 6 years, after which they are destroyed.

I am registered as a data controller with the Information Commissioner. My ICO registration number is C1472562.

2. Purpose of data storage and processing

I am provided with personal data about data subjects, by the legal teams that instruct me. This data is stored by me, and processed only in so far as it is required to enable me to offer expertopinion on the standard of practice of Ophthalmologists in two broad scenarios:

 1)    For the Court in civil litigation on behalf of the Claimant, and on behalf of the Defendant.

 2)    For the General Medical Council (GMC), and/or the Medical Practitioners Tribunal Service (MPTS) in the professional regulation of Ophthalmologists on behalf of the GMC, and on behalf of registered medical practitioners.

Data includes: demographic data, health records, witness statements from individuals involved in a case, opinions from other medical experts, and legal documents pertaining to the case. Health records may contain, in addition to information about health, information about race, ethnic origin, religion, sex life, and sexual orientation. The General Data Protection Regulation 2018 (GDPR) defines the data that I store and process as “Special Category Data”.

3. Nature of processing

•       The contents of the documents referred to above are scrutinised by myself only, for the purposes of considering the information contained within them insofar as in it relates to questions about standard of practice of Ophthalmologists

•       This information informs opinions provided by me in writing and orally to the Court, the GMC, the MPTS, and the legal teams involved in conduct of professional regulation proceedings and civil litigation

•       Parts of the aforementioned documents may be transcribed into documents (reports and letters)that I write for the Court, the GMC, the MPTS, and the legal teams involved in conduct of professional regulation proceedings and civil litigation

•       The whole of the aforementioned documents are scrutinised, as it is not apparent until they are scrutinised which parts of them contain relevant information. However, only relevant information is transcribed into, or referred to, in reports, letters and oral advice or evidence

4. Lawful basis

The law requires that I identify one of six categories of “Lawful Basis” for storing and processing data. The lawful basis for my processing and storage of data is: “Legal Obligation”. The InformationCommissioner’s Office (ICO) says that:

“Article 6(1)(c) provides a lawful basis for processing where: processing is necessary for compliance with a legal obligation to which the controller is subject.”

“Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So it includes clear common law obligations”

“This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.”

“You should be able to identify the obligation in question, either by reference to the specific legalprovision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations”

As an expert witness I have legal obligations to provide honest and impartial opinion to the Courts, GMC, MPTS, and the legal teams responsible for conducting civil litigation and professional regulatory matters. It is impossible to provide expert opinion without storing and processing the data, which means that such storage and processing is essential so that I can comply with my legal obligations.

The legal obligations of expert witnesses are clearly defined in law, including:

•       Civil Procedure Rules 1998(CPR) Medical Act 1983 together with the Fitness to Practise Rules 2004

•       The General Professional duties of an expert as defined by the GMC in Acting as a Witness in Legal Proceedings; and

•       Common Law obligations.

“Special Category Condition”

As the data is “Special Category Data”, the law also requires me to identify an additional “SpecialCategory Condition” for my storage and processing of the data. The “Special Category Condition” listed inArticle 9(2) of the GDPR that applies is:

“(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”

The draft UK Data Protection Bill defines ‘legal claim’ at Schedule 1, Part 3, Section 29 thus:

“Legal claim... This condition is met if the processing—

a)    is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

b)    is necessary for the purpose of obtaining legal advice, or

c)   is otherwise necessary for the purposes of establishing, exercising or defending legal rights”

It is my view that my work meets this definition.

5. Risk assessment

Risks associated with the loss of data are very small as all data that is stored and processed by me is also stored by other organisations. For example: a data subject’s health records will be stored byboth the healthcare provider that created the record, and the legal teams involved in conduct of theproceedings.

Unauthorised access to data may occur by deliberate attempt by an unauthorised person, or by an error onthe part of myself, for example sending a report to the wrong person

Deliberate attempts to access health records by unauthorised persons are rare in the healthcaresector. However, if unauthorised access did occur, the potential consequence of such a breach is great for the individual subject as health records contain extremely sensitive personal information.

Whilst unauthorised access to such information is unlikely to cause direct financial or physical harm to the data subject, it might cause great embarrassment, emotional distress, disruption to personal relationships, detriment to employability, and vulnerability to discrimination. In summary, the potential personal consequences for data subjects of a data breach involving health data are significant.

It is not possible to guarantee protection against unauthorised access to data by a determined third party acting outside the law. However, the measures described below represent accepted healthcare industry best practice in terms of protecting personal data and are likely to limit the possibility ofunauthorised access to a great degree.

Furthermore, they are proportionate, affordable and practical.

5. How data are stored

Data are only received in electronic format.

 Electronic documents are stored in one computer. This is protected by a password and /or biometric security at log-in.

 The data are continuously synchronised via a cloud service, which also stores a copy of each file on remote servers which are located within the UK in data centres that meet the ISO 27001 standard. The data is fully encrypted in transmission as well as in storage. If local data loss occurs, files can be restored from the remote servers.

 Health records are stored until either:

•       I am informed by the instructing legal team that the matter has concluded, or

•       2 years after the last activity on the file in that particular matter has expired, whichever is sooner.

This is because legal proceedings frequently experience long delays, and if records are destroyedsooner, this may necessitate copies being re-sent to me if I am asked to comment further at a later date. This would introduce additional risk of data breach in transmission.

 Documents that are created by me in the course of my processing of the data, for example letters andreports, are stored for 6 years from the date that the last document on file was created. I am personally liable for the opinions I give, and as such need to retain this work product in order todefend myself against potential claims.

5. How data are transmitted

Data are transmitted in one of two ways:

1)    Via the cloud storage service referred to above.

2)    Email, in which case files containing sensitive personal data are encrypted and password protected.

Data are not transferred outside the EU.

5. Access by data subjects

Should data subjects require access to the data I store about them, then this can be provided, free of charge. Data subjects should contact me to arrange this. For contact details please see my website: www.jonathanluckmedicolegal.org.uk

5. Accountability

If data subjects have any concerns about how their data is processed, they are invited to contact meto discuss this in the first instance. Alternatively, or if their concerns remain unresolved, they can contact theInformation Commissioner’s Office (ICO). Their contact details are:

Web: ico.org.uk

Tel: 0303 123 1113