Can Patients be Data Controllers?

The short answer is no! To find out why, please read on…

Data Controller is a legal term, used in the Data Protection Act and subsequently in the GDPR, for a role. The aim of the law is to increase privacy and extend data rights for citizens, in particular rights over the organisations that store and use our information (e.g. a bank in relation to its customers, a GP surgery in relation to its patients).

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

ICO guidance.

A private individual who stores computer files about themselves on their own computer is not subject to the DPA or GDPR. While they have literal ‘control’ over their data, they are not a data controller, as there is no need to protect the subject from themselves.

However, if the private individual chooses to store their files on a cloud-based file storage service (e.g. Dropbox), then they enter an agreement with Dropbox. Although the individual can control their files (by uploading, editing and deleting, via the software), they are not the data controller. Dropbox determines the purpose(s) for their service and the means (e.g. via servers in the U.S., using some form of software service). In this case, Dropbox is both the controller and processor.

In another scenario, imagine your GP surgery holds records about your visits. They do so in some form of electronic system, most likely run on their behalf by a technology firm. In this case, the GP surgery is likely to be the data controller and the specialist technology firm is likely to be a data processor. The patient remains the data subject.

In some cases, patients are given access to their medical records online (commonly known as a personal health record). Sometimes these systems allow patients to view their records and in other cases, they are given their own copy of the clinical records. Either way, until the record is downloaded to the patient/subject’s computer, it is held on a third party system (which the patient has access to). It is not relevant that the patient can access their records online, nor how much control the system’s functionality gives the patient. While their records are held by a third party, the patient/subject cannot be the data controller.
