Scanning of Paper Medical Records
We have come across a number of cases recently where the transfer of paper records to digital form has caused difficulty in defending claims. This is especially so where CTG traces are involved. Sometimes the originals are destroyed and this is a serious problem if the scan is not perfect. Sometimes traces are sliced in order to ease scanning. Reconstituting such traces for litigation purposes is fraught with difficulty because parts can be lost, and even if all the original components are retained the process of putting them together can be time-consuming and costly. The courts will usually place a negative interpretation on such problems from the defendant’s perspective – in other words any ambiguity or loss of data caused by the process will be interpreted against the defendant. That can be very expensive for the NHS in birth-damage cases.
There follows a helpful analysis of the position by our panel solicitors, Bevan Brittan, and we are grateful to them for permission to reproduce it (in slightly abbreviated form) for Resolution Matters:
Any organisation which “processes” personal data (which includes obtaining, holding or carrying out any set of operations such as adaptation or alteration of the information, retrieval, consultation or use of the information, or indeed erasure or destruction of data), must comply with the eight principles of good practice set out in Schedule 1 Part 1 of the Data Protection Act, 1998 (DPA). Trusts will be considered the data controller for their medical records.
In accordance with Principle 7 of DPA, the data controller has a duty to provide “appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The Act does not provide a standard set of measures which need to be put in place, but what is expected is that the data controller will assess any risk and ensure both a level of security and technical measures appropriate to the harm which may result. Consequently, whilst there is no specific legislation preventing an organisation from slicing and uploading large paper records as part of a digitisation process, there is a legal duty imposed on Trusts to be responsible for those records – to ensure that they are secure and that there is no inadvertent, accidental or malicious amendment, change or deletion.
There are very clear potential risks to patients should there be any change to patient information, and Trusts should be alive to those risks and potential liabilities.
Potential Liability Issues
Should a patient suffer harm as a result of an inadvertent, accidental or malicious change to any health information/record, or merely because that record did not upload with the same clarity as the original (as a result of it being sliced and uploaded) then that individual would be entitled to bring a claim against the Trust. It is unlikely that ‘harm’ would be interpreted as extending to cover the prejudice of not being able to prove a claim in negligence but this is theoretically arguable. It is more likely, in keeping with recent judicial comment, that any lack of clarity due to the digitisation process would be interpreted in the claimant’s favour.
Section 13 of the DPA clearly states that –
- “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage”.
Therefore claims for compensation could be directed against the data controller – if the claimant was able to argue successfully that the Trust wilfully contravened Principle 7 of the DPA (Schedule 1, Part 1) in connection with this known issue arising from the digitisation programme.
Trusts could also leave themselves exposed to the risk that individuals may report them to the Information Commissioner should they subsequently request / have sight of their records and feel that the DPA has been breached. The Information Commissioner is able to impose monetary penalties on data controllers where:
- There has been a “serious contravention” of one of the DPA’s Principles; and
- It is of a kind likely to cause substantial damage or substantial distress and either (i) the contravention was deliberate, or (ii) the data controller knew or ought to have known that there was a risk that contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the contravention.
The Information Commissioner has issued fines and, moving forward, once the General Data Protection Regulations take effect in May 2018, monetary penalties are likely to be significant.
Other issues to consider more widely with regard to digitisation –
The same minimum retention period applies to computerised as to paper records. The retention schedules for different types of records are set by the Department of Health. After the end of the relevant retention period, systems should be in place to ensure that records are safely destroyed in a secure way so that obsolete records are not inappropriately retained.
Care needs to be taken to prevent corruption or deterioration of the data stored on computer.
Future migration of data will need to be considered as equipment and software become obsolete.
To satisfy DPA principles, Trusts need to ensure that they have good information handling systems in place:
- They must take appropriate technical and organisational measures to prevent the unlawful processing or disclosure of data.
- They should ensure that there are appropriate security measures in place to protect data (records) and prevent unauthorised access.
- Depending on the digitisation process, Trusts will need to consider where the scans are stored – will there be a central location, or will they be uploaded locally? This in turn may give rise to a need to ensure that there are appropriate encryption and safeguards to prevent sensitive data being inappropriately available if equipment is stolen, for example. Trusts should already have appropriate procedures in place for the destruction of equipment.
- Trusts should consider which staff have access to the records and to what degree.
- There must be safeguards in place within the digitisation process to ensure records are uploaded and assigned to the correct patient.
- There should also be safeguards in place to ensure that those accessing the system cannot amend records unless the time, manner and author of any change are captured.
If digitised records need to be disclosed, for example in response to a subject access request or in Court proceedings, Trusts must be sure that they are able to locate and provide the required information. Importantly, if a personal injury action is brought against a Trust, inappropriate destruction of records or steps which have inadvertently affected the content of the records could severely prejudice the ability of the Trust to defend a claim. If a Trust is unable to respond appropriately to a DPA request, for example, an individual may bring a complaint to the Information Commissioner with the subsequent risk of a financial penalty.
We are not suggesting that Trusts should halt plans for digitisation, which has benefits in terms of cost, reduction in administration and storage requirements, and quicker access to information. However, they must be aware of the risks which digitisation may entail, give appropriate consideration to them and weigh them effectively.
Trusts need to ensure an adequate level of protection against unlawful, malicious or accidental loss, destruction or damage to personal data.
Each Trust should risk assess this issue and balance the likelihood of claims, as well as consider whether there are any “fixes” which could be reasonably applied to the system. Trusts may wish to ask themselves whether the risk and cost of attempting to defend a cerebral palsy claim many years down the line with a digitised record are greater than the advantages of digitisation of CTG traces.