Can the right of access to the medical record also mean access to the data of the professionals who have accessed it?
The Council for Transparency and Data Protection of Andalusia has ruled on whether patients who exercise their right of access, recognized in the General Data Protection Regulation (GDPR), should be given information on the identity of the healthcare professionals who have accessed their medical records.
In its analysis, the Council starts from the fact that the right to access the information contained in the medical record is regulated by Law 41/2002, which does not include the possibility of “knowing the identification data of healthcare professionals who have accessed this file”.
The question at this point would be: does the GDPR allow this when it regulates the right of access from a data protection point of view?
To answer the question, the Council refers to the Judgment of June 22, 2023, of the Court of Justice of the European Union, in case C-579/21, which stems from a procedure initiated by a private individual who sought to know, after exercising the right of access, the data of those who had consulted his data at his bank.
In this judgment, the CJEU reached the following interpretations of the right of access:
- Both the concept of “information” and the concept of “processing” in the GDPR and, in particular, in the regulation of the right of access, must be interpreted broadly, encompassing “all kinds of information, both objective and subjective, in the form of opinions or assessments, whenever they are ‘about the person in question’”.
- As a result of the foregoing, it is understood that the right of access grants the data subject the right to obtain a “wide range of information” about the processing of their personal data. Since the right of access is primarily intended to allow the data subject to know and verify the lawfulness of the processing, limiting its exercise means limiting the data subject's ability to assess the lawfulness of the processing of their data and, consequently, the ability to exercise the prerogatives provided for in the regulations.
- The right of access includes information about the recipients of personal data, although the employees of the data controller (in this case, healthcare personnel) cannot be considered “recipients” in application of the concepts of the GDPR. However, their identity could constitute information that would allow the data subject to verify the lawfulness of the processing to which their data were subject and, in particular, to ensure that the processing operations have actually been carried out under the authority of the data controller and in accordance with its instructions.
- In the event of a conflict between, on the one hand, the exercise of the right of access, which guarantees the effectiveness of the rights the GDPR recognizes to the data subject, and, on the other, the rights and freedoms of others, the rights and freedoms in question must be weighed against each other.
After the above considerations, the CJEU concludes by considering that the right of access “does not enshrine in principle the right for the patient to obtain from the person responsible for the treatment of their medical record information relating to the identity of the healthcare professionals who carried out operations to consult said history, unless such information is essential to allow the patient to effectively exercise the rights conferred on him by the GDPR and always on the condition that the rights and freedoms of those who carried out the above-mentioned consultations are taken into account.” For example, the right of access may prevail in cases of suspected access to the medical record by unauthorized personnel or for illegal purposes, in application of data protection principles.