Skip to 0 minutes and 3 secondsTRIX MULDER: The GDPR provides for several rights for data subjects, such as Anna. This includes transparency of information and communication, provision of information, right of access, right to rectification, right to erasure-- also referred to as the right to be forgotten-- right to restriction of processing, right to data portability, right to object, and right not to be subjected to automated decision making. A patient in a medical context also has these rights. However, they work differently in practice, where sometimes decisions are left to the discretion of the doctor. This goes, for example, for the right to rectification, the right to erasure, and the right of access. Access means that the person may access the personal data processed about him or her.

Skip to 0 minutes and 51 secondsAnna has the right to access her patient file, but it is left to the discretion of the doctor to withhold certain information if this is in the interest of the treatment. Think of situations concerning mental health of a patient or of randomised, controlled trials, which use placebos for the control group. In accordance with right to rectification, Anna can request the doctor to rectify inaccurate personal data in her file. So if her address is wrong, which it was, she can ask to rectify this information. If, however, it concerns medical information, this is, again, left to the discretion of Anna's doctor, because she is ultimately the medical expert.

Skip to 1 minute and 27 secondsAs regards to right to erasure, the doctor has the same discretion, because some of the data in Anna's patient file might be of importance for future treatment. On the other hand, some of the rights provided by the GDPR work in the same way, whether it is inside or outside the medical context. If a data subject provides personal data to a controller, the right of data portability offers the data subject, in some cases, the possibility to get the information back from the controller. This means that Anna can only receive the data provided for by herself.

Skip to 2 minutes and 0 secondsThe analysis based on this data does not fall under the rights of data portability, meaning that conclusions drawn by Anna's doctor, based on her data, fall outside the scope of these rights. These were the most relevant rights of data subjects as regards health data. If you want to learn more, please follow the next steps.

Rights of data subjects in a medical context

The GDPR provides for several rights for data subjects whose data are being processed. This includes:

  • Transparency of information and communication;

  • Provision of information;

  • Right of access;

  • Right to rectification;

  • Right to erasure (the right to be forgotten);

  • Right to restriction of processing;

  • Right to data portability;

  • Right to object;

  • Right not to be subjected to automated decision making.

Within a medical context it is however sometimes left to the discretion of the medical professional to withhold certain information if it is in the interest of the treatment because he or she is ultimately the medical expert. Furthermore, medical professionals generally make an analysis based on a patient’s health data. These analyses are conclusions drawn by medical professionals and as such do not fall under personal data protection. Data subjects thus enjoy the same rights within and outside the medical context, however, these rights might work slightly differently in those different contexts. We will explore the rights of data subjects more in the next step.

Share this video:

This video is from the free online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

University of Groningen

Get a taste of this course

Find out what this course is like by previewing some of the course steps before you join: