To ask Her Majesty's Government who owns the (1) information contained in patients’ health records, and (2) health records themselves; and who is responsible for (a) the use of information contained in patients’ health records, and (b) access to the health records themselves.
The Data Protection Act 2018 gives effect to The General Data Protection Regulation (GDPR) introduced in May 2018. The GDPR provides rights in relation to the control of data, rather than referring to ownership.
The organisation that creates a health record is responsible for the use of information in the record and determines who has access to it and that any access is lawful. In addition, under the national data opt-out an individual has the right to opt out of their data being shared beyond their direct care, and under Article 21 of the GDPR, an individual has the right to object to the processing of their personal data under certain circumstances.
Every organisation is required by law to maintain the original medical record of patients and must safeguard it from loss, damage, alteration and unauthorised use. Every organisation handling personal data must comply with the GDPR when processing patients’ personal data and is accountable for its own compliance and risk management strategies and decisions.