Who is the 6.2cm tall man?
The story of Liam Thorp, a 32-year-old man with no underlying health conditions being offered a Covid vaccine early because his GP surgery thought he had a body mass index (BMI) of 28,000 made national headlines.
The data protection implications of this case have been unreported but are important to consider.
The inaccurate personal data could have led to someone receiving a jab before someone else more in need. Therefore, there could have been practical health implications for that person if their access to a jab was delayed because someone else received their jab in error.
For all organisations, the collection, use, and maintenance of accurate personal data can be critical to operating efficiently: whether you are providing services to people, recording their preferences, Giftaid status, or simply their contact details.
Breach of GDPR – part 1
Mr Thorp’s GP surgery had incorrectly recorded his height as 6.2cm rather than 6ft 2ins (188cm). Combined with his weight, this had given Thorp a BMI of 28,000 – roughly 1,000 times higher than the UK average – which would have made him morbidly obese.
Mr Thorp’s personal data was inaccurate.
The GDPR states that personal data shall be “accurate and, where necessary, kept up to date…”
The GDPR also states that “…every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
The surgery appears to be in clear breach of the accuracy principle.
In such cases, it’s easy to put it down to “human error.” Someone simply recorded the height inaccurately.
But this is not sufficient. Data protection law requires us to consider: what measures was the surgery, Data Controller, taking to ensure its handling of personal data was adhering to the accuracy principle? What reasonable steps was it taking to identify inaccurate data and rectify it without delay? Does it need to review its processes, procedures, and operational systems to prevent this sort of mistake from happening again?
How to improve data accuracy
What technical measures could their systems have had in place to help ensure staff recorded accurate data?
- g. a “minimum and maximum limit” on the height field – to alert the staff if a figure was recorded that was outside agreed parameters, and ask them to confirm if the “outlier” figure was accurate or to amend it.
- g. a “minimum and maximum limit” on the BMI field – to alert staff to BMIs outside of agreed parameters (this also poses the question of whether the BMI figure was created for the purpose of allocating Covid jabs, or was already on record. If it was already on record, why had it not been recognised and acted upon before?).
What organisational measures could have been in place to help ensure staff record accurate data?
- g. Staff training on the importance of recording and using accurate personal data. This can be especially important when it comes to giving staff the confidence to accurately record “free text” narrative notes and information about people.
- g. Annual audits of data accuracy. Such an audit might have flagged the anomaly of a 6.2cm height in the system.
Breach of GDPR – part 2
There is also the possibility that the surgery breached the “Data Protection by Design” requirements of the GDPR.
These state that organisations should “…implement appropriate technical and organisational measures…which are designed to implement data protection principles… in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR and] protect the rights of [people].”
Essentially: If the surgery had brought in their system after May 2018, the technical measures should have been considered, and could have formed part of the specification.
- Conduct an audit of data accuracy.
- Review and/or deliver staff training on data accuracy.
- Ensure the specifics for your next IT system consider data protection by design – and include technical measures to help ensure accurate personal data is recorded.