I fully understand your friends' concern.
When I was young and stupid (aren't we all), I racked up four DUI charges. The unfortunate thing is that even though the last offence was well over 30 years ago, the charges are all permanent and to this day, still show up on my driving record. Despite the fact that I paid the penalty and haven't offended in over 30 years (in fact the only infringement in that time is one parking fine about 26 years ago), my driving record still prevents me from doing certain types of work. In short, it's a bloody joke - so yes, I understand your friends' concerns.
So with that said, I'm not a lawyer, but I have some thoughts about data retention that may or may not be helpful.
1. Data retention should always apply to individual events, not records as a whole. To explain - if an event is recorded in 2000 and the retention period is 10 years, then that event should be removed in 2010. If another event is recorded in 2008, then that should NOT stop the first event from being removed 2 years later. This is how criminal records work. If you are convicted of an offence that qualifies for automatic removal from your criminal history after a set period, then committing any offence at a later date does not change this - the initial offence will still be removed. So the first thing to understand is that data retention should always be "dynamic" and not "static" in operation, applicable to "events", not "records" as a whole. In simple terms, think of events as food. You have cans of food ("events") stored in your pantry ("record"). Each can has its own expiry date ("retention period"). Buying another can (adding a new event to the record) doesn't magically change the expiry date on the cans you already have.
2. Accessing information should have no bearing at all on data retention. When you request access to a record (medical or otherwise), that is not an "event" to be added to the record itself, but is instead an "access" which should be added to a log associated with the record. Access, along with the request for deletion in this case, are not "medical events" and should be recorded in a way that does not interfere with the actual medical data itself. Again we can think of food here. Let's say you have a condiment ("event") in your pantry ("record") that expires in 2 years ("retention period"). You can use ("access") that condiment as many times as you like over the next 2 years, but the expiry date never changes and once the 2 years is up, that item, and only that item, should be thrown out ("deleted"). If at any time a stranger looks in the pantry, they can see that the condiment is either there or it isn't. But... if it is there, there's no way for them to know how many times it's been used; and if it isn't there, there's no way for them to know that it ever was.
3. Data and access are two entirely different things. If you have a record where data has been deleted at some point, then anytime that someone accesses the record, there shouldn't be any reference whatsoever to the data that was deleted. The whole purpose of retention periods, is that data is deleted because it's no longer relevant. Therefore if someone checks the record, they should only see what currently exists in the record without any reference at all to anything that has been deleted. Your friend should clarify this and get it in writing, because if this is the case, then the whole name change issue is redundant. And of course, let's think of food again. If you give someone a half full bottle of tomato sauce ("record"), they can only see that it's half full ("current record"), not how many times you've squeezed it in the past or how much sauce you used on each squeeze ("deleted events").
4. You should expect any organisation to legally protect itself. While it appears that the hospital is being difficult, you need to accept that they will do whatever it takes to ensure that deleting data doesn't compromise their ability to defend themselves in any kind of legal matter. This is obviously the reason for statutory declarations etc, especially in the world that we now live in - where it feels like scams are more prominent than legit behaviour. Your friend should focus on having the data deleted, not the process required to make that happen. As long as the data is deleted and anyone accessing the record in the future doesn't see any reference to that deletion, then that's a win and names are irrelevant. (I couldn't think of a food reference for this one, so feel free to come up with your own!)
Ultimately, if you can get it in writing that any person accessing the record can't see that information has been deleted, then confidentiality shouldn't be an issue at all, even with a name change. The process of getting the data deleted therefore shouldn't matter, only the end result.
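The retention model the post describes (points 1 to 3: expiry attached to each event, accesses kept in a separate log that never extends retention, and a view that shows only what currently exists with no trace of what was purged) can be written down as a small data model. The following is an added illustration, not code from the poster or from any real medical records system; the `Event`, `Record`, and `demo` names and the sample visits are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Event:
    """One entry in a record. The retention deadline belongs to the event alone."""
    event_id: str
    recorded_on: date
    retention_years: int
    payload: str

    @property
    def expires_on(self) -> date:
        # Depends only on this event's own date and period: adding later events
        # or reading the record can never move it (point 1 and point 2).
        return self.recorded_on.replace(year=self.recorded_on.year + self.retention_years)


@dataclass
class Record:
    subject: str
    events: list = field(default_factory=list)
    # Accesses and deletion requests are logged beside the record, never inside it.
    access_log: list = field(default_factory=list)

    def add_event(self, event: Event) -> None:
        self.events.append(event)

    def purge(self, today: date) -> int:
        """Drop every event whose own deadline has passed. No tombstone is kept,
        so nothing later reveals that a purged event ever existed (point 3)."""
        before = len(self.events)
        self.events = [e for e in self.events if e.expires_on > today]
        return before - len(self.events)

    def view(self, today: date, who: str) -> list:
        """Return only what currently exists; record the access on the side log."""
        self.purge(today)
        self.access_log.append((today, who))
        return [e.payload for e in self.events]


def demo():
    """Constructed sample: two visits ten years apart, read at several dates."""
    rec = Record(subject="patient-0001")  # hypothetical subject id
    rec.add_event(Event("ev-2000", date(2000, 1, 1), 10, "visit A"))
    rec.add_event(Event("ev-2008", date(2008, 1, 1), 10, "visit B"))
    seen_2009 = rec.view(date(2009, 6, 1), "clinician")   # both still live
    seen_2011 = rec.view(date(2011, 6, 1), "clinician")   # visit A expired 2010-01-01
    seen_again = rec.view(date(2011, 6, 1), "auditor")    # repeated access changes nothing
    return rec, seen_2009, seen_2011, seen_again


if __name__ == "__main__":
    record, a, b, c = demo()
    print("2009 view:", a)
    print("2011 view:", b, "again:", c)
    print("accesses logged:", len(record.access_log))
    print("remaining events:", [e.event_id for e in record.events])
```

The design point worth checking in any real system is the last line of `demo`: after the 2010 deadline the record holds only `ev-2008`, and the three reads appear only in `access_log`, so a reader of the record itself cannot tell that `ev-2000` was ever there or how often the record was consulted.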