The General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018. The GDPR and the forthcoming Data Protection Act (DPA) 2018, which has yet to be finalised, will replace the current Data Protection Act.
What is the GDPR?
The GDPR was designed to harmonise data privacy laws across Europe. The aim is to protect citizens from privacy and data breaches.
The current DPA dates from the 1990s when organisations held much less data on individuals. As the amount of data held has increased and technology has advanced, so has the risk of cyber crime and data breaches. The GDPR aims to address gaps in current legislation by providing a framework with greater scope and tougher punishments for those who fail to comply.
The key principles of the current DPA remain unchanged, but some areas of legislation have been strengthened.
Like the DPA, the GDPR applies to ‘controllers’ and ‘processors’ of data – a controller says how and why personal data is processed and the processor acts on the controller’s behalf. Practices are data controllers.
The GDPR applies to all personal data held by an organisation in both automated and manual filing systems. Any personal data a practice holds about staff or job applicants will also be covered by the legislation.
The definition of personal data is more detailed than the DPA. For example, an online identifier, such as an IP address, will be classed as personal data. Personal data that has been pseudonymised can also fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to an individual.
What are the key changes?
The main changes under the GDPR are:
- Organisations will be obliged to demonstrate that they comply with the new law. Practices must have data protection policies and procedures in place and keep a record of all data processing activities and the legal basis for this processing in order to do this.
- There are significantly increased penalties for any breach of the regulation, not just data breaches. The Information Commissioner’s Office (ICO) will be able to levy fines of up to £17m.
- There is a legal requirement to notify the ICO of any security breaches that are 'likely to result in a risk to people’s rights and freedoms'. Any breach of health data would probably fall into this category and therefore require reporting. This should be no later than 72 hours after the practice first becomes aware of the breach.
- The GDPR will remove charges, in most cases, for providing copies of records to patients or staff who request them (see subject access requests, below). Practices will have to provide information within one calendar month instead of 40 days.
- Practices are required to have a data protection officer.
- A data protection impact assessment will be required for all 'high-risk processing', which would cover health data.
- There are specific requirements for transparency and fair processing, which need to be included in privacy notices for patients.
What should practices be doing?
NHS Digital’s Information Governance Alliance (IGA) is producing guidance for NHS organisations on how they can comply with the new regulations. It has recently produced a 'key points' document for GP practices. The BMA has also produced some useful guidance on the practice's role as a data controller (see below for links to these).
Ensure you have a data protection officer
Larger practices may decide to appoint their own data protection officer, but this role can be shared across multiple organisations. In some areas the data protection officer role may be undertaken at CCG-, PCO- or federation-level.
You should also make sure you know where to get information governance support. In England this should be provided locally by NHS England as part of the 2016-18 GP IT operating model.
Understand what information you hold and how it is shared
The ICO's data protection self assessment tool for data controllers, which you can find here, can help you understand what information you hold and how it is shared.
The BMA guidance says that practices will need to maintain records or an information register of the data flows in which the practice participates in order to demonstrate compliance with the GDPR.
Practices must also undertake a data protection impact assessment whenever they engage in a new data sharing agreement or when new technologies are used. This would include a description of the data processing, an assessment of any risks and how that risk will be mitigated.
Review the practice's privacy notices
Under the GDPR organisations need to be open and transparent about how data is handled and used. The BMA says that practices should have at least one privacy notice prominently displayed on the practice notice board and website addressing how patient data is used to provide direct patient care.
This basic information can then signpost people to where they can find more detailed information. Other privacy notices must explain when medical records are used for purposes other than direct care, for example for legal obligations or for medical research or health management purposes.
The BMA advises practices that privacy notices should include the following:
- Contact details of the practice
- Contact details of the data protection officer
- The purposes for processing the data and the legal basis for processing the data (see below)
- Information about with whom the data are shared
- Any rights of objection that are available
- That patients have the right to access their record and to have inaccurate data corrected
- Retention periods
- The right to lodge a complaint with the ICO.
The NHS in all four nations publishes codes of practice for records management, which include standard retention periods, and you may want to direct patients to these when explaining how long data is retained for.
Under the GDPR practices need to understand the lawful basis for processing any data. The GDPR provides a lawful basis for processing health data for the provision of direct care that does not require explicit consent. GPs can also continue to rely on implied consent to share confidential data for the provision of direct care.
For purposes other than direct care the practice has to have explicit consent for processing any data. Consent must be 'freely given, specific, informed and an unambiguous indication of the data subject's agreement'.
Practices do not need explicit consent where they have a legal obligation to disclose information, for example in relation to public health or health service management.
Update data protection policies and procedures
All of the practice's data protection policies should be updated to reflect the requirements of the GDPR. As part of this you should ensure the practice has a policy and system in place for investigating and reporting a data breach to the ICO within 72 hours of discovery.
You should also have policies to cover subject access requests (see below), how you handle requests for data from third parties, staff training, system failures and remote access to data.
Subject access requests
Under the GDPR, practices will not be able to charge patients for access to their records. The BMA is currently updating its guidance on subject access requests, but in its GDPR guidance it says cases where practices can charge for access to records are likely to be 'rare'.
Practices will have to comply with a subject access request within one calendar month of receipt under the new rules. You can extend this period by a further two months if the request is complex or there are numerous requests, but you must inform the individual of this within one month of receipt of the request and explain why the extension is necessary. Requests can be made verbally or in writing, rather than in writing only as is currently the case.
Practices should have procedures in place for dealing with requests for information from third parties, including solicitors, and ensure they have clearly obtained consent from patients to share this information.
- BMA guidance on GPs' role as data controllers.
- NHS Digital Information Governance Alliance (IGA) GDPR guidance
- IGA: GDPR Key Points for GPs
- The Information Commissioner's Office has produced an FAQ for small health sector bodies here.
- The Information Commissioner’s Office has extensive information about the GDPR, which you can find here.
- The ICO is also due to publish final guidance on consent under the GDPR shortly, however the guidance it consulted on can be found here.