The UK LMCs conference, which is taking place in Liverpool today, also unanimously called for the GPC to urgently explore the possibility of commissioning health organisations having one data protection officer for all practices in their area and backed part of the motion that said it was no longer sustainable for the GP to be the sole data controller.
Dr Christiane Harris from Bedfordshire LMCs raised concerns about the levels of fines that could be levied and said that it could be ‘the final straw for over-burdened, under-staffed practices struggling to cope as it is.’
She said the legislation allowed for local amendments and that it was ‘clear that these local amendments should apply for medical practices’.
GPC IT lead Dr Paul Cundy said that the BMA was actively engaged with the Information Commissioner’s Office and NHS England to ‘do what we can to mitigate the impact of GDPR’. He said that the BMA evidence submitted to the Doctors and Dentists’ Review Body, which makes recommendations on pay, had said that GP practices should be reimbursed for any costs associated with implementing the GDPR.
Dr Ursula Brennan from Eastern LMC in Northern Ireland said: ‘It is no longer sustainable for the GP to be the sole data controller. Without satisfactory guidance practices will be vulnerable and at risk of the wide ranging implications of the GDPR and the risk of data breaches.’
However, GPC member Dr Grant Ingrams said: ‘If not us who should be looking after our data? Do you really want to share your data with the secretary of state? Do you really want non-GPs deciding who your patients’ data is shared with? Do you want your friendly local managers to dictate to you how your data is recorded?
‘Setting aside that the law does not and will not allow you to do this, it will not improve the lot of practices, it will just replace one headache with a whole suite of new ones.’
The GDPR and the Data Protection Act 2018, which has yet to be finalised, come into effect on 25 May 2018 and replace the current Data Protection Act.
The new legislation will strengthen data protection laws and significantly increase the financial penalties for data breaches. Organisations will also have to be able to actively demonstrate that they are complying with the rules and have a designated data protection officer. Under the GDPR fines can also be issued for non-compliance, even when there has not been a data breach.