Data protection laws are set to change in a few weeks as we prepare for the introduction of the new General Data Protection Regulation (GDPR). But what do the new rules mean, and why do they matter for GPs?
The GDPR replaces the current Data Protection Act, and will set a stronger framework for how we collect, store and share data across the health and care system in future.
With the current scandal engulfing Facebook and Cambridge Analytica, as well as high profile security breaches affecting a number of sectors over recent years, the new rules come in at a time when public awareness of data issues has never been greater.
It is my strong belief that GDPR will give us the framework we need to build patient confidence in how their information will be accessed and used, and ensure that we can continue to yield the benefits of having a more connected and integrated approach to data management.
At the core of GDPR is the need to appoint a data protection officer or data protection lead within every organisation – a named person responsible for overseeing the handling of sensitive personal data either within a practice or across multiple practices.
All organisations will also be required to demonstrate that they are complying with the new regulations and must report any security breaches within 72 hours in a bid to boost transparency and accountability. We need to have the same fast and forensic approach to addressing any compromised data as we do to failures in patient care – both are fundamentally breaches of patient trust and safety.
The new laws also put more power into the hands of the patient. They will mean that for the first time patient data can be requested and obtained within a month – rather than the current 40 days. They will, in other words, have greater agency and control over how their data is managed than ever before.
There are, clearly, important logistical challenges for GP practices in preparing for the new regulations, which is why we have been working with NHS Digital and the Information Commissioner’s Office to prepare a range of tailored advice to support practices prepare and get to grips with the new rules as quickly as possible.
But let’s not lose sight of why this matters. In the 70 years since the NHS was created, clinicians and scientists have consistently approached data with the guiding principle that it can make a huge difference to patient care. And there is consensus now that this matters now more than ever, not least as we seek to deliver fast, effective transfer of records helping to join up care for patient with complex and multiple conditions.
Yet we can only travel as fast and as far as the public’s confidence allows us, and in a volatile climate, where people are asking serious questions about the ethics of Big Data, the introduction of this new regulation – alongside the work already being done in the wake of Fiona Caldicott’s Review – gives us definitive answers within healthcare.
By implementing the regulation, we can win permission to ensure more patients can benefit from an improved experience and better outcomes as a result of fully integrated and shared personal medical records.