GDPR- Headline Requirements with GPC and NHS Digital guidance
NHS Digital have now published a GDPR guidance note . This guidance is from the national GDPR working group and Information Governance Alliance and will help organisations to make the changes needed due to the implementation of the GDPR in May 2018
The GPC IT committee lead Dr Paul Cundy who a GP in London GP, has been working on behalf of the BMA with other health related organisations and the Information Commissioner on GDPR and how this will relate to the NHS and Primary care. Paul has written a GDPR blog which contains various guidance, templates and advice on GDPR and we recommend practices read it, this is contained within dropbox so you will need an account tio view it
The GPC Have now created a Hub page on their website with resources for practices
What is the General Data Protection Regulation (GDPR)?
The GDPR is an EU Directive that is applicable from 25th May 2018 designed to strengthen the protection of personal data. Parliament will pass a new Data Protection Bill which will enshrine the GDPR into UK law thus establishing its continuity after leaving the EU. The Data Protection Act 1998 will be repealed. The GDPR strengthens the controls that organisations are required to have over the processing of personal data, including pseudonymised data. Compliance with the law is always essential but fines under the GDPR will be up to a maximum of 20 million Euro or four percent of turnover. Data Subjects will also be able to sue Data Controllers for the first time not only for material losses but also for emotional harm.
Headline Requirements
- Mandatory appointment of a Data Protection Officer (DPO) for all public authorities which includes all NHS GP practices;
- A requirement to demonstrate compliance with the new law;
- Legal requirements to notify the regulator the Information Commissioner’s Office (ICO) of security breaches within 72 hours;
- Removal of charges (in nearly all cases) for providing copies of records to patients or staff who request them under Subject Access requests (SAR);
- Requirement to keep records of data processing activities;
- Data Protection Impact Assessments required for high risk processing (including the large-scale processing of health-related personal data);
- Data protection issues must be considered in all information processes;
- Enhanced requirements to be transparent and inform individuals how their data is used;
- Where consent is used to process data (such as for research purposes or marketing to new patients) it must be explicit. Consent is not normally required for the processing of health data as Article 6(1) (e) of GDPR recognises that GPs process data on their patients because they are legally required to do so under The Medical Act, The NHS Act and contracts with the NHS.
- Specific requirements for transparency and fair processing
Practices that are performing well in the information governance toolkit will have a good baseline to work from. However, organisations will be required to take specific actions and to be able to give evidence that they have done so.
The Information Governance Alliance (see: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance) has published general guidance and some resources for primary care.
The British Medical Association has published guidance at: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr
The ICO has published a couple of check lists which may be helpful, https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/. It also has GDPR specific webpages at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
And the GPC has advised the following:
Practices should already have data protection policies and procedures; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware of these policies.
Practices should already know what personal data they hold, who can access it (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection.
Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO inspects a practice it will need to be able to provide the inspectors with a document showing all of the above.
Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR. The regulator (ICO) can take action to enforce compliance and where an issue has caused (or is likely to cause) harm or distress can impose a significant financial penalty.
Practices will no longer be able to charge a fee for patients to access their own information if requested under the GDPR as a SAR. However, the GPC’s Dr Paul Cundy says that solicitors are not permitted to seek a SAR to support an application that should be made under the Access to Medical Reports Act (AMRA), i.e., reports for employment and insurance purposes. This covers accident claims and insured negligence as well as mortgages and life insurance – anything covered by an insurance contract that requires a medical report. If a solicitor’s letter does not make the precise purpose of the request and report clear, then ask them if the report is being requested under GDPR or AMRA. If the report is to support an actual or potential insured claim then AMRA applies. You can charge and no additional information is needed.
Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA: which you can read here .
Privacy poster
The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.
The poster should signpost where more the detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.
Suggested example of text for a poster
Practice privacy notices
The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.
The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.
Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.
Practice privacy notice 1 – Provision of direct care
Practice privacy notice 2 – Medical research and national clinical audits
Practice privacy notice 3 – Legal requirements to share data
Practice privacy notice 4 – National screening programmes
Further notices, information and Templates here
Principles of Data Sharing for GPs
In light of GDPR / DP 2018 we are aware that many practices are asked to review Data Sharing Agreements, to this end the following document provides practices with an updated guide reflecting current legislation (and we thank Londonwide LMCs and Wessex LMCs for sharing this document): Principles of Data Sharing for GPs