Menu Home Search

GDPR- Headline Requirements with GPC and NHS Digital guidance

Updated on Friday, 14 September 2018, 2794 views

NHS Digital have now published a GDPR  guidance note . This guidance is from the national GDPR working group and Information Governance Alliance and will help organisations to make the changes needed due to the implementation of the GDPR in May 2018

The GPC IT committee lead Dr Paul Cundy who a GP in London GP, has been working on behalf of the BMA with other health related organisations and the Information Commissioner on GDPR and how this will relate to the NHS and Primary care. Paul has written a GDPR blog which contains various guidance, templates and advice on GDPR and we recommend practices read it, this is contained within dropbox so you will need an account tio view it

The GPC Have now created a Hub page on their website with resources for practices 

What is the General Data Protection Regulation (GDPR)?

The GDPR is an EU Directive that is applicable from 25th May 2018 designed to strengthen the protection of personal data. Parliament will pass a new Data Protection Bill which will enshrine the GDPR into UK law thus establishing its continuity after leaving the EU. The Data Protection Act 1998 will be repealed. The GDPR strengthens the controls that organisations are required to have over the processing of personal data, including pseudonymised data. Compliance with the law is always essential but fines under the GDPR will be up to a maximum of 20 million Euro or four percent of turnover. Data Subjects will also be able to sue Data Controllers for the first time not only for material losses but also for emotional harm.

Headline Requirements

Practices that are performing well in the information governance toolkit will have a good baseline to work from. However, organisations will be required to take specific actions and to be able to give evidence that they have done so.

The Information Governance Alliance (see: has published general guidance and some resources for primary care.

The British Medical Association has published guidance at:

The ICO has published a couple of check lists which may be helpful, It also has GDPR specific webpages at:

And the GPC has advised the following:

Practices should already have data protection policies and procedures; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware of these policies.

Practices should already know what personal data they hold, who can access it (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).

Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection.

Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO inspects a practice it will need to be able to provide the inspectors with a document showing all of the above.

Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR. The regulator (ICO) can take action to enforce compliance and where an issue has caused (or is likely to cause) harm or distress can impose a significant financial penalty.

Practices will no longer be able to charge a fee for patients to access their own information if requested under the GDPR as a SAR. However, the GPC’s Dr Paul Cundy says that solicitors are not permitted to seek a SAR to support an application that should be made under the Access to Medical Reports Act (AMRA), i.e., reports for employment and insurance purposes. This covers accident claims and insured negligence as well as mortgages and life insurance – anything covered by an insurance contract that requires a medical report. If a solicitor’s letter does not make the precise purpose of the request and report clear, then ask them if the report is being requested under GDPR or AMRA. If the report is to support an actual or potential insured claim then AMRA applies. You can charge and no additional information is needed.

Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA: which you can read here .

Privacy poster

The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.

The poster should signpost where more the detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.

Suggested example of text for a poster

Practice privacy notices

The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.

The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.

Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.

Practice privacy notice 1 – Provision of direct care

Practice privacy notice 2 – Medical research and national clinical audits

Practice privacy notice 3 – Legal requirements to share data

Practice privacy notice 4 – National screening programmes

Further notices, information and Templates here

Principles of Data Sharing for GPs

In light of GDPR / DP 2018 we are aware that many practices are asked to review Data Sharing Agreements, to this end the following document provides practices with an updated guide reflecting current legislation (and we thank Londonwide LMCs and Wessex LMCs for sharing this document):  Principles of Data Sharing for GPs

Related guidance...

The General Data Protection Regulation (GDPR)

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the...

Somerset LMC weekly Update Friday 4th May 2018

All Somerset GPs and Practice Managers This and previous updates can be found here General Data Protection Regulations (GDPR): Data...

Somerset LMC Weekly Update Friday 9 March 2018

Sent all Somerset GPs and Practice Managers This and previous updates can be found here Workload control in general practice GP...

Somerset LMC Weekly Update Friday 2nd March 2018

All Somerset GPs and Practice Managers Communication, Communication, Communication the latest Blog from LMC Chairman Dr Nick Bray “Last...

Somerset LMC Weekly Update Friday 6th April 2018

All Somerset GPs and Practice Managers This and previous updates can be found here Somerset Local Medical...

Somerset LMC Weekly Update Friday 7th June 2019

Sent to all Somerset GPs and Practice Managers This and previous updates are available here Panoramic View the latest blog...

Somerset LMC Weekly Update Friday 1st June 2018

All Somerset GPs and Practice Managers This and previous updates can be found here Transformation of General Practice in Somerset...

Workforce Minimum Data Set

Workforce Minimum Data Set - GPC Focus on May 2017 Introduction The GPC has been active in dialogue with the Department of Health...

BIObank RCGP and Excess Stock of Fluad

All Somerset Practice Managers Dear Colleagues We have been made aware that the attached letter is now circulating in...

Somerset LMC Weekly Update Friday 29th June 2018

All Somerset GPs and Practice Managers This and previous updates can be found here GDPR Subject Access Requests (SARs) by...