
GDPR - Headline Requirements with GPC and NHS Digital guidance

Updated on 25 May 2018

NHS Digital have now published a GDPR guidance note. This guidance is from the national GDPR working group and the Information Governance Alliance, and will help organisations to make the changes needed due to the implementation of the GDPR in May 2018.

The GPC IT committee lead, Dr Paul Cundy, a GP in London, has been working on behalf of the BMA with other health-related organisations and the Information Commissioner on GDPR and how it will relate to the NHS and primary care. Paul has written a GDPR blog which contains various guidance, templates and advice on GDPR, and we recommend that practices read it. It is hosted on Dropbox, so you will need an account to view it.

The GPC have now created a hub page on their website with resources for practices.

What is the General Data Protection Regulation (GDPR)?

The GDPR is an EU Directive that is applicable from 25th May 2018 designed to strengthen the protection of personal data. Parliament will pass a new Data Protection Bill which will enshrine the GDPR into UK law thus establishing its continuity after leaving the EU. The Data Protection Act 1998 will be repealed. The GDPR strengthens the controls that organisations are required to have over the processing of personal data, including pseudonymised data. Compliance with the law is always essential but fines under the GDPR will be up to a maximum of 20 million Euro or four percent of turnover. Data Subjects will also be able to sue Data Controllers for the first time not only for material losses but also for emotional harm.

Headline Requirements

Practices that are performing well in the information governance toolkit will have a good baseline to work from. However, organisations will be required to take specific actions and to be able to give evidence that they have done so.

The Information Governance Alliance (see: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance) has published general guidance and some resources for primary care.

The British Medical Association has published guidance at: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr

The ICO has published a couple of checklists which may be helpful: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/. It also has GDPR-specific webpages at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

And the GPC has advised the following:

Practices should already have data protection policies and procedures; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware of these policies.

Practices should already know what personal data they hold, who can access it (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).

Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection.

Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO inspects a practice it will need to be able to provide the inspectors with a document showing all of the above.

Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR. The regulator (ICO) can take action to enforce compliance and where an issue has caused (or is likely to cause) harm or distress can impose a significant financial penalty.

Practices will no longer be able to charge a fee for patients to access their own information if requested under the GDPR as a SAR. However, the GPC’s Dr Paul Cundy says that solicitors are not permitted to seek a SAR to support an application that should be made under the Access to Medical Reports Act (AMRA), i.e., reports for employment and insurance purposes. This covers accident claims and insured negligence as well as mortgages and life insurance – anything covered by an insurance contract that requires a medical report. If a solicitor’s letter does not make the precise purpose of the request and report clear, then ask them if the report is being requested under GDPR or AMRA. If the report is to support an actual or potential insured claim then AMRA applies. You can charge and no additional information is needed.

Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA.

Privacy poster

The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.

The poster should signpost where the more detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.

Suggested example of text for a poster

Practice privacy notices

The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.

The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.

Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.

Practice privacy notice 1 – Provision of direct care

Practice privacy notice 2 – Medical research and national clinical audits

Practice privacy notice 3 – Legal requirements to share data

Practice privacy notice 4 – National screening programmes

Further notices, information and templates are available from the GPC.
