Information Governance - UK GDPR Headlines
To read the BMA’s latest guidance on Subject Access Requests (including fees), Data Protection Officers, FAQs and more go to: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr and click on ‘further information’.
BMA UK GDPR Privacy Notices
Template UK GDPR practice privacy notices (PPNs) are available in the GDPR section of the BMA resources. The hub page also contains information on the regulation and hosts a suite of resources and blogs to help guide members. More information can be downloaded from: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr/gdpr-and-practice-privacy-notices-ppns
What is the UK GDPR (UK General Data Protection Regulation)?
The UK GDPR came into effect on 31 December 2020. It strengthens the protection of personal data. The UK has established the Data Protection Act 2018, which enshrines the provisions of the UK GDPR in UK law.
Compliance is essential, as fines under the UK GDPR are up to a maximum of 20 million Euro or 4% of turnover.
The UK GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data. The headline changes are:
- Mandatory appointment of a Data Protection Officer (DPO) for all public authorities
- A requirement to demonstrate compliance with the new law
- Legal requirements to notify the regulator of security breaches
- Removal of charges (in nearly all cases) for providing copies of records to patients or staff who request them
- Requirement to keep records of data processing activities
- Data Protection Impact Assessments required for high-risk processing (including the large-scale processing of health-related personal data)
- Data protection issues must be addressed in all information processes
- Enhanced requirements to be transparent and inform individuals how their data is used
- Where consent is used to process data it must be explicit (NB consent should only be used where the individual has a real choice about the use of their data; there are many other conditions that should be used to justify the use of data in health and care settings)
- Specific requirements for transparency and fair processing
- Tighter rules where consent is the basis for processing
The British Medical Association has published guidance at: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr
The Information Commissioner's Office (ICO), which regulates data protection law, has published self-assessment checklists that may be helpful: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
The ICO also has UK GDPR-specific web pages at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr