GDPR Headlines - Top Tips
To read the BMA’s latest guidance on Subject Access Requests (including fees), Data Protection Officers, FAQs and more go to: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr and click on ‘further information’.
BMA GDPR Privacy Notices
Template GDPR practice privacy notices (PPNs) have now been published in the GDPR section of the BMA resources. The hub page also contains information on the regulation and hosts a suite of resources and blogs to help guide members, including a new GDPR webinar to help practices prepare. Click here to download more information: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr/gdpr-and-practice-privacy-notices-ppns
GDPR Templates - May/June 2018
Please see below a number of policies relevant to the GDPR. You may wish to adapt or amend the documents for your own surgery, but you do need to make sure that they reflect the arrangements within your own organisation, as these will inevitably vary from practice to practice. Our thanks to the Testvale Surgery and The Centre Practice for sharing their policies with us.
GDPR Web Updates - May 2018
We’ve reviewed and updated the following guidance on our website so that it reflects the new GDPR requirements. Not all of the guidance has changed significantly, but it may be useful for future reference.
Staff and Confidentiality: https://www.wessexlmcs.com/staffandconfidentiality
Employment Contract Clauses: https://www.wessexlmcs.com/employmentcontractclauses
Release of Data without Consent: https://www.wessexlmcs.com/releaseofdatawithoutconsent
Personal Data Rights: https://www.wessexlmcs.com/personaldatarightsaccesscorrectionobjectionmore
Confidentiality after Death: https://www.wessexlmcs.com/confidentialityafterdeath
Freedom of Information Act: https://www.wessexlmcs.com/freedomofinformationact2000
SMS Text messaging: https://www.wessexlmcs.com/textsmsmessaging
The Data Security and Protection Toolkit: https://www.wessexlmcs.com/informationgovernancerequirementsforgeneralpractic
What is the GDPR (General Data Protection Regulation)?
The GDPR is a regulation that is applicable from 25th May 2018. It strengthens the protection of personal data. The UK is enacting a Data Protection Bill, which enshrines the provisions of the GDPR into UK law and establishes continuity of the GDPR in the UK post-Brexit. The existing Data Protection Act will be repealed at that time.
Compliance is essential, as fines under the GDPR can reach a maximum of 20 million euros or 4% of turnover.
The GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data. Its main changes include:
- Mandatory appointment of a Data Protection Officer (DPO) for all public authorities
- A requirement to demonstrate compliance with the new law
- Legal requirements to notify the regulator of security breaches
- Removal of charges (in nearly all cases) for providing copies of records to patients or staff who request them
- Requirement to keep records of data processing activities
- Data Protection Impact Assessments required for high risk processing (including the large-scale processing of health-related personal data)
- Data protection issues must be addressed in all information processes
- Enhanced requirements to be transparent and inform individuals how their data is used
- Where consent is used to process data it must be explicit (NB: consent should only be used where the individual has a real choice about the use of their data; there are many other conditions that should be used to justify the use of data in health and care settings).
- Specific requirements for transparency and fair processing
- Tighter rules where consent is the basis for processing
Practices that are performing well in their information governance toolkit will have a good baseline to work from. However, organisations will be required to take specific actions and to be able to provide evidence that they have done so.
The Information Governance Alliance (see: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance) has published general guidance and some resources for primary care.
The British Medical Association has published guidance at: https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr
The Information Commissioner’s Office (ICO), which regulates data protection law, has published a couple of checklists which may be helpful: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
The ICO also has GDPR-specific webpages at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
And the GPC has advised the following:
- Practices should already have data protection policies and procedures in place; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware these policies are in place.
- Practices should already know what personal data they hold, who can access it (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing it; under the GDPR it will be a requirement to have an audit/record stating the above, which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
- Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when it might be shared and with whom, and any rights of objection.
- Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO turns up at a practice, they need to be able to provide them with a document showing all of the above.
- Penalties for data breaches, including not being compliant and not being able to demonstrate compliance, are much higher under the GDPR. The regulator (ICO) can take action to enforce compliance and, where an issue has caused (or is likely to cause) harm or distress, can impose a significant financial penalty.
- Practices will no longer be able to charge a fee for patients to access their own information.
- Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA, which you can read here.
The LMC will be sending out further information and advice to practices as it becomes available and we hope the above is helpful in the meantime.
To access our FREE monthly webinars, please log in to our website and access the members’ section next to the ‘my account’ button: https://www.wessexlmcs.com/membershipsectionhomepage. Please note that these live webinars are only available to our member practices.