General Data Protection Regulations
The General Data Protection Regulations (GDPR) will come into force on 25 May 2018; the LMC and GPC are concerned about the implications of the regulations for practices.
The GPC has been speaking to NHS England about the ramifications of the regulations, and we are now aware that NHS England's guidance will not be published until the end of February at the earliest. The GPC is in the process of finalising its own comprehensive guidance, which will be ready during January.
In the meantime, an interim update is included below:
- Practices should already have data protection policies and procedures in place; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware these policies are in place.
- Practices should already know what personal data they hold, who can access them (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above, which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
- Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when and with whom they might be shared, and any rights of objection.
- Practices need to be able to demonstrate their compliance with the regulations upon request. At present they just need to be compliant; under the GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially, if the ICO turns up at a practice, the practice needs to be able to provide a document showing all of the above.
- Penalties for data breaches, including not being compliant and not being able to demonstrate compliance, are much higher under the GDPR and have lower thresholds (i.e. you can be fined more for a lesser offence).
- Practices will no longer be able to charge a fee for patients to access their own information.
- Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA.
General Data Protection Regulations Update
LMC Law delivered an interactive GDPR training session for Calderdale LMC on Wednesday 28th March 2018.
The General Data Protection Regulation (GDPR) is an EU Regulation which will be directly applicable in the UK on 25 May 2018.
Key changes under GDPR
- Compliance must be actively demonstrated; for example, it will be necessary to keep and maintain up-to-date records of the data flows from the practice and the legal basis for these flows, and to have data protection policies and procedures in place.
- More information is required in ‘privacy notices’ for patients.
- A legal requirement to report certain data breaches.
- Significantly increased financial penalties for breaches as well as non-compliance.
- Practices will not be able to charge patients for access to medical records (save in exceptional circumstances).
- Designation of Data Protection Officers.
Below is a brief outline of the topics covered in the session:
- What is GDPR?
- Current obligations
- GPs as data controllers
- Lawful basis for processing
- Establishing a special category condition
- Data Protection Officer
- Data Protection Impact Assessments
- Privacy Notice
- Subject Access Requests
- Breach/Penalties