Back in November 2017 Dr Rachel Birch, medicolegal adviser at Medical Protection, wrote Data protection: getting ready for change – an overview of the EU General Data Protection Regulation (GDPR) which comes into force on May 25, 2018 – to help practices prepare for the changes. Further detail has now emerged on two important areas that will be subject to change under the GDPR – subject access requests and transparency and fair processing.
Here Dr Birch explores transparency and fair processing – you can view her advice on subject access requests here.
Under the existing Data Protection Act 1998 practices have an obligation to inform their patients what they are doing with their data. However, the GDPR will bring in more detailed and specific rules on providing privacy information to data subjects.
The Information Commissioner's Office (ICO) has published specific guidance about such privacy notices in the following two articles:
- Privacy notices under the EU General Data Protection Regulation
- Privacy notices, transparency and control
When should information be provided?
Privacy notices should be used to inform patients at the time of collecting their data. For example, information should be made available to patients when they register with your practice. However, you should consider other situations when it would be appropriate to provide privacy information.
How should data be provided?
The GDPR places emphasis on the importance of privacy notices being easily accessible to patients. Information within such notices should be concise, truthful and written in clear, straightforward language.
It may be better to provide separate notices for each category of patient. For example, if your clinicians consult with teenagers with capacity to make their own health decisions, you must ensure that privacy notices are appropriate to their level of understanding. The same principles would apply to vulnerable adults.
Privacy notices should also be translated into other languages, as necessary.
What data should be provided?
You must first identify what personal information you hold and how it is used. Once you have done so, you must provide the following within privacy notices:
- the data controller’s identity;
- the data protection officer’s contact details;
- the purpose of the processing;
- the legal basis for processing;
- the categories of personal data concerned;
- the potential recipients of personal data;
- how long the data will be retained;
- a list of the data subject’s rights;
- any safeguards that will be used if data is to be transferred to a country outside the EU.
In addition, patients must be informed that they can complain to the ICO if they believe there is a problem with how their data is being handled.
Where should you display the privacy notice?
You can use various methods to display this information, including posters in the waiting room, leaflets at reception, information sheets attached to registration forms and letters to patients. You could publicise the privacy notice on your practice website, with links to the relevant information. It is important to keep notices under regular review.
The ICO has published a self-assessment tool, incorporating helpful checklists to assess your compliance with data protection law and identify what steps you need to take at this stage to be GDPR-compliant on May 25, 2018.
Medical Protection will host a webinar on GP medical records and GDPR on Wednesday March 21, 7.30-8.30pm. Members can register here.
Read part I: Data protection: getting ready for change
Read part II: Subject access requests