General Data Protection Regulation (GDPR) comes into force May 2018. Dr Rachel Birch, medicolegal adviser at Medical Protection, sets out what practices need to know and what they can do now to prepare and reduce the risk of breaches or complaints when the new law comes into effect
On 25 May 2018 the EU General Data Protection Regulation (GDPR) will come into effect and will apply directly in every EU member state. It will supersede existing data protection laws, including the UK Data Protection Act 1998. It has been written to reflect an increasingly digital world and gives people greater control over their personal data.
The Information Commissioner’s Office’s (ICO) guidance Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now is a useful reference point for practice staff but, with several months still to go, the guidance is not yet complete and is subject to further changes and updates.
Here are some of the key changes to note from the ICO’s published list of changes.
Transparency and fair processing
Practices must inform individuals what they are doing with their data; privacy notices should be used to inform patients at the time of collecting their data. These could be available on the practice website and as posters in the practice.
The following information must be provided within such notices:
- The data controller’s identity.
- The data protection officer’s contact details.
- The purpose of the processing.
- The legal basis for processing.
- The categories of personal data concerned.
- The potential recipients of personal data.
- How long the data will be retained.
- A list of the data subject’s rights.
- Any safeguards that will be used if data is to be transferred to a country outside the EU.
In addition, patients must be informed that they can complain to the ICO if they believe there is a problem with how their data is being handled.
Subject access requests
The timescale for responding to a patient’s subject access request will be reduced from 40 days to one month. Practices will no longer be able to charge for such requests unless they are manifestly unfounded or excessive. If a practice refuses a subject access request it must tell the patient why it has done so and inform them that they have the right to complain to the ICO.
Data breaches and fines
In the event of a personal data breach that is likely to result in a risk to patients’ rights and freedoms – for example, a breach of confidentiality – data controllers will be required to notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals concerned, they must also be told without undue delay; this sits alongside the existing duty of candour to inform patients of such breaches.
The ICO will have the power to impose significantly higher fines for breaches of the regulation: up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements.
Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs), formerly known as Privacy Impact Assessments, are a way of assessing the risks to patients’ personal data and the protection in place to safeguard it. Whilst good practice in any case, DPIAs will be legally required where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. They are likely to be required when practices introduce new technology, for example a new computer system or a new way of sharing data.
Data protection officer
Certain organisations will be required to have a Data Protection Officer (DPO), including those deemed to be public authorities. The UK Data Protection Bill 2017 has defined a public authority as those organisations subject to the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002. Therefore, practices will require a DPO.
The DPO’s role is an advisory and monitoring one; the DPO cannot be someone who decides the purposes and means of processing. It is unlikely that a practice manager could take on this role, as there would be a conflict between advising on how to process data in compliance with the GDPR and deciding how that processing is carried out.
Individual rights
Individuals will be given stronger rights under the GDPR, including the right to rectification, the right to erasure, the right to object to processing, the right to restrict processing and the right to data portability. This final right makes it easier for patients to move their information from one data controller to another: they will have the right to receive certain personal data in a structured, commonly used and machine-readable format.
These rights are complex and not absolute. Practices should ensure that they understand when each right applies and have a process in place to deal with requests, should patients wish to exercise them.
Medical Protection, or your medical defence organisation, can provide further guidance.
Data protection: getting ready for change