What is GDPR?
The General Data Protection Regulation (GDPR) is the EU regulation on data protection and privacy for all individuals within the European Union. It applies from 25th May 2018.
For GPs this covers the personal data they hold on patients (and on staff), including special category data such as health records.
Compliance is essential: fines under the GDPR can reach 20 million Euro or 4% of annual worldwide turnover, whichever is higher.
Main Actions:
- GPs need to establish both a lawful basis and a special category condition to process special category data. The lawful basis must be one of those listed in Article 6 (consent, contract, legal obligation, vital interests, public task or legitimate interests); for the provision of NHS care this is usually public task, paired with the Article 9 condition for the provision of health or social care. Consent is rarely the appropriate basis for routine care, because it can be withdrawn at any time.
- Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
- Your Privacy notice needs to be simple, clear and easy to understand. It must include the following: Contact details of Practice, what personal information you hold (medical data), how you plan to use that information and contact details of your DPO. (More compulsory requirements can be found on the LMC’s GDPR presentation.)
- Employees and children each require a separate, simpler and more straightforward privacy notice.
- Appointment of a Data Protection Officer (DPO) is compulsory. A DPO needs to be trained and must not have a conflict of interest. The LMC is currently in conversation with Federations and CCGs on how we can support practices in creating this role.
- The DPO will need to conduct audits and monitor compliance- be aware CQC inspections will be looking at the practice’s compliance to GDPR.
- Data Protection Impact Assessments (DPIA) will be the duty of the DPO- see ICO guidance here.
Breaches:
- Notify the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Record every breach internally, whether or not it is reportable.
- Where the breach is likely to result in a high risk to individuals, notify those affected directly and without undue delay.
Remember!
- Patients have rights of access.
- Before providing access, remove information that identifies third parties (other than health professionals involved in the patient’s care) unless the third party has consented or it is reasonable to disclose it.
- Patients can request amendment, correction and erasure. However, there is no absolute right to be forgotten: the right to erasure does not apply where processing is necessary for a legal obligation or public task, which covers most GP record keeping.
We are pleased to be able to circulate with practices the guidance that has been developed and approved by the BMA and Paul Cundy, GPC policy lead relating to GDPR. This information pack includes:
- Example of privacy poster
- Practice privacy notices
- BMA regulation guidance
- Subject access requests
- Implementation checklist
- FAQ
The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘practice privacy notices’.
The Information Commissioner’s Office suggests that a layered approach can be used to inform patients. A suggested approach is that practices should display a poster in the waiting room and online (so the information can be seen by those who do not attend the practice).
Privacy poster
The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.
The poster should signpost where the more detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.
Practice privacy notices
The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.
The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.
Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.
- Practice privacy notice 1 – Provision of direct care
- Practice privacy notice 2 – Medical research and national clinical audits
- Practice privacy notice 3 – Legal requirements to share data
- Practice privacy notice 4 – National screening programmes
Additional Information
We have also included the following information, which you may find useful.
- Read general data protection regulation guidance
- Implementation checklist
- Subject Access requests – revised 1st May 2018
- Subject Access requests (part 2) – revised 8th May 2018
- FAQs
Dr Paul Cundy, GPC IT Policy Lead, has published a series of blogs on the General Data Protection Regulation. He says “they are a narrative in nature and attempt to cover the questions (he) sees surfacing on the various email lists and other media. Their status should be of informed opinion. Facts are referred to as facts and opinions clearly identified and (he) hopes justified”. The links below are accessible here for those people unable to access dropbox with kind permission from Dr Cundy.
Blog 0: GDPR – where to start, in the beginning etc
Blog 1: GDPR for GPs from the IT lead for GPC
Blog 2: Background and scene setting
Blog 3: Data Protection Officers
Blog 4: Privacy notices (Revised 8th May 2018)
Blog 5: Texts and emails
Blog 6: Articles 6 and 9 deciphered
Blog 7: Subject Access Requests
Blog 7a: Subject Access Requests Part 2 (8th May 2018)
Blog 7b: Subject Access Requests Part 2 (8th May 2018)
Blog 8: Things to do list, plan, timetable
Blog 9: Fines
Blog 10: Erasure and Portability – NOT!
Blog 11: I’m an LMC – what’s in it for me ? (Revised 2nd May 2018)
Blog 13: Data Privacy Impact Assessment(s)
Blog 13a: DPIAs Part 2 (20th May 2018)
Blog 14: Data breaches
Blog 15: Documentation
Blog 16: Those you employ
Blog 17: Consent
Blog 18: The Myth Buster (15th May 2018)
Blog 19: Contract with Processors (20th May 2018)
Blog 20: Things to do, Letter for CCG
Blog 21: Helpful People
The EU GDPR: The Key points for GPs by the Information Governance Alliance
Guidelines on Consent under Regulation 2016/679 (wp259) [adopted but still to be finalised]
Guidelines on transparency under Regulation 2016/679
Official Section 251 guidance Health Research Authority
DRAFT: Privacy Notice – Care Quality Commission
DRAFT: Privacy Notice – Direct Care – Emergencies
DRAFT: Privacy Notice – Direct Care – Routine care and referrals
DRAFT: Privacy Notice- Carers
DRAFT: Privacy Notice – LMCs
DRAFT: Privacy Notice – National screening programs
DRAFT: Privacy Notice – Payments
DRAFT: Privacy Notice – NHS Digital
DRAFT: Privacy Notice – Public Health
DRAFT: Privacy Notice – Research
DRAFT: Privacy Notice – Commissioning, Planning, Risk Stratification, Patient Identification
DRAFT: Privacy Notice – Safeguarding
DRAFT: Privacy Notice- Recording Telephone Calls (20th May 2018)
Template: SARs log (15th May 2018)
The BMA has also updated their guidance on GDPR which can be found here.
Data Protection Officer (DPO) Presentation
On 15th August 2018, LLR LMC hosted a “Beginners’ Guide to Being a DPO” event.
The key learning points from the event were:
- It is a legal requirement to have a DPO and register them with the ICO
- The DPO can NOT be the person who handles data requests/management in your practice
- The DPO can NOT and should NOT be asked to draw up legal contracts