GDPR: five things GPs need to have in place

Practices must be mindful of a number of fundamental requirements in order to comply with the legislation.

1. GP practices must have a data protection officer (DPO)

All GP practices providing services commissioned through NHS England are considered as public authorities and are required to appoint or have in place arrangements to share a DPO.

The DPO must have proven expert knowledge of data protection law and practice. They will need to keep up to date with any changes and clarifications (for example from the ICO) and understand how these changes affect the practice.

2. Provide privacy notices

You must provide patients with information including:

  • Explaining the lawful purpose for which you are processing their personal data. For healthcare organisations this may be Article 6(1)(e) that it is '…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…' and Article 9 for special category data, which includes personal data about health.
  • The retention periods for the data.
  • Who it will be shared with.

The ICO has a useful checklist explaining the information privacy notices need to contain.

If you are relying on other legal bases, you will need to specify these in the privacy notice.

3. Have in place procedures for subject access requests

Individuals may request access to their own records. You should redact any third party information unless the third party has consented or anything that you believe may cause serious harm to the patient.

GDPR and the DPA only cover living individuals. Deceased patients' records are still subject to the Access to Health Records Act 1990. Practices also need to be aware of the GMC's guidance on confidentiality.

Many of the provisions relating to subject access are long-standing. However, there are some changes to subject access request processes compared with the Data Protection Act 1998. These include:

a) The subject access request does not have to be in writing.

b) The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients as set out in Good medical practice and the GMC's specific guidance on confidentiality. It may be helpful to discuss such cases with the DPO and/or to seek advice from the MDU.

c) You need to provide the information within one calendar month.

d) In Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records. In England, Wales and Northern Ireland, competence is assessed on a case-by-case basis. A child may have capacity to consent and, if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes it is not in their best interests.

e) You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided about the right to complain to the ICO or judicial remedy.

Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.

4. Review checklists

Most practices will have modified their processes to become compliant with the Data Protection Act 2018. If you want to review or audit your arrangements, the ICO has a checklist.

5. Pay a data protection fee

The Data Protection (Charges and Information) Regulations came into force on 25 May 2019. These regulations introduced new fees for data controllers. They set the charge period in which the fee is due for payment and fix the fee to be paid.

The amount you need to pay will depend on how many people you have in your organisation. You can find out more on the ICO's website.

This page was correct at publication on 03/11/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.