On 25 May 2018, the General Data Protection Regulation will be introduced into UK law. There will also be a new Data Protection Act and both will replace the Data Protection Act 1998. They will tighten up existing protections for data subjects, including patients, and place additional obligations on practices to demonstrate compliance with the law. Here the MDU's Carol Chu advises on how to prepare for the changes.
Because the Data Protection Bill is still before parliament, we will need to provide further guidance when it becomes law, but at this stage you should:
- review the Information Commissioner's Office's '12 steps to take now'
- review policies regarding data protection
- make all staff aware of the new regulations and individuals' rights
- update notices explaining how the practice processes and stores data and complies with other fair processing requirements (for example, practice leaflets or websites)
- make sure systems are in place to detect, investigate and report data breaches.
The advice in this article concentrates only on the role of practices as data controllers for patients' data. Practices will need to take advice separately on other data for which they are responsible, such as employee data.
NHS Digital's website also contains helpful information about implementation of the GDPR for all NHS bodies. It has been compiled by an NHS England working group and is updated regularly.
This guidance was correct at the time of publication (14/02/2018). It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.