As a doctor in independent medical practice, you will control the personal data of patients and, as was the case under the Data Protection Act 1998, you will be a 'data controller'. You may ask others to process data on your behalf (a practice manager or secretary) and they will be 'data processors'.
The GDPR applies to data controllers and processors, but the principal responsibility for compliance sits with you as the data controller.
Here are some things independent practitioners should consider.
1. Identify whether you need a data protection officer
The GDPR obliges data controllers to appoint a data protection officer (DPO) if they are a public authority or a 'large scale' processor of special category personal data. It is not clear what large scale processing entails, but it is unlikely this would apply to an individual independent practitioner.
However, while a single independent practitioner is unlikely to need to appoint a DPO, larger multi-location or corporate private medical providers may need to.
If practices are not required to appoint a data protection officer, they may nevertheless wish to have a data protection lead. The title 'data protection officer' has a specific legal meaning and legal duties that relate to it; if your practice is not required to appoint a DPO but has a data protection lead, make sure the title DPO is not used to describe that role.
2. Identify your lawful basis for processing personal data
The GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. You must determine a valid lawful basis for processing personal data, and inform the subject of the basis or bases you are relying on (if there is more than one).
Consent may seem an attractive lawful basis for processing, but keep in mind that you may need to continue to process information for other reasons if the patient withdraws consent. While consent is clearly an important part of making sure data is used appropriately, it is unlikely to be the only lawful basis in independent healthcare settings.
More appropriate might be Article 6(1)(b), 'processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract'.
In addition, health data is regarded as 'special category data' which, being sensitive, requires more protection. This means that as well as having a lawful basis for processing information, you must identify a special condition for processing under Article 9.
3. Privacy notices
You must provide individuals with information including:
- your purposes for processing their personal data
- your retention periods for that personal data
- who it will be shared with.
This privacy information must be provided to individuals at the time you collect their data. The ICO has a useful template explaining the information privacy notices need to contain.
4. Procedures for subject access requests
Individuals may request access to their own records. You should redact any third-party information or anything that you believe may cause serious harm to the patient.
GDPR and the Data Protection Act 2018 will only cover living individuals. Deceased patients' records are still subject to the Access to Health Records Act 1990. Practices also need to be aware of the GMC's confidentiality guidance.
Under the new data protection regime, there are some differences to the subject access request process.
a) The subject access request does not have to be in writing.
b) The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients set out in Good medical practice and the GMC's specific advice in its confidentiality guidance. It may be helpful to discuss such cases with the DPO and/or seek advice from the MDU.
c) You need to provide the information within one calendar month.
d) Children should be assessed for capacity to consent to access to their records. Competent children may refuse access to their records unless the doctor believes it is not in their best interests.
e) You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided regarding the right to complain to the ICO or judicial remedy.
Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.
5. Review checklists
The ICO has a self-assessment checklist which can be useful in making sure you have appropriate arrangements in place.
6. Review new data protection fees
The Data Protection (Charges and Information) Regulations came into force on 25 May 2018. These regulations introduce new fees payable by data controllers. The regulations set the charge period in which the fee is due for payment and fix the fee to be paid. The amount you need to pay will depend on how many people you have in your organisation.
You can find out more about how to register as a data controller and paying the relevant fees from the ICO's website.
If you're unsure whether you need to register, there is also a self-assessment tool.
This page was correct at publication on 03/11/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.