The General Data Protection Regulation (GDPR) applies throughout the EU and was enshrined in UK law by the Data Protection Act 2018 (DPA 2018). All healthcare and other organisations have to comply with the DPA 2018.
The arrangements remain in place following the UK's departure from the EU, but the ICO has information on its website on the impact of Brexit and the end of the transition period on data protection law in the UK.
The definitions of personal data and sensitive personal data have been expanded under GDPR. Personal data is defined as 'any information relating to an identified or identifiable natural person'. This now includes location data and online identifiers such as IP addresses.
Sensitive personal data, called 'special categories of personal data' in GDPR, is defined as data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for identification, data concerning health or data concerning a natural person's sex life or sexual orientation.
Primary care practices are considered as controllers of patient data. The GDPR introduces a new requirement for data controllers to state explicitly that they are responsible for the data and able to demonstrate compliance with the principles.
The GMC advises that in some parts of the UK, you may be sole data controller - as is generally the case in England, Wales and Northern Ireland - and in others a joint controller with your contracting authority. For example, in Scotland all GPs are joint data controllers with their contracting health boards.
The Information Commissioner's Office (ICO) suggests ways you can show compliance with GDPR principles. These include:
- implement appropriate technical and organisational measures that ensure and demonstrate that you comply, such as policies for staff training and internal audits of processing
- maintain relevant documentation on processing activities. Organisations with more than 250 employees have an obligation to maintain internal records of processing activities, but this is unlikely to apply to most GP practices. Organisations with fewer than 250 employees will have to document activities concerning high-risk processing, which includes health data.
- implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - using data protection impact assessments where appropriate
  - data minimisation
  - allowing individuals to monitor processing
  - creating and improving security features on an ongoing basis.
Data protection officers
The appointment of a data protection officer (DPO) is mandatory for public authorities which include NHS primary medical and dental care practices.
The ICO has guidance on data protection officers on its website. DPOs must also be appointed by organisations that carry out large scale processing of special category personal data, which includes health data. Processing of patient health data by an individual physician does not constitute large scale processing.
If you are a single-handed private practitioner, the GDPR does not oblige you to appoint a DPO, but you must have sufficient staff and skills to meet your obligations under the GDPR. You can voluntarily appoint or contract a DPO.
Role of the DPO
- To inform and advise the organisation and employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (for example, patients).
DPOs can be employees or a contractor engaged under a service contract. They must have expert knowledge of data protection law. In primary and independent care, we suggest they should also be familiar with relevant GMC guidance and understand how it complements data protection law.
DPOs should have a certain level of independence from the organisation, which must give the DPO the resources necessary to carry out their tasks.
The GDPR requires organisations to make sure that the DPO:
- does not receive any instructions about how to perform their tasks
- operates independently and is not dismissed or penalised for performing their tasks
- reports directly to the organisation's highest management level.
This page was correct at publication on 03/11/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.