General Data Protection Regulation (GDPR) applies throughout the EU and was enshrined in UK law by the Data Protection Act 2018 (DPA). All healthcare and other organisations must comply with the DPA 2018.

After Brexit, EU GDPR provisions were incorporated directly into UK law as the UK GDPR. The DPA 2018 sets out the data protection framework in the UK, alongside the UK GDPR.

Requirements

Personal data is defined as "any information relating to an identified or identifiable natural person". This includes location and online identifiers such as IP addresses.

Sensitive personal data, called 'special categories of personal data' in GDPR, is defined as data consisting of:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data for identification
data concerning health
data concerning a person's sex life or sexual orientation.

Accountability

Primary care practices are considered as patient data controllers. The requires data controllers to state explicitly that they are responsible for the data they hold and are able to demonstrate compliance with the principles.

The GMC advises that in some parts of the UK, you may be the sole data controller - as is generally the case in England, Wales and Northern Ireland - and in others a joint controller with your contracting authority. For example, all GPs in Scotland are joint data controllers with their contracting health boards.

The Information Commissioner's Office (ICO) suggests ways you can show compliance with GDPR principles. These include:

implement appropriate technical and organisational measures that ensure and demonstrate that you comply, such as policies for staff training and internal audits of processing
maintain relevant documentation on processing activities. Organisations with more than 250 employees have an obligation to maintain internal records of processing activities, but this is unlikely to apply to most GP practices. Organisations with fewer than 250 employees will have to document activities concerning high-risk processing, which includes health data
implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

use data protection
impact assessments where appropriate
data minimisation
pseudonymisation
transparency
allowing individuals to monitor processing

creating and improving security features on an ongoing basis.

Data protection officers

The appointment of a data protection officer (DPO) is mandatory for public authorities, which includes NHS-funded GP practices.

The ICO has guidance on data protection officers on its website. DPOs must also be appointed by organisations that carry out large scale processing of special category personal data, which includes health data. An individual physician processing patient health data does not constitute large scale processing.

If you're a single-handed private practitioner, the GDPR does not oblige you to appoint a DPO, but you must have sufficient staff and skills to meet your obligations under the GDPR. You can voluntarily appoint or contract a DPO.

Role of the DPO

To inform and advise the organisation and employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, and training staff and conducting internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (for example, patients).

DPOs can be employees or a contractor engaged under a service contract. They must have expert knowledge of data protection law. In primary and independent care, we suggest they should also be familiar with relevant GMC guidance and understand how it complements data protection law.

DPOs should have a certain level of independence from the organisation, which must give the DPO the resources necessary to carry out their tasks.

The GDPR requires organisations to make sure that the DPO:

does not receive any instructions about how to perform their tasks
operates independently and is not dismissed or penalised for performing their tasks
reports directly to the organisation's highest management level.

Further advice

For more advice on GDPR, read our guides on:

The General Data Protection Regulation and the Data Protection Act 2018

Related articles

Membership in your pocket