General Data Protection Regulation (GDPR) applies throughout the EU and was enshrined in UK law by the Data Protection Act 2018 (DPA). All healthcare and other organisations must comply with the DPA 2018.
After Brexit, EU GDPR provisions were incorporated directly into UK law as the UK GDPR. The DPA 2018 sets out the data protection framework in the UK, alongside the UK GDPR.
The definition of personal data and sensitive personal data have been expanded under UK GDPR. Personal data is defined as "any information relating to an identified or identifiable natural person". This now includes location and online identifiers such as IP addresses.
Sensitive personal data, called 'special categories of personal data' in GDPR, is defined as data consisting of:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for identification
- data concerning health
- data concerning a person's sex life or sexual orientation.
Primary care practices are considered as patient data controllers. The GDPR introduces a new requirement for data controllers to state explicitly that they are responsible for the data they hold and are able to demonstrate compliance with the principles.
The GMC advises that in some parts of the UK, you may be the sole data controller - as is generally the case in England, Wales and Northern Ireland - and in others a joint controller with your contracting authority. For example, all GPs in Scotland are joint data controllers with their contracting health boards.
The Information Commissioner's Office (ICO) suggests ways you can show compliance with GDPR principles. These include:
- implement appropriate technical and organisational measures that ensure and demonstrate that you comply, such as policies for staff training and internal audits of processing
- maintain relevant documentation on processing activities. Organisations with more than 250 employees have an obligation to maintain internal records of processing activities, but this is unlikely to apply to most GP practices. Organisations with fewer than 250 employees will have to document activities concerning high-risk processing, which includes health data
- implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
- use data protection
- impact assessments where appropriate
- data minimisation
- allowing individuals to monitor processing
- creating and improving security features on an ongoing basis.
Data protection officers
The appointment of a data protection officer (DPO) is mandatory for public authorities, which includes NHS-funded GP practices.
The ICO has guidance on data protection officers on its website. DPOs must also be appointed by organisations that carry out large scale processing of special category personal data, which includes health data. An individual physician processing patient health data does not constitute large scale processing.
If you're a single-handed private practitioner, the GDPR does not oblige you to appoint a DPO, but you must have sufficient staff and skills to meet your obligations under the GDPR. You can voluntarily appoint or contract a DPO.
Role of the DPO
- To inform and advise the organisation and employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, and training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (for example, patients).
DPOs can be employees or a contractor engaged under a service contract. They must have expert knowledge of data protection law. In primary and independent care, we suggest they should also be familiar with relevant GMC guidance and understand how it complements data protection law.
DPOs should have a certain level of independence from the organisation, which must give the DPO the resources necessary to carry out their tasks.
The GDPR requires organisations to make sure that the DPO:
- does not receive any instructions about how to perform their tasks
- operates independently and is not dismissed or penalised for performing their tasks
- reports directly to the organisation's highest management level.
For more advice on GDPR, read our guides on:
This page was correct at publication on 07/03/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.