In order to understand the legal changes to data protection law that will be introduced during 2018, members need to be aware of two pieces of legislation.
The first is the General Data Protection Regulation (GDPR) which applies throughout the EU and will be enshrined in UK law from 25 May 2018. All healthcare and other organisations will have to comply with it. Brexit is not expected to affect its implementation and the intention is that when the UK leaves the EU, it will be incorporated into UK domestic law under the European Union (Withdrawal) Bill, currently before parliament.
The second piece of legislation is the Data Protection Bill 2017-19, which is currently before parliament. When enacted, this intended to replace the Data Protection Act 1998 and to provide a comprehensive legal framework for data protection in the UK, supplemented by the GDPR. It will also clarify some aspects of GDPR and set out UK exceptions to it.
The GDPR and the Bill are interrelated and you need to be aware of how they will affect your clinical practice and how to prepare for their implementation.
The definition of personal data and sensitive personal data have been expanded under GDPR. Personal data is defined as, 'any information relating to an identified or identifiable natural person'. This now includes location and online identifiers such as IP addresses.
Many of the requirements of the GDPR already existed in the Data Protection Act 1998 and MDU members will already be largely compliant. You still need to be familiar with the GDPR's main provisions so you can make any necessary changes to your practice's data protection policies and procedures.
Sensitive personal data, called 'special categories of personal data' in GDPR, is defined as data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for identification, data concerning health or data concerning a natural person's sex life or sexual orientation.
Differences between GDPR and Data Protection Act 1998
The basic principles of GDPR are very similar to those set out in the Data Protection Act 1998 (DPA), but with an emphasis on processing personal data lawfully, fairly and in a transparent manner, and that it should be collected for specified, explicit and legitimate purposes.
Primary care practices will continue to be considered as controllers of patient data. The GDPR introduces a new requirement for data controllers to state explicitly that they are responsible for the data and able to demonstrate compliance with the principles.
The GMC advises that in some parts of the UK, you may be sole data controller - as is generally the case in England, Wales and Northern Ireland - and in others a joint controller with your contracting authority. For example, in Scotland all GPs are joint data controllers with their contracting health boards.
The Information Commissioner's Office (ICO) suggests ways that you can show compliance with GDPR principles. These include:
- implement appropriate technical and organisational measures that ensure and demonstrate that you comply, such as policies for staff training and internal audits of processing
- maintain relevant documentation on processing activities. Organisations with more than 250 employees have an obligation to maintain internal records of processing activities, but this is unlikely to apply to most GP practices. Organisations with fewer than 250 employees will have to document activities concerning high-risk processing, which includes health data.
- implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
- use data protection
- impact assessments where appropriate
- data minimisation
- allowing individuals to monitor processing
- creating and improving security features on an ongoing basis.
Data protection officers
The appointment of a data protection officer (DPO) will be mandatory for public authorities which include NHS primary medical and dental care practices. Preliminary guidance on DPOs from the Information Governance Alliance (IGA) is provided by NHS Digital, which currently says:
'DPOs may be shared by multiple organisations that are 'public authorities' taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest. A DPO team with a nominated contact for each organisation is an acceptable approach.'
We will provide further details when they are available about the types of arrangements that will satisfy the DPO requirements.
DPOs must also be appointed by organisations that carry out large scale processing of special category personal data, which includes health data. Processing of patient health data by an individual physician does not constitute large scale processing. If you are a single-handed private practitioner the GDPR does not oblige you to appoint a DPO, but you must have sufficient staff and skills to meet your obligations under the GDPR. You can voluntarily appoint or contract a DPO.
Role of the DPO
- To inform and advise the organisation and employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments; training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (for example, patients).
DPOs can be employees or a contractor engaged under a service contract. They must have expert knowledge of data protection law. In primary and independent care we suggest they should also be familiar with relevant GMC guidance and understand how it complements data protection law.
DPOs should have a certain level of independence from the organisation, which must give the DPO the resources necessary to carry out their tasks.
The GDPR requires organisations to make sure that the DPO:
- does not receive any instructions about how to perform their tasks
- operates independently and is not dismissed or penalised for performing their tasks
- reports directly to the organisation's highest management level.
This guidance was correct at publication 14/02/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.