The Data Protection Bill, which will need to be considered with GDPR, received Royal Assent on 23 May 2018.
Although there are uncertainties about how some aspects of GDPR and the new data protection law will apply in practice, here is a list of things practices should have already done to prepare. Practices that haven't yet taken these steps should identify what they still need to do and have a plan in place to do so.
1. GP practices must have a Data Protection Officer (DPO)
All GP practices providing services commissioned through NHS England are considered public authorities and are required to appoint a DPO, or have arrangements in place to share one, by 25 May 2018.
The DPO must have proven expert knowledge of data protection law and practice. It is recognised that they will not fully understand all the ramifications of the new legal requirements from 25 May, and they will need to keep up to date with any changes and clarifications (for example from the ICO) and understand how these changes impact the practice, as the law becomes embedded.
There are several options regarding appointment of a DPO:
a) Employ a new member of staff with specific knowledge, qualifications and experience.
b) Appoint somebody who already works in the practice with the necessary knowledge, qualifications and experience. This person can add the DPO's requirements to other responsibilities, for example maintaining records of processing activities. DPOs must not be the final decision-makers regarding data processing; for example, they cannot be the data controller and must avoid any conflicts of interest.
c) Share a DPO with one or more practices. A CCG may be able to help facilitate this, but is unlikely to be able to fund such a person.
In deciding upon a shared DPO you will need to consider factors such as:
- the sizes of the practices
- the numbers of patients
- whether the DPO is genuinely going to be in a position to understand and advise each individual practice and monitor compliance.
You should document these considerations and the justification for your decision.
Further information about DPOs can be found on the ICO website and the IGA website, which will be updated as matters are clarified.
2. Update privacy notices
You must provide patients with information including:
- The lawful basis on which you are processing their personal data. For healthcare organisations this may be Article 6(1)(e), that processing is '…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…', together with Article 9 for special category data, which includes personal data about health.
- The retention periods for the data.
- Who it will be shared with.
The ICO has a useful checklist explaining the information privacy notices need to contain.
If you are relying on other legal bases, you will need to specify these in the privacy notice. See the IGA's guidance for more on this.
3. Update procedures for subject access requests
The criteria for subject access requests under GDPR will be the same as now and individuals may request access to their own records. As is the case now, you should redact any third party information or anything that you believe may cause serious harm to the patient.
GDPR and the forthcoming DPA only cover living individuals. Deceased patients' records remain subject to the Access to Health Records Act 1990. Practices also need to be aware of the GMC's guidance on confidentiality.
Under the new data protection regime, there are some differences to the subject access request process:
a) The subject access request does not have to be in writing.
b) The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare and, when considering them, doctors should bear in mind their general duties towards patients as set out in Good medical practice and the GMC's specific guidance on confidentiality. It may be helpful to discuss such cases with the DPO and/or to seek advice from the MDU.
c) You need to provide the information within one month.
d) The presumed age of consent for children for this purpose is 13 years, and you will need to get consent from children aged 13 years or older. However, children younger than 13 may have capacity to consent and if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes it is not in their best interests.
e) You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided about the right to complain to the ICO or judicial remedy.
Insurance companies, solicitors or other third parties should not be charged if requesting records, with patient consent, under a subject access request. However, other requests for information or reports by third parties should be dealt with in the normal way.
4. Review checklists
The ICO and IGA have both provided checklists which you should review.
5. Review new data protection fees
The Data Protection (Charges and Information) Regulations come into force on 25 May. These regulations introduce new fees for data controllers. They set the charge period in which the fee is due for payment and fix the fee to be paid. The amount you need to pay will depend on how many people you have in your organisation. The ICO produced guidance when the regulations were in draft, and we expect this to be updated.
This guidance was correct at publication 25/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.