Government must protect GPs against new data protection legislation, say LMCs

New data protection regulations are too onerous, and practices should be offered protection and funding to deal with their 'unintended consequences'.

This was the message at Friday's LMCs Conference in response to the General Data Protection Regulation (GDPR), which comes into force 25 May.

As Pulse has already reported, the EU legislation is set to beef up UK data protection rules, which were introduced in 1995, and comes with hefty fines for breaches.

The motion, carried in all parts, said GPs should no longer be the sole data controller; that GP practices should share one data protection officer for their area; and for GP contractual funding to reflect related extra workload.

Presenting the motion, Dr Christiane Harris, from Bedfordshire LMC, said that while the new legislation 'may have been well intended', the 'unintended consequences' will be an 'unjust and bureaucratic nightmare'.

Highlighting the extra workload and risks related to the new legislation, Dr Harris called for 'local amendments' to be put in place to protect 'the medical profession and general practice in particular', perhaps via sharing of data controller responsibility with the Department of Health and Social Care.

She said: 'It will require some smart footwork, seeing as it comes in in May, but it is not impossible.'

She added: 'If there is no other way out, we need funding to defend ourselves from the depredations of this Act.'

But Dr Grant Ingrams, from the BMA's GP Committee, warned against sharing data controlling with the Government or local commissioners.

He said: 'It will just replace one headache with a whole suite of new ones.'

Dr Paul Cundy, GPC IT lead, said they were 'actively engaged' with the Government and ICO about how to 'mitigate the impact' of GDPR on practices 'as best we can'.

The new rules mean that patients can find out if their data is being processed, where it is being used and the reason why.

Providers will also have to hand over the information within 30 days, instead of the current 40 days.

Organisations which breach the legislation could be fined up to 4% of their turnover.

It also means GP practices will no longer be able to charge a fee for providing data.

Other moves include 'clear and affirmative consent' for the processing of private data, the right to know when data has been hacked and to object to profiling.

Every practice will have to appoint a 'senior employee' to take on responsibility for data and cyber security, according to data security and protection requirements, published jointly by NHS England and the Department of Health and Social Care in November.

NHS Digital has published guidance on the legislation.

The motion in full

AGENDA COMMITTEE TO BE PROPOSED BY BEDFORDSHIRE: That conference with respect to the GDPR (General Data Protection Regulation):

(i) believes that GPs feel highly exposed to the GDPR

(ii) believes that it is no longer sustainable for the GP to be the sole data controller

(iii) calls on GPC to urgently explore the possibility of commissioning health organisations having one data protection officer for all GP practices in their area

(iv) calls on GPC to negotiate with governments a review of the application of GDPR to general practice

(v) demands an appropriate uplift in the core contract to reflect the resulting impact of the new regulation.

The motion was carried in all parts.

Readers' comments (7)

  • Could be the final straw, but that's what they want, isn't it?

  • Cobblers

    Why is the GP the 'Data Controller'? I ask, as almost all practices have remote servers hundreds of miles away and most GPs at best are data entry clerks.

    Surely the controller is the Government?

  • Neil Bhatia

    @cobblers
    No, the practice is the data controller.

    The server is in Leeds (for example) and the system supplier hosts the surgery database - in doing so, is a data processor.

    The system supplier cannot do anything with the patient records without the data controller's permission/instruction.

  • Unless they are a certain GP supplier, who thought they could ignore the instructions from their data controllers. Took several years but they have seen the light.

  • I've always thought that I owned the IT infrastructure (with 100% reimbursement); however, the CCG tell me that the NHSE own it. The NHSE also has determined who joins my list, as I have no veto. In essence then the NHSE owns the list and the IT systems. There is probably a case to say that NHSE is the data controller. The distinction is between data controller or data processor. Here is the distinction defined legally:

    Under the current EU Data Protection Directive:

      • only the controller is held liable for data protection compliance, not the processor
      • any processing must be: (a) governed by a written contract; (b) carried out in accordance with the controller's instructions; and (c) subject to appropriate security measures
      • in order to protect itself against unnecessary compliance risks, generally, a controller will seek to pass its responsibilities to the processor via the data processing agreement
      • regardless of the existence of any data processing agreement, controllers remain legally responsible for any breaches caused by the actions of their data processors

    I think that pretty well sums it up. We are the processors, not the controllers.

  • NHSE is the ultimate controller, they are the ones trawling the data to spot outliers and persecute them. The ultimate fat controllers.

  • The IGA - Information Governance Alliance - is issuing guidance for Health and Social Care.
    https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance
    Unfortunately the General Practice/Primary Care Suite is now scheduled for March to May (previously March to April) - so it might appear to be a bit late to allow implementation by 25th May.

    Please note that Bedfordshire is 100% TPP SystmOne - which might have some influence on the suggestion that GPs shouldn't be the Data Controllers any longer.
    Connecting for Health decided that in a single shared record, GPs - and all other users - were Data Controllers in Common - with everything that that implied under DPA and will imply under GDPR.
