New data protection regulations are too onerous and practices should be offered protection and funding to deal with its ‘unintended consequences’.
This was the message at Friday’s LMCs Conference in response to the General Data Protection Regulation (GDPR), which comes into force 25 May.
As Pulse has already reported, the EU legislation is set to beef up UK data protection rules, which were introduced in 1995, and comes with hefty fines for breaches.
The motion, carried in all parts, said GPs should no longer be the sole data controller; that GP practices should share one data protection officer for their area; and for GP contractual funding to reflect related extra workload.
Presenting the motion, Dr Christiane Harris, from Bedfordshire LMC, said that while the new legislation ‘may have been well intended’, the ‘unintended consequences’ will be an ‘unjust and bureaucratic nightmare’.
Highlighting the extra workload and risks related to the new legislation, Dr Harris called for ‘local amendments’ to be put in place to protect ‘the medical profession and general practice in particular’, perhaps via sharing of data controller responsibility with the Department of Health and Social Care.
She said: ‘It will require some smart footwork, seeing as it comes in in May, but it is not impossible.’
She added: ‘If there is no other way out, we need funding to defend ourselves from the depredations of this Act.’
But Dr Grant Ingrams, from the BMA’s GP Committee, warned against sharing data controlling with the Government or local commissioners.
He said: ‘It will just replace one headache with a whole suite of new ones.’
Dr Paul Cundy, GPC IT lead, said they were ‘actively engaged’ with the Government and ICO about how to ‘mitigate the impact’ of GDPR on practices ‘as best we can’.
The new rules mean that patients can find out if their data is being processed, where it is being used and the reason why.
Providers will also have to hand over the information within 30 days, instead of the current 40 days.
Organisations which breach the legislation could be fined up to 4% of their turnover.
It also means GP practices will no longer be able to charge a fee for providing data.
Other moves include ‘clear and affirmative consent’ for the processing of private data, the right to know when data has been hacked and to object to profiling.
Every practice will have to appoint a ‘senior employee’ to take on responsibility for data and cyber security, according to data security and protection requirements, published jointly by NHS England and the Department of Health and Social Care in November.
NHS Digital has published guidance on the legislation.
The motion in full
AGENDA COMMITTEE TO BE PROPOSED BY BEDFORDSHIRE: That conference with respect to the GDPR (General Data Protection Regulation):
(i) believes that GPs feel highly exposed to the GDPR
(ii) believes that it is no longer sustainable for the GP to be the sole data controller
(iii) calls on GPC to urgently explore the possibility of commissioning health organisations having one data protection officer for all GP practices in their area
(iv) calls on GPC to negotiate with governments a review of the application of GDPR to general practice
(v) demands an appropriate uplift in the core contract to reflect the resulting impact of the new regulation.
The motion was carried in all parts.
