The introduction of the General Data Protection Regulation (GDPR) into EU law has some major implications for GP practices. Medicolegal expert Dr Rachel Birch answers some commonly asked questions about the new legislation.
What is GDPR and when will it come into force?
The General Data Protection Regulation (GDPR) is a new EU regulation that comes into force on 25 May 2018. The GDPR will, along with a new Data Protection Act (currently in draft Bill form), replace existing data protection legislation including the UK Data Protection Act 1998.
Who does the GDPR apply to?
The GDPR applies to all individuals and organisations with day-to-day responsibilities for data protection. It therefore applies to GP practices, as ‘data controllers’, and their clinicians and administrative staff.
Will it be affected by Brexit?
The UK will still be part of the EU in May 2018 and practices must therefore comply with the GDPR. The Data Protection Bill 2017 is currently being debated in Parliament. When it becomes an Act, it will set out how the GDPR will be brought into UK law, after Brexit.
What are the main changes?
The Information Commissioner’s Office (ICO) has published guidance ‘Preparing for the General Data Protection Regulation – 12 steps to take now’. The key regulation changes that affect practices are summarised below.
Definition of personal data has been expanded
Personal data is any information relating to an identified or identifiable natural person. It includes names, addresses, telephone numbers, dates of birth and GP and hospital numbers. Under GDPR, the definition has been expanded to include information processed via digital media.
In addition, special categories of personal data (formerly ‘sensitive’ data) – covering health, race, ethnicity, sexual orientation, religion and political views – now also include genetic and biometric data.
Practices must establish their legal basis for processing data
Practices must document both a lawful basis for processing personal data and also a condition for processing special categories of data.
The GDPR has six lawful bases for processing personal data – for general practice the relevant ones are explicit patient consent, that processing is necessary for the provision of a service/performance of a contract, or that processing is necessary in the vital interests of the data subject.
Meanwhile one of 10 conditions must be met for processing special categories of data – here the relevant options are explicit patient consent or that processing is necessary for provision of healthcare.
However, where ‘consent’ is chosen, the GDPR sets a high standard – it has to be specific, freely given, informed and should constitute an unambiguous indication of the patient’s wishes, by clear affirmative action to the processing of their data. Pre-ticked boxes, for example on new patient registration forms, would not count as valid consent for data protection purposes and there must be a positive opt-in process. Patients must also be provided with an easy way to withdraw their consent.
Given these requirements, rather than relying on explicit consent to process data, practices are likely to use another appropriate lawful basis and special category condition for the processing of personal and special categories of data, respectively. The ICO has published specific guidance on this.
For practices, this will mostly mean relying on ‘necessary for the provision of healthcare’ for processing sensitive data. As long as patients have been appropriately informed how their personal data will be used, in ‘privacy notices’, it would usually be reasonable for GPs to rely on implied consent for sharing relevant information in order to provide direct patient care – for example, when a patient agrees to a referral to another healthcare professional.
However, for some other purposes – for example, a request for confidential data from a third party such as an employer or insurance company, explicit consent will be needed.
Practices must provide more information in ‘privacy notices’
Practices must inform individuals what they are doing with their data. Privacy notices informing patients at the time of collecting their data should be available on the practice website, on posters in the practice and perhaps within leaflets provided at patient registration. The following information must be provided within such notices:
- Practice name (identified as data controller)
- Data protection officer’s contact details
- Purpose of processing patient data
- Lawful basis for processing personal data
- The categories of personal data concerned
- Potential recipients of personal data
- How long data will be retained
- A list of the patient’s rights
- Safeguards if data transferred to a country outside the EU.
Patients must also be informed they can complain to the ICO if they are unhappy with how their data are being handled.
Practices will rarely be able to charge for access to medical records
You will no longer be able to charge patients for subject access requests, unless the request is ‘manifestly unfounded or excessive’ or is a repetitive request for copies of the same information, previously disclosed. Such situations are expected to be rare. The timescale for compliance with a patient’s request will also be reduced, from 40 days to one month. If practices refuse a subject access request, they must tell the patient the reasons and inform them that they have a right to complain to the ICO.
You must report data breaches, and these incur bigger financial penalties
In the event of a data breach affecting a patient’s privacy rights (for example, breach of confidentiality), data controllers must notify the ICO ‘without undue delay’, and where feasible no later than 72 hours after becoming aware of the breach. Practices will also have to notify the patient of the breach if it is likely to result in a high risk to their privacy rights. This is in addition to the duty of candour to inform patients of such breaches. The ICO will also be able to impose much higher fines for breaches and non-compliance.
Practices must demonstrate compliance with the GDPR
Accountability was always implicit in data protection law, but the GDPR makes it mandatory for practices to be able to demonstrate that they are compliant with GDPR. They should maintain accurate records of all data processing activities, document all advice provided by the DPO and data protection impact assessments (DPIAs) undertaken. Now is the time to revise and update internal data protection policies, and arrange and document staff training.
DPIAs are recommended, as a way of assessing the levels of protection in place to safeguard personal patient data. Whilst considered good practice in any case, DPIAs will be mandatory when the processing of personal data involves high risks to confidentiality, such as when practices engage in data sharing arrangements, or where new technologies are being used, for example a new computer system.
Practices need to designate a data protection officer
General practices will be required to appoint a Data Protection Officer to advise and monitor data security. The Data Protection Officer can be an employee or external to the practice, and should have professional experience and knowledge of data protection law; this should be proportionate to the type of processing the practice carries out, taking into consideration the level of protection the personal data requires.
Patients will have more rights
Individuals will have stronger rights to control their data under the GDPR, including the right to erasure, the right to rectification, the right to object to processing and the right to restrict processing. These rights are complex and not absolute. Practices should ensure they understand when they apply and have a process in place, should patients wish to exercise them.
Where can I get further information?
The ICO has published comprehensive guidance on the GDPR and how organisations must comply. However, the recommendations are not completely finalised and you should check the ICO website regularly to review updates.
The ICO has also published the Data Protection Self-Assessment tool, with helpful checklists to assess your compliance and identify what steps you need to take now to be GDPR compliant on 25 May 2018.
Dr Rachel Birch is medicolegal advisor at Medical Protection
1. GDPR Portal https://www.eugdpr.org/
2. Information Commissioner’s Office. Preparing for the General Data Protection Regulation
3. Information Commissioner’s Office. Guide to the General Data Protection Regulation: Lawful basis for processing
4. Information Commissioner’s Office. Guide to Data Protection: Privacy notices, transparency and control
6.Information Commissioner’s Office. Resources and support: Data protection and self assessment