Patients need confidence that they can trust their doctors, not only with their health, but also with their personal data. Any breach of patients’ confidential information is likely to be damaging for public trust. However, appropriate sharing of patient information is also essential for safe and effective healthcare. Every GP practice is therefore expected to follow the strict data protection regulations that apply whenever personal data is used.
The Data Protection Act 2018 and GDPR
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR), which came into effect in the UK on 25 May 2018. This sets out how personal data must be used: fairly, lawfully and transparently. The Information Commissioner’s Office (ICO) is the independent supervisory body for this legislation.
Does GDPR still apply after Brexit?
The EU GDPR was designed to harmonise data privacy laws across countries in the EU. Since the UK has now left the EU, that EU Regulation no longer applies. However, the GDPR has been incorporated into UK law as the UK GDPR. In effect, very little has changed, with only a few technical amendments so that the regulation applies in a UK-only context.
However, if your practice receives personal data from the EEA, you may need additional safeguards in place to maintain data transfer beyond June 2021. More information is available in the ICO’s guidance on International Data Transfers and Data Protection at the end of the transition period.
How GDPR applies to GP practices
The GDPR applies to data controllers and data processors. GP practices, and some individual doctors, have the role of data controllers, who determine how and why personal data is processed.
‘Personal data’ means any information relating to a person who can be directly or indirectly identified from the data. This information may be held in automated or manual filing systems and can relate to patients or staff and job applicants.
GDPR requirements: Refresh your knowledge
GP practices will have implemented changes required under the GDPR when it was introduced in 2018. But given the importance of personal data protection in the context of healthcare and the hefty fines that can be levied for any breaches, it is essential to maintain your knowledge and compliance with GDPR requirements for GPs as data controllers.
Key obligations for GP practices are:
- Demonstrate compliance. Have data protection policies and procedures in place, and record all data processing activities and the legal basis for these activities. Check whether you need to perform a data protection impact assessment for any new data sharing arrangements (including new technologies).
- Notify the ICO of security breaches. This legal requirement applies to any security breach that is ‘likely to result in a risk to people’s rights and freedoms’. Notification must be made within 72 hours of the practice becoming aware of the breach, so ensure that your practice has a policy for handling this.
- Have a designated Data Protection Officer.
- Do not charge for subject access requests in most cases. With rare exceptions, practices must provide copies of records to patients or staff requesting them, without charge, within one calendar month. Ensure you have a policy for how to handle third party requests, including from solicitors.
- Be open and transparent about how personal data is used in privacy notices. Display at least one privacy poster on the practice notice board and website to explain how patient data is used to provide direct patient care, with signposting to more detailed information. The British Medical Association (BMA) provides advice and useful templates for privacy notices.
Get support regarding information governance
Note that the ICO can levy substantial penalties for any non-compliance with the regulation, as well as data breaches. So it is important to get support where needed.
The General Medical Council (GMC) states: “If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian or equivalent, a data protection officer, your defence body or professional association, or seek independent legal advice.”
At Medical Defense Society, our team of experts can advise members on data protection policies and what to do if things go wrong.
- The GMC’s guidance, Confidentiality: good practice in handling patient information, has been updated in keeping with GDPR legislation.
- BMA provides guidance on GPs’ role as data controllers.
- The ICO offers FAQs on GDPR for small health sector bodies and a data protection self-assessment tool for data controllers.
- NHSX provides an information governance portal, including short videos and information addressing common questions.
Please get in touch at Medical Defense Society if you need assistance with implementing the GDPR to safeguard patient information or with handling a data breach.