The General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect this deadline.
What is the GDPR?
The EU GDPR is designed to harmonise data privacy laws across Europe. Its aim is to protect all EU citizens from privacy and data breaches. When it comes into effect next May it will replace the Data Protection Act (DPA).
The DPA dates from the 1990s when organisations held much less data on individuals. As the amount of data held has increased and technology has advanced, so has the risk of cyber crime and data breaches. The GDPR aims to address gaps in current legislation by providing a framework with greater scope and tougher punishments for those who fail to comply.
Like the DPA, the GDPR applies to ‘controllers’ and ‘processors’ of data and the definition of these remains similar. A controller says how and why personal data is processed and the processor acts on the controller’s behalf.
Under the GDPR processors have more legal liability for data breaches than under the DPA. The GDPR also places greater emphasis on the responsibility of data controllers to ensure their processors comply with the regulation.
The GDPR applies to all personal data held by an organisation in both automated and manual filing systems.
The definition of personal data is more detailed than under the DPA. For example, an online identifier, such as an IP address, will be classed as personal data. Personal data that has been pseudonymised can also fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to an individual.
Practices should remember that these regulations do not just apply to information you hold on patients. Any personal data you hold about staff or job applicants will also be covered by the legislation.
What are the key changes?
The main changes under the GDPR are:
- Organisations will be obliged to demonstrate that they comply with the new law.
- There are significantly increased penalties for any breach of the regulation, not just data breaches.
- There will be a legal requirement to notify the Information Commissioner’s Office (ICO) of any security breaches. However, the ICO has clarified that mandatory reporting only applies to a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. Ideally this should be no later than 72 hours after the organisation first becomes aware of the breach.
- The GDPR will remove charges, in most cases, for providing copies of records to patients or staff who request them (see subject access requests, below).
- A requirement to keep records of all data processing activities.
- All public authorities should have a data protection officer.
- A data protection impact assessment will be required for all high-risk processing.
- Tighter rules around consent.
- Specific requirements for transparency and fair processing.
What should practices be doing?
NHS Digital’s Information Governance Alliance will be producing guidance for NHS organisations on how they can comply with the new regulations. This guidance is being developed by the National GDPR Working Group, which is chaired by NHS England, and will include specific information on Caldicott Guardians, information governance leads and employee responsibilities.
There is very little guidance currently available from this group. What is available stresses that the GDPR will now require organisations to be able to demonstrate that they are complying with the regulation, something they have not had to do under the DPA.
In order to do this, the guidance says NHS organisations will need to:
- record all data processing activities with their lawful justification and data retention periods.
- routinely conduct and review data protection impact assessments where processing is likely to pose a high risk to individuals’ rights and freedoms.
- assess the need for data protection impact assessment at an early stage, and incorporate data protection measures in the design and operation of information systems and processes.
- ensure demonstrable compliance with requirements for transparency and fair processing, including notification of individuals' rights.
- ensure that data subjects’ rights are respected (this includes providing copies of records free of charge, rights to rectification, erasure, to restrict processing, data portability, to object, and to prevent automated decision making).
- notify the ICO of any personal data security breaches (see above).
- appoint a suitably qualified and experienced data protection officer (the guidance says that this role may be shared by multiple organisations, so it may be that this role is at CCG- or federation-level in your area).
Organisations that are performing well in their information governance toolkit scores should have a good baseline to work from, the guidance says. However, it adds that the new regulations require organisations to take specific actions and have evidence to demonstrate that they have done so.
To do this, organisations should consider developing an action plan that could include the following:
- Establishing records of processing activities.
- Reviewing and revising fair processing information.
- Revising policies to ensure that the data protection officer is consulted routinely on the need for a data protection impact assessment and that compliance with the GDPR is addressed when implementing information systems.
- Ensuring compliance with the GDPR of existing processes and systems.
- Reviewing contracts with suppliers to ensure they are compliant with the GDPR where applicable.
- Revising subject access procedures to reflect the new timescales and removal of a fee in most cases (see below for more on this).
Subject access requests
Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed and access to their personal data and other relevant information. These are similar to existing subject access rights under the DPA.
However, under the GDPR you must provide a copy of the information free of charge. The ICO says: ‘The removal of the £10 subject access fee is a significant change from the existing rules under the DPA.’
It goes on to say: ‘You can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.
‘You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information.’
Under the GDPR practices will have to comply with a subject access request within one month of receipt. You can extend this period by a further two months if the request is complex or there are numerous requests, but you must inform the individual of this within one month of receipt of the request and explain why the extension is necessary.
Medeconomics will be providing more detailed advice on how practices can ensure they are complying with the GDPR as more guidance is produced by NHS Digital.
Useful resources for practices
- NHS Digital Information Governance Alliance GDPR guidance
- The Information Commissioner’s Office has extensive information about the GDPR, which you can find here. There is a very useful mythbuster series on the site.
- The ICO is also due to publish final guidance on consent under the GDPR shortly; however, the guidance it consulted on can be found here.