The General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect this deadline. The GDPR and the forthcoming Data Protection Act (DPA) 2018 will replace the current Data Protection Act. The DPA 2018 has yet to be finalised.
What is the GDPR?
The GDPR is designed to harmonise data privacy laws across Europe. Its aim is to protect all EU citizens from privacy and data breaches.
The current DPA dates from the 1990s when organisations held much less data on individuals. As the amount of data held has increased and technology has advanced, so has the risk of cyber crime and data breaches. The GDPR aims to address gaps in current legislation by providing a framework with greater scope and tougher punishments for those who fail to comply.
The key principles of the current DPA remain unchanged, but some areas of the legislation have been strengthened.
Like the DPA, the GDPR applies to ‘controllers’ and ‘processors’ of data and the definition of these remains similar. A controller says how and why personal data is processed and the processor acts on the controller’s behalf. Practices are classed as data controllers.
The GDPR applies to all personal data held by an organisation in both automated and manual filing systems.
The definition of personal data is more detailed than under the DPA. For example, an online identifier, such as an IP address, will be classed as personal data. Personal data that has been pseudonymised can also fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to an individual.
Practices should remember that these regulations do not just apply to information you hold on patients. Any personal data you hold about staff or job applicants will also be covered by the legislation.
What are the key changes?
The main changes under the GDPR are:
- Organisations will be obliged to demonstrate that they comply with the new law. The practice must have data protection policies and procedures in place and keep a record of all data processing activities in order to do this.
- There are significantly increased penalties for any breach of the regulation, not just data breaches.
- There will be a legal requirement to notify the Information Commissioner’s Office (ICO) of personal data breaches. The ICO has clarified that mandatory reporting applies only where a breach is likely to result in a risk to people’s rights and freedoms; given the sensitivity of health data, it seems likely that any breach involving it would require reporting. Notification must be made no later than 72 hours after the practice first becomes aware of the breach.
- The GDPR will remove charges, in most cases, for providing copies of records to patients or staff who request them (see subject access requests, below).
- All public authorities should have a data protection officer.
- A data protection impact assessment will be required for all high-risk processing.
- There will be specific requirements for transparency and fair processing.
What will practices have to do to comply?
NHS Digital’s Information Governance Alliance (IGA) is producing guidance for NHS organisations on how they can comply with the new regulations. It has recently produced a 'key points' document for GP practices. The BMA has also produced some useful guidance on the practice's role as a data controller. You can find more details about this guidance here.
In order to demonstrate compliance with the GDPR, the IGA says NHS organisations will need to:
- record all data processing activities with their lawful justification and data retention periods.
- routinely conduct and review data protection impact assessments.
- incorporate data protection measures in the design and operation of information systems and processes and ensure data protection is built-in from the start of any new activities.
- ensure demonstrable compliance with requirements for transparency and fair processing, including notification of individuals' rights.
- ensure that data subjects’ rights are respected.
- notify the ICO of any personal data security breaches (see above).
- appoint a suitably qualified data protection officer (this role can be shared by multiple organisations, so this role may be undertaken at CCG- or federation-level in your area).
What steps should practices take now?
Practices that are performing well in their information governance toolkit scores should have a good baseline to work from, the guidance says. However, the IGA has produced a checklist to help practices prepare. It recommends the following:
- Ensure you have a data protection officer
- Make sure you know where to find information governance support - this should be provided locally by NHS England as part of the 2016-18 GP IT operating model.
- Understand what information you hold, how it is used and shared. You can use the ICO's data protection self assessment tool for data controllers here to help with this.
- Understand the legal rights patients and staff have over their personal data.
- Update your subject access request policy.
- Review your practice's privacy notice. This is the information you provide to patients explaining how their data is handled. Certain information must be included in the privacy notice displayed in the practice, with basic information available in a variety of formats that signposts patients to a fuller explanation on the practice website or in a leaflet. A child aged over 13 should be able to understand the privacy notice.
- Understand the lawful basis for processing data and also understand the principles of consent under the GDPR.
- Have a system and policy in place for investigating and reporting a data breach to the ICO within 72 hours of discovery.
Subject access requests
Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed and access to their personal data and other relevant information. These are similar to existing subject access rights under the DPA.
However, under the GDPR you must provide a copy of the information free of charge. The BMA is currently updating its guidance on subject access requests, but its GDPR guidance says that cases where practices can charge for access to records are likely to be 'rare'.
Under the GDPR, practices will have to comply with a subject access request within one calendar month of receipt, and requests can be made verbally rather than only in writing, as is currently the case. You can extend this period by a further two months if the request is complex or there are numerous requests, but you must inform the individual of this within one month of receipt of the request and explain why the extension is necessary.