The BMA said the guidance is subject to change when the Data Protection Act 2018 comes into effect, but it provides a useful guide to practices’ obligations as data controllers under the new regulations.
Below is a summary of key points from the guidance.
The data controller role
As data controllers, practices have overall control of the data they hold. The BMA guidance says that practices are responsible for:
- Ensuring any third parties that process the data they hold, for example IT suppliers, are complying with the GDPR. A contract should exist between the practice and any data processor that sets out these responsibilities and includes assurances that the processor has adequate security measures in place.
- Handling all requests for access to the data.
- Ensuring access to confidential data is subject to appropriate controls and that all staff who have access to medical records have confidentiality clauses in their employment contracts.
- Ensuring other healthcare staff not employed by the practice are able to legitimately access the medical records for direct care purposes.
The guidance also says that in groups of practices individual GP data controllers may agree to act as ‘joint data controllers’, but this must be reflected in contractual documents between the practices. Legal advice should be sought on joint data controller contracts.
Every practice must have a practice privacy notice. The BMA guidance says this should include:
- Contact details of the practice as data controller
- Contact details of the data protection officer
- The purposes for processing the data and the legal basis for processing the data – practices can state that the processing is for direct patient care, but should also include other legal bases that might result in data being processed for reasons other than direct care
- Information about with whom data are shared
- Any rights of objection
- That patients have the right to access their medical record and to have inaccurate data corrected (although any disagreements about accuracy should be made by a note in the record, rather than removal in most cases).
- Retention periods
- The right to lodge a complaint with the Information Commissioner’s Office (ICO)
This could be provided to patients in a ‘layered approach’, with basic information available from various sources and signposts to more detailed information, the guidance says.
However, every GP practice must have a privacy notice about their data flows relating to direct patient care, which should be prominently displayed on the practice notice board and visible and accessible on their website. This should explain that the practice holds medical records confidentially and shares them with appropriate staff who are involved with providing direct care for individual patients.
Other notices should explain when medical records are used for purposes other than direct patient care. The guidance says there are two broad categories these will fall into – disclosures which are required by law or clinical audit and disclosures for medical research or health management purposes – and provides examples of how practices can explain this to patients.
Some elements of compliance with the GDPR can be demonstrated via completing the Information Governance Toolkit. However, practices must be aware of and understand what data they process, including via third parties, the guidance says. The practice must:
- Maintain and keep up to date records, or an information register, of the data flows within the practice.
- Have internal data protection policies and procedures in place, including policies for handling subject access requests, managing data breaches and handling requests for information from third parties.
- Undertake data protection impact assessments when entering into new data sharing arrangements or when new technologies are used. These must include a description of the processing, an assessment of the risks posed and details of how those risks will be mitigated.
Subject access requests
The BMA is currently updating its guidance on access to health records. However, it says that in most cases patients must be given access to their medical records free of charge, including when a patient authorises access by a third party such as a solicitor. The circumstances in which the practice can charge a fee are likely to be rare, the BMA adds.
Data protection officers
All practices must designate a data protection officer. Larger practices are likely to have an in-house data protection officer, the guidance says, but smaller practices may designate an external data protection officer that could be provided by a CCG or local/regional health board.
Data breaches
Under the GDPR it is mandatory to report a data breach to the ICO if the breach is likely to result in a risk to people's 'rights and freedoms'. The ICO has yet to produce definitive guidance on breach notifications, but the BMA says that it seems likely that 'most, if not all, breaches of the confidentiality of confidential health data will amount to a risk which would warrant reporting'. Breaches must be reported without undue delay and, where feasible, within 72 hours of the data controller becoming aware of them.
Consent and lawful basis
The GDPR provides a lawful basis for processing confidential health data for the provision of direct care that does not require explicit consent, the guidance says.
However, data controllers must also satisfy the common law duty of confidentiality. The guidance says that, in order to do this, they can continue to rely on implied consent when sharing confidential health data for the provision of direct care.
For purposes other than direct care, consent must be ‘freely given, specific, informed and unambiguous’, the GDPR says. However, the BMA guidance says that there is a lawful basis for disclosure under public health legislation and when processing data for medical research, and it provides detail on how to explain this to patients in the section on privacy notices.
When handling requests from third parties, practices must be clear that there is a legal basis for the disclosure, the guidance says. Only information relevant for the specific purpose it is requested should be shared. Decisions about sharing data cannot necessarily rely on implied consent and may need to be made on a case-by-case basis. It might also be necessary for practices to seek advice from their data protection officer in some cases.