The BMA guidance on GPs' role as data controllers under the GDPR was published in early March. It is subject to change when the Data Protection Act (DPA) 2018 comes into effect, but it provides a useful guide to practices’ obligations as data controllers under the new regulations.
The DHSC's advice was published last week by the Information Governance Alliance (IGA), which is a national GDPR working group chaired by NHS England. Again, its recommendations are subject to change when the DPA 2018 comes into effect.
The key parts of this guidance are explained below. Most of the information is taken from the BMA guidance, which is more practical and sets out steps practices need to take. The IGA's advice is a 'key points' document, but it provides some useful, additional information, which is highlighted below.
The data controller role
As a data controller, practices have overall control of the data they hold. The BMA guidance says that practices are responsible for:
- Ensuring any third parties that process the data they hold, for example IT suppliers, are complying with the GDPR. A contract should exist between the practice and any data processors that sets out these responsibilities and includes assurances that the processor has adequate security measures in place.
- Handling all requests for access to the data.
- Ensuring access to confidential data is subject to appropriate controls and that all staff who have access to medical records have confidentiality clauses in their employment contracts.
- Ensuring other healthcare staff not employed by the practice are able to legitimately access the medical records for direct care purposes.
The BMA also says that in groups of practices individual GP data controllers may agree to act as ‘joint data controllers’, but this must be reflected in contractual documents between the practices. Legal advice should be sought on joint data controller contracts.
Every practice must have a practice privacy notice. The BMA guidance says this should include:
- Contact details of the practice as data controller
- Contact details of the data protection officer
- The purposes for processing the data and the legal basis for processing the data – practices can state that the processing is for direct patient care, but should also include other legal bases that might result in data being processed for reasons other than direct care (see consent section below for more on this)
- Information about with whom data are shared
- Any rights of objection
- That patients have the right to access their medical record and to have inaccurate data corrected (although any disagreements about accuracy should be made by a note in the record, rather than removal in most cases).
- Retention periods (for patient records this is until death)
- The right to lodge a complaint with the Information Commissioner’s Office (ICO)
This could be provided to patients in a ‘layered approach’, with basic information available from various sources and signposts to more detailed information, the BMA says.
Every GP practice must have a privacy notice about their data flows relating to direct patient care, which should be prominently displayed on the practice notice board and website. This should explain that the practice holds medical records confidentially and shares them with appropriate staff who are involved with providing direct care for individual patients.
Other notices should explain when medical records are used for purposes other than direct patient care. The guidance says there are two broad categories these will fall into – disclosures which are required by law or clinical audit and disclosures for medical research or health management purposes – and provides examples of how practices can explain this to patients.
The GDPR creates a lawful basis for processing confidential data when it is for the provision of direct care that does not require explicit consent, the BMA says. Practices can also continue to rely on implied consent when sharing confidential health data for the provision of direct care.
For purposes other than direct care consent must be ‘freely given, specific, informed and unambiguous’, the GDPR says. However, the BMA guidance says that there is a lawful basis for disclosure under public health legislation and when processing data for medical research. It provides detail on how to explain this to patients in privacy notices.
When handling requests from third parties, practices must be clear that there is a legal basis for the disclosure, the guidance says. Only information relevant for the specific purpose it is requested should be shared. Decisions about sharing data cannot necessarily rely on implied consent and may need to be made on a case-by-case basis. It might also be necessary for practices to seek advice from their data protection officer in some cases.
Some elements of compliance with the GDPR can be demonstrated by completing the Information Governance Toolkit. However, practices must be aware of and understand what data they process, including via third parties, the BMA guidance says. The practice must:
- Maintain and keep up-to-date records or an information register of the data flows within the practice.
- Have internal data protection policies and procedures in place, including policies for handling subject access requests, managing data breaches and handling requests for information from third parties.
- Undertake data protection impact assessments when entering into new data sharing arrangements or when new technologies are used. This must include a description of the processing, an assessment of the risk posed and detail of how this risk will be mitigated.
Subject access requests
The BMA is currently updating its guidance on access to health records. However, it says that in most cases patients must be given access to their medical records free of charge, including when a patient authorises access by a third party such as a solicitor. The circumstances in which the practice can charge a fee are likely to be rare, the BMA adds.
The timeline for complying with access requests has also been reduced from 40 days to one calendar month. The IGA guidance also highlights that, while the DPA 1998 specifies that requests must be made in writing, the GDPR does not, so practices could receive subject access requests verbally in future.
The IGA says that whether the request is verbal or written the practice must have processes in place to check that the person making the request is who they say they are.
It also suggests that the changed process 'will not be a burden on practices' if you provide patients with online access to their records 'because it is likely that it will reduce the number of requests'.
Data protection officers
All practices must designate a data protection officer. Larger practices are likely to have an in-house data protection officer, the BMA says, but smaller practices may designate an external data protection officer that could be provided by a CCG or local/regional health board.
The IGA says: 'A practice manager, or one of their colleagues, can be appointed as data protection officer in addition to their existing roles as long as they have some data protection experience and are not the final decision taker about data use in the organisation (which would be seen as a conflict of interest).'
The IGA also says that practices can share a data protection officer.
It is mandatory to report data breaches to the ICO under the GDPR if the breach is likely to result in risks to people's 'rights and freedoms'. The BMA says that it seems likely that 'most, if not all, breaches of the confidentiality of confidential health data will amount to a risk which would warrant reporting'. Breaches must be reported within 72 hours of the data controller becoming aware of them occurring.
Data protection fee
Most organisations currently pay £35 to the ICO for processing personal data. The IGA says that from 25 May 2018 new regulations – the Data Protection (Charges and Information) Regulations 2018 – will come into effect. As part of this the fee payable will rise to £40 or £60.
According to ICO guidance the fee for 'public authorities', which practices would fall under, is determined by staff numbers only. Practices employing no more than 10 members of staff will pay £40. Those employing no more than 250 members of staff will pay £60. The ICO currently plans to phase in the new fees when an organisation's existing registration expires.
Useful resources for practices
- BMA guidance on GPs' role as data controllers.
- NHS Digital Information Governance Alliance GDPR guidance
- The Information Commissioner's Office has produced an FAQ for small health sector bodies here.
- The full ICO information on the GDPR is here. There is a useful mythbuster series on the site.
- The ICO has also produced a data protection self-assessment tool, which you can access here.
- The ICO is also due to publish final guidance on consent under the GDPR shortly; however, the guidance it consulted on can be found here.