Last reviewed 3 April 2018
Both the General Data Protection Regulation (GDPR) and the National Data Opt-Out are due to be implemented in the UK in May 2018. In order to ensure compliance with these new data protection requirements, general practices must ensure they are prepared. Martin Hodgson reviews the changes.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) was approved by the European Parliament in April 2016. It replaces the Data Protection Directive 95/46/EC and comes into force in all EU Member States on 25 May 2018.
The regulations were designed to harmonise data privacy laws across Europe and update them to reflect how modern organisations and individuals use data. Information is increasingly digital and the world is now much more “data-driven” than in the past. Protection for privacy has never been more important, especially when faced with growing “cyber-security” and “identity theft” threats.
The GDPR will be enacted in the UK as the Data Protection Act 2017, replacing the Data Protection Act 1998 (DPA), which will be repealed. It will be enforced by the Information Commissioner's Office (ICO). Organisations will be obliged to demonstrate compliance with the new law and may face heavy fines if they do not.
A new tiered approach to fines will apply. Under the GDPR organisations can be fined a maximum of 4% of their annual turnover or €20 million (whichever is greater) for serious breaches of the rules.
NHS organisations in particular hold considerable amounts of personal information about people, including sensitive clinical information. The GDPR is therefore likely to have a significant impact.
Differences between the GDPR and current data protection law
Many of the concepts and principles behind the GDPR are reassuringly familiar. For NHS organisations that comply with current information governance practice this means that much of their general approach is likely to remain valid under GDPR.
For instance, as with the DPA, the GDPR applies to “data controllers” and “data processors” — the former controlling how and why personal data is processed, and the latter doing the processing on behalf of a controller.
However, a number of provisions within the GDPR also represent substantial changes. Key differences include the following.
The GDPR introduces a principle of “accountability” whereby organisations must be able to demonstrate compliance.
As with the DPA, any information related to a person, or data subject, that can be used to directly or indirectly identify them is regarded as personal data. However, the definition in the GDPR is broader and can include names, photographs, email addresses, bank details, posts on social networking websites, medical information, or computer IP addresses. Even “pseudonymised” data may fall within scope, depending on how difficult it is to attribute to a particular individual.
The GDPR refers to sensitive personal data as “special categories of personal data” — this can include genetic and biometric data where it is processed to uniquely identify an individual.
Expanded rights of access
According to the GDPR, people will have expanded rights to obtain from a data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Data controllers must provide a copy of the personal data, free of charge, in an electronic format.
Strengthened consent conditions
Under GDPR any request for consent must be made in an easily accessible form, with the purpose for data processing attached. Consent must be clear and distinguishable from other matters, separate from other terms and conditions, and must use plain language. It must be as easy to withdraw consent as it is to give it.
It will be against the rules to use long, illegible terms and conditions full of legal jargon. Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
For non-sensitive data, “unambiguous” consent as described above will suffice. However, for processing sensitive personal data explicit consent will be required which will usually involve an “opt-in” request.
New “Right to be Forgotten”
Article 17 of the GDPR involves the “right to be forgotten” — also known as Data Erasure. It entitles a data subject to request a data controller to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Conditions for erasure include data subjects withdrawing consent or data no longer being relevant to the original purposes for processing.
Data controllers have a duty to weigh the subject's right to be forgotten against “the public interest in the availability of the data” when considering such requests.
Privacy by design
Privacy by design is another key concept in the GDPR. It calls for data protection to be a core element in the design of new systems, applying right from the start rather than being a later addition. Controllers are required under GDPR to implement appropriate technical and organisational measures in an “effective way” and to have adequate systems, contractual provisions and training in place.
The concept of data minimisation in Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties. They must also limit access to personal data to those who need it to carry out the processing.
Notification of breaches
The GDPR requires local data protection authorities to be notified of a data breach within 72 hours of discovery. Data processors must also notify their controllers “without undue delay” after first becoming aware of a data breach.
In a key change to existing rules, the GDPR will apply to all companies and organisations processing the personal data of data subjects residing in the EU, regardless of the company’s location. Thus, the regulations not only apply to organisations located within the EU but also to those located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
Data Protection Officers
Under the GDPR, the appointment of a Data Protection Officer (DPO) is mandatory for all “public authorities” — including general practices and other providers of NHS funded primary care services.
The role of the DPO is to inform and advise their organisation about all issues in relation to GDPR compliance. The DPO must be properly resourced and consulted on all data protection matters at an early stage. A single DPO may be appointed by a group of organisations provided all of the criteria for the role are met and provided the DPO is easily accessible from each organisation.
Preparation for GDPR
Primary care providers must ensure they are well prepared for the changes the GDPR will bring. Failure to comply with the new law may invite action from the ICO and a possible fine. GDPR compliance will also be included in inspection regimes by regulators such as the Care Quality Commission in England.
Key people in the practice need to know about the changes. Practices should document what personal data they hold, where it came from and who it is shared with. Impact assessments should be carried out to determine what needs to change and what the resource implications are. If necessary, an information audit should be completed.
Privacy notices and consent requests should be reviewed and a plan put in place for making any necessary changes in time for GDPR implementation. Policies and procedures should be reviewed to ensure they cover all the new rights individuals have under the GDPR. Data protection training should be reviewed and records kept of all staff completing it.
In addition, practices must ensure they have the right procedures in place to detect, report and investigate a personal data breach.
National Data Opt-Out
On the same day that the GDPR comes into force the National Data Opt-Out also goes live.
The new opt-out model introduces a single national data opt-out choice for patients to say if they do not want their identifiable data being used for research or planning purposes. They will be able to register their choice online, using a system being designed by NHS Digital, or by using a non-digital alternative.
Existing Type 2 opt-outs (the option for a patient to register their choice with their GP) will be converted to the new national data opt-out.
All health organisations will be required to advise patients appropriately. They must also uphold patient choices by March 2020.
NHS Digital has commissioned the RCGP Clinical Innovation and Research Centre (CIRC) to produce a toolkit and e-Learning resource to support practices through these opt-out changes. The RCGP states that the work will be launched at the Patient Data Choices national event in May this year to coincide with the implementation of GDPR.
NHS Data Security and Protection (DSP) Requirements
To complete the current data protection overhaul, in addition to the GDPR and the National Data Opt-Out, NHS primary care organisations must also implement the 10 Data Security Standards recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care. These are set out in the 2017/18 Data Security and Protection Requirements, published by the Department of Health and Social Care.
Part B of the document sets out specific compliance requirements for general practice.
The requirements do not form part of the GDPR. However, they support the implementation of GDPR and represent a strengthening of NHS data protection and cyber-security to government standards.
As part of this implementation, from April 2018 the Data Security and Protection (DSP) Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations. All NHS providers and GP practices must comply.
Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the 10 standards as well as complying with the requirements of the GDPR. NHS Digital has announced it will publish a checklist of requirements for GDPR compliance which all organisations will need to complete in order to achieve DSP Toolkit compliance.
The GDPR will apply in the UK from 25 May 2018. The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The ICO states that, with so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals, regardless of Brexit.
In summary, practices should:
be fully prepared to implement the GDPR by 25 May
ensure that key people in the practice know about the GDPR and have been appropriately trained
complete the new DSP Toolkit which replaces the IG Toolkit
ensure that staff are prepared to advise patients appropriately about the National Data Opt-Out.
A range of information is available to help organisations implement GDPR.
The ICO website is a good place to start. The ICO has warned UK businesses to prepare and has produced a 12 Steps to Take Now document to guide them. Also available are two detailed online checklists, one for data controllers and one for data processors.
For healthcare providers, NHS Digital is responsible for helping organisations to prepare for GDPR as part of the Information Governance Alliance. It has produced a range of resources which can be found on its website.
Resources include the following.
Changes to Data Protection Legislation: Why This Matters to You — a briefing paper for executive leaders and boards.
GDPR: Guidance on the Data Protection Officer.
GDPR: Guidance on Accountability and Organisational Priorities.
GDPR: Guidance on Consent.
GDPR: Guidance on Lawful Processing.
GDPR: General Practitioner Advice Note.
Also available are a checklist and a regularly updated FAQ sheet.
Official EU documents and news can be found on the GDPR portal.