Happy GDPR day!
The General Data Protection Regulation (GDPR) comes into force today.
We set out below our answers to the most frequently asked questions by healthcare professionals and providers.
1. Hang on! What’s GDPR?
The GDPR is the new EU regulation which replaces the Data Protection Directive and the Data Protection Act 1998. The GDPR places more stringent obligations on how you process personal data.
But don’t forget about the Data Protection Act 2018, which is hot off the press after receiving Royal Assent on 23 May 2018! The Act sets out how the GDPR applies in the UK and rules about processing data not covered by the GDPR.
2. What about Brexit?
The GDPR is here to stay.
For the time being, the UK remains a member state of the EU, and you are legally obliged to comply with GDPR.
Parliament may, in theory, be able to amend our data protection laws once the UK has left the EU. However, the government has stated that the continued, uninterrupted and secure flow of personal data between the EU and UK is vital, recognises that UK law will have to remain equivalent to EU law to secure this objective, and is seeking a new data protection agreement with the EU within Brexit negotiations.
3. What is my lawful basis for processing health data for the purposes of direct care?
This will depend upon whether you are providing healthcare as part of the NHS or on a private basis. Public authorities such as NHS trusts and NHS foundation trusts, and private providers who have been commissioned by NHS England or a CCG to provide NHS services, are carrying out a ‘public task’ and may lawfully process a patient’s personal data where necessary for this purpose.
Providers of private healthcare need to find a different lawful basis – for example that the processing is necessary for the performance of a contract with that patient.
All registered healthcare providers are under a legal obligation to maintain health records, including a record of the care and treatment provided and of decisions taken in relation to the care and treatment provided, which is itself a lawful basis for processing such personal data.
Health data is subject to additional regulation as a special category of personal data. However, you may lawfully process such data where such processing is necessary for the provision of healthcare.
Given that the above lawful bases for processing are available, we strongly advise against relying upon consent as the lawful basis for processing health data for the purposes of direct care. This is because the GDPR sets a high standard for consent which is difficult to achieve; reliance upon consent confers additional rights to the patient; and such consent may be withdrawn at any time. What’s more, it would be misleading and unfair to ask patients for consent if you are not offering them a genuine choice about whether you process their health data.
4. Do I need to keep records of processing activities?
All controllers and processors of personal data must maintain up-to-date records of processing activities under their responsibility (this is sometimes called information asset management or data flow mapping).
There are no exemptions.
5. Do I need a privacy notice?
Whenever you collect personal data, you must provide accessible information to individuals detailing how you plan to use their data; the most common way to provide this information is in a privacy (or fair processing) notice. The GDPR specifically states what information must be provided, so you need to make sure your privacy notice covers this.
Privacy notices must be provided to patients when you first collect their personal data from them, or if the personal data is collected from another source (e.g. the patient’s GP), within a reasonable period and no later than one month. For healthcare providers, the first outpatient appointment is a good opportunity to supply a privacy notice directly to a new patient. Privacy notices should also be published on your website.
6. Do my contracts need updating?
Yes – unless you have updated them already.
It is highly likely that the clauses within your existing contracts will need to be updated to ensure that the data protection obligations reflect the new GDPR requirements. Equally, any contracts currently being negotiated should contain provisions which incorporate these.
In particular, any data controller contracting with an external data processor must ensure that any processing of personal data by that processor is governed by a data processing agreement that contains mandatory terms specified under GDPR. Don’t assume that if you already have a data processing agreement that it meets these requirements – it may need updating!
7. Will I need a data protection officer (DPO)?
You must appoint a DPO if you are a public authority or treated as one under the Freedom of Information Act 2000 (e.g. if you are an NHS primary care contractor).
If your organisation is not a public authority, whether or not you need a DPO depends upon whether you process special category data as part of your core activities, or perform regular or systematic monitoring of data subjects, on a large scale. EU guidelines suggest that processing of patient data by a hospital is large-scale, whereas processing by an individual healthcare professional is not. If you find yourself somewhere between these two examples, we recommend that you consider the appointment of a DPO; this will both ensure compliance with GDPR, and enhance the accountability and governance of your organisation.
8. Will I need to complete a data protection impact assessment (DPIA) before I process patient data?
You must undertake a DPIA where data processing is likely to result in a high risk to the rights and freedoms of data subjects. For example:
- large-scale processing operations which aim to process a considerable amount of personal data
- introduction of a new information process or information asset which will affect individuals
- where a profiling operation is likely to significantly affect individuals
Hospitals introducing new systems or large projects are likely to be caught. However, the GDPR says that a DPIA should not be mandatory for processing of personal data about patients by an individual healthcare professional. Again, if you find yourself somewhere between these two examples, a DPIA should be considered, and in any event it is best practice to carry one out.
9. Can I still charge for a subject access request (SAR)?
You will not be able to charge for complying with a SAR – unless it is manifestly unfounded or excessive or a repeated request, in which case you may charge a reasonable fee.
You must now respond to a SAR within a month, rather than 40 calendar days, but there is now the possibility to extend this period for particularly complex or numerous requests.
10. What about applications for the records of deceased patients?
The Access to Health Records Act 1990 has been amended and no longer permits you to charge for an application to access the health records of a deceased patient.
Unlike a SAR, the time period for a response is staying the same (21 or 40 days, depending on when the record was last added to).
11. Do patients have a ‘right to be forgotten’?
Although patients will have the right to request that their data is erased, this does not apply to health records as you have a legal obligation to maintain them and are entitled to retain them to defend legal claims.
12. What about exemptions?
Within the UK, exemptions in the Data Protection Act 2018 will be largely familiar from the Data Protection Act 1998.
In respect of health data, these include personal data:
- of third parties, which it would not be reasonable to disclose without the third party’s consent
- the disclosure of which would cause serious harm to the physical or mental health of the data subject (or another individual)
- that was obtained from or provided by a child with an expectation that it would not be disclosed to an adult making a SAR on their behalf
Existing exemptions that facilitate the sharing of personal data for the purposes of the investigation and prevention of crime, prosecution of offenders, legal proceedings and regulatory functions remain largely unchanged.
13. Which of my policies do I need to update?
The most likely policies requiring review (or implementation if you don’t have one already) are:
- data protection/confidentiality
- privacy notices
- individuals’ rights (including subject access and access to health records)
- data protection impact assessments
- records retention
- data protection officer
- information security
- staff training
14. Will the penalties for data protection breaches increase?
There will be a two-tiered system for fines: up to €10 million or 2% of global annual turnover, or up to €20 million or 4% of global annual turnover.
Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine. Both tiers are significantly higher than the previous maximum penalty (£500,000).
Remember, these are maximum penalties. Not all GDPR breaches will incur the maximum fine; the ICO will consider the nature, gravity and duration of the infringement, as well as the types of personal data affected, any previous infringements and level of co-operation.
15. Will I have to pay a data protection fee?
There is a new charging structure for data controllers from 25 May 2018.
There are three different tiers of fee under which controllers are expected to pay £40, £60 or £2,900 respectively, depending upon their turnover and number of staff. The highest fee applies to organisations with more than 250 members of staff or (in the case of a private organisation) a turnover of over £36 million.
There are some limited exemptions; however, these are unlikely to apply to healthcare providers.
16. But I don’t think I’m ready!
The ICO recognises that data protection is an ongoing obligation which requires continual maintenance, not an all-encompassing ‘pass or fail’ test held on 25 May 2018.
Whilst the ICO may now require you to demonstrate compliance with GDPR, and there is no room for complacency, these new provisions represent ‘an evolution in data protection, not a burdensome revolution’. If you are already complying with the terms of the Data Protection Act 1998, and have an effective information governance programme in place, then you will already meet many of the requirements of GDPR.