Those who have attended our recent information governance seminars or tailored training sessions on the General Data Protection Regulation (GDPR) will be aware that, while the GDPR comes into effect on 25 May 2018, it has some gaps which member states, including the UK, are able to fill through domestic legislation.
Therefore, while the framework of the GDPR has been known for some time, there has been uncertainty as to how the UK Government would fill those gaps and what the law of the land would be in the UK come 25 May 2018.
That is, until now: the Government has published the Data Protection Bill 2017.
What is the Data Protection Bill 2017?
The GDPR will have direct effect in UK law from 25 May 2018. However, as it is an EU Regulation, it will cease to apply in the UK following Brexit.
The Data Protection Bill, which the Government intends to implement by 25 May 2018, incorporates the requirements of the GDPR to provide a comprehensive and consistent legal framework before and after Brexit. This is with a view to the EU recognising post-Brexit UK as a country which offers an adequate level of data protection, to ensure cross-border flows of personal data can continue. The Bill also introduces certain conditions and exceptions which modify or supplement the GDPR, where permitted.
The Bill also establishes a separate regime, beyond the scope of the GDPR, for processing of personal data by law enforcement authorities and intelligence services. Those provisions will be of very limited relevance to the health and social care sector but are mentioned here for completeness.
While the Bill must complete its passage through parliament, it would be surprising if there were many substantial amendments to the current text.
What does the Bill mean for the health and social care sector?
For the health and social care sector, the devil will be in the detail of the Bill rather than the headlines accompanying its publication. At over 200 pages, it will take time for the requirements and implications of the Bill to be fully explored and debated. However, we set out below some immediate points for the health and social care sector to note.
Lawfulness of processing
Processing of personal data is only lawful if it meets one of the conditions in Article 6 of the GDPR.
Most health and social care bodies in the public sector plan to rely upon Article 6(1)(e) of the GDPR as the basis for most processing of patients’ and service users’ data. This applies where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority. The Bill specifies that this includes functions conferred under an enactment, so would include all statutory functions of NHS bodies and local authorities (e.g. commissioning of health services by clinical commissioning groups; provision of health services by NHS trusts and foundation trusts).
The Bill defines a public authority by reference to the definition of public authorities under the Freedom of Information Act 2000, so the definition will also capture publicly-owned companies. Under Article 6(1) of the GDPR, such public authorities may not rely upon the catch-all ‘legitimate interests’ condition in Article 6(1)(f) for processing carried out in the performance of their tasks, and therefore must ensure that any processing currently carried out on the basis of legitimate interests in accordance with the Data Protection Act 1998 can be justified under an alternative condition in future.
Private health and social care providers will need to rely on other conditions, such as the processing being necessary for the performance of a contract with the data subject (Article 6(1)(b)).
Processing of special categories of personal data – including health data
Processing of special categories of personal data must also meet an additional condition under Article 9 of the GDPR. Health, genetic and biometric data are all special categories of personal data.
Most organisations involved in health and social care plan to rely upon Article 9(2)(h) of the GDPR as the basis for most processing of patients’ and service users’ data. The Bill carries this condition through without any significant modification or limitation and therefore should broadly facilitate most routine use of patients’ and service users’ personal data by or under the responsibility of a health professional or social work professional (or someone under a similar obligation of confidentiality). It includes processing necessary for the purposes of:
- preventive or occupational medicine
- the assessment of the working capacity of an employee
- medical diagnosis
- the provision of health care or treatment
- the provision of social care, or
- the management of health care systems or services or social care systems or services.
Wherever possible, both public and private health and social care organisations should rely on this condition rather than consent as a condition for processing personal data. This is due to the high bar for valid consent under the GDPR, the right of data subjects to withdraw consent, and the additional rights of data subjects which arise when consent is relied upon.
Information about criminal convictions and offences, while not treated as special category personal data under the GDPR, is subject to similar requirements under the Bill.
Rights of data subjects
The rights of data subjects under the GDPR are all present within the Bill, including subject access under which living patients and service users may access their health and social care records.
The Bill does not (and could not) modify the general principle that no fees can be charged to patients and service users for exercising their rights under the GDPR, unless such requests are manifestly unfounded, excessive or repeated, in which case fees can be charged. However, the Bill does enable the Government to set limits on such fees under regulations.
The Data Protection Act 1998 contains a number of exemptions from the data protection principles and data subject rights. As expected, those exemptions have generally been transposed into the Bill with little modification, and are now referred to as exceptions. Many exemptions previously contained in secondary legislation have now helpfully been consolidated into the Bill. However, there are also some new exceptions and modifications which will require further consideration.
Of most immediate relevance to the health and social care sector is that exemptions currently relied upon in relation to the disclosure of health and social care records to patients, service users and others will generally remain in place as new exceptions under the Bill. In particular:
- When responding to a subject access request, there is an exception from providing the personal data of third parties unless it is reasonable to do so, which generally replicates the existing provisions about third party data. The assumption that it will be reasonable to disclose information of health and social care professionals acting in their professional capacity has been consolidated into the Bill.
- There is an exception from disclosing health and social care records to a patient or service user where this would be likely to cause serious harm to their physical or mental health or that of another individual.
- There are exceptions to permit disclosure of health and social care records to other organisations such as the police, courts and solicitors, where not doing so would prejudice the purposes for which such information is required (e.g. crime and taxation, legal proceedings, regulatory activity etc.).
The implications of the Bill will become clearer as it progresses through parliament towards becoming an Act. However, to ensure compliance by 25 May 2018, you must act now.
We have so far delivered training on the GDPR to many individuals and health and social care organisations, including through our tailored training sessions. We are also advising a number of national and local health and social care organisations on the implications of the GDPR.