25 May 2018
GDPR has now come into force, and the Information Governance Alliance (IGA) and the Information Commissioner's Office (ICO) have published guidance, and will continue to do so, to clarify how it applies to healthcare organisations.
The Data Protection Bill, which will need to be considered with GDPR, received Royal Assent on 23 May 2018.
Although there are uncertainties about how some aspects of GDPR and the new data protection law will apply in practice, here is a list of things practices should already have done to prepare. Practices that haven't yet taken these steps should identify what they still need to do and have a plan in place to do so.
All practices providing NHS treatment are considered public authorities and are required to appoint a DPO, or have arrangements in place to share one, by 25 May 2018.
This individual must have proven expert knowledge of data protection law and practice. It is recognised that they will not fully understand all the ramifications of the new legal requirements from 25 May, and they will need to keep up to date with any changes and clarifications (for example from the ICO) and understand how the changes impact the practice, as the law becomes embedded.
There are several options regarding appointment of a DPO:
a) Employ a new member of staff with specific knowledge, qualifications and experience.
b) Appoint somebody who already works in the practice and has the knowledge, qualifications and experience described above. This person can add the DPO's duties to their other responsibilities, for example maintaining records of processing activities. DPOs must not be the final decision-makers regarding data processing (for example, they cannot be the data controller) and must avoid any conflict of interest.
c) You can share a DPO with one or more practices. NHS Commissioners locally may be able to help facilitate this, but are unlikely to be able to fund such a person.
In deciding upon a shared DPO you will need to consider factors such as:
You should document these considerations and the justification for your decision.
Further information about DPOs can be found on the ICO website and the IGA website, which will be updated as matters are clarified.
You must provide patients with information including:
The ICO has a useful checklist explaining the information privacy notices need to contain.
If you are relying on other legal bases, you will need to specify these in the privacy notice. See the IGA's guidance for more information.
The criteria for subject access requests under GDPR will be the same as now, and individuals may request access to their own records. As is the case now, you should redact any third party information or anything that you believe may cause serious harm to the patient.
GDPR and the forthcoming DPA will only cover living individuals. Deceased patients' records are still subject to the Access to Health Records Act 1990. Dental professionals also need to be aware of the GDC's guidance, Maintain and protect patients' information.
Under the new data protection regime there are some differences to the subject access request process:
a) The subject access request does not have to be in writing.
b) The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive', in which case you could charge a reasonable fee. There is currently no agreed definition of what constitutes a manifestly unfounded or excessive request, or what a reasonable fee is. It is hoped this type of request will be rare, and when considering one dental professionals should bear in mind their obligations under paragraph 4.4 of the GDC's Standards for the dental team. It may be helpful to discuss such cases with the DPO and/or to seek advice from the DDU.
c) You need to provide the information within one month of receiving the request. GDPR allows this period to be extended by a further two months where requests are complex or numerous, but you must tell the individual about the extension, and the reasons for it, within the first month.
d) The presumed age of consent for children for this purpose is 13 years and you will need to get consent from children aged 13 years or older. However, children younger than 13 may have capacity to consent and if they do, they should be asked for consent.
e) You should document access requests and include information about any delay in providing the information, requests that are 'manifestly unfounded or excessive', and also the information you have provided regarding the right to complain to the ICO or judicial remedy.
Information requested by third parties, such as insurance companies or solicitors, is not a subject access request and should be dealt with in the normal way. You will still need to seek consent from the patient or their personal representative before you release information.
The ICO and IGA have provided useful checklists which you should review.
The Data Protection (Charges and Information) Regulations 2018 come into force on 25 May. These regulations introduce new fees for data controllers, replacing the previous notification fee. They set the charge period in which the fee is due for payment and fix the fee to be paid. The amount you need to pay will depend on the size of your organisation, assessed by the number of staff and annual turnover.
The ICO produced guidance when the regulations were in draft, and we expect this to be updated.
This guidance was correct at publication 25/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.