Unlocking GDPR
New General Data Protection Regulations (GDPR) came into effect in May 2018. These regulations replace the Data Protection Act of 1998, which was based on the European data directive of 1995.
Please note, GDPR is enacted into UK law, and is not affected by Brexit.
Overview
GDPR affects all of us, and the Information Commission’s Office (ICO) has produced various documents which cover all the main points. A link to their website is at the bottom of this page, under the heading ‘Important Links’.
We appreciate that the formal nature of ICO documents can make for difficult reading, so we have assembled the key points for you on this webpage. However, we strongly recommend that you also refer to the ICO documents, and regard the following as simplified guidelines only.
What’s the point of GDPR?
GDPR is about the harmonisation of data privacy laws across Europe. It is intended to give us (the public) greater protection about the use of personal data which is held about us.
GDPR will have the most impact upon large companies, and public-sector organisations. Any identified breaches of GDPR will incur significant penalties. However, for most practitioners who already manage data in a responsible and professional manner, the changes should be minimal.
What do you have to do?
There are a number of theories doing the rounds as to what you need to do, and as with all new legislation, adjustments will probably need to be made over the next few months, but here are some simple, practical suggestions:
- Your arrangement with existing patients, or patients whom you have not seen for some time, should be covered by the Data Protection Act 1998. This means that you do not need to contact them specially, as long as you continue to secure their privacy in the same way as you did at their last appointment. Your patients should already be clear about what data you hold on them, why you need it, how you use it, and how you safeguard this information. Basically, you need the information so you can prescribe for your patients, and support them in defining and managing their healthcare needs. In other words, you gather this information for legitimate purposes.
- For new and returning patients, it is recommended that you ask them to read through your privacy statement (see below), and sign to confirm that they understand how you manage their personal data, and accept that it will be used for the purposes outlined in your privacy statement.
- If you send your patients newsletters or marketing material via email, it is advisable that under the new GDPR legislation, you check that they wish to continue to receive such communications. Newsletters or marketing communications are not strictly ‘legitimate purposes’, unless you already had that covered in your privacy policy prior to 25 May 2018. This means asking them to ‘opt in’ to receiving emails which are not necessarily directly related to their consultation, from you in future.
Registering with the ICO
There is a lot of debate around whether you need to register with the ICO, or not. Technically, if you do not process any patient information on a computer, you are exempt from needing to register. However, even if you just hold a patient’s email address on your computer, you have electronic data relating to that individual.
Furthermore, all information we record in relation to our patients is sensitive. It is regarded as ‘special category’ data, and can include information about age, mental/physical health, sexual orientation, race, religion, politics, genetics, biometrics, and a whole range of deeply personal information. Under the circumstances, it is recommended that you register with the ICO, even if none of the above information is stored electronically. The current annual fee for data registration with the ICO is just £35, and the link to register is below.
If you are unsure about your need to register with the ICO, you can use the self-assessment toolkit on their website, which can be accessed by clicking here. Ultimately, it is the responsibility of each individual practitioner to determine their need to register with the ICO, or not.
Data controller versus data processor
Basically, most practitioners will be a data controller, who also processes data.
A ‘controller’ determines what data is recorded (and how), how it is used, and how it is protected. A data controller is fully responsible for safeguarding the privacy of an individual’s data. The buck stops with the data controller.
A ‘processor’ is simply responsible for processing data on behalf of a ‘controller’ – such as an administrator working for an organisation, who is tasked with typing in ‘customer’ data (or similar) on behalf of their employer. A ‘processor’ is answerable to the data controller of their particular organisation. They are not ultimately responsible for how the data is managed and safeguarded.
So, although most of us process our patients’ data ourselves, we are also fully responsible for managing and protecting that data, which means we are ‘data controllers’.
Our responsibilities under data protection
We need to take reasonable measures to:
- Comply with data protection law, and follow good practice
- Protect the rights of our patients
- Be clear with our patients about how their data is processed, stored and used
- Have a contingency plan in place in the event of a data breach
The eight principles of data protection
Article 5 of the GDPR identifies the following eight key requirements of data protection:
- Personal data shall be processed lawfully, fairly, and in a transparent manner.
- Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible for those purposes.
- Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is collected.
- Personal data held should be accurate and current. Inaccurate data should be erased or corrected.
- Data which allows for the identification of an individual, should be kept for no longer than is necessary.
- The processing of personal data must safeguard the rights and freedom of individuals
- Personal data must be processed in a manner which ensures appropriate security of the data. This includes protection against unauthorised or unlawful processing of the data, and accidental loss, destruction or damage of the data. This means having appropriate technological or managerial systems in place.
- Personal data cannot be transferred outside of the EU unless the country to which it is being transferred provides an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
A data handling policy
As of 25 May, it will be a legal requirement for all data controllers to have a data handling policy in place. Basically, this means you should document how you manage personal data, including how you acquire the data, how you store it, how you safeguard it, how you keep it up to date, how you record patients’ consent, how you respond to data requests from patients, how long you retain patient records, and how you destroy out-of-date patient records.
It is recommended that you write yourself a data handling checklist; this will help you to keep on track, and will also provide evidence of intended GDPR compliance in the event of an ICO investigation.
A privacy statement
This is one of the key compliance areas for the new GDPR. This is the equivalent to a contract between you and your patient, and it is your commitment to ensuring that the privacy rights of your patient will be upheld.
In your privacy statement, you set out clearly to your patients what personal information you propose to collect, how you collect it, how you use it, with whom you will share it, how you store it, how the information can be amended, and for how long you will keep that information.
Your patient will then need to sign an acceptance form to confirm that they have read and understood how you will be managing their personal data, and that they accept that their data will be used for the purposes you have identified in your privacy statement.
Parents should be informed and give consent for any use of their children’s data, though consent for children between the ages of 13 and 16 is a slightly grey area. Our first responsibility is to uphold and safeguard the rights of the child, so where the child has the ‘capacity’ for self-determination, it is recommended that the child is encouraged to actively engage with decisions relating to how their personal data is used.
Normally, practitioners do not share patient information with a third party. However, there may some exceptions, such as when there is compelling evidence to believe that it is in the best interests of the patient (or maybe even the practitioner) to share patient information with an appropriate third party, or when that information is required by a legal or statutory authority.
It is recommended that you send all your current patients your privacy statement, and ask them to confirm that they have read and understood how you will be managing their personal data in compliance with GDPR. They will need to agree with you managing and using their data in the manner described in your privacy statement. An email should suffice, but remember to save your patient’s reply together with their case notes.
If you have not seen a patient for a number of years, their data should be protected under the old data protection act. However, if they re-contact you for a consultation, remember to ensure that they read, understand and accept (by signing an acceptance form) your new privacy policy, at the beginning of their appointment.
The ARH privacy policy can be read by clicking here.
Storing data
Patient data should be stored in a designated location, such as your consulting room, and be adequately secured from external access. All data must be protected against unauthorised or unlawful processing, so restrict access to computers and paper-based files. You also need to ensure that you have back up systems in place in case of the accidental loss, damage or destruction of patient data.
When storing data electronically, please ensure computers/laptops and other mediums used to access patient data, are password protected, and that you use effective virus protection and firewall software.
The current recommendations relating to how long you should keep patient records suggests a minimum of seven years following the last occasion on which treatment was given. In the case of minors, the minimum recommendation is seven years following their eighteenth birthday.
For more information about patient record keeping, you can click here to read the recommendations made by Balens Ltd. Thank you Balens! Please note, although this information was originally compiled in 2010, the basic principles still apply.
Patients’ access to their data
Patients do have a right to know what data you hold on them, and can request access to that data within a 30 day time frame. However, this can be something of a grey area: Your patient case notes may hold information which is relevant for prescribing purposes, but could be confusing or misinterpreted if read by someone unfamiliar with the homeopathic process. In this situation, it is suggested that you provide a basic overview of your case notes, which describes presenting symptoms, symptom analysis and medicines prescribed.
You own your patients’ records and must retain the originals!
Patients have a right to request erasure of some data which you hold on them, but in order for you to comply with your insurance requirements, this is limited.
You must keep patient records for the 7 year minimum described above, plus all related material (for eg, written communications with patient, or other relevant parties). However, your patient does have the right to request that you remove them from your contact list, and cease future communications with them.
There are other grounds upon which you can refuse to erase patient information which include:
- Your need to comply with a legal obligation for the performance of a public interest task, or exercise of legal authority
- For public health purposes in the public interest
- The exercise or defence of legal claims
A request to access personal data, or to have data erased, must be made in writing and signed by the patient. Emailed requests, or requests made via text are not acceptable. Please make sure you keep a record of any such requests, plus follow-up communications, safely in your filing system.
A data breach
In the event of a data breach occurring, you will need to notify those affected immediately, and take appropriate steps to minimise any damage. This would involve informing patients who may have had their personal data compromised, and in the event of a serious data breach, informing the ICO directly.
In conclusion
Please bear in mind that above information is intended to provide you with guidelines only, and should be read in conjunction with the official documentation relating to GDPR, published by the ICO. Below are the main links to further reading.
Most of the requirements outlined in the ICO documents simply describe best practice, and hopefully you are already implementing them anyway. In reality, it will probably take several months before you manage to gain consent from all of your current patients, to manage and store their data in accordance with your privacy policy. As long as you are trying to follow the guidelines, you should be GDPR compliant. In the event of the ICO having a concern about how you are managing the personal data you keep, they will contact you and inform you of the steps necessary to become fully compliant.
So, don’t panic, just write your checklist, and start to work through it, one point at a time!
If you click here, you will find a PDF kindly compiled by James Cadle (thank-you James!), which not only provides more detail of the points raised above, but also includes a template of a privacy policy and a template of a consent form.
If you have any further questions after reading through the guidelines, do let us know.
Important links
Registering with ICO under data protection act – click here
The ICO Guide to the General Data Protection Regulation (GDPR) – click here
A 12 point checklist – click here
Detailed information regarding privacy notices – click here
Self assessment checklists – click here
ARH Privacy policy – click here