The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of practice privacy notices.
The Information Commissioner’s Office suggests that a layered approach can be used to inform patients. Practices should display a poster in the waiting room and online.
The poster must provide basic information which explains to patients how their medical records are shared.
An additional option is to use the practice’s phone system to play a recorded message which reminds patients to look on the website for information.
The poster should signpost where the more detailed practice privacy notices (PPNs) can be found.
Practice privacy notices
The four template PPNs (practice privacy notices) are a suggested way for practices to provide more detailed information for patients. The PPNs cover:
- provision of direct care
- medical research and clinical audit
- legal requirements to share
- national screening programmes.
The key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.
Due to the variation in data sharing arrangements across the UK, it is not possible to provide ‘one size fits all’ templates. Practices should amend and add wording.
The information contained in this document is for general guidance only and cannot be relied upon as legal advice. The BMA accepts no liability for the accuracy of the information contained herein. You should always obtain specific legal advice separately before taking any action based on the information provided herein or if you are unsure as to how to act in any situation.