What are Data Protection Impact Assessments?
The ICO (Information Commissioner’s Office) defines a DPIA (Data Protection Impact Assessment) as a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of a GP contractor’s accountability obligations under the UK GDPR, and when done properly helps assess and demonstrate how contractors must comply with their data protection obligations.
If a data controller wishes to process personal data in a new way, it must by law carry out a DPIA. Providing patients with access online to their medical records in accordance with the new legal requirements is a new form of processing, so GPs as data controllers need to conduct a DPIA.
The BMA completed its own general DPIA, using the ICO’s template, addressing the risks it has identified. You can use this as a template for your own DPIA, or you may wish to develop your own bespoke assessment to suit your own particular needs.
The BMA has used its general DPIA as a way of sharing the data protection analysis it has carried out, to help practices carry out their own DPIAs. The BMA DPIA has identified a number of risks which may be mitigated by operating an opt-in model, which means providing access only to patients who request access, as opposed to providing access to all patients who have not opted out. While the BMA has completed a general DPIA (dated 6 October 2023), practices are required to undertake their own DPIA and make their own decisions. Practices may use content from the BMA’s DPIA if they identify the same risks and mitigations.
After you have conducted your DPIA
Practices must make their own decisions on what to do after completing a DPIA, considering any risks identified and their obligations under their contract. Your local ICB team should be kept informed. If your DPIA identifies serious risks, you will need to consult with the ICO. We have provided a template letter you can send to the ICO.
If a practice decides to change access settings in bulk to comply with its contract, we advise contacting the system supplier for help if needed.
If you are an EMIS practice and haven’t yet ‘gone live’ (thereby adopting the accelerated access to records functionality) then we are led to believe EMIS will provide further dates for ‘switch on’ in November 2023 for those who require it. For EMIS practices that do not wish to avail themselves of this functionality a manual process can be invoked to alter access settings on a per patient basis. TPP practices can provision bulk access themselves following instructions detailed here after running searches provided by TPP. SystmOne also has system wide settings that can set the default level of access given to new patients to that of the full prospective record. It will be for practices as data controllers to decide whether to turn this option on or off.
If your concerns within the DPIA are mitigated
If the GP contractor has completed a DPIA, taken actions to mitigate risks (which could include inviting opt outs after contacting patients and allowing sufficient time to collate and action responses) and determined that any remaining risks are acceptable then they have fulfilled their duty with respect to a DPIA. There should not be any obstacle to implementing the access required by the contract, which is an opt-out model.
EMIS practices should plan to ‘go live’ in this case if they haven’t already. TPP practices should ensure prospective access has been added in bulk to existing patients and the organisation preferences are appropriately set to make access to the full prospective record the default option.
If you still have concerns within your DPIA
Practices who conduct their own DPIA and identify serious risks which could not be mitigated before 31 October 2023 may feel they have to implement an opt-in model for the time being, mindful of the contractual requirement to provide full prospective records access to all patients unless they decline.
Whether or not concerns are mitigated as a result of the DPIA, as data controllers, GPs will still have an ongoing responsibility to comply with their general duties under data protection law, so processing must always be carried out in accordance with those duties.