Ethics

General data protection regulation (GDPR)

Overview

The GDPR (General Data Protection Regulation) applies from 25 May 2018. It introduces wide-ranging and significant changes to UK data protection law.

The GDPR increases the maximum penalty for breaches from £500k under the current law to £17m or 4 per cent of annual global turnover, whichever is higher. It strengthens existing requirements, places greater emphasis on being able to demonstrate compliance, and introduces a number of new concepts.

Due to the complex nature of the new regime for data protection laws, the BMA cannot offer comprehensive legal advice on GDPR, and this page should not be seen as such. However, it should help you navigate the legislation and point you in the right direction for guidance on the questions you may have. The page will be updated regularly as new guidance is published.

Who does it impact?

The GDPR applies to 'controllers' and 'processors' of data. Data controllers determine the purposes and means of processing personal data (for example GP practices). Data processors process data on behalf of the data controller (for example an IT system supplier).

The GDPR applies to personal data, which is any information relating to an identifiable person. There are also 'special categories' of personal data, such as health data, which are subject to greater protections.

What should I do now?

Ensure that your practice is compliant before the regulation comes into effect on 25 May 2018.

There are a number of resources to help you meet your obligations under GDPR, including detailed guidance, template privacy notices for GP practices, checklists, and FAQs. We've compiled a list of current, relevant resources (below) to get you started.

Further information

  • GDPR resources

    BMA resources

    GDPR and practice privacy notices (PPNs)

    Helping you prepare for GDPR webinar
    This webinar covers the key aspects of the General Data Protection Regulation taking effect on 25th May 2018, and how you can prepare your business for these changes.

    Access to health records guidance (PDF)

    Read our guidance on GPs as data controllers under the GDPR

    Read our guidance on GDPR changes to Subject Access Requests and fees

    ICO

    A Guide to the general data protection regulation

    Read guidance specifically for the health sector

    Take a GDPR self-assessment for data controllers and data processors

    NHS Digital Information Governance Alliance

    Read general data protection regulation guidance

    This includes:

    Implementation checklist

    FAQs

    A webinar

    Medical Research Council

    Read guidance on preparation for the implementation of GDPR and consent in research and confidentiality.

    Download the guidance

    BMJ articles

    Are you ready for General Data Protection Regulation?

    Data deadlines loom large for the NHS

  • FAQs related to SARs

    Can solicitors use SARs to request data on behalf of a patient?

    Yes. A patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a GP will be able to lawfully decline such requests.

    Provided the solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR from the solicitor should be treated in the same way as if it was made directly by the patient. 


    What if the purpose of the SAR from the solicitor is for a legal claim, for example, in relation to employment or insurance?

    The purpose of the SAR should not affect whether or not GPs should comply. In fact, there is no requirement under the GDPR for the patient (or solicitor acting on their behalf) to indicate the purpose of the SAR. 

    In short, SARs are ‘purpose-blind’. The fact that the purpose might be a legal claim does not limit or reduce a patient’s SAR rights, including when the request is made by the patient’s solicitor.


    Is it right that solicitors can ask for and receive full medical records under SARs? 

    Yes. A SAR made by a solicitor who is acting for the patient is, in effect, a SAR from the patient themselves. In this way, the solicitor can be viewed as someone who is acting in the patient’s interests or as the ‘agent’ of the patient. 

    As long as the patient has given written consent for their solicitor to access the full medical record, practices should comply with the patient’s or their solicitor’s request. 

    Solicitors will usually need to see full medical records so that they can assess which parts are relevant to the patient’s case. Past medical histories are highly relevant in compensation or insurance claims.


    Is this the same for insurers?

    No. There is a clear distinction between a SAR from a solicitor who is acting in the interests of the patient and a SAR from an insurance company. 

    The BMA has existing advice about SARs and the insurance industry. The ICO has said that the use of SARs by insurance companies to obtain full medical records is an abuse of SAR rights. 


    Can we charge solicitors a fee for SARs?

    Under GDPR, SARs are generally free of charge. Only if the SAR is considered to be ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged. 

    The circumstances when a fee can be charged are likely to be rare and should be assessed on a case by case basis.

    The ICO has advised that a request could be deemed as ‘excessive’ if an individual was to receive information via a subject access request (SAR), and then request a copy of the same information within a short period of time. In this scenario, the organisation could charge a reasonable fee, or refuse the request.


    How do I know the difference between a SAR and a request under the Access to Medical Reports Act?

    The GDPR entitles individuals to obtain a copy of their personal data. If the request from the solicitor is for a copy of the patient’s medical record, or a copy of some elements of the medical record, it is a SAR.

    If the request is asking for a report to be written or it is asking for an interpretation of information within the record this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act framework (or, in Northern Ireland, the Access to Personal Files and Medical Reports (Northern Ireland) Order 1991) - for which fees can be charged.  

    It is legitimate for GPs to clarify the nature of the request from the solicitor. If the solicitor confirms that they are seeking a copy of the medical record then this should be treated as a SAR and complied with in the usual way. 


    Can GPs charge for the cost of postage?

    No, the process of complying with a SAR – including postage costs - is free of charge unless the request is ‘manifestly unfounded or excessive’ in which case a reasonable fee can be charged.


    Can GPs insist the solicitor come to the practice to collect the copies of the record (rather than posting)?

    Provided the patient has given written consent to the full medical record being accessed, the GDPR does not prevent a solicitor from attending a practice in order to make a copy of the medical record.

    The practice must ensure that prior to the solicitor being granted access the record is reviewed to ensure that third party information and information which might cause serious harm to the patient or another individual is removed or redacted. (See the BMA’s guidance on Access to health records for the full list of information which must not be disclosed – para 4.9).

    The practice would also need to be able to offer appropriate facilities where the viewing could take place without undue risks to confidentiality.

    Practices cannot, however, insist that solicitors attend in person to take copies. A solicitor’s attendance is an appropriate option for providing access to the record if this is agreeable to both the practice and the solicitor.


    Can solicitors be asked to come to the practice to take photos of the records (with appropriate supervision)? If so, does redaction still need to occur, or can the solicitor see the whole record without any redaction?

    The GDPR does not prevent solicitors from taking photos of the medical record as a method of satisfying a SAR, provided this is done with the patient’s consent and the process is compliant with the advice in the FAQ above (in particular, third party information and information likely to cause serious harm must be redacted before access is given).

  • FAQs about the role of the DPO

    What is a Data Protection Officer (DPO)?

    A DPO has formal responsibility for data protection compliance within an organisation. The appointment of a DPO under the EU General Data Protection Regulation (GDPR) is only mandatory in three situations: when the organisation is a public authority or body, or when the organisation’s core activities consist of either:

    1. Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
    2. Large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) and personal data relating to criminal convictions and offences.

    How does this apply to GP practices and their status as independent contractors?

    All practices which provide services commissioned through NHS England are public authorities, so it is mandatory under the regulation that they designate a DPO (although they do not necessarily have to employ or retain one directly). The designation must have taken place by 25 May 2018.

    What are the options for a GP practice to appoint a DPO?

    Designation is a decision to be made by the practice. The DPO is expected to monitor compliance, however, responsibility for compliance remains with the data controller and data processor. Large practices and multi-practice groups are likely to have in-house DPOs, but smaller practices may prefer to designate external DPOs that could for instance be provided by a Clinical Commissioning Group, Business Services Organisation or local/regional health board.

    There are several options regarding designation of a DPO:

    1. Employ a new member of staff with specific knowledge, qualifications and experience.
    2. Appoint somebody who already works in the practice with the necessary knowledge, qualifications and experience, or who has the ability to acquire the necessary skills with suitable training. This person can add the DPO's requirements to other responsibilities, for example maintaining records of processing activities. DPOs must not be the final decision-makers regarding data processing; for example, they cannot be the data controller and must avoid any conflicts of interest.
    3. Share a DPO with one or more practices. A CCG may be able to help facilitate this, but is unlikely to be able to fund such a person.

    Although a practice must appoint a DPO, there is no reason why they shouldn’t be supported in the role by a more experienced person, such as an information governance lead in the CCG, federation or group of practices. CCGs and/or federations could then develop a local network to support those with a DPO role in the area.

    The recently published Addendum to the GP IT Operating Model, Securing Excellence in GP IT Services (June 2018), requires that:

    “As part of the ‘core and mandated’ IG support service (PCES) to be commissioned by CCGs from 1st April 2018, a Data Protection Officer (DPO) support function should be provided to support General Practice designated Data Protection Officers.”

    Whilst CCGs have not been mandated to make available DPO(s) for practices to access, the addendum does include a requirement for CCGs to offer Data Protection Officer (DPO) Support:

    A Data Protection Officer Advice and Support function will be available to support General Practice designated Data Protection Officers. The service will include:

    • Access for General Practices during normal service hours to specialist qualified advice on GDPR matters
    • Advice on compliance with GDPR obligations, including those outlined in paragraph 1 of Figure 7 in this document
    • Advice reflecting national guidance on GDPR compliance as it is published
    • And advice to support General Practices to comply with the National Data Guardian eight-point data sharing opt-out model

    What if I choose to share a DPO?

    In deciding upon a shared DPO you will need to consider factors such as:

    • the sizes of the practices
    • the numbers of patients
    • whether the DPO is genuinely going to be in a position to understand and advise each individual practice and monitor compliance.

    Does every DPO need to be an expert in data protection law?

    No. Recital 97 of the GDPR states that, in relation to the DPO, “... a person with expert knowledge of data protection law and practices should assist the controller”, and continues in the same recital with “The necessary level of expert knowledge...”. The GDPR therefore accepts that different levels of ‘expert knowledge’ will be needed according to the sort of processing being done; some DPOs will need more expertise than others. It is recognised that DPOs will not fully understand all the ramifications of the new legal requirements from 25 May, and they will need to keep up to date with changes and clarifications (for example from the ICO) and understand how these affect the practice as the law becomes embedded. Their knowledge can be developed through a network of practice DPOs supported by a lead with the necessary expertise in the CCG or GP federation.

    What is the role of a DPO in a GP practice?

    The DPO plays an essential role in facilitating ‘accountability’ and the practice’s ability to demonstrate compliance with the GDPR. On a day to day basis this means the DPO reports directly to the highest management level in the practice, normally the senior partner or partners. The DPO does not require line management, but must have access to the practice’s senior management team.

    The practice must also ensure the DPO has sufficient resources to undertake the role, including financial and human resources. As noted above, the DPO will need to keep up to date with any changes and clarifications and they must be supported by the practice to do so.

    More specifically, the DPO will ensure that information governance and related policies address:

    • practice accountability
    • DPO reporting arrangements
    • timely involvement of the DPO in all data protection issues
    • compliance assurance: privacy by design and default
    • advising on where data protection impact assessment is required
    • the DPO’s role in incident management

    The practice must ensure the DPO is not told how to carry out their function and does not face any disciplinary action, dismissal or other penalties for carrying out their tasks as a DPO.

    They must also ensure that where the DPO performs another function within the practice, there is no conflict of interest and that the contact details of the DPO are published in the practice’s transparency information for subjects and are communicated to the ICO.

    The DPO must not hold a position that leads him or her to determine the purposes and the means of the processing of personal data – this requirement will vary depending on whether the DPO is an internal or external appointment. In most cases, the data controller will be the GP practice rather than an individual GP and internal practice decisions about data processing (i.e. the purpose and means of processing) will be subject to the governance arrangements of the practice partnership. This means it might be possible for GP partners to fulfil the role of DPO provided the role is defined to avoid conflict of interests and decisions are documented.

    In summary, the principal tasks of the DPO in a GP practice, as determined by the GDPR are:

    • to provide advice to the practice and its employees on compliance obligations
    • to advise on when data protection impact assessments are required and to monitor their performance
    • to monitor compliance with the GDPR and practice policies, including staff awareness and provisions for training
    • to co-operate with, and be the first point of contact for the Information Commissioner
    • to be the first point of contact within the practice(s) for all data protection matters
    • to be available to be contacted directly by data subjects – the contact details of the data protection officer will be published in the practice’s privacy notice
    • to take into account information risk when performing the above

    What else do GP practices need to do to be compliant with the GDPR?

    The regulation requires practices to identify and record what personal data is collected from job applicants and carried through the employment lifecycle. This covers data kept on HR information systems, in personnel files (both electronic and paper), and data saved on hard drives and in emails. There is no prescribed format for how this record is held; it can take a variety of forms as long as it helps the practice to determine:

    What personal data is collected?
    Where is personal data stored?
    How is personal data processed?

    The GDPR requires a detailed record to be kept of personal data-processing activities - a data map such as outlined above can serve this purpose if it contains the necessary information.

    Article 6 of the General Data Protection Regulation (GDPR) states that processing of personal data will be lawful only if at least one of the following conditions applies:

    • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
    • Processing is necessary for compliance with a legal obligation to which the data controller is subject;
    • Processing is necessary to protect the vital interests of the data subject or of another person;
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
    • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (this condition does not apply to processing carried out by public authorities in the performance of their tasks).

    Practices will need to look at the types of employee data they process and the processing activities they use and then determine which justification or justifications are relevant.

    If it's not possible to justify the processing activity with one of the available grounds, the practice will have to stop processing.

    Practices will have to take several technical and organisational measures to make sure data protection is incorporated into all procedures involving personal data. This means:

    • reviewing policies and processes to ensure that only necessary data is collected, and that it is only processed to the extent necessary;
    • storing the data securely;
    • limiting access to the data;
    • destroying the data once it is no longer needed.