GPs as data controllers under the GDPR

The General Data Protection Regulation (GDPR) is an EU Regulation which will be directly applicable in the UK on 25 May 2018.

The GDPR should be read alongside the forthcoming UK Data Protection Act 2018 (DPA 2018). Together, the GDPR and the DPA 2018 will replace the existing Data Protection Act 1998.

The UK DPA 2018 has not yet been finalised; however, this interim guidance has been produced to help GP practices prepare for the GDPR. The guidance is subject to change when the DPA 2018 comes into force and may be updated.

What you need to know

The GDPR and the Data Protection Act 2018 replace the Data Protection Act 1998 with an updated and strengthened data protection framework; however, the key principles of the original Act remain unchanged. The most relevant changes for GPs in their role as data controllers are highlighted in the box below.

The remainder of the guidance explains GP data controllers' responsibilities under the GDPR, and sets out the main themes of the legislation and what needs to be done to ensure compliance.

The principles in the guidance apply to doctors working in private practice or other NHS healthcare settings.

Key changes under GDPR

  • Compliance must be actively demonstrated, for example it will be necessary to:
    • keep and maintain up-to-date records of the data flows from the practice and the legal basis for these flows; and
    • have data protection policies and procedures in place.
  • More information is required in 'privacy notices' for patients.
  • A legal requirement to report certain data breaches.
  • Significantly increased financial penalties for breaches as well as non-compliance.
  • Practices will not be able to charge patients for access to medical records (save in exceptional circumstances).
  • Designation of Data Protection Officers.

Key themes

The guidance sets out the main themes of the legislation and what you need to do to ensure compliance, including:

  • What is a data controller?
  • Consent and other lawful bases for processing
  • Right to object
  • Data controller responsibilities for processing: privacy notices
  • Accountability: demonstrating compliance
  • Dealing with requests for confidential health data
  • Breach reporting
  • Subject access requests
  • Additional concepts under GDPR

Download

Access the full guidance to be clear on your key responsibilities as a GP data controller under the GDPR.

GPs as data controllers under the GDPR (PDF)
