Data protection is of utmost importance in general practice. Asumpta Gallagher, owner of Best Practice, looks at GDPR and how practices can ensure they are compliant.
General practice is one of the areas of healthcare that collects and processes a significant amount of personal data. As such, it is essential for GP practices to have a robust General Data Protection Regulation (GDPR) system in place to ensure they are compliant with the regulation and protect the sensitive information of their patients.
For GP practices, GDPR compliance means ensuring that patient data is collected, processed, and stored securely and only used for its intended purpose. It also means ensuring that patients are fully informed about how their data is being used, and that their rights are respected.
Here are some tips and guidance for GP practices to ensure their GDPR compliance:
1. Conduct a data audit: This audit should include information about the types of data collected, how it is processed, and where it is stored.
2. Identify and document the lawful basis for processing personal data: Article 6 of GDPR outlines the six lawful bases for processing personal data and Article 9 details the ten lawful bases for the processing of special categories of data (which includes health data). Practices must identify and inform patients about the lawful bases for processing both types of data.
3. Publish your privacy notice: Practices should provide the following information: the data controller’s identity; the data protection officer’s contact details; the purpose of data processing; the lawful basis for processing; the categories of personal data concerned; the potential recipients of personal data; the data retention period; a list of the data subject’s rights; any safeguards that will be used if data is to be transferred to a country outside the EU. Privacy policies may be displayed in your reception and waiting room, as well as on the website and practice social media channels.
4. Appoint a Data Protection Officer (DPO): Under the GDPR, whilst it’s not mandatory for a GP practice to have a DPO, it can still be beneficial to have someone responsible for GDPR compliance. This is usually the practice manager, where one is in place.
5. Train employees: All employees who handle patient data should receive training on GDPR compliance, including the principles of data protection, the rights of patients and the procedures for handling patient data.
6. Maintain accurate and up-to-date patient records: Practices should ensure that all patient records are accurate and up-to-date, and only include the necessary information. Additionally, practices should regularly review patient records and ensure they are familiar with relevant guidance on record retention.
7. Securely store patient data: GP practices should ensure that all patient data is stored securely, whether it is in paper or electronic format. This includes using strong passwords, encryption, and firewalls to protect electronic data, and securely locking and limiting access to paper records.
The consequences of non-compliance with the GDPR can be severe. GP practices can face fines of up to 4% of their annual revenue or 20 million euros (whichever is greater), as well as legal actions and reputational damage. 
 
Retention of medical records
Time limits
 Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The retention periods for medical records are taken from the HSE guidance National Hospitals Office Code of Practice for Healthcare Records Management. These periods are also in line with the recommendations of the Health Information and Quality Authority (HIQA).
| Type of healthcare record | Retention period |
|---|---|
| General (adult) | Eight years after last contact, unless in the interest of the data subject to retain* |
| Deceased persons | Eight years after death |
| Children and young people (all types of records relating to children and young people) | Retain until the patient's 25th birthday or 26th if young person was 17 at the conclusion of treatment, or eight years after death. If the illness or death could have potential relevance to adult conditions or have genetic implications, the advice of clinicians should be sought as to whether to retain the records for a longer period |
| Maternity (all obstetric and midwifery records, including those of episodes of maternity care that end in stillbirth or where the child later dies) | 25 years after the birth of the last child |
| Mentally disordered persons (within the definition of the Mental Health Acts 1945 to 2001) | 20 years after the date of last contact between the patient/client/service user and any healthcare professional employed by the mental health provider, or eight years after the death of the patient/client/service user if sooner |
| Patients who have committed suicide (not included in mentally disordered persons) | 10 years |
| Patients included in clinical trials | 20 years |
| Cause of death certificate counterfoils | Two years |
 
*At all times the interest of the patient must be to the forefront. If it is not in the interest of the data subject, then the medical records should not be deleted. For example, a 25-year-old man has treatment for a malignant melanoma and after recovery is not seen in the practice for eight years. It would not be in the interest of the patient to delete his medical records. On the other hand, it would not be appropriate to retain data on an 87-year-old woman who died eight years ago, following a stroke, and had no history of a major mental health disorder.
 
Data breaches
A data breach in general practice occurs when there is an unauthorised access, disclosure or loss of patient data or personal information. 
In the context of general practice, a data breach can occur in various ways, including:
1. Cyber-attacks: Cyber-attacks are one of the most common causes of data breaches in general practice. These attacks can happen through the use of malware, phishing emails, or other tactics that allow unauthorised access to patient data.
2. Theft: Patient data can be stolen physically or electronically by malicious actors or employees. For example, although thankfully an uncommon scenario, an employee might intentionally steal patient data to sell it or use it for personal gain.
3. Human error: Data breaches can also occur due to human error. This can include accidental deletion of data, sending sensitive information to the wrong recipient, or misplacing documents containing personal data.
4. Unauthorised access: Unauthorised access to patient data can occur when employees or others gain access to data without proper authorisation. This can happen due to inadequate access controls or other security vulnerabilities.
It is important to note that any unauthorised access, disclosure or loss of patient data is considered a data breach under the GDPR. This includes any incident, regardless of its severity or impact on patients.
In the event of a data breach, you must take immediate action to mitigate the impact of the breach and prevent further unauthorised access. Breach notification is mandatory where a data breach is likely to “result in a risk to the rights and freedoms of individuals” – in such a circumstance the Data Protection Commission (DPC) must be notified without undue delay and in any event within 72 hours of first having become aware of the breach. Furthermore, if the breach is likely to result in a high risk of adversely impacting an individual’s rights and freedoms, the patient must be informed without undue delay. This is in addition to the professional duty of candour for clinicians to inform patients when things go wrong and patients suffer harm or distress. 
In conclusion, GDPR compliance is a vital aspect of running a GP practice. By implementing a robust GDPR system, practices can protect their patients' data, avoid legal and financial consequences, and build trust and loyalty with their patients. It is important for GP practices to stay up to date with the latest GDPR guidance and ensure that they are always complying with the regulation's requirements. This will not only benefit the practice but also improve the quality of care that they provide to their patients.
 
 
Asumpta Gallagher is the owner of Best Practice, an award-winning business that helps GPs and their teams navigate the many challenges associated with running a patient-centred business. Services include setting up in practice, HR/management support, compliance and staff training. Further information can be found on her website.