The new legislation will bring numerous changes to UK data protection law. As such, this factsheet cannot be a full summary of either the GDPR or the Data Protection Bill (currently subject to Parliamentary debate). In addition this factsheet does not constitute legal advice.
If you have specific questions, regarding the legislation, you should contact the ICO and/or a data protection specialist.
From 25 May 2018, the EU General Data Protection Regulation (GDPR) (1) will come into force and will have a direct effect in every EU country.
The GDPR, together with the forthcoming Data Protection Act 2018 (currently in draft Bill form and subject to Parliamentary debate) will supersede current UK provisions within the Data Protection Act 1998 (DPA 1998). These will continue to apply after the UK leaves the EU.
The GDPR has been written to reflect the increasingly digital climate in which organisations now operate. It aims to enhance the current data protection rules, by introducing a number of additional data protection obligations on organisations operating within the EU and increasing rights for individuals and allowing them more control over their own personal data.
Who does the GDPR apply to?
The GDPR applies to all individuals and organisations (including hospitals, clinics and general practices) who have day-to-day responsibility for data protection. Therefore it is important that all data controllers and data processors are aware of its new rules around the storage and handling of personal data.
The GDPR does not apply to the processing of personal data relating to criminal convictions or proceedings. However, this is to be covered in the forthcoming Data Protection Act 2018.
All MPS members should be aware of the key changes that the GDPR brings, and ensure that they are compliant with the principles of the GDPR.
What are the key changes?
The Information Commissioner’s Office (the ICO) has published their Guide to the General Data Protection Regulation (GDPR) (2). This should be considered a living document, and extra resources and information are expected to be added right up until the legislation takes force in May 2018.
Although many of the GDPR’s main concepts and principles remain the same as those in the Data Protection Act 1998, there are a number of significant changes and also new concepts.
- New principle of accountability brings the requirement for organisations to keep records of data processing activities. Not only are organisations required to be compliant with the GDPR, but they must be able to demonstrate this compliance.
- Requirement to maintain records of data processing activities.
- There are wider definitions of what constitutes personal data and special categories of personal data (previously known as sensitive data).
- Stricter rules on consent when it is used as the lawful basis for processing personal data.
- Specific requirements regarding transparency and informing individuals about how their personal data is used.
- Removal of charges, in most cases, for providing copies of records to patients who make a subject access request.
- Timescale for subject access requests reduced.
- Additional rights for data subjects.
- Legal requirement for personal data breach notification to the ICO within 72 hours where there is likely to be a “risk to the rights and freedoms” of data subjects.
- The appointment of a Data Protection Officer is likely to be mandatory for all organisations providing healthcare.
- Data protection impact assessments are required for high risk processing of personal data.
- Significantly increased penalties possible for any breach of the Regulation, not just data breaches.
Comparison of GDPR with the DPA 1998
Principle of accountability
Requirement to keep records of data processing activities
Personal data now includes automated sources, such as online identifiers and IP addresses.
Special categories now include genetic and biometric data.
Consent as a lawful basis for processing data
Opt-out consent was permissible.
Freely given, specific and informed.
Pre-ticked boxes unacceptable.
Positive opt-in process.
Easy way to withdraw consent.
Transparency and Privacy notices
More detail required to be provided to individuals, including lawful basis for processing, how their data is processed, the DPO’s contact details and the right to complain to the ICO.
Subject access requests
Able to charge patients.
40 days to comply.
Removal of charges (in most cases).
One month to comply (in most cases).
Records may be requested in electronic format.
Encouragement of online access to records.
Stronger rights, including the right of erasure (to be forgotten) and the new right of data portability for automated processing
Data breach notification
Must inform ICO within 72 hours if risk to rights and freedoms of individuals.
Data processors must inform data controllers without delay.
Data Protection Officer
Mandatory for all public bodies handling large volumes of special categories of data.
Mandatory for high risk processing of personal data or when new technologies introduced.
For data security breaches.
For any infringement of the GDPR (not just data security breaches).
Significantly enhanced fines and a right to compensation for data subjects.
More detail of the changes imposed by the GDPR is provided under the headings below.
The data protection principles
There are now six key data protection principles in the GDPR, rather than the eight in the DPA 1998. They can be summarised as follows:
- Personal data should be processed lawfully, fairly and in a transparent manner.
- Personal data should be collected for specified, explicit and legitimate purposes and be processed in a manner compatible with those purposes.
- Personal data should be accurate, relevant and limited to what is necessary for purpose.
- Personal data should be accurate and kept up to date, and inaccurate data should be rectified without delay.
- Personal data, in a form that identifies the data subject, should be stored for no longer than is necessary for the purpose for which it is required. Exemptions in relation to the public interest and research may apply.
- Personal data should be securely stored and protected against unlawful processing and accidental loss, destruction or damage.
These principles are largely the same as in the DPA 1998. The two additional DPA 1998 data protection principles, regarding the rights of data subjects and the overseas transfer of data, have not been omitted from the GDPR. Instead they have been further developed, with additional detail, and are contained within separate sections of the GDPR.
The GDPR introduces, for the first time in data protection legislation, the important principle of “accountability”. As well as being responsible for ensuring that they are compliant with the above six data protection principles, organisations must now also be able to DEMONSTRATE their compliance with these principles, as well as with the GDPR as a whole.
Whilst the principle of accountability has previously been an implicit requirement of data protection law, it is now mandatory.
It is therefore important that organisations maintain accurate records of all their data processing activities. Undertaking audits and process mapping of processing activities may allow them to identify the extent of their data processing. They should document all advice provided by the Data Protection Officer and any risk assessments undertaken.
They should consider what organisational and technical measures may be required in order for them to be able to demonstrate compliance with the GDPR. Organisations should revise and update their internal data protection policies, to formally document how they will be compliant with the various requirements of the GDPR.
Organisations should undertake staff training to ensure that every member of the team is aware of the changes within the GDPR, the principles of data protection and their individual responsibilities.
NHS Digital’s Information Governance Alliance (the IGA) has published good practice guidance on accountability and organisational priorities (3). The ICO has published a self-assessment tool (4) for organisations to assist them in preparing for the GDPR.
What is personal data?
‘Personal Data’ is defined as “any information relating to an identified or identifiable natural person (the ‘data subject’)…. who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Under the DPA 1998, personal data includes names, addresses, telephone numbers, dates of birth, and hospital and GP patient numbers. Under the GDPR, the scope of ’personal data’ has now been extended to include both manual filing and automated collection of personal data, and as a result, now includes information such as online identifiers and IP addresses.
‘Special categories of data’ is a new term introduced by the GDPR and replaces the previous term ‘sensitive data’ under the DPA 1998. The data types are broadly the same and include details of race, health, sexual orientation, political views and religion.
The GDPR has also added the processing of genetic or biometric data to the special categories of data.
Lawful basis for processing
The GDPR states that there must be a valid lawful basis in order to process personal data. There are six lawful bases as follows:
- Necessary for the performance of a contract or the provision of a service
- Necessary in relation to a legal obligation
- Necessary in the vital interests of the data subject
- Necessary for a task carried out in the public interest or in the exercise of official authority
- Necessary for the purposes of a legitimate interest unless overridden by the rights and freedoms of the data subject.
Organisations should consider which basis is most appropriate to use, depend on their purpose and their relationship with the individual. They should document the lawful basis for the processing of personal data.
In relation to special categories of data (which includes health data), there are ten lawful bases. Whilst special categories of data may be processed with the individual’s consent, there are also specific provisions that allow data to be processed in order to provide medical care. Further information regarding this can be accessed in the ICO’s specific guidance on the lawful basis for processing (5).
You must identify both a lawful basis for general processing and an additional condition for processing special categories of data.
Whilst the requirement to have a lawful basis in order to process personal data is not new, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing.
Consent as a lawful basis for processing
It is likely that organisations may rely on another appropriate lawful basis for the processing of personal data, rather than consent.
However, if consent is to be used for the lawful basis of processing personal data, the GDPR places a very high standard for this consent.
Consent must be freely given, specific and informed. It should constitute an unambiguous indication of the patient’s wishes, by a clear affirmative action to the processing of his/her data. Pre-ticked boxes will not count as consent and there must be a positive opt-in process, separate from other terms and conditions. There must be an easy way for patients to withdraw their consent.
Transparency and fair processing
As has always been the case under the DPA 1998, organisations have an obligation to inform their patients what they are doing with their data. However, the GDPR will bring in more detailed and specific rules on providing privacy information to data subjects. In particular, organisations must now inform people upfront about the lawful basis for processing their personal data.
Privacy notices should be used to inform patients at the time of collecting their data. Therefore, for example, information should be made available to patients when they register with practices. However, you should consider other situations when it would be appropriate to provide privacy information. This can be done by imagining yourself in the patient’s shoes – are there any ways you use information in a way that patients would not expect?
The GDPR places emphasis on the importance of privacy notices being easily accessible to patients. Information within such notices should be concise, truthful and written in clear straightforward language.
It is important to consider the various groups of patients who are registered at your organisation and their differing needs. It may be better to provide separate notices for each category of patient. For example, if you consult with teenage children, with capacity to make their own health decisions, you must ensure that privacy notices are available appropriate to their level of understanding. The same principles would apply to vulnerable adults.
Privacy notices should be also translated into other languages, as necessary, for your non English speaking patients.
In order to decide what to include, you must first identify what personal information you hold and how it is used. Once you have done so, you must provide the following notice within privacy notices:
- The data controller’s identity
- The data protection officer’s contact details
- The purpose of the processing
- The lawful basis for processing
- The categories of personal data concerneD
- The potential recipients of personal data
- How long the data will be retained
- A list of the data subject’s rights
- Any safeguards that will be used if data is to be transferred to a country outside the EU.
In addition, patients must be informed that they can complain to the ICO if they believe there is a problem with how their data is being handled.
You may choose to use various methods to display this information, including posters in waiting rooms, leaflets at reception, information sheets attached to registration forms and letters to patients. Privacy notices could also be publicised on your organisation’s website, with links to further information.
Subject access requests (SARs)
The GDPR states that individuals will have a right to obtain:
- Confirmation that their data is being processed and the supplementary information that should be provided within a privacy notice
- Access to their personal data.
The GDPR clarifies that allowing individuals to access their data is so that they are aware of and can verify the lawfulness of the processing.
However, in terms of request for copies of medical/dental records, there may be varying reasons why patients may make requests, including keeping a record for personal reference, to jog their memory of distant events, or to investigate a potential complaint or claim.
Irrespective of reasons, patients are entitled to make subject access requests and they do not need to provide a reason for doing so.
The key changes relating to subject access requests are as follows:
- The identity of the person making the SAR should be confirmed using “reasonable means”. If in any doubt, it is reasonable to ask the individual to provide more information, such as a date of birth, a passport or a birth certificate.
The timescale for compliance with SARs will be reduced to one month, rather than the previous 40 days. This period may be extended by a further two months where requests are complex or numerous. However, if you need this further time, you must inform the patient within one month of the receipt of the request and explain why the extension is necessary.
In most cases organisations will no longer be able to charge for the provision of copies of records. However, the ICO states (6) that you can charge a ‘reasonable fee’ when a request is ‘manifestly unfounded or excessive’, particularly if it is repetitive. You may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that you can charge for all subsequent access requests.
- The GDPR states that if a subject access request is made electronically, you should provide the information in a commonly used electronic format.
- The GDPR also makes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. If this is not currently possible, you could consider whether it is feasible or desirable to develop such systems in the future.
- If an organisation declines to comply with a SAR, on the grounds that the request is ‘manifestly unfounded or excessive’, then the patient must be provided with a reason and be informed of their right to make a complaint to the ICO.
If you receive a request for copies of medical records from solicitors or insurance companies, these should be considered in the same way as subject access requests from patients. The requirements under GDPR are therefore the same as if a patient requested the information.
You should ensure that the patient has signed appropriate consent for the disclosure of their personal data to solicitors or insurance companies. As for requests from individuals, practices can only charge for requests that are "manifestly unfounded or excessive", or requests for the same information already provided to that requester.
Other individual rights
Individuals are given stronger rights under the GDPR, although these rights may be complex and not absolute. Data controllers should ensure that they understand when they apply and have a process in place to deal with them, should patients wish to exercise them.
- Right to rectification – individuals have the right to request that their data is rectified if it is inaccurate or incomplete. Your organisation must respond within one month, or two months if the request is complex. If the request is declined, you must explain why to the individual, informing them of their right to complain to the ICO and to a judicial remedy.
- Right to erasure – otherwise known as the ‘right to be forgotten’, although is not absolute. It enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing and in the following circumstances:
- If the information is no longer necessary for the purpose for which it was collected.
- If the individual withdraws consent, where their personal data is processed on that basis (there are exemptions which would capture health records, outlined by the ICO) (7).
- If the individual objects and there is no overriding legitimate interest for continued processing.
- If the data was unlawfully processed.
- If the data needs to be destroyed to meet a legal obligation.
- Right to object – individuals can object to the processing of their data, for example, in relation to direct marketing, profiling, scientific and historical research.
- Right to restrict processing – this may be requested by individuals where accuracy is contested, pending resolution; where an individual objects to processing, pending verification of legitimate grounds; where the organisation no longer needs the data, but the individual requires it to be kept for legal claims; where processing is unlawful but the individual opposes erasure.
- Right to data portability – this allows individuals to obtain and re-use their data for their own purposes across different services. Individuals have a right to receive their personal data in a ‘commonly used and machine readable format’. This right only applies where the processing is automated and is based on consent. It is unlikely to apply in the healthcare setting.
Data breach notification
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It may be accidental or deliberate.
Under the GDPR, breach notification will be mandatory where a data breach is likely to “result in a risk to the rights and freedoms of individuals” (8).
- Such data breaches must be notified to the ICO without undue delay and in any event within 72 hours of first having become aware of the breach. If the breach affects individuals in different EU countries, you should identify the relevant supervisory authority.
- When reporting a breach to the ICO, you must provide the following:
- a description of the nature of the personal breach
- the categories and approximate number of individuals and personal data records concerned
- oname and contact details of your Data Protection Officer (DPO)
- a description of the likely consequences of the personal data breach
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including any measures to reduce the impact of the breach.
- If the breach is likely to result in a high risk of adversely impacting an individual’s rights and freedoms, they must be informed without undue delay.
- If the breach is likely to result in a high risk of adversely impacting an individual’s rights and freedoms, they must be informed without undue delay. This is in addition to the professional duty of candour for clinicians to inform patients when things go wrong and patients suffer harm or distress (9).
- Organisations must have robust breach detection, investigation and internal reporting procedures in place.
- Data processors will be required to notify the data controllers, “without undue delay” after first becoming aware of a data breach.
- Records of all data breaches must be retained, regardless of whether they required to be notified to the ICO.
- Failure to notify a breach can lead to a fine of up to €10 million (or up to 2% of your annual global turnover).
Organisations would be advised to provide detail of action to be taken in the event of a data breach within their data protection policy.
Data Protection Officers
The GDPR introduces a mandatory obligation to designate a Data Protection Officer (DPO) in the following circumstances:
- If the organisation is a public body.
- If the organisation’s core activities require regular monitoring of data subjects on a large scale.
- If the organisation’s core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
It is therefore inevitable that GP and GDP practices, hospitals and other health provider organisations will fulfil at least one of the above criteria and will need to appoint a DPO.
The DPO should have experience and adequate knowledge of both data protection law and the organisation’s IT infrastructure and other infrastructure pertaining to data collection, storage and processing.
The DPO must:
- Inform and advise the organisation and colleagues of their data protection obligations.
- Monitor compliance with the GDPR and other data protection laws.
- Monitor the organisation’s data protection policies.
- Provide advice regarding Data Protection Impact Assessments (DPIAs).
- Co-operate with the ICO.
- Act as a contact point for the ICO on data processing issues.
- Be the first point of contact for individuals whose data is processed.
The DPO should be supported by the necessary resources to carry out the role and maintain expertise. It is expected that the DPO will directly report to the highest management level of your organisation.
There should be timely involvement of the DPO in all data protection issues.
The DPO could be an existing employee, so long as they have sufficient expertise and no conflict of interest if they perform other roles within the organisation. Alternatively the role of DPO could be contracted out externally or may be shared by more than on organisation.
There must be no pressure by the organisation on the DPO as to how undertake the necessary tasks of the role. If the DPO is an employee they should not be dismissed or penalised for performing this role.
Data Protection Impact Assessments
Organisations are encouraged to undertake Data Protection Impact Assessments (DPIAs) by the ICO to assess the level of protection in place to safeguard individuals’ personal data. The aim is to identify and rectify emerging data protection issues at an early stage.
A DPIA must be carried out when, for example:
- New technologies are introduced. Examples may include the introduction of a new computer system or a new system of sharing data.
- Processing of personal data is likely to have a high risk to the rights and freedoms of individuals.
It would be prudent to make reference to DPIAs, and when they might be required, within your data protection policy.
Privacy by design
Under the GDPR, organisations are obliged to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities.
Although not a requirement of the DPA 1998, the ICO has encouraged organisations to adopt a “Privacy by design” approach, by ensuring that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle, for example when:
- building new IT systems for storing or accessing personal data.
- developing legislation, policy or strategies that have privacy implications.
- embarking on a data sharing initiative.
- using data for new purposes.
Security of processing
The GDPR’s “security principle” applies to both data controllers and processors and outlines that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'.
It is important to consider the risks associated with data processing, undertaking a risk analysis, reviewing your organisational policies, as well as physical and technical measures.
The ICO provides the following advice (10):
- You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
- Where appropriate, you should look to use measures such as pseudonymisation and encryption.
- Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
- The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
- You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
Organisations in breach of the GDPR may find themselves liable for fines. These may be imposed for any infringement of the Regulation, not only data security breaches.
There are two tiers of penalty, depending on the seriousness of the infringement.
Tier 1 – a fine up to a maximum of €10 million or 2% of the organisation’s annual global turnover, whichever is greater.
Tier 2 – a fine up to a maximum of €20 million or 4% of the organisation’s annual global turnover, whichever is greater.
Fines will be at the discretion of the ICO and are likely to be adjusted according to the circumstances of each individual case. It is important to note that these rules apply to both controllers and processors.
Individual data subjects also have a right to compensation, where they have suffered material or non-material damage as a result of a breach of the GDPR.
Transfer of personal data outside the EU
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. The ICO has published further information in this regard (11).