Ignore GDPR at your peril

9 February 2018
It’s tempting to see the new General Data Protection Regulation (GDPR) as more legislation that can be safely ignored. After the GDPR takes effect, and all the lawyers, consultants and event organisers have made their money, it will be business as usual, right?
 
Unfortunately the answer is no. For healthcare organisations, doing nothing before the 25 May deadline is risky bordering on reckless.
 
While it’s true that in many ways GDPR simply reinforces principles in existing data protection legislation, it also introduces some fundamental changes that anyone dealing with healthcare data, specifically personal medical information, needs to heed.
 
In 2015/16, 45% of all data security breaches reported to the Information Commissioner’s Office (ICO) involved the health care sector. In May 2016, the ICO handed out fines totalling £365,000 to NHS organisations.
 
Under the GDPR, maximum fines will increase from £500,000 to €20 million. If the biggest fine handed out to an NHS organisation to date - £325,000 to Brighton and Sussex University Hospitals NHS Trust – were scaled up under the new rules it could reach €15 million.
 
Speaking at a recent PCC event, David Hill, legal director at Hill Dickinson, said: “There’s money to be made creating a sense of alarm about GDPR, but there are some objective reasons we need to get to grips with it. If you do nothing, you will almost certainly be in breach.”
 
Since 2010 European lawmakers have been concerned by patchy implementation of data protection law. With each country free to enact its own legislation, there is no common understanding of fundamental concepts. For example, definitions of “personal information” vary from country to country.
 
A decision was taken to replace the current EU directive, with its wide scope for interpretation, with specific regulations which each country will need to enshrine in law.
 
Hill warned against the hope that GDPR could become irrelevant post-Brexit. Financial services companies and other organisations hoping to trade in Europe after the UK’s withdrawal will need to be GDPR compliant. Meanwhile new legislation implementing GDPR is currently making its way through the UK Parliament. “GDPR is here to stay,” Hill says.
 
“A lot is not new but is augmenting what is already there or making explicit what is now implicit,” said Hill.
 
AMONG THE CHANGES ARE:
 
  • New/amended definitions and scope
  • New/amended data protection principles
  • New/amended conditions for processing
  • New rules about consent
  • New/amended data subject rights
  • New obligations for data controllers and processors
  • More robust regulation and enforcement.

For health care organisations, where the data being processed is sensitive personal data – or what GDPR now terms “special category data” – the rules are set to become much tighter. Organisations cannot rely on inferred consent: it must be explicit.
 
Hill warns NHS bodies not to rely on consent where there is no genuine choice on offer. For example a patient undergoing a course of treatment should not be given a choice about whether the clinicians concerned can access their medical records. “It’s fine to say in effect we’re not asking for your consent because it’s part and parcel of the service,” Hill says.
 
“A way can always be found for any processing that is legitimate. For example, get the patient to sign to acknowledge what you propose to do with their data rather than obtain consent.”
 
The law makes no distinction between large and small organisations, so while trusts and other large NHS bodies may feel confident that they have the capacity to deal with new rules around record-keeping and the compulsory appointment of data protection officers, others, such as general practices may be concerned about another tsunami of bureaucracy heading their way.
 
Acknowledging that understanding and implementing the new arrangements could seem onerous, Hill said this was another area where it made sense for practices to join forces. For example, LMCs and federations could develop policies that can be shared by their practices. While every practice will be required to have a data protection officer (DPO), it is allowable to act as DPO for more than one organisation – again, this could be a role performed at federation level on behalf of a number of practices.
 
The PCC and Hill Dickinson event Implications of GDPR on the Health Care Sector is repeated on 12 April in Leeds. Other local events may also be run, subject to sufficient demand.
 
To book your place at the Leeds event: http://bit.ly/2Ex0nvP
 
For all other enquiries email enquiries@pcc-cic.org.uk with GDPR in the subject line.